2020-04-21 01:57:23 +04:30
|
|
|
/*
|
2021-04-23 00:43:01 +04:30
|
|
|
* Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
|
2020-04-21 01:57:23 +04:30
|
|
|
*
|
2021-04-22 01:24:48 -07:00
|
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
2020-04-21 01:57:23 +04:30
|
|
|
*/
|
|
|
|
|
|
2022-02-21 22:11:15 +01:00
|
|
|
#include <AK/Base64.h>
|
2021-01-17 16:57:17 +01:00
|
|
|
#include <AK/Debug.h>
|
2020-08-25 15:11:15 +02:00
|
|
|
#include <AK/Endian.h>
|
2020-10-30 11:56:31 +03:30
|
|
|
#include <LibCore/ConfigFile.h>
|
2020-05-06 21:43:27 +04:30
|
|
|
#include <LibCore/DateTime.h>
|
2021-04-18 13:46:17 +04:30
|
|
|
#include <LibCore/File.h>
|
2020-04-21 01:57:23 +04:30
|
|
|
#include <LibCore/Timer.h>
|
2021-04-18 13:46:17 +04:30
|
|
|
#include <LibCrypto/ASN1/ASN1.h>
|
2020-08-02 05:27:42 +04:30
|
|
|
#include <LibCrypto/ASN1/PEM.h>
|
2022-02-21 22:25:34 +01:00
|
|
|
#include <LibCrypto/PK/Code/EMSA_PKCS1_V1_5.h>
|
2020-04-21 01:57:23 +04:30
|
|
|
#include <LibCrypto/PK/Code/EMSA_PSS.h>
|
|
|
|
|
#include <LibTLS/TLSv12.h>
|
2021-03-12 17:29:37 +01:00
|
|
|
#include <errno.h>
|
2020-04-21 01:57:23 +04:30
|
|
|
|
2020-05-29 22:22:01 +02:00
|
|
|
#ifndef SOCK_NONBLOCK
|
|
|
|
|
# include <sys/ioctl.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-04-21 01:57:23 +04:30
|
|
|
namespace TLS {
|
|
|
|
|
|
2020-12-19 15:07:09 +01:00
|
|
|
void TLSv12::consume(ReadonlyBytes record)
|
2020-04-21 01:57:23 +04:30
|
|
|
{
|
|
|
|
|
if (m_context.critical_error) {
|
2021-01-17 16:57:17 +01:00
|
|
|
dbgln("There has been a critical error ({}), refusing to continue", (i8)m_context.critical_error);
|
2020-04-21 01:57:23 +04:30
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (record.size() == 0) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-07 15:33:24 +03:30
|
|
|
dbgln_if(TLS_DEBUG, "Consuming {} bytes", record.size());
|
2020-04-21 01:57:23 +04:30
|
|
|
|
2021-11-10 14:33:44 +01:00
|
|
|
if (m_context.message_buffer.try_append(record).is_error()) {
|
2021-09-06 03:28:46 +04:30
|
|
|
dbgln("Not enough space in message buffer, dropping the record");
|
|
|
|
|
return;
|
|
|
|
|
}
|
2020-04-21 01:57:23 +04:30
|
|
|
|
|
|
|
|
size_t index { 0 };
|
|
|
|
|
size_t buffer_length = m_context.message_buffer.size();
|
|
|
|
|
|
|
|
|
|
size_t size_offset { 3 }; // read the common record header
|
|
|
|
|
size_t header_size { 5 };
|
2021-01-17 16:57:17 +01:00
|
|
|
|
2021-02-07 15:33:24 +03:30
|
|
|
dbgln_if(TLS_DEBUG, "message buffer length {}", buffer_length);
|
2021-01-17 16:57:17 +01:00
|
|
|
|
2020-04-21 01:57:23 +04:30
|
|
|
while (buffer_length >= 5) {
|
2021-05-14 09:22:56 +04:30
|
|
|
auto length = AK::convert_between_host_and_network_endian(ByteReader::load16(m_context.message_buffer.offset_pointer(index + size_offset))) + header_size;
|
2020-04-21 01:57:23 +04:30
|
|
|
if (length > buffer_length) {
|
2021-02-07 15:33:24 +03:30
|
|
|
dbgln_if(TLS_DEBUG, "Need more data: {} > {}", length, buffer_length);
|
2020-04-21 01:57:23 +04:30
|
|
|
break;
|
|
|
|
|
}
|
2020-12-19 18:19:15 +01:00
|
|
|
auto consumed = handle_message(m_context.message_buffer.bytes().slice(index, length));
|
2020-05-03 14:28:40 +02:00
|
|
|
|
2021-01-23 23:59:27 +01:00
|
|
|
if constexpr (TLS_DEBUG) {
|
2021-01-17 16:57:17 +01:00
|
|
|
if (consumed > 0)
|
|
|
|
|
dbgln("consumed {} bytes", consumed);
|
|
|
|
|
else
|
|
|
|
|
