mirrors/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-04-21 20:15:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

LibCrypto: Fix issues in the Crypto stack

Browse source 
This commit fixes up the following:
- HMAC should not reuse a single hasher when successively updating
- AES Key should not assume its user key is valid signed char*
- Mode should have a virtual destructor
And adds a RFC5246 padding mode, which is required for TLS
This commit is contained in:
AnotherTest 2020-04-29 19:17:47 +04:30 committed by Andreas Kling
parent 7adb93ede9
commit f1578d7e9e
Notes: sideshowbarker 2024-07-19 07:05:16 +09:00
10 changed files with 93 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
Libraries/LibCrypto/Cipher/AES.cpp
View file

@ -59,7 +59,7 @@ namespace Cipher {
return builder.build();
}
void AESCipherKey::expand_encrypt_key(const StringView& user_key, size_t bits)
void AESCipherKey::expand_encrypt_key(const ByteBuffer& user_key, size_t bits)
{
u32* round_key;
u32 temp;
@ -78,10 +78,10 @@ namespace Cipher {
m_rounds = 14;
}
round_key[0] = get_key(user_key.substring_view(0, 4).characters_without_null_termination());
round_key[1] = get_key(user_key.substring_view(4, 4).characters_without_null_termination());
round_key[2] = get_key(user_key.substring_view(8, 4).characters_without_null_termination());
round_key[3] = get_key(user_key.substring_view(12, 4).characters_without_null_termination());
round_key[0] = get_key(user_key.slice_view(0, 4).data());
round_key[1] = get_key(user_key.slice_view(4, 4).data());
round_key[2] = get_key(user_key.slice_view(8, 4).data());
round_key[3] = get_key(user_key.slice_view(12, 4).data());
if (bits == 128) {
for (;;) {
temp = round_key[3];
@ -103,8 +103,8 @@ namespace Cipher {
return;
}
round_key[4] = get_key(user_key.substring_view(16, 4).characters_without_null_termination());
round_key[5] = get_key(user_key.substring_view(20, 4).characters_without_null_termination());
round_key[4] = get_key(user_key.slice_view(16, 4).data());
round_key[5] = get_key(user_key.slice_view(20, 4).data());
if (bits == 192) {
for (;;) {
temp = round_key[5];
@ -131,8 +131,8 @@ namespace Cipher {
return;
}
round_key[6] = get_key(user_key.substring_view(24, 4).characters_without_null_termination());
round_key[7] = get_key(user_key.substring_view(28, 4).characters_without_null_termination());
round_key[6] = get_key(user_key.slice_view(24, 4).data());
round_key[7] = get_key(user_key.slice_view(28, 4).data());
if (true) { // bits == 256
for (;;) {
temp = round_key[7];
@ -169,7 +169,7 @@ namespace Cipher {
}
}
void AESCipherKey::expand_decrypt_key(const StringView& user_key, size_t bits)
void AESCipherKey::expand_decrypt_key(const ByteBuffer& user_key, size_t bits)
{
u32* round_key;
@ -414,6 +414,10 @@ namespace Cipher {
// fill with the length of the padding bytes
__builtin_memset(m_data.data() + length, m_data.size() - length, m_data.size() - length);
break;
case PaddingMode::RFC5246:
// fill with the length of the padding bytes minus one
__builtin_memset(m_data.data() + length, m_data.size() - length - 1, m_data.size() - length);
break;
default:
// FIXME: We should handle the rest of the common padding modes
ASSERT_NOT_REACHED();

