Userland/Libraries/LibTLS/HandshakeClient.cpp at master

jcs.org / serenity
fork atom
Serenity Operating System
fork atom
serenity / Userland / Libraries / LibTLS / HandshakeClient.cpp
at master 420 lines 15 kB view raw
wrap content
Tim Schumacher AK: Rename Stream::write_entire_buffer to Stream::write_until_depleted 3y ago
ecd18628
  1/*
  2 * Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
  3 * Copyright (c) 2022, Michiel Visser <opensource@webmichiel.nl>
  4 *
  5 * SPDX-License-Identifier: BSD-2-Clause
  6 */
  7
  8#include <AK/Debug.h>
  9#include <AK/Hex.h>
 10#include <AK/Random.h>
 11#include <LibCrypto/ASN1/DER.h>
 12#include <LibCrypto/BigInt/UnsignedBigInteger.h>
 13#include <LibCrypto/NumberTheory/ModularFunctions.h>
 14#include <LibCrypto/PK/Code/EMSA_PSS.h>
 15#include <LibTLS/TLSv12.h>
 16
 17namespace TLS {
 18
 19bool TLSv12::expand_key()
 20{
 21    u8 key[192]; // soooooooo many constants
 22    auto key_buffer = Bytes { key, sizeof(key) };
 23
 24    auto is_aead = this->is_aead();
 25
 26    if (m_context.master_key.size() == 0) {
 27        dbgln("expand_key() with empty master key");
 28        return false;
 29    }
 30
 31    auto key_size = key_length();
 32    VERIFY(key_size);
 33    auto mac_size = mac_length();
 34    auto iv_size = iv_length();
 35
 36    pseudorandom_function(
 37        key_buffer,
 38        m_context.master_key,
 39        (u8 const*)"key expansion", 13,
 40        ReadonlyBytes { m_context.remote_random, sizeof(m_context.remote_random) },
 41        ReadonlyBytes { m_context.local_random, sizeof(m_context.local_random) });
 42
 43    size_t offset = 0;
 44    if (is_aead) {
 45        iv_size = 4; // Explicit IV size.
 46    } else {
 47        memcpy(m_context.crypto.local_mac, key + offset, mac_size);
 48        offset += mac_size;
 49        memcpy(m_context.crypto.remote_mac, key + offset, mac_size);
 50        offset += mac_size;
 51    }
 52
 53    auto client_key = key + offset;
 54    offset += key_size;
 55    auto server_key = key + offset;
 56    offset += key_size;
 57    auto client_iv = key + offset;
 58    offset += iv_size;
 59    auto server_iv = key + offset;
 60    offset += iv_size;
 61
 62    if constexpr (TLS_DEBUG) {
 63        dbgln("client key");
 64        print_buffer(client_key, key_size);
 65        dbgln("server key");
 66        print_buffer(server_key, key_size);
 67        dbgln("client iv");
 68        print_buffer(client_iv, iv_size);
 69        dbgln("server iv");
 70        print_buffer(server_iv, iv_size);
 71        if (!is_aead) {
 72            dbgln("client mac key");
 73            print_buffer(m_context.crypto.local_mac, mac_size);
 74            dbgln("server mac key");
 75            print_buffer(m_context.crypto.remote_mac, mac_size);
 76        }
 77    }
 78
 79    switch (get_cipher_algorithm(m_context.cipher)) {
 80    case CipherAlgorithm::AES_128_CBC:
 81    case CipherAlgorithm::AES_256_CBC: {
 82        VERIFY(!is_aead);
 83        memcpy(m_context.crypto.local_iv, client_iv, iv_size);
 84        memcpy(m_context.crypto.remote_iv, server_iv, iv_size);
 85
 86        m_cipher_local = Crypto::Cipher::AESCipher::CBCMode(ReadonlyBytes { client_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246);
 87        m_cipher_remote = Crypto::Cipher::AESCipher::CBCMode(ReadonlyBytes { server_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246);
 88        break;
 89    }
 90    case CipherAlgorithm::AES_128_GCM:
 91    case CipherAlgorithm::AES_256_GCM: {