dbgln("error: {}", consumed);
|
|
|
|
|
}
|
2020-04-21 01:57:23 +04:30
|
|
|
|
|
|
|
|
if (consumed != (i8)Error::NeedMoreData) {
|
|
|
|
|
if (consumed < 0) {
|
2021-01-17 16:57:17 +01:00
|
|
|
dbgln("Consumed an error: {}", consumed);
|
2020-04-21 01:57:23 +04:30
|
|
|
if (!m_context.critical_error)
|
|
|
|
|
m_context.critical_error = (i8)consumed;
|
|
|
|
|
m_context.error_code = (Error)consumed;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
index += length;
|
|
|
|
|
buffer_length -= length;
|
|
|
|
|
if (m_context.critical_error) {
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("Broken connection");
|
2020-04-21 01:57:23 +04:30
|
|
|
m_context.error_code = Error::BrokenConnection;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (m_context.error_code != Error::NoError && m_context.error_code != Error::NeedMoreData) {
|
2021-01-17 16:57:17 +01:00
|
|
|
dbgln("consume error: {}", (i8)m_context.error_code);
|
2020-04-21 01:57:23 +04:30
|
|
|
m_context.message_buffer.clear();
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (index) {
|
2022-06-13 05:20:42 -07:00
|
|
|
// FIXME: Propagate errors.
|
|
|
|
|
m_context.message_buffer = MUST(m_context.message_buffer.slice(index, m_context.message_buffer.size() - index));
|
2020-04-21 01:57:23 +04:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-06 21:43:27 +04:30
|
|
|
bool Certificate::is_valid() const
|
|
|
|
|
{
|
|
|
|
|
auto now = Core::DateTime::now();
|
|
|
|
|
|
2021-04-18 13:46:17 +04:30
|
|
|
if (now < not_before) {
|
|
|
|
|
dbgln("certificate expired (not yet valid, signed for {})", not_before.to_string());
|
|
|
|
|
return false;
|
2020-05-06 21:43:27 +04:30
|
|
|
}
|
|
|
|
|
|
2021-04-18 13:46:17 +04:30
|
|
|
if (not_after < now) {
|
|
|
|
|
dbgln("certificate expired (expiry date {})", not_after.to_string());
|
|
|
|
|
return false;
|
2020-05-06 21:43:27 +04:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-05 13:24:00 +04:30
|
|
|
void TLSv12::try_disambiguate_error() const
|
|
|
|
|
{
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("Possible failure cause(s): ");
|
2020-05-05 13:24:00 +04:30
|
|
|
switch ((AlertDescription)m_context.critical_error) {
|
|
|
|
|
case AlertDescription::HandshakeFailure:
|
|
|
|
|
if (!m_context.cipher_spec_set) {
|
2021-02-07 07:19:34 +03:30
|
|
|
dbgln("- No cipher suite in common with {}", m_context.extensions.SNI);
|
2020-05-05 13:24:00 +04:30
|
|
|
} else {
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- Unknown internal issue");
|
2020-05-05 13:24:00 +04:30
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case AlertDescription::InsufficientSecurity:
|
2021-02-07 07:19:34 +03:30
|
|
|
dbgln("- No cipher suite in common with {} (the server is oh so secure)", m_context.extensions.SNI);
|
2020-05-05 13:24:00 +04:30
|
|
|
break;
|
2020-05-26 23:27:41 +01:00
|
|
|
case AlertDescription::ProtocolVersion:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- The server refused to negotiate with TLS 1.2 :(");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::UnexpectedMessage:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- We sent an invalid message for the state we're in.");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::BadRecordMAC:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- Bad MAC record from our side.");
|
|
|
|
|
dbgln("- Ciphertext wasn't an even multiple of the block length.");
