void TableGet::CheckTable() {
cs_.B_.SetInsertPoint(entry_);
cs_.B_.CreateCondBr(table_.HasTag(ctb(LUA_TTABLE)), switchtag_, finishget_);
auto ttvalue = static_cast<llvm::PointerType*>(cs_.rt_.GetType("TValue"));
auto nulltvalue = llvm::ConstantPointerNull::get(ttvalue);
tms_.push_back({nulltvalue, entry_});
}
void TableGet::SwithTag() {
#if 1
cs_.B_.SetInsertPoint(switchtag_);
tablevalue_ = table_.GetTable();
auto s = cs_.B_.CreateSwitch(key_.GetTag(), getany_, 4);
auto AddCase = [&](int v, llvm::BasicBlock* block) {
s->addCase(static_cast<llvm::ConstantInt*>(cs_.MakeInt(v)), block);
};
AddCase(LUA_TNUMINT, getint_);
AddCase(ctb(LUA_TSHRSTR), getshrstr_);
AddCase(ctb(LUA_TLNGSTR), getlngstr_);
AddCase(LUA_TNIL, searchtm_);
#else
cs_.B_.SetInsertPoint(switchtag_);
tablevalue_ = table_.GetTable();
cs_.B_.CreateBr(getany_);
#endif
}
vector<Update::IUpdateJob::ptr> WaveformBlockFilter::
prepareUpdate(Tfr::ChunkAndInverse& chunk)
{
Update::IUpdateJob::ptr ctb(new WaveformBlockUpdater::Job{chunk.input});
return vector<Update::IUpdateJob::ptr>{ctb};
}
void tSecureStream::m_setupClient(const tRSA& rsa, string appGreeting)
{
// This block is protected by constant timing in case
// there is a man-in-the-middle who is causing the client
// connection to fail over-and-over and analysing the time
// it takes for the client to re-start the connection.
// This block prevents info from being leaked about the
// particular pre_secret that is being used by the current
// connection attempt.
vector<u8> rand_c, pre_secret, enc;
{
tConstTimeBlock ctb(&gClientInitTimingHistory);
// Generate the client random vector.
rand_c = s_genRand(kRandVectLen);
// Generate the pre-secret random vector.
pre_secret = s_genRand(kPreSecretLen);
// Encrypt the pre-secret under the server's RSA public key.
enc = rsa.encrypt(pre_secret);
}
// Send all this to the server.
pack(m_internal_writable, kLibrhoGreeting);
pack(m_internal_writable, appGreeting);
pack(m_internal_writable, rand_c);
pack(m_internal_writable, enc);
s_flush(m_internal_writable);
// Read the greeting from the server.
// We don't care if timing info is leaked here
// because 'kSuccessfulGreeting' is not a secret.
string greetingResponse;
try {
unpack(m_internal_readable, greetingResponse,
(u32)(std::max(kSuccessfulGreeting.length(), kFailedGreeting.length())));
} catch (ebObject& e) {
throw eRuntimeError("The secure server didn't reply with its greeting.");
}
if (greetingResponse != kSuccessfulGreeting)
throw eRuntimeError("The secure server sent a failure greeting.");
// Read the random server bytes.
// Again, we don't care about leaking timing info here.
vector<u8> rand_s;
try {
unpack(m_internal_readable, rand_s, kRandVectLen);
} catch (ebObject& e) {
throw eRuntimeError("The secure server sent a random vector of the wrong length.");
}
if (rand_s.size() != kRandVectLen)
throw eRuntimeError("The secure server sent a random vector of the wrong length.");
// Another const timing block.
vector<u8> secret, fPrime, g;
{
tConstTimeBlock ctb(&gClientProcessResponseTimingHistory);
// Calculated the shared secret (from the pre-secret).
secret = H1(pre_secret, rand_c, rand_s);
// Calculate the correct response from the server.
fPrime = H2(secret, rand_c, rand_s);
// Calculate the proof-of-client.
g = H3(secret, rand_c, rand_s);
}
// Read the proof-of-server hash.
vector<u8> f;
try {
unpack(m_internal_readable, f, (u32)fPrime.size());
} catch (ebObject& e) {
throw eRuntimeError("The secure server failed to verify itself.");
}
if (!s_constTimeIsEqual(f, fPrime))
throw eRuntimeError("The secure server failed to verify itself.");
// Send the proof-of-client. (That is, prove we are not just replaying some other connection.)
pack(m_internal_writable, g);
s_flush(m_internal_writable);
// Setup secure streams with the server.
vector<u8> ksw = H4(pre_secret, secret, rand_c, rand_s); // <-- the Key for the Server Writer
vector<u8> kcw = H5(pre_secret, secret, rand_c, rand_s); // <-- the Key for the Client Writer
m_readable = new tReadableAES(m_internal_readable, kOpModeCBC,
&ksw[0], s_toKeyLen(ksw.size()));
m_writable = new tWritableAES(m_internal_writable, kOpModeCBC,
&kcw[0], s_toKeyLen(kcw.size()));
}
void tSecureStream::m_setupServer(const tRSA& rsa, string appGreeting)
{
// Read the greeting (part 1) from the client.