 92        VERIFY(is_aead);
 93        memcpy(m_context.crypto.local_aead_iv, client_iv, iv_size);
 94        memcpy(m_context.crypto.remote_aead_iv, server_iv, iv_size);
 95
 96        m_cipher_local = Crypto::Cipher::AESCipher::GCMMode(ReadonlyBytes { client_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246);
 97        m_cipher_remote = Crypto::Cipher::AESCipher::GCMMode(ReadonlyBytes { server_key, key_size }, key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246);
 98        break;
 99    }
100    case CipherAlgorithm::AES_128_CCM:
101        dbgln("Requested unimplemented AES CCM cipher");
102        TODO();
103    case CipherAlgorithm::AES_128_CCM_8:
104        dbgln("Requested unimplemented AES CCM-8 block cipher");
105        TODO();
106    default:
107        dbgln("Requested unknown block cipher");
108        VERIFY_NOT_REACHED();
109    }
110
111    m_context.crypto.created = 1;
112
113    return true;
114}
115
116bool TLSv12::compute_master_secret_from_pre_master_secret(size_t length)
117{
118    if (m_context.premaster_key.size() == 0 || length < 48) {
119        dbgln("there's no way I can make a master secret like this");
120        dbgln("I'd like to talk to your manager about this length of {}", length);
121        return false;
122    }
123
124    if (m_context.master_key.try_resize(length).is_error()) {
125        dbgln("Couldn't allocate enough space for the master key :(");
126        return false;
127    }
128
129    pseudorandom_function(
130        m_context.master_key,
131        m_context.premaster_key,
132        (u8 const*)"master secret", 13,
133        ReadonlyBytes { m_context.local_random, sizeof(m_context.local_random) },
134        ReadonlyBytes { m_context.remote_random, sizeof(m_context.remote_random) });
135
136    m_context.premaster_key.clear();
137    if constexpr (TLS_DEBUG) {
138        dbgln("master key:");
139        print_buffer(m_context.master_key);
140    }
141
142    if constexpr (TLS_SSL_KEYLOG_DEBUG) {
143        auto file = MUST(Core::File::open("/home/anon/ssl_keylog"sv, Core::File::OpenMode::Append | Core::File::OpenMode::Write));
144        MUST(file->write_until_depleted("CLIENT_RANDOM "sv.bytes()));
145        MUST(file->write_until_depleted(encode_hex({ m_context.local_random, 32 }).bytes()));
146        MUST(file->write_until_depleted(" "sv.bytes()));
147        MUST(file->write_until_depleted(encode_hex(m_context.master_key).bytes()));
148        MUST(file->write_until_depleted("\n"sv.bytes()));
149    }
150
151    expand_key();
152    return true;
153}
154
155void TLSv12::build_rsa_pre_master_secret(PacketBuilder& builder)
156{
157    u8 random_bytes[48];
158    size_t bytes = 48;
159
160    fill_with_random(random_bytes, bytes);
161
162    // remove zeros from the random bytes
163    for (size_t i = 0; i < bytes; ++i) {
164        if (!random_bytes[i])
165            random_bytes[i--] = get_random<u8>();
166    }
167
168    if (m_context.is_server) {
169        dbgln("Server mode not supported");
170        return;
171    } else {
172        *(u16*)random_bytes = AK::convert_between_host_and_network_endian((u16)Version::V12);
173    }
174
175    auto premaster_key_result = ByteBuffer::copy(random_bytes, bytes);
176    if (premaster_key_result.is_error()) {
177        dbgln("RSA premaster key generation failed, not enough memory");
178        return;
179    }
180    m_context.premaster_key = premaster_key_result.release_value();
181
182    // RFC5246 section 7.4.2: The sender's certificate MUST come first in the list.