|
|
|
|
|
dbgln("- Bad block cipher padding.");
|
|
|
|
|
dbgln("- If both sides are compliant, the only cause is messages being corrupted in the network.");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::RecordOverflow:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- Sent a ciphertext record which has a length bigger than 18432 bytes.");
|
|
|
|
|
dbgln("- Sent record decrypted to a compressed record that has a length bigger than 18432 bytes.");
|
|
|
|
|
dbgln("- If both sides are compliant, the only cause is messages being corrupted in the network.");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::DecompressionFailure:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- We sent invalid input for decompression (e.g. data that would expand to excessive length)");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::IllegalParameter:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- We sent a parameter in the handshake that is out of range or inconsistent with the other parameters.");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::DecodeError:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- The message we sent cannot be decoded because a field was out of range or the length was incorrect.");
|
|
|
|
|
dbgln("- If both sides are compliant, the only cause is messages being corrupted in the network.");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::DecryptError:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- A handshake crypto operation failed. This includes signature verification and validating Finished.");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::AccessDenied:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- The certificate is valid, but once access control was applied, the sender decided to stop negotiation.");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
|
|
|
|
case AlertDescription::InternalError:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- No one knows, but it isn't a protocol failure.");
|
2020-05-26 23:27:41 +01:00
|
|
|
break;
|
2020-05-05 13:24:00 +04:30
|
|
|
case AlertDescription::DecryptionFailed:
|
2020-05-26 23:27:41 +01:00
|
|
|
case AlertDescription::NoCertificate:
|
|
|
|
|
case AlertDescription::ExportRestriction:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- No one knows, the server sent a non-compliant alert.");
|
2020-05-05 13:24:00 +04:30
|
|
|
break;
|
|
|
|
|
default:
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("- No one knows.");
|
2020-05-05 13:24:00 +04:30
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-05-18 20:16:52 +02:00
|
|
|
|
2020-10-30 11:56:31 +03:30
|
|
|
void TLSv12::set_root_certificates(Vector<Certificate> certificates)
|
|
|
|
|
{
|
2022-02-21 22:25:34 +01:00
|
|
|
if (!m_context.root_certificates.is_empty()) {
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("TLS warn: resetting root certificates!");
|
2022-02-21 22:25:34 +01:00
|
|
|
m_context.root_certificates.clear();
|
|
|
|
|
}
|
2020-10-30 11:56:31 +03:30
|
|
|
|
|
|
|
|
for (auto& cert : certificates) {
|
|
|
|
|
if (!cert.is_valid())
|
2021-04-18 13:46:17 +04:30
|
|
|
dbgln("Certificate for {} by {} is invalid, things may or may not work!", cert.subject.subject, cert.issuer.subject);
|
2020-10-30 11:56:31 +03:30
|
|
|
// FIXME: Figure out what we should do when our root certs are invalid.