11
Libraries/LibCrypto/Cipher/AES.h
View file

@ -71,8 +71,8 @@ namespace Cipher {
struct AESCipherKey : public CipherKey {
virtual ByteBuffer data() const override { return ByteBuffer::copy(m_rd_keys, sizeof(m_rd_keys)); };
virtual void expand_encrypt_key(const StringView& user_key, size_t bits) override;
virtual void expand_decrypt_key(const StringView& user_key, size_t bits) override;
virtual void expand_encrypt_key(const ByteBuffer& user_key, size_t bits) override;
virtual void expand_decrypt_key(const ByteBuffer& user_key, size_t bits) override;
static bool is_valid_key_size(size_t bits) { return bits == 128 || bits == 192 || bits == 256; };
String to_string() const;
const u32* round_keys() const
@ -80,7 +80,8 @@ namespace Cipher {
return (const u32*)m_rd_keys;
}
AESCipherKey(const StringView& user_key, size_t key_bits, Intent intent)
AESCipherKey(const ByteBuffer& user_key, size_t key_bits, Intent intent)
: m_bits(key_bits)
{
if (intent == Intent::Encryption)
expand_encrypt_key(user_key, key_bits);
@ -91,6 +92,7 @@ namespace Cipher {
virtual ~AESCipherKey() override {}
size_t rounds() const { return m_rounds; }
size_t length() const { return m_bits / 8; }
protected:
u32* round_keys()
@ -102,13 +104,14 @@ namespace Cipher {
static constexpr size_t MAX_ROUND_COUNT = 14;
u32 m_rd_keys[(MAX_ROUND_COUNT + 1) * 4] { 0 };
size_t m_rounds;
size_t m_bits;
};
class AESCipher final : public Cipher<AESCipherKey, AESCipherBlock> {
public:
using CBCMode = CBC<AESCipher>;
AESCipher(const StringView& user_key, size_t key_bits, Intent intent = Intent::Encryption, PaddingMode mode = PaddingMode::CMS)
AESCipher(const ByteBuffer& user_key, size_t key_bits, Intent intent = Intent::Encryption, PaddingMode mode = PaddingMode::CMS)
: Cipher<AESCipherKey, AESCipherBlock>(mode)
, m_key(user_key, key_bits, intent)
{

1
Libraries/LibCrypto/Cipher/Cipher.h
View file

@ -40,6 +40,7 @@ namespace Cipher {
enum class PaddingMode {
CMS, // RFC 1423
RFC5246, // very similar to CMS, but filled with |length - 1|, instead of |length|
Null,
// FIXME: We do not implement these yet
Bit,

1
Libraries/LibCrypto/Cipher/Mode/CBC.h
View file

@ -36,6 +36,7 @@ namespace Cipher {
template <typename T>
class CBC : public Mode<T> {
public:
virtual ~CBC() {}
template <typename... Args>
explicit constexpr CBC<T>(Args... args)
: Mode<T>(args...)

21
Libraries/LibCrypto/Cipher/Mode/Mode.h
View file

@ -35,6 +35,8 @@ namespace Cipher {
template <typename T>
class Mode {
public:
virtual ~Mode() {}
// FIXME: Somehow communicate that encrypt returns the last initialization vector (if the mode supports it)
virtual Optional<ByteBuffer> encrypt(const ByteBuffer& in, ByteBuffer& out, Optional<ByteBuffer> ivec = {}) = 0;
virtual void decrypt(const ByteBuffer& in, ByteBuffer& out, Optional<ByteBuffer> ivec = {}) = 0;
@ -51,10 +53,9 @@ namespace Cipher {
}
virtual String class_name() const = 0;
protected:
T& cipher() { return m_cipher; }
protected:
virtual void prune_padding(ByteBuffer& data)
{
auto size = data.size();
@ -74,6 +75,22 @@ namespace Cipher {
data.trim(size - maybe_padding_length);
break;
}
case PaddingMode::RFC5246: {
auto maybe_padding_length = data[size - 1];
if (maybe_padding_length >= T::block_size() - 1) {
// cannot be padding (the entire block cannot be padding)
return;
}
// FIXME: If we want to constant-time operations, this loop should not stop
for (auto i = maybe_padding_length; i > 0; --i) {
if (data[size - i - 1] != maybe_padding_length) {
// note that this is likely invalid padding
return;
}
}
data.trim(size - maybe_padding_length - 1);
break;
}
case PaddingMode::Null: {
while (data[size - 1] == 0)
--size;

2
Libraries/LibCrypto/Hash/HashFunction.h
View file

@ -51,6 +51,8 @@ namespace Hash {
virtual DigestType peek() = 0;
virtual DigestType digest() = 0;
virtual void reset() = 0;
virtual String class_name() const = 0;
};
}

13
Libraries/LibCrypto/Hash/MD5.cpp
View file

@ -220,18 +220,5 @@ namespace Hash {
__builtin_memset(x, 0, sizeof(x));
}
void MD5::reset()
{
m_A = MD5Constants::init_A;
m_B = MD5Constants::init_B;
m_C = MD5Constants::init_C;
m_D = MD5Constants::init_D;
m_count[0] = 0;
m_count[1] = 0;
__builtin_memset(m_data_buffer, 0, sizeof(m_data_buffer));
}
}
}