// Note: The following DOES leak timing information, but we don't
// care because 'kLibrhoGreeting' isn't a secret.
string receivedLibrhoGreeting;
try {
unpack(m_internal_readable, receivedLibrhoGreeting, (u32)kLibrhoGreeting.size());
} catch (ebObject& e) {
s_failConnection(m_internal_writable, "The secure client did not greet me properly.");
}
if (receivedLibrhoGreeting != kLibrhoGreeting)
s_failConnection(m_internal_writable, "The secure client did not greet me properly.");
// Read the greeting (part 2) from the client.
// Note: The following DOES leak timing information, but we don't
// care because 'appGreeting' isn't a secret.
string receivedAppGreeting;
try {
unpack(m_internal_readable, receivedAppGreeting, (u32)appGreeting.size());
} catch (ebObject& e) {
s_failConnection(m_internal_writable, "The secure client requested a different application.");
}
if (receivedAppGreeting != appGreeting)
s_failConnection(m_internal_writable, "The secure client requested a different application.");
// Read the client's random bytes.
// Again, we don't care about the leaked info here because the correct
// random vector length is not a secret.
vector<u8> rand_c;
try {
unpack(m_internal_readable, rand_c, kRandVectLen);
} catch (ebObject& e) {
s_failConnection(m_internal_writable, "The secure client sent a random byte vector of the wrong length.");
}
if (rand_c.size() != kRandVectLen)
s_failConnection(m_internal_writable, "The secure client sent a random byte vector of the wrong length.");
// Read the encrypted pre-secret from the client.
// (No info is leaked by this section.)
vector<u8> enc;
try {
unpack(m_internal_readable, enc, rsa.maxMessageLength()+5);
} catch (ebObject& e) {
s_failConnection(m_internal_writable, "The secure client failed to send an encrypted pre-secret.");
}
// Now that the server has read everything from the client, it
// will do some calculations.
// We will protect this section with a const time block to
// protect against timing side-channel attacks.
vector<u8> pre_secret, rand_s, secret, f, gPrime;
{
// This object is constructed in this code block, and it
// will be destructed when this block ends. The d'tor of
// this class calls sleep() in order to enforce consistent
// timing of the execution of this block.
tConstTimeBlock ctb(&gServerProcessGreetingTimingHistory);
// Decrypt the pre-secret and make sure it looks okay.
pre_secret = rsa.decrypt(enc);
if (pre_secret.size() != kPreSecretLen)
s_failConnection(m_internal_writable, "The secure client gave a pre-secret that is the wrong length.");
// Generate the server random byte vector.
rand_s = s_genRand(kRandVectLen);
// Calculated the shared secret (from the pre-secret).
secret = H1(pre_secret, rand_c, rand_s);
// Calculate the proof-of-server hash. (The convinces the client that we are the actual server.)
f = H2(secret, rand_c, rand_s);
// Calculate what the client correct response would be.
gPrime = H3(secret, rand_c, rand_s);
}
// Write back to the client all this stuff.
pack(m_internal_writable, kSuccessfulGreeting);
pack(m_internal_writable, rand_s);
pack(m_internal_writable, f);
s_flush(m_internal_writable);
// Have the client prove that it is a real client, not a reply attack.
vector<u8> g;
try {
unpack(m_internal_readable, g, (u32)gPrime.size());
} catch (ebObject& e) {
throw eRuntimeError("The secure client failed to show proof that it is real.");
}
if (!s_constTimeIsEqual(g, gPrime))
throw eRuntimeError("The secure client failed to show proof that it is real.");
// Setup secure streams with the client.
vector<u8> ksw = H4(pre_secret, secret, rand_c, rand_s); // <-- the Key for the Server Writer
vector<u8> kcw = H5(pre_secret, secret, rand_c, rand_s); // <-- the Key for the Client Writer
m_readable = new tReadableAES(m_internal_readable, kOpModeCBC,
&kcw[0], s_toKeyLen(kcw.size()));
m_writable = new tWritableAES(m_internal_writable, kOpModeCBC,
&ksw[0], s_toKeyLen(ksw.size()));
}