|
2022-02-21 22:25:34 +01:00
|
|
|
|
|
|
|
|
m_context.root_certificates.set(cert.subject_identifier_string(), cert);
|
2020-10-30 11:56:31 +03:30
|
|
|
}
|
2022-02-02 19:21:55 +03:30
|
|
|
dbgln_if(TLS_DEBUG, "{}: Set {} root certificates", this, m_context.root_certificates.size());
|
2020-10-30 11:56:31 +03:30
|
|
|
}
|
|
|
|
|
|
2022-03-15 19:16:44 +01:00
|
|
|
static bool wildcard_matches(StringView host, StringView subject)
|
|
|
|
|
{
|
2022-02-22 16:04:07 +01:00
|
|
|
if (host == subject)
|
2022-03-15 19:16:44 +01:00
|
|
|
return true;
|
|
|
|
|
|
2022-07-11 17:32:29 +00:00
|
|
|
if (subject.starts_with("*."sv)) {
|
2022-02-22 16:04:07 +01:00
|
|
|
auto maybe_first_dot_index = host.find('.');
|
|
|
|
|
if (maybe_first_dot_index.has_value()) {
|
|
|
|
|
auto first_dot_index = maybe_first_dot_index.release_value();
|
|
|
|
|
return wildcard_matches(host.substring_view(first_dot_index + 1), subject.substring_view(2));
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-03-15 19:16:44 +01:00
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool certificate_subject_matches_host(Certificate& cert, StringView host)
|
|
|
|
|
{
|
|
|
|
|
if (wildcard_matches(host, cert.subject.subject))
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
for (auto& san : cert.SAN) {
|
|
|
|
|
if (wildcard_matches(host, san))
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool Context::verify_chain(StringView host) const
|
2020-10-30 11:56:31 +03:30
|
|
|
{
|
2021-02-07 07:21:32 +03:30
|
|
|
if (!options.validate_certificates)
|
|
|
|
|
return true;
|
|
|
|
|
|
2022-04-01 20:58:27 +03:00
|
|
|
Vector<Certificate> const* local_chain = nullptr;
|
2020-10-30 11:56:31 +03:30
|
|
|
if (is_server) {
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("Unsupported: Server mode");
|
2020-10-30 11:56:31 +03:30
|
|
|
TODO();
|
|
|
|
|
} else {
|
|
|
|
|
local_chain = &certificates;
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-21 22:25:34 +01:00
|
|
|
if (local_chain->is_empty()) {
|
|
|
|
|
dbgln("verify_chain: Attempting to verify an empty chain");
|
|
|
|
|
return false;
|
2020-10-30 11:56:31 +03:30
|
|
|
}
|
|
|
|
|
|
2022-02-22 13:48:52 +01:00
|
|
|
// RFC5246 section 7.4.2: The sender's certificate MUST come first in the list. Each following certificate
|
|
|
|
|
// MUST directly certify the one preceding it. Because certificate validation requires that root keys be
|
|
|
|
|
// distributed independently, the self-signed certificate that specifies the root certificate authority MAY be
|
|
|
|
|
// omitted from the chain, under the assumption that the remote end must already possess it in order to validate
|
|
|
|
|
// it in any case.
|
|
|
|
|
|
2022-03-15 19:16:44 +01:00
|
|
|
if (!host.is_empty()) {
|
|
|
|
|
auto first_certificate = local_chain->first();
|
|
|
|
|
auto subject_matches = certificate_subject_matches_host(first_certificate, host);
|
|
|
|
|
if (!subject_matches) {
|
|
|
|
|
dbgln("verify_chain: First certificate does not match the hostname");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// FIXME: The host is taken from m_context.extensions.SNI, when is this empty?