183    auto& certificate = m_context.certificates.first();
184    if constexpr (TLS_DEBUG) {
185        dbgln("PreMaster secret");
186        print_buffer(m_context.premaster_key);
187    }
188
189    Crypto::PK::RSA_PKCS1_EME rsa(certificate.public_key.modulus(), 0, certificate.public_key.public_exponent());
190
191    Vector<u8, 32> out;
192    out.resize(rsa.output_size());
193    auto outbuf = out.span();
194    rsa.encrypt(m_context.premaster_key, outbuf);
195
196    if constexpr (TLS_DEBUG) {
197        dbgln("Encrypted: ");
198        print_buffer(outbuf);
199    }
200
201    if (!compute_master_secret_from_pre_master_secret(bytes)) {
202        dbgln("oh noes we could not derive a master key :(");
203        return;
204    }
205
206    builder.append_u24(outbuf.size() + 2);
207    builder.append((u16)outbuf.size());
208    builder.append(outbuf);
209}
210
211void TLSv12::build_dhe_rsa_pre_master_secret(PacketBuilder& builder)
212{
213    auto& dh = m_context.server_diffie_hellman_params;
214    auto dh_p = Crypto::UnsignedBigInteger::import_data(dh.p.data(), dh.p.size());
215    auto dh_g = Crypto::UnsignedBigInteger::import_data(dh.g.data(), dh.g.size());
216    auto dh_Ys = Crypto::UnsignedBigInteger::import_data(dh.Ys.data(), dh.Ys.size());
217    auto dh_key_size = dh.p.size();
218
219    auto dh_random = Crypto::NumberTheory::random_number(0, dh_p);
220    auto dh_Yc = Crypto::NumberTheory::ModularPower(dh_g, dh_random, dh_p);
221    auto dh_Yc_bytes_result = ByteBuffer::create_uninitialized(dh_key_size);
222    if (dh_Yc_bytes_result.is_error()) {
223        dbgln("Failed to build DHE_RSA premaster secret: not enough memory");
224        return;
225    }
226    auto dh_Yc_bytes = dh_Yc_bytes_result.release_value();
227    dh_Yc.export_data(dh_Yc_bytes);
228
229    auto premaster_key = Crypto::NumberTheory::ModularPower(dh_Ys, dh_random, dh_p);
230    auto premaster_key_result = ByteBuffer::create_uninitialized(dh_key_size);
231    if (premaster_key_result.is_error()) {
232        dbgln("Failed to build DHE_RSA premaster secret: not enough memory");
233        return;
234    }
235    m_context.premaster_key = premaster_key_result.release_value();
236    premaster_key.export_data(m_context.premaster_key, true);
237
238    dh.p.clear();
239    dh.g.clear();
240    dh.Ys.clear();
241
242    if constexpr (TLS_DEBUG) {
243        dbgln("dh_random: {}", dh_random.to_base_deprecated(16));
244        dbgln("dh_Yc: {:hex-dump}", (ReadonlyBytes)dh_Yc_bytes);
245        dbgln("premaster key: {:hex-dump}", (ReadonlyBytes)m_context.premaster_key);
246    }
247
248    if (!compute_master_secret_from_pre_master_secret(48)) {
249        dbgln("oh noes we could not derive a master key :(");
250        return;
251    }
252
253    builder.append_u24(dh_key_size + 2);
254    builder.append((u16)dh_key_size);
255    builder.append(dh_Yc_bytes);
256}
257
258void TLSv12::build_ecdhe_rsa_pre_master_secret(PacketBuilder& builder)
259{
260    // Create a random private key
261    auto private_key_result = m_context.server_key_exchange_curve->generate_private_key();
262    if (private_key_result.is_error()) {
263        dbgln("Failed to build ECDHE_RSA premaster secret: not enough memory");
264        return;
265    }
266    auto private_key = private_key_result.release_value();
267
268    // Calculate the public key from the private key
269    auto public_key_result = m_context.server_key_exchange_curve->generate_public_key(private_key);
270    if (public_key_result.is_error()) {
271        dbgln("Failed to build ECDHE_RSA premaster secret: not enough memory");
272        return;
273    }
274    auto public_key = public_key_result.release_value();
275
276    // Calculate the shared point by multiplying the client private key and the server public key
277    ReadonlyBytes server_public_key_bytes = m_context.server_diffie_hellman_params.p;
278    auto shared_point_result = m_context.server_key_exchange_curve->compute_coordinate(private_key, server_public_key_bytes);
279    if (shared_point_result.is_error()) {
280        dbgln("Failed to build ECDHE_RSA premaster secret: not enough memory");
281        return;
282    }
283    auto shared_point = shared_point_result.release_value();
284
285    // Derive the premaster key from the shared point
286    auto premaster_key_result = m_context.server_key_exchange_curve->derive_premaster_key(shared_point);
287    if (premaster_key_result.is_error()) {
288        dbgln("Failed to build ECDHE_RSA premaster secret: not enough memory");
289        return;
290    }
291    m_context.premaster_key = premaster_key_result.release_value();
292
293    if constexpr (TLS_DEBUG) {
294        dbgln("Build ECDHE_RSA pre master secret");
295        dbgln("client private key: {:hex-dump}", (ReadonlyBytes)private_key);
296        dbgln("client public key:  {:hex-dump}", (ReadonlyBytes)public_key);
297        dbgln("premaster key:      {:hex-dump}", (ReadonlyBytes)m_context.premaster_key);
298    }
299
300    if (!compute_master_secret_from_pre_master_secret(48)) {
301        dbgln("oh noes we could not derive a master key :(");
302        return;
303    }
304
305    builder.append_u24(public_key.size() + 1);
306    builder.append((u8)public_key.size());
307    builder.append(public_key);
308}
309
310ByteBuffer TLSv12::build_certificate()
311{
312    PacketBuilder builder { MessageType::Handshake, m_context.options.version };
313
314    Vector<Certificate const&> certificates;
315    Vector<Certificate>* local_certificates = nullptr;
316
317    if (m_context.is_server) {
318        dbgln("Unsupported: Server mode");
319        VERIFY_NOT_REACHED();
320    } else {
321        local_certificates = &m_context.client_certificates;
322    }
323
324    constexpr size_t der_length_delta = 3;
325    constexpr size_t certificate_vector_header_size = 3;
326
327    size_t total_certificate_size = 0;
328
329    for (size_t i = 0; i < local_certificates->size(); ++i) {
330        auto& certificate = local_certificates->at(i);
331        if (!certificate.der.is_empty()) {
332            total_certificate_size += certificate.der.size() + der_length_delta;
333
334            // FIXME: Check for and respond with only the requested certificate types.
