Ladybird/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-06-09 09:34:57 +09:00
Code Activity

LibTLS: Parse SECP256r1 parameters separately

Browse source
This commit is contained in:
devgianlu 2024-12-05 14:28:41 +01:00 committed by Ali Mohammad Pur
parent bce2893638
commit 27fbcf70bf
Notes: github-actions[bot] 2024-12-07 18:09:43 +00:00
2 changed files with 26 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

17
Libraries/LibTLS/HandshakeServer.cpp
View file

@ -452,13 +452,14 @@ ssize_t TLSv12::verify_ecdsa_server_key_exchange(ReadonlyBytes server_key_info_b
} }
auto signature_length = AK::convert_between_host_and_network_endian(ByteReader::load16(signature_buffer.offset_pointer(2))); auto signature_length = AK::convert_between_host_and_network_endian(ByteReader::load16(signature_buffer.offset_pointer(2)));
auto signature = signature_buffer.slice(4, signature_length); auto signature_bytes = signature_buffer.slice(4, signature_length);
if (m_context.certificates.is_empty()) { if (m_context.certificates.is_empty()) {
dbgln("verify_ecdsa_server_key_exchange failed: Attempting to verify signature without certificates"); dbgln("verify_ecdsa_server_key_exchange failed: Attempting to verify signature without certificates");
return (i8)Error::NotSafe; return (i8)Error::NotSafe;
} }
ReadonlyBytes server_point = m_context.certificates.first().public_key.raw_key; auto server_public_key = m_context.certificates.first().public_key.ec;
auto server_point = Crypto::Curves::SECPxxxr1Point { server_public_key.x(), server_public_key.y() };
auto message_result = ByteBuffer::create_uninitialized(64 + server_key_info_buffer.size()); auto message_result = ByteBuffer::create_uninitialized(64 + server_key_info_buffer.size());
if (message_result.is_error()) { if (message_result.is_error()) {
@ -494,6 +495,14 @@ ssize_t TLSv12::verify_ecdsa_server_key_exchange(ReadonlyBytes server_key_info_b
return (i8)Error::NotUnderstood; return (i8)Error::NotUnderstood;
} }
auto maybe_signature = Crypto::Curves::SECPxxxr1Signature::from_asn(signature_bytes, {});
if (maybe_signature.is_error()) {
dbgln("verify_ecdsa_server_key_exchange failed: Signature is not ASN.1 DER encoded");
return (i8)Error::NotUnderstood;
}
auto signature = maybe_signature.release_value();
switch (ec_curve.release_value()) { switch (ec_curve.release_value()) {
case SupportedGroup::SECP256R1: { case SupportedGroup::SECP256R1: {
Crypto::Hash::Manager manager(hash_kind); Crypto::Hash::Manager manager(hash_kind);
@ -501,7 +510,7 @@ ssize_t TLSv12::verify_ecdsa_server_key_exchange(ReadonlyBytes server_key_info_b
auto digest = manager.digest(); auto digest = manager.digest();
Crypto::Curves::SECP256r1 curve; Crypto::Curves::SECP256r1 curve;
res = curve.verify(digest.bytes(), server_point, signature); res = curve.verify_point(digest.bytes(), server_point, signature);
break; break;
} }
case SupportedGroup::SECP384R1: { case SupportedGroup::SECP384R1: {
@ -510,7 +519,7 @@ ssize_t TLSv12::verify_ecdsa_server_key_exchange(ReadonlyBytes server_key_info_b
auto digest = manager.digest(); auto digest = manager.digest();
Crypto::Curves::SECP384r1 curve; Crypto::Curves::SECP384r1 curve;
res = curve.verify(digest.bytes(), server_point, signature); res = curve.verify_point(digest.bytes(), server_point, signature);
break; break;
} }
default: { default: {

15
Libraries/LibTLS/TLSv12.cpp
View file

@ -371,6 +371,17 @@ bool Context::verify_certificate_pair(Certificate const& subject, Certificate co
return false; return false;
} }
auto public_key = issuer.public_key.ec;
auto public_point = Crypto::Curves::SECPxxxr1Point { public_key.x(), public_key.y() };
auto maybe_signature = Crypto::Curves::SECPxxxr1Signature::from_asn(subject.signature_value, {});
if (maybe_signature.is_error()) {
dbgln("verify_certificate_pair: Signature is not ASN.1 DER encoded");
return false;
}
auto signature = maybe_signature.release_value();
switch (ec_curve.release_value()) { switch (ec_curve.release_value()) {
case SupportedGroup::SECP256R1: { case SupportedGroup::SECP256R1: {
Crypto::Hash::Manager hasher(kind); Crypto::Hash::Manager hasher(kind);
@ -378,7 +389,7 @@ bool Context::verify_certificate_pair(Certificate const& subject, Certificate co
auto hash = hasher.digest(); auto hash = hasher.digest();
Crypto::Curves::SECP256r1 curve; Crypto::Curves::SECP256r1 curve;
auto result = curve.verify(hash.bytes(), issuer.public_key.raw_key, subject.signature_value); auto result = curve.verify_point(hash.bytes(), public_point, signature);
if (result.is_error()) { if (result.is_error()) {
dbgln("verify_certificate_pair: Failed to check SECP256r1 signature {}", result.release_error()); dbgln("verify_certificate_pair: Failed to check SECP256r1 signature {}", result.release_error());
return false; return false;
@ -391,7 +402,7 @@ bool Context::verify_certificate_pair(Certificate const& subject, Certificate co
auto hash = hasher.digest(); auto hash = hasher.digest();
Crypto::Curves::SECP384r1 curve; Crypto::Curves::SECP384r1 curve;
auto result = curve.verify(hash.bytes(), issuer.public_key.raw_key, subject.signature_value); auto result = curve.verify_point(hash.bytes(), public_point, signature);
if (result.is_error()) { if (result.is_error()) {
dbgln("verify_certificate_pair: Failed to check SECP384r1 signature {}", result.release_error()); dbgln("verify_certificate_pair: Failed to check SECP384r1 signature {}", result.release_error());
return false; return false;