|
|
|
|
|
dbgln("FIXME: verify_chain called without host");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-21 22:25:34 +01:00
|
|
|
for (size_t cert_index = 0; cert_index < local_chain->size(); ++cert_index) {
|
|
|
|
|
auto cert = local_chain->at(cert_index);
|
2020-10-30 11:56:31 +03:30
|
|
|
|
2022-02-21 22:25:34 +01:00
|
|
|
auto subject_string = cert.subject_identifier_string();
|
|
|
|
|
auto issuer_string = cert.issuer_identifier_string();
|
2020-10-30 11:56:31 +03:30
|
|
|
|
2022-02-21 22:25:34 +01:00
|
|
|
if (!cert.is_valid()) {
|
|
|
|
|
dbgln("verify_chain: Certificate is not valid {}", subject_string);
|
2020-10-30 11:56:31 +03:30
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-21 22:25:34 +01:00
|
|
|
auto maybe_root_certificate = root_certificates.get(issuer_string);
|
|
|
|
|
if (maybe_root_certificate.has_value()) {
|
2022-04-13 22:21:27 +02:00
|
|
|
auto& root_certificate = *maybe_root_certificate;
|
2022-02-21 22:25:34 +01:00
|
|
|
auto verification_correct = verify_certificate_pair(cert, root_certificate);
|
|
|
|
|
|
|
|
|
|
if (!verification_correct) {
|
|
|
|
|
dbgln("verify_chain: Signature inconsistent, {} was not signed by {} (root certificate)", subject_string, issuer_string);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Root certificate reached, and correctly verified, so we can stop now
|
|
|
|
|
return true;
|
2022-04-13 22:21:27 +02:00
|
|
|
}
|
2022-02-21 22:25:34 +01:00
|
|
|
|
2022-04-13 22:21:27 +02:00
|
|
|
if (subject_string == issuer_string) {
|
|
|
|
|
dbgln("verify_chain: Non-root self-signed certificate");
|
|
|
|
|
return options.allow_self_signed_certificates;
|
|
|
|
|
}
|
|
|
|
|
if ((cert_index + 1) >= local_chain->size()) {
|
|
|
|
|
dbgln("verify_chain: No trusted root certificate found before end of certificate chain");
|
|
|
|
|
dbgln("verify_chain: Last certificate in chain was signed by {}", issuer_string);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2022-02-21 22:25:34 +01:00
|
|
|
|
2022-04-13 22:21:27 +02:00
|
|
|
auto parent_certificate = local_chain->at(cert_index + 1);
|
|
|
|
|
if (issuer_string != parent_certificate.subject_identifier_string()) {
|
|
|
|
|
dbgln("verify_chain: Next certificate in the chain is not the issuer of this certificate");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2022-02-23 17:35:05 +01:00
|
|
|
|
2022-04-13 22:21:27 +02:00
|
|
|
if (!(parent_certificate.is_allowed_to_sign_certificate && parent_certificate.is_certificate_authority)) {
|
|
|
|
|
dbgln("verify_chain: {} is not marked as certificate authority", issuer_string);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
if (parent_certificate.path_length_constraint.has_value() && cert_index > parent_certificate.path_length_constraint.value()) {
|
|
|
|
|
dbgln("verify_chain: Path length for certificate exceeded");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool verification_correct = verify_certificate_pair(cert, parent_certificate);
|
|
|
|
|
if (!verification_correct) {
|
|
|
|
|
dbgln("verify_chain: Signature inconsistent, {} was not signed by {}", subject_string, issuer_string);
|
|
|
|
|
return false;
|
2022-02-21 22:25:34 +01:00
|
|
|
}
|
2020-10-30 11:56:31 +03:30
|
|
|
}
|
|
|
|
|
|
2022-02-21 22:25:34 +01:00
|
|
|
// Either a root certificate is reached, or parent validation fails as the end of the local chain is reached
|
|
|
|
|
VERIFY_NOT_REACHED();
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-13 22:21:27 +02:00
|
|
|
bool Context::verify_certificate_pair(Certificate const& subject, Certificate const& issuer) const
|
2022-02-21 22:25:34 +01:00
|
|
|
{
|
|
|
|
|
Crypto::Hash::HashKind kind;
|
|
|
|
|
switch (subject.signature_algorithm) {
|
|
|
|
|
case CertificateKeyAlgorithm::RSA_SHA1:
|
|
|
|
|
kind = Crypto::Hash::HashKind::SHA1;
|
|
|
|
|
break;
|
|
|
|
|
case CertificateKeyAlgorithm::RSA_SHA256:
|
|
|
|
|
kind = Crypto::Hash::HashKind::SHA256;
|
|
|
|
|
break;
|
|
|
|
|
case CertificateKeyAlgorithm::RSA_SHA384:
|
|
|
|
|
kind = Crypto::Hash::HashKind::SHA384;
|
|
|
|
|
break;
|
|
|
|
|
case CertificateKeyAlgorithm::RSA_SHA512:
|
|
|
|
|
kind = Crypto::Hash::HashKind::SHA512;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
dbgln("verify_certificate_pair: Unknown signature algorithm, expected RSA with SHA1/256/384/512, got {}", (u8)subject.signature_algorithm);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Crypto::PK::RSAPrivateKey dummy_private_key;
|
2022-04-13 22:21:27 +02:00
|
|
|
Crypto::PK::RSAPublicKey public_key_copy { issuer.public_key };
|
|
|
|
|
auto rsa = Crypto::PK::RSA(public_key_copy, dummy_private_key);
|
2022-02-21 22:25:34 +01:00
|
|
|
auto verification_buffer_result = ByteBuffer::create_uninitialized(subject.signature_value.size());
|
|
|
|
|
if (verification_buffer_result.is_error()) {
|
|
|
|
|
dbgln("verify_certificate_pair: Unable to allocate buffer for verification");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
auto verification_buffer = verification_buffer_result.release_value();
|
|
|
|
|
auto verification_buffer_bytes = verification_buffer.bytes();
|
|
|
|
|
rsa.verify(subject.signature_value, verification_buffer_bytes);
|
|
|
|
|
|
|
|
|
|
// FIXME: This slice is subject hack, this will work for most certificates, but you actually have to parse
|
|
|
|
|
// the ASN.1 data to correctly extract the signed part of the certificate.