335            if (true) {
336                certificates.append(certificate);
337            }
338        }
339    }
340
341    builder.append((u8)HandshakeType::CertificateMessage);
342
343    if (!total_certificate_size) {
344        dbgln_if(TLS_DEBUG, "No certificates, sending empty certificate message");
345        builder.append_u24(certificate_vector_header_size);
346        builder.append_u24(total_certificate_size);
347    } else {
348        builder.append_u24(total_certificate_size + certificate_vector_header_size); // 3 bytes for header
349        builder.append_u24(total_certificate_size);
350
351        for (auto& certificate : certificates) {
352            if (!certificate.der.is_empty()) {
353                builder.append_u24(certificate.der.size());
354                builder.append(certificate.der.bytes());
355            }
356        }
357    }
358    auto packet = builder.build();
359    update_packet(packet);
360    return packet;
361}
362
363ByteBuffer TLSv12::build_client_key_exchange()
364{
365    bool chain_verified = m_context.verify_chain(m_context.extensions.SNI);
366    if (!chain_verified) {
367        dbgln("certificate verification failed :(");
368        alert(AlertLevel::Critical, AlertDescription::BadCertificate);
369        return {};
370    }
371
372    PacketBuilder builder { MessageType::Handshake, m_context.options.version };
373    builder.append((u8)HandshakeType::ClientKeyExchange);
374
375    switch (get_key_exchange_algorithm(m_context.cipher)) {
376    case KeyExchangeAlgorithm::RSA:
377        build_rsa_pre_master_secret(builder);
378        break;
379    case KeyExchangeAlgorithm::DHE_DSS:
380        dbgln("Client key exchange for DHE_DSS is not implemented");
381        TODO();
382        break;
383    case KeyExchangeAlgorithm::DH_DSS:
384    case KeyExchangeAlgorithm::DH_RSA:
385        dbgln("Client key exchange for DH algorithms is not implemented");
386        TODO();
387        break;
388    case KeyExchangeAlgorithm::DHE_RSA:
389        build_dhe_rsa_pre_master_secret(builder);
390        break;
391    case KeyExchangeAlgorithm::DH_anon:
392        dbgln("Client key exchange for DH_anon is not implemented");
393        TODO();
394        break;
395    case KeyExchangeAlgorithm::ECDHE_RSA:
396        build_ecdhe_rsa_pre_master_secret(builder);
397        break;
398    case KeyExchangeAlgorithm::ECDH_ECDSA:
399    case KeyExchangeAlgorithm::ECDH_RSA:
400    case KeyExchangeAlgorithm::ECDHE_ECDSA:
401    case KeyExchangeAlgorithm::ECDH_anon:
402        dbgln("Client key exchange for ECDHE algorithms is not implemented");
403        TODO();
404        break;
405    default:
406        dbgln("Unknown client key exchange algorithm");
407        VERIFY_NOT_REACHED();
408        break;
409    }
410
411    m_context.connection_status = ConnectionStatus::KeyExchange;
412
413    auto packet = builder.build();
414
415    update_packet(packet);
416
417    return packet;
418}
419
420}