Add support for incomplete DS2 flow data with a zero tag.

2025-04-04 02:00:43 +00:00 · 2022-05-02 15:32:28 -04:00 · 2022-05-02 15:32:28 -04:00 · 1098cab272
commit 1098cab272
parent 0c586f92b6
5 changed files with 69 additions and 3 deletions
--- a/oscar/SleepLib/crypto.cpp
+++ b/oscar/SleepLib/crypto.cpp
@ -68,6 +68,38 @@ CryptoResult decrypt_aes256_gcm(const QByteArray & key,
    return result;
 }

+CryptoResult encrypt_aes256_gcm(const QByteArray & key,
+                                const QByteArray & iv, const QByteArray & plaintext,
+                                QByteArray & ciphertext, QByteArray & tag)
+{
+    CryptoResult result = OK;
+    ciphertext.clear();
+    try {
+        const std::vector<uint8_t> botan_key(key.begin(), key.end());
+        const std::vector<uint8_t> botan_iv(iv.begin(), iv.end());
+
+        Botan::secure_vector<uint8_t> botan_message(plaintext.begin(), plaintext.end());
+
+        std::unique_ptr<Botan::Cipher_Mode> enc = Botan::Cipher_Mode::create("AES-256/GCM", Botan::ENCRYPTION);
+        enc->set_key(botan_key);
+        enc->start(botan_iv);
+        enc->finish(botan_message);
+        //qDebug() << QString::fromStdString(Botan::hex_encode(botan_message.data(), botan_message.size()));
+
+        size_t tag_size = enc->tag_size();
+        QByteArray message((char*) botan_message.data(), botan_message.size());
+        tag = message.right(tag_size);
+        ciphertext = message.left(message.size() - tag_size);
+    }
+    catch (std::exception& e) {
+        // Make sure no Botan exceptions leak out and terminate the application.
+        qWarning() << "Unexpected exception in encrypt_aes256_gcm:" << e.what();
+        result = UnknownError;
+    }
+    return result;
+
+}
+
 CryptoResult pbkdf2_sha256(const QByteArray & passphrase, const QByteArray & salt, int iterations, QByteArray & key)
 {
    CryptoResult result = OK;
--- a/oscar/SleepLib/crypto.h
+++ b/oscar/SleepLib/crypto.h
@ -22,6 +22,9 @@ CryptoResult decrypt_aes256(const QByteArray & key, const QByteArray & ciphertex
 CryptoResult decrypt_aes256_gcm(const QByteArray & key,
                                const QByteArray & iv, const QByteArray & ciphertext, const QByteArray & tag,
                                QByteArray & plaintext);
+CryptoResult encrypt_aes256_gcm(const QByteArray & key,
+                                const QByteArray & iv, const QByteArray & plaintext,
+                                QByteArray & ciphertext, QByteArray & tag);
 CryptoResult pbkdf2_sha256(const QByteArray & passphrase, const QByteArray & salt, int iterations, QByteArray & key);

 #endif // CRYPTO_H
--- a/oscar/SleepLib/loader_plugins/prs1_loader.cpp
+++ b/oscar/SleepLib/loader_plugins/prs1_loader.cpp
@ -365,12 +365,23 @@ bool PRDS2File::decryptData()

    if (error) {
        if (error == InvalidTag) {
-            // This has been observed where the tag is zero and the data appears truncated.
-            qWarning() << name() << "DS2 payload doesn't match tag, skipping";
+            static const QByteArray s_zero_tag(16, 0);
+            if (m_payload_tag == s_zero_tag) {
+                // This has been observed where the tag is zero and the data appears truncated.
+                // Decrypt and ignore the tag. Rely on the decrypted payload's CRC for integrity.
+                qWarning() << name() << "DS2 payload has zero tag, recovering data";
+                error = encrypt_aes256_gcm(m_payload_key, m_iv, ciphertext, plaintext, m_payload_tag);
+                if (error) {
+                    qWarning() << "*** DS2 unexpected exception decrypting" << name();
+                }
+            } else {
+                qWarning() << name() << "DS2 payload doesn't match tag, skipping";
+            }
        } else {
            qWarning() << "*** DS2 unexpected exception decrypting" << name();
        }
-    } else {
+    }
+    if (!error) {
        m_payload.setData(plaintext);
        m_payload.open(QIODevice::ReadOnly);
        valid = true;
--- a/oscar/tests/cryptotests.cpp
+++ b/oscar/tests/cryptotests.cpp
@ -85,6 +85,25 @@ void CryptoTests::testAES256GCM()
    }
 }

+void CryptoTests::testAES256GCMencrypt()
+{
+    QByteArray empty;
+    for (int i = 0; i < s_AES256GCMVectorCount; i++) {
+        const AES256GCMVector_t* v = &s_AES256GCMVectors[i];
+        QByteArray key = QByteArray::fromHex(v->key);
+        QByteArray plaintext = QByteArray::fromHex(v->p);
+        QByteArray iv = QByteArray::fromHex(v->iv);
+        QByteArray expected_ciphertext = QByteArray::fromHex(v->c);
+        QByteArray expected_tag = QByteArray::fromHex(v->tag);
+
+        QByteArray ciphertext;
+        QByteArray tag;
+        CryptoResult result = encrypt_aes256_gcm(key, iv, plaintext, ciphertext, tag);
+        Q_ASSERT(result == OK);
+        Q_ASSERT(ciphertext == expected_ciphertext);
+        Q_ASSERT(tag == expected_tag);
+    }
+}

 void CryptoTests::testPBKDF2_SHA256()
 {
--- a/oscar/tests/cryptotests.h
+++ b/oscar/tests/cryptotests.h
@ -14,6 +14,7 @@ class CryptoTests : public QObject
 private slots:
    void testAES256();
    void testAES256GCM();
+    void testAES256GCMencrypt();
    void testPBKDF2_SHA256();
    void testPRS1Benchmarks();
 };