|
|
|
|
|
ReadonlyBytes message = subject.original_asn1.bytes().slice(4, subject.original_asn1.size() - 4 - (5 + subject.signature_value.size()) - 15);
|
|
|
|
|
auto pkcs1 = Crypto::PK::EMSA_PKCS1_V1_5<Crypto::Hash::Manager>(kind);
|
|
|
|
|
auto verification = pkcs1.verify(message, verification_buffer_bytes, subject.signature_value.size() * 8);
|
|
|
|
|
return verification == Crypto::VerificationConsistency::Consistent;
|
2020-10-30 11:56:31 +03:30
|
|
|
}
|
|
|
|
|
|
2021-05-29 08:26:10 +02:00
|
|
|
template<typename HMACType>
|
2022-04-01 20:58:27 +03:00
|
|
|
static void hmac_pseudorandom_function(Bytes output, ReadonlyBytes secret, u8 const* label, size_t label_length, ReadonlyBytes seed, ReadonlyBytes seed_b)
|
2020-10-30 11:56:31 +03:30
|
|
|
{
|
2021-05-18 21:55:06 +02:00
|
|
|
if (!secret.size()) {
|
|
|
|
|
dbgln("null secret");
|
|
|
|
|
return;
|
|
|
|
|
}
|
2020-10-30 11:56:31 +03:30
|
|
|
|
2021-05-18 21:55:06 +02:00
|
|
|
auto append_label_seed = [&](auto& hmac) {
|
|
|
|
|
hmac.update(label, label_length);
|
|
|
|
|
hmac.update(seed);
|
|
|
|
|
if (seed_b.size() > 0)
|
|
|
|
|
hmac.update(seed_b);
|
|
|
|
|
};
|
2020-10-30 11:56:31 +03:30
|
|
|
|
2021-05-29 08:26:10 +02:00
|
|
|
HMACType hmac(secret);
|
2021-05-18 21:55:06 +02:00
|
|
|
append_label_seed(hmac);
|
2020-10-30 11:56:31 +03:30
|
|
|
|
2021-05-18 21:55:06 +02:00
|
|
|
constexpr auto digest_size = hmac.digest_size();
|
|
|
|
|
u8 digest[digest_size];
|
|
|
|
|
auto digest_0 = Bytes { digest, digest_size };
|
|
|
|
|
|
|
|
|
|
digest_0.overwrite(0, hmac.digest().immutable_data(), digest_size);
|
|
|
|
|
|
|
|
|
|
size_t index = 0;
|
|
|
|
|
while (index < output.size()) {
|
|
|
|
|
hmac.update(digest_0);
|
|
|
|
|
append_label_seed(hmac);
|
|
|
|
|
auto digest_1 = hmac.digest();
|
|
|
|
|
|
|
|
|
|
auto copy_size = min(digest_size, output.size() - index);
|
|
|
|
|
|
|
|
|
|
output.overwrite(index, digest_1.immutable_data(), copy_size);
|
|
|
|
|
index += copy_size;
|
|
|
|
|
|
|
|
|
|
digest_0.overwrite(0, hmac.process(digest_0).immutable_data(), digest_size);
|
|
|
|
|
}
|
2020-10-30 11:56:31 +03:30
|
|
|
}
|
|
|
|
|
|
2022-04-01 20:58:27 +03:00
|
|
|
void TLSv12::pseudorandom_function(Bytes output, ReadonlyBytes secret, u8 const* label, size_t label_length, ReadonlyBytes seed, ReadonlyBytes seed_b)
|
2021-05-29 08:26:10 +02:00
|
|
|
{
|
|
|
|
|
// Simplification: We only support the HMAC PRF with the hash function SHA-256 or stronger.