13
Libraries/LibCrypto/Hash/MD5.h
View file

@ -92,10 +92,21 @@ namespace Hash {
inline static DigestType hash(const ByteBuffer& buffer) { return hash(buffer.data(), buffer.size()); }
inline static DigestType hash(const StringView& buffer) { return hash((const u8*)buffer.characters_without_null_termination(), buffer.length()); }
inline virtual void reset() override
{
m_A = MD5Constants::init_A;
m_B = MD5Constants::init_B;
m_C = MD5Constants::init_C;
m_D = MD5Constants::init_D;
m_count[0] = 0;
m_count[1] = 0;
__builtin_memset(m_data_buffer, 0, sizeof(m_data_buffer));
}
private:
inline void transform(const u8*);
inline void reset();
static void encode(const u32* from, u8* to, size_t length);
static void decode(const u8* from, u32* to, size_t length);

16
Libraries/LibCrypto/Hash/SHA2.h
View file

@ -123,10 +123,7 @@ namespace Hash {
builder.appendf("%zu", this->DigestSize * 8);
return builder.build();
};
private:
inline void transform(const u8*);
inline void reset()
inline virtual void reset() override
{
m_data_length = 0;
m_bit_length = 0;
@ -134,6 +131,9 @@ namespace Hash {
m_state[i] = SHA256Constants::InitializationHashes[i];
}
private:
inline void transform(const u8*);
u8 m_data_buffer[BlockSize];
size_t m_data_length { 0 };
@ -176,10 +176,7 @@ namespace Hash {
builder.appendf("%zu", this->DigestSize * 8);
return builder.build();
};
private:
inline void transform(const u8*);
inline void reset()
inline virtual void reset() override
{
m_data_length = 0;
m_bit_length = 0;
@ -187,6 +184,9 @@ namespace Hash {
m_state[i] = SHA512Constants::InitializationHashes[i];
}
private:
inline void transform(const u8*);
u8 m_data_buffer[BlockSize];
size_t m_data_length { 0 };

