Need help with REALITY implementation

[Pelfox]

Hi there! I'm currently working on implementing the REALITY protocol for educational purposes, but I'm stuck on the final step: AEAD decryption of the TLS payload.

To test my approach, I cloned the REALITY repository and wrote a small runnable Golang where I manually inserted the relevant values (like session_id from ClientHello, etc.). However, it's also failing at the last stage because the ConstantTimeCompare function returns 0.

Implementation structure

• First, I read the initial 5 bytes of the TLS header:
  • 1 byte for the record type
  • 2 bytes for the TLS version
  • 2 bytes for the body length
• Then, I allocate a buffer based on the body length and read the full payload from the stream
• I parse the TLS payload and extract all extensions, including the SNI and, most importantly, the KeyShare

KeyShare implementation

1. I read the total length of the keys
2. I iterate through the keys, parsing each group ID (2 bytes) and its corresponding key length (2 bytes)
3. If the group ID is 0x001D (29), I use the X25519 algorithm (from a known crypto library), the server’s private key, and the parsed key share to derive the shared secret, which I store

Next, I initialize an HKDF instance using SHA256:

• The salt is set to the first 20 bytes of the ClientHello's random field
• The IKM is the shared secret
• I expand the key using "REALITY" as the info

I then initialize the AEAD cipher using the cipher suite sent by the client. Finally:

• I extract the session_id from the ClientHello and use it as the msg for decryption
• The aad is set to the entire TLS payload
• The nonce is derived from the last 20 bytes of the ClientHello's random field

Despite all this, the AEAD decryption still fails. Any insight into what might be going wrong would be greatly appreciated!

Specific code snippets

KeyShare extension parsing

TlsExtension::KeyShare(data) => {
    let shared_keys = extract_shared_keys(data).await?;
    let mut auth_keys = Vec::with_capacity(shared_keys.len());

    for entry in shared_keys {
        println!("Key Share entry: {:#04x?}", entry);
        if entry.group_id == 0x001D {
            let exchange: [u8; 32] = entry.key_exchange.try_into().unwrap(); // TODO: checks
            let auth_key = x25519(self.private_key.to_bytes(), exchange);
            println!("Auth key: {:#04x?}", auth_key);
            auth_keys.push(auth_key);
        }
    }

    builder.auth_keys = auth_keys;
}

Hkdf & aead initialization

// create_aead_from_cipher_preference snippet
pub fn create_aead_from_cipher_preference(
    cipher_suites: &[u16],
    auth_key: &[u8],
    has_aes_gcm_hardware_support: bool,
) -> Result<AeadCipher, &'static str> {
    if auth_key.len() != 32 {
        return Err("auth_key must be 32 bytes");
    }

    if is_aes_gcm_preferred(cipher_suites, has_aes_gcm_hardware_support) {
        // AES-GCM chosen
        let key = aes_gcm::Key::<Aes256Gcm>::from_slice(auth_key);
        Ok(AeadCipher::AesGcm(Aes256Gcm::new(key)))
    } else {
        // ChaCha20-Poly1305 fallback
        let key = chacha20poly1305::Key::from_slice(auth_key);
        Ok(AeadCipher::ChaCha(ChaCha20Poly1305::new(key)))
    }
}
// ...

let hk = Hkdf::<Sha256>::new(Some(salt), &auth_key);
let mut shared_key = [0u8; 32];
hk.expand(b"REALITY", &mut shared_key)
    .map_err(EncryptionLayerError::HkdfError)?;

let aead = create_aead_from_cipher_preference(
    &ch.ciphers.iter().map(|c| c.0).collect::<Vec<u16>>(),
    &shared_key,
    true,
)
.map_err(EncryptionLayerError::AEADError)?;

Decryption

let plaintext = match aead {
    AeadCipher::AesGcm(c) => c.decrypt( // <- here the error occurs
        AesGcmNonce::from_slice(&ch.random[20..]),
        Payload {
            msg: ciphertext,
            aad: &payload.payload,
        },
    ),
    AeadCipher::ChaCha(c) => c.decrypt(
        ChaChaNonce::from_slice(&ch.random[20..]),
        Payload {
            msg: ciphertext,
            aad: &payload.payload,
        },
    ),
};

And here's the snippet from the openGeneric function from gcm_generic.go file:

var expectedTag [gcmTagSize]byte
gcmAuthGeneric(expectedTag[:], &H, &tagMask, ciphertext, additionalData)

log.Printf("%+v", expectedTag)
log.Printf("%+v", tag)
log.Printf("%+v", expectedTag[:g.tagSize])

if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
    return errOpen // <- here the error occurs
}

And the output:

2025/05/14 00:22:17 [105 204 100 246 43 70 135 110 53 124 148 190 182 186 4 152]
2025/05/14 00:22:17 [233 78 123 224 4 247 94 65 14 52 194 174 248 108 171 24]
2025/05/14 00:22:17 [105 204 100 246 43 70 135 110 53 124 148 190 182 186 4 152]

Any help would be really appreciated!

[Pelfox]

UPDATE: Getting deeper... Modified REALITY's source code and now dumping each possible buffer, and they are identical. ClientHello's random, shared key entry, session ID, even buffer for HDKF auth key after expannsion.

[Pelfox]

UPDATE: nailed it! The issue was that I wasn't resetting the client_id field of the ClientHello payload.