From 1098cab27287e174ddc9e691105e216ac445f338 Mon Sep 17 00:00:00 2001 From: sawinglogz <3787776-sawinglogz@users.noreply.gitlab.com> Date: Mon, 2 May 2022 15:32:28 -0400 Subject: [PATCH] Add support for incomplete DS2 flow data with a zero tag. --- oscar/SleepLib/crypto.cpp | 32 +++++++++++++++++++ oscar/SleepLib/crypto.h | 3 ++ oscar/SleepLib/loader_plugins/prs1_loader.cpp | 17 ++++++++-- oscar/tests/cryptotests.cpp | 19 +++++++++++ oscar/tests/cryptotests.h | 1 + 5 files changed, 69 insertions(+), 3 deletions(-) diff --git a/oscar/SleepLib/crypto.cpp b/oscar/SleepLib/crypto.cpp index 1791a646..35d068a4 100644 --- a/oscar/SleepLib/crypto.cpp +++ b/oscar/SleepLib/crypto.cpp @@ -68,6 +68,38 @@ CryptoResult decrypt_aes256_gcm(const QByteArray & key, return result; } +CryptoResult encrypt_aes256_gcm(const QByteArray & key, + const QByteArray & iv, const QByteArray & plaintext, + QByteArray & ciphertext, QByteArray & tag) +{ + CryptoResult result = OK; + ciphertext.clear(); + try { + const std::vector botan_key(key.begin(), key.end()); + const std::vector botan_iv(iv.begin(), iv.end()); + + Botan::secure_vector botan_message(plaintext.begin(), plaintext.end()); + + std::unique_ptr enc = Botan::Cipher_Mode::create("AES-256/GCM", Botan::ENCRYPTION); + enc->set_key(botan_key); + enc->start(botan_iv); + enc->finish(botan_message); + //qDebug() << QString::fromStdString(Botan::hex_encode(botan_message.data(), botan_message.size())); + + size_t tag_size = enc->tag_size(); + QByteArray message((char*) botan_message.data(), botan_message.size()); + tag = message.right(tag_size); + ciphertext = message.left(message.size() - tag_size); + } + catch (std::exception& e) { + // Make sure no Botan exceptions leak out and terminate the application. + qWarning() << "Unexpected exception in encrypt_aes256_gcm:" << e.what(); + result = UnknownError; + } + return result; + +} + CryptoResult pbkdf2_sha256(const QByteArray & passphrase, const QByteArray & salt, int iterations, QByteArray & key) { CryptoResult result = OK; diff --git a/oscar/SleepLib/crypto.h b/oscar/SleepLib/crypto.h index ec7907e6..f21b53d8 100644 --- a/oscar/SleepLib/crypto.h +++ b/oscar/SleepLib/crypto.h @@ -22,6 +22,9 @@ CryptoResult decrypt_aes256(const QByteArray & key, const QByteArray & ciphertex CryptoResult decrypt_aes256_gcm(const QByteArray & key, const QByteArray & iv, const QByteArray & ciphertext, const QByteArray & tag, QByteArray & plaintext); +CryptoResult encrypt_aes256_gcm(const QByteArray & key, + const QByteArray & iv, const QByteArray & plaintext, + QByteArray & ciphertext, QByteArray & tag); CryptoResult pbkdf2_sha256(const QByteArray & passphrase, const QByteArray & salt, int iterations, QByteArray & key); #endif // CRYPTO_H diff --git a/oscar/SleepLib/loader_plugins/prs1_loader.cpp b/oscar/SleepLib/loader_plugins/prs1_loader.cpp index cf011006..002d4315 100644 --- a/oscar/SleepLib/loader_plugins/prs1_loader.cpp +++ b/oscar/SleepLib/loader_plugins/prs1_loader.cpp @@ -365,12 +365,23 @@ bool PRDS2File::decryptData() if (error) { if (error == InvalidTag) { - // This has been observed where the tag is zero and the data appears truncated. - qWarning() << name() << "DS2 payload doesn't match tag, skipping"; + static const QByteArray s_zero_tag(16, 0); + if (m_payload_tag == s_zero_tag) { + // This has been observed where the tag is zero and the data appears truncated. + // Decrypt and ignore the tag. Rely on the decrypted payload's CRC for integrity. + qWarning() << name() << "DS2 payload has zero tag, recovering data"; + error = encrypt_aes256_gcm(m_payload_key, m_iv, ciphertext, plaintext, m_payload_tag); + if (error) { + qWarning() << "*** DS2 unexpected exception decrypting" << name(); + } + } else { + qWarning() << name() << "DS2 payload doesn't match tag, skipping"; + } } else { qWarning() << "*** DS2 unexpected exception decrypting" << name(); } - } else { + } + if (!error) { m_payload.setData(plaintext); m_payload.open(QIODevice::ReadOnly); valid = true; diff --git a/oscar/tests/cryptotests.cpp b/oscar/tests/cryptotests.cpp index ae84ddda..cb3506df 100644 --- a/oscar/tests/cryptotests.cpp +++ b/oscar/tests/cryptotests.cpp @@ -85,6 +85,25 @@ void CryptoTests::testAES256GCM() } } +void CryptoTests::testAES256GCMencrypt() +{ + QByteArray empty; + for (int i = 0; i < s_AES256GCMVectorCount; i++) { + const AES256GCMVector_t* v = &s_AES256GCMVectors[i]; + QByteArray key = QByteArray::fromHex(v->key); + QByteArray plaintext = QByteArray::fromHex(v->p); + QByteArray iv = QByteArray::fromHex(v->iv); + QByteArray expected_ciphertext = QByteArray::fromHex(v->c); + QByteArray expected_tag = QByteArray::fromHex(v->tag); + + QByteArray ciphertext; + QByteArray tag; + CryptoResult result = encrypt_aes256_gcm(key, iv, plaintext, ciphertext, tag); + Q_ASSERT(result == OK); + Q_ASSERT(ciphertext == expected_ciphertext); + Q_ASSERT(