|
|
|
|
|
|
|
|
|
|
// RFC 5246: "In this section, we define one PRF, based on HMAC. This PRF with the
|
|
|
|
|
// SHA-256 hash function is used for all cipher suites defined in this
|
|
|
|
|
// document and in TLS documents published prior to this document when
|
|
|
|
|
// TLS 1.2 is negotiated. New cipher suites MUST explicitly specify a
|
|
|
|
|
// PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a
|
|
|
|
|
// stronger standard hash function."
|
|
|
|
|
|
|
|
|
|
switch (hmac_hash()) {
|
|
|
|
|
case Crypto::Hash::HashKind::SHA512:
|
|
|
|
|
hmac_pseudorandom_function<Crypto::Authentication::HMAC<Crypto::Hash::SHA512>>(output, secret, label, label_length, seed, seed_b);
|
|
|
|
|
break;
|
|
|
|
|
case Crypto::Hash::HashKind::SHA384:
|
|
|
|
|
hmac_pseudorandom_function<Crypto::Authentication::HMAC<Crypto::Hash::SHA384>>(output, secret, label, label_length, seed, seed_b);
|
|
|
|
|
break;
|
|
|
|
|
case Crypto::Hash::HashKind::SHA256:
|
|
|
|
|
hmac_pseudorandom_function<Crypto::Authentication::HMAC<Crypto::Hash::SHA256>>(output, secret, label, label_length, seed, seed_b);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
dbgln("Failed to find a suitable HMAC hash");
|
|
|
|
|
VERIFY_NOT_REACHED();
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-02 19:21:55 +03:30
|
|
|
TLSv12::TLSv12(StreamVariantType stream, Options options)
|
|
|
|
|
: m_stream(move(stream))
|
2020-05-18 20:16:52 +02:00
|
|
|
{
|
2021-02-07 07:21:32 +03:30
|
|
|
m_context.options = move(options);
|
2020-05-18 20:16:52 +02:00
|
|
|
m_context.is_server = false;
|
2021-09-06 03:29:52 +04:30
|
|
|
m_context.tls_buffer = {};
|
2022-02-02 19:21:55 +03:30
|
|
|
|
|
|
|
|
set_root_certificates(m_context.options.root_certificates.has_value()
|
|
|
|
|
? *m_context.options.root_certificates
|
|
|
|
|
: DefaultRootCACertificates::the().certificates());
|
|
|
|
|
|
|
|
|
|
setup_connection();
|
2020-05-18 20:16:52 +02:00
|
|
|
}
|
|
|
|
|
|
2022-02-02 19:21:55 +03:30
|
|
|
Vector<Certificate> TLSv12::parse_pem_certificate(ReadonlyBytes certificate_pem_buffer, ReadonlyBytes rsa_key) // FIXME: This should not be bound to RSA
|
2020-08-02 05:27:42 +04:30
|
|
|
{
|
|
|
|
|
if (certificate_pem_buffer.is_empty() || rsa_key.is_empty()) {
|
2022-02-02 19:21:55 +03:30
|
|
|
return {};
|
2020-08-02 05:27:42 +04:30
|
|
|
}
|
2022-02-02 19:21:55 +03:30
|
|
|
|
2021-02-14 14:50:42 +03:30
|
|
|
auto decoded_certificate = Crypto::decode_pem(certificate_pem_buffer);
|
2020-08-02 05:27:42 +04:30
|
|
|
if (decoded_certificate.is_empty()) {
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("Certificate not PEM");
|
2022-02-02 19:21:55 +03:30
|
|
|
return {};
|
2020-08-02 05:27:42 +04:30
|
|
|
}
|
|
|
|
|
|
2021-05-17 20:40:45 +02:00
|
|
|
auto maybe_certificate = Certificate::parse_asn1(decoded_certificate);
|
2020-08-02 05:27:42 +04:30
|
