void TableGet::CheckTable() { cs_.B_.SetInsertPoint(entry_); cs_.B_.CreateCondBr(table_.HasTag(ctb(LUA_TTABLE)), switchtag_, finishget_); auto ttvalue = static_cast<llvm::PointerType*>(cs_.rt_.GetType("TValue")); auto nulltvalue = llvm::ConstantPointerNull::get(ttvalue); tms_.push_back({nulltvalue, entry_}); }
void TableGet::SwithTag() { #if 1 cs_.B_.SetInsertPoint(switchtag_); tablevalue_ = table_.GetTable(); auto s = cs_.B_.CreateSwitch(key_.GetTag(), getany_, 4); auto AddCase = [&](int v, llvm::BasicBlock* block) { s->addCase(static_cast<llvm::ConstantInt*>(cs_.MakeInt(v)), block); }; AddCase(LUA_TNUMINT, getint_); AddCase(ctb(LUA_TSHRSTR), getshrstr_); AddCase(ctb(LUA_TLNGSTR), getlngstr_); AddCase(LUA_TNIL, searchtm_); #else cs_.B_.SetInsertPoint(switchtag_); tablevalue_ = table_.GetTable(); cs_.B_.CreateBr(getany_); #endif }
vector<Update::IUpdateJob::ptr> WaveformBlockFilter:: prepareUpdate(Tfr::ChunkAndInverse& chunk) { Update::IUpdateJob::ptr ctb(new WaveformBlockUpdater::Job{chunk.input}); return vector<Update::IUpdateJob::ptr>{ctb}; }
void tSecureStream::m_setupClient(const tRSA& rsa, string appGreeting) { // This block is protected by constant timing in case // there is a man-in-the-middle who is causing the client // connection to fail over-and-over and analysing the time // it takes for the client to re-start the connection. // This block prevents info from being leaked about the // particular pre_secret that is being used by the current // connection attempt. vector<u8> rand_c, pre_secret, enc; { tConstTimeBlock ctb(&gClientInitTimingHistory); // Generate the client random vector. rand_c = s_genRand(kRandVectLen); // Generate the pre-secret random vector. pre_secret = s_genRand(kPreSecretLen); // Encrypt the pre-secret under the server's RSA public key. enc = rsa.encrypt(pre_secret); } // Send all this to the server. pack(m_internal_writable, kLibrhoGreeting); pack(m_internal_writable, appGreeting); pack(m_internal_writable, rand_c); pack(m_internal_writable, enc); s_flush(m_internal_writable); // Read the greeting from the server. // We don't care if timing info is leaked here // because 'kSuccessfulGreeting' is not a secret. string greetingResponse; try { unpack(m_internal_readable, greetingResponse, (u32)(std::max(kSuccessfulGreeting.length(), kFailedGreeting.length()))); } catch (ebObject& e) { throw eRuntimeError("The secure server didn't reply with its greeting."); } if (greetingResponse != kSuccessfulGreeting) throw eRuntimeError("The secure server sent a failure greeting."); // Read the random server bytes. // Again, we don't care about leaking timing info here. vector<u8> rand_s; try { unpack(m_internal_readable, rand_s, kRandVectLen); } catch (ebObject& e) { throw eRuntimeError("The secure server sent a random vector of the wrong length."); } if (rand_s.size() != kRandVectLen) throw eRuntimeError("The secure server sent a random vector of the wrong length."); // Another const timing block. vector<u8> secret, fPrime, g; { tConstTimeBlock ctb(&gClientProcessResponseTimingHistory); // Calculated the shared secret (from the pre-secret). secret = H1(pre_secret, rand_c, rand_s); // Calculate the correct response from the server. fPrime = H2(secret, rand_c, rand_s); // Calculate the proof-of-client. g = H3(secret, rand_c, rand_s); } // Read the proof-of-server hash. vector<u8> f; try { unpack(m_internal_readable, f, (u32)fPrime.size()); } catch (ebObject& e) { throw eRuntimeError("The secure server failed to verify itself."); } if (!s_constTimeIsEqual(f, fPrime)) throw eRuntimeError("The secure server failed to verify itself."); // Send the proof-of-client. (That is, prove we are not just replaying some other connection.) pack(m_internal_writable, g); s_flush(m_internal_writable); // Setup secure streams with the server. vector<u8> ksw = H4(pre_secret, secret, rand_c, rand_s); // <-- the Key for the Server Writer vector<u8> kcw = H5(pre_secret, secret, rand_c, rand_s); // <-- the Key for the Client Writer m_readable = new tReadableAES(m_internal_readable, kOpModeCBC, &ksw[0], s_toKeyLen(ksw.size())); m_writable = new tWritableAES(m_internal_writable, kOpModeCBC, &kcw[0], s_toKeyLen(kcw.size())); }