40
Userland/test-crypto.cpp
View file

@ -50,10 +50,16 @@ void print_buffer(const ByteBuffer& buffer, int split)
{
for (size_t i = 0; i < buffer.size(); ++i) {
if (split > 0) {
if (i % split == 0 && i)
if (i % split == 0 && i) {
printf(" ");
for (size_t j = i - split; j < i; ++j) {
auto ch = buffer[j];
printf("%c", ch >= 32 && ch <= 127 ? ch : '.'); // silly hack
}
puts("");
}
}
printf("%02x", buffer[i]);
printf("%02x ", buffer[i]);
}
puts("");
}
@ -90,7 +96,7 @@ void aes_cbc(const char* message, size_t len)
auto iv = ByteBuffer::create_zeroed(Crypto::Cipher::AESCipher::block_size());
if (encrypting) {
Crypto::Cipher::AESCipher::CBCMode cipher(secret_key, key_bits, Crypto::Cipher::Intent::Encryption);
Crypto::Cipher::AESCipher::CBCMode cipher(ByteBuffer::wrap(secret_key, strlen(secret_key)), key_bits, Crypto::Cipher::Intent::Encryption);
auto enc = cipher.create_aligned_buffer(buffer.size());
cipher.encrypt(buffer, enc, iv);
@ -100,7 +106,7 @@ void aes_cbc(const char* message, size_t len)
else
print_buffer(enc, Crypto::Cipher::AESCipher::block_size());
} else {
Crypto::Cipher::AESCipher::CBCMode cipher(secret_key, key_bits, Crypto::Cipher::Intent::Decryption);
Crypto::Cipher::AESCipher::CBCMode cipher(ByteBuffer::wrap(secret_key, strlen(secret_key)), key_bits, Crypto::Cipher::Intent::Decryption);
auto dec = cipher.create_aligned_buffer(buffer.size());
cipher.decrypt(buffer, dec, iv);
printf("%.*s\n", (int)dec.size(), dec.data());
@ -341,7 +347,7 @@ int aes_cbc_tests()
void aes_cbc_test_name()
{
I_TEST((AES CBC class name));
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriends", 128, Crypto::Cipher::Intent::Encryption);
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriends"_b, 128, Crypto::Cipher::Intent::Encryption);
if (cipher.class_name() != "AES_CBC")
FAIL(Invalid class name);
else
@ -371,7 +377,7 @@ void aes_cbc_test_encrypt()
0x8b, 0xd3, 0x70, 0x45, 0xf0, 0x79, 0x65, 0xca, 0xb9, 0x03, 0x88, 0x72, 0x1c, 0xdd, 0xab,
0x45, 0x6b, 0x1c
};
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriends", 128, Crypto::Cipher::Intent::Encryption);
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriends"_b, 128, Crypto::Cipher::Intent::Encryption);
test_it(cipher, result);
}
{
@ -382,7 +388,7 @@ void aes_cbc_test_encrypt()
0x68, 0x51, 0x09, 0xd7, 0x3b, 0x48, 0x1b, 0x8a, 0xd3, 0x50, 0x09, 0xba, 0xfc, 0xde, 0x11,
0xe0, 0x3f, 0xcb
};
Crypto::Cipher::AESCipher::CBCMode cipher("Well Hello Friends! whf!", 192, Crypto::Cipher::Intent::Encryption);
Crypto::Cipher::AESCipher::CBCMode cipher("Well Hello Friends! whf!"_b, 192, Crypto::Cipher::Intent::Encryption);
test_it(cipher, result);
}
{
@ -393,7 +399,19 @@ void aes_cbc_test_encrypt()
0x47, 0x9f, 0xc2, 0x21, 0xe6, 0x19, 0x62, 0xc3, 0x75, 0xca, 0xab, 0x2d, 0x18, 0xa1, 0x54,
0xd1, 0x41, 0xe6
};
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriendsWellHelloFriends", 256, Crypto::Cipher::Intent::Encryption);
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriendsWellHelloFriends"_b, 256, Crypto::Cipher::Intent::Encryption);
test_it(cipher, result);
}
{
I_TEST((AES CBC with 256 bit key | Specialized Encrypt))
u8 result[] {
0x0a, 0x44, 0x4d, 0x62, 0x9e, 0x8b, 0xd8, 0x11, 0x80, 0x48, 0x2a, 0x32, 0x53, 0x61, 0xe7,
0x59, 0x62, 0x55, 0x9e, 0xf4, 0xe6, 0xad, 0xea, 0xc5, 0x0b, 0xf6, 0xbc, 0x6a, 0xcb, 0x9c,
0x47, 0x9f, 0xc2, 0x21, 0xe6, 0x19, 0x62, 0xc3, 0x75, 0xca, 0xab, 0x2d, 0x18, 0xa1, 0x54,
0xd1, 0x41, 0xe6
};
u8 key[] { 0x0a, 0x8c, 0x5b, 0x0d, 0x8a, 0x68, 0x43, 0xf7, 0xaf, 0xc0, 0xe3, 0x4e, 0x4b, 0x43, 0xaa, 0x28, 0x69, 0x9b, 0x6f, 0xe7, 0x24, 0x82, 0x1c, 0x71, 0x86, 0xf6, 0x2b, 0x87, 0xd6, 0x8b, 0x8f, 0xf1 };
Crypto::Cipher::AESCipher::CBCMode cipher(ByteBuffer::wrap(key, 32), 256, Crypto::Cipher::Intent::Encryption);
test_it(cipher, result);
}
// TODO: Test non-CMS padding options
@ -423,7 +441,7 @@ void aes_cbc_test_decrypt()
0x8b, 0xd3, 0x70, 0x45, 0xf0, 0x79, 0x65, 0xca, 0xb9, 0x03, 0x88, 0x72, 0x1c, 0xdd, 0xab,
0x45, 0x6b, 0x1c
};
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriends", 128, Crypto::Cipher::Intent::Decryption);
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriends"_b, 128, Crypto::Cipher::Intent::Decryption);
test_it(cipher, result, 48);
}
{
@ -434,7 +452,7 @@ void aes_cbc_test_decrypt()
0x68, 0x51, 0x09, 0xd7, 0x3b, 0x48, 0x1b, 0x8a, 0xd3, 0x50, 0x09, 0xba, 0xfc, 0xde, 0x11,
0xe0, 0x3f, 0xcb
};
Crypto::Cipher::AESCipher::CBCMode cipher("Well Hello Friends! whf!", 192, Crypto::Cipher::Intent::Decryption);
Crypto::Cipher::AESCipher::CBCMode cipher("Well Hello Friends! whf!"_b, 192, Crypto::Cipher::Intent::Decryption);
test_it(cipher, result, 48);
}
{
@ -445,7 +463,7 @@ void aes_cbc_test_decrypt()
0x47, 0x9f, 0xc2, 0x21, 0xe6, 0x19, 0x62, 0xc3, 0x75, 0xca, 0xab, 0x2d, 0x18, 0xa1, 0x54,
0xd1, 0x41, 0xe6
};
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriendsWellHelloFriends", 256, Crypto::Cipher::Intent::Decryption);
Crypto::Cipher::AESCipher::CBCMode cipher("WellHelloFriendsWellHelloFriends"_b, 256, Crypto::Cipher::Intent::Decryption);
test_it(cipher, result, 48);
}
// TODO: Test non-CMS padding options