|
|
if (!maybe_certificate.has_value()) {
|
2021-01-09 18:51:44 +01:00
|
|
|
dbgln("Invalid certificate");
|
2022-02-02 19:21:55 +03:30
|
|
|
return {};
|
2020-08-02 05:27:42 +04:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Crypto::PK::RSA rsa(rsa_key);
|
2021-11-28 22:15:57 +01:00
|
|
|
auto certificate = maybe_certificate.release_value();
|
2020-08-02 05:27:42 +04:30
|
|
|
certificate.private_key = rsa.private_key();
|
|
|
|
|
|
2022-02-02 19:21:55 +03:30
|
|
|
return { move(certificate) };
|
2020-08-02 05:27:42 +04:30
|
|
|
}
|
|
|
|
|
|
2021-08-07 21:34:11 +02:00
|
|
|
Singleton<DefaultRootCACertificates> DefaultRootCACertificates::s_the;
|
2020-10-30 11:56:31 +03:30
|
|
|
DefaultRootCACertificates::DefaultRootCACertificates()
|
|
|
|
|
{
|
|
|
|
|
// FIXME: This might not be the best format, find a better way to represent CA certificates.
|
2022-02-21 22:11:15 +01:00
|
|
|
auto config_result = Core::ConfigFile::open_for_system("ca_certs");
|
|
|
|
|
if (config_result.is_error()) {
|
|
|
|
|
dbgln("Failed to load CA Certificates: {}", config_result.error());
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
auto config = config_result.release_value();
|
2022-09-30 14:59:37 +08:00
|
|
|
reload_certificates(config);
|
|
|
|
|
}
|
2022-02-21 22:11:15 +01:00
|
|
|
|
2022-09-30 14:59:37 +08:00
|
|
|
void DefaultRootCACertificates::reload_certificates(Core::ConfigFile& config)
|
|
|
|
|
{
|
|
|
|
|
m_ca_certificates.clear();
|
|
|
|
|
for (auto& entity : config.groups()) {
|
|
|
|
|
for (auto& subject : config.keys(entity)) {
|
|
|
|
|
auto certificate_base64 = config.read_entry(entity, subject);
|
2022-02-21 22:11:15 +01:00
|
|
|
auto certificate_data_result = decode_base64(certificate_base64);
|
|
|
|
|
if (certificate_data_result.is_error()) {
|
|
|
|
|
dbgln("Skipping CA Certificate {} {}: out of memory", entity, subject);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
auto certificate_data = certificate_data_result.release_value();
|
|
|
|
|
auto certificate_result = Certificate::parse_asn1(certificate_data.bytes());
|
|
|
|
|
// If the certificate does not parse it is likely using elliptic curve keys/signatures, which are not
|
|
|
|
|
// supported right now. Currently, ca_certs.ini should only contain certificates with RSA keys/signatures.
|
|
|
|
|
if (!certificate_result.has_value()) {
|
|
|
|
|
dbgln("Skipping CA Certificate {} {}: unable to parse", entity, subject);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
auto certificate = certificate_result.release_value();
|
|
|
|
|
m_ca_certificates.append(move(certificate));
|
|
|
|
|
}
|
2020-10-30 11:56:31 +03:30
|
|
|
}
|
2022-02-21 22:11:15 +01:00
|
|
|
|
2022-02-02 19:21:55 +03:30
|
|
|
dbgln("Loaded {} CA Certificates", m_ca_certificates.size());
|
2020-10-30 11:56:31 +03:30
|
|
|
}
|
2020-04-21 01:57:23 +04:30
|
|
|
}
|