void tSecureStream::m_setupServer(const tRSA& rsa, string appGreeting) { // Read the greeting (part 1) from the client. // Note: The following DOES leak timing information, but we don't // care because 'kLibrhoGreeting' isn't a secret. string receivedLibrhoGreeting; try { unpack(m_internal_readable, receivedLibrhoGreeting, (u32)kLibrhoGreeting.size()); } catch (ebObject& e) { s_failConnection(m_internal_writable, "The secure client did not greet me properly."); } if (receivedLibrhoGreeting != kLibrhoGreeting) s_failConnection(m_internal_writable, "The secure client did not greet me properly."); // Read the greeting (part 2) from the client. // Note: The following DOES leak timing information, but we don't // care because 'appGreeting' isn't a secret. string receivedAppGreeting; try { unpack(m_internal_readable, receivedAppGreeting, (u32)appGreeting.size()); } catch (ebObject& e) { s_failConnection(m_internal_writable, "The secure client requested a different application."); } if (receivedAppGreeting != appGreeting) s_failConnection(m_internal_writable, "The secure client requested a different application."); // Read the client's random bytes. // Again, we don't care about the leaked info here because the correct // random vector length is not a secret. vector<u8> rand_c; try { unpack(m_internal_readable, rand_c, kRandVectLen); } catch (ebObject& e) { s_failConnection(m_internal_writable, "The secure client sent a random byte vector of the wrong length."); } if (rand_c.size() != kRandVectLen) s_failConnection(m_internal_writable, "The secure client sent a random byte vector of the wrong length."); // Read the encrypted pre-secret from the client. // (No info is leaked by this section.) vector<u8> enc; try { unpack(m_internal_readable, enc, rsa.maxMessageLength()+5); } catch (ebObject& e) { s_failConnection(m_internal_writable, "The secure client failed to send an encrypted pre-secret."); } // Now that the server has read everything from the client, it // will do some calculations. // We will protect this section with a const time block to // protect against timing side-channel attacks. vector<u8> pre_secret, rand_s, secret, f, gPrime; { // This object is constructed in this code block, and it // will be destructed when this block ends. The d'tor of // this class calls sleep() in order to enforce consistent // timing of the execution of this block. tConstTimeBlock ctb(&gServerProcessGreetingTimingHistory); // Decrypt the pre-secret and make sure it looks okay. pre_secret = rsa.decrypt(enc); if (pre_secret.size() != kPreSecretLen) s_failConnection(m_internal_writable, "The secure client gave a pre-secret that is the wrong length."); // Generate the server random byte vector. rand_s = s_genRand(kRandVectLen); // Calculated the shared secret (from the pre-secret). secret = H1(pre_secret, rand_c, rand_s); // Calculate the proof-of-server hash. (The convinces the client that we are the actual server.) f = H2(secret, rand_c, rand_s); // Calculate what the client correct response would be. gPrime = H3(secret, rand_c, rand_s); } // Write back to the client all this stuff. pack(m_internal_writable, kSuccessfulGreeting); pack(m_internal_writable, rand_s); pack(m_internal_writable, f); s_flush(m_internal_writable); // Have the client prove that it is a real client, not a reply attack. vector<u8> g; try { unpack(m_internal_readable, g, (u32)gPrime.size()); } catch (ebObject& e) { throw eRuntimeError("The secure client failed to show proof that it is real."); } if (!s_constTimeIsEqual(g, gPrime)) throw eRuntimeError("The secure client failed to show proof that it is real."); // Setup secure streams with the client. vector<u8> ksw = H4(pre_secret, secret, rand_c, rand_s); // <-- the Key for the Server Writer vector<u8> kcw = H5(pre_secret, secret, rand_c, rand_s); // <-- the Key for the Client Writer m_readable = new tReadableAES(m_internal_readable, kOpModeCBC, &kcw[0], s_toKeyLen(kcw.size())); m_writable = new tWritableAES(m_internal_writable, kOpModeCBC, &ksw[0], s_toKeyLen(ksw.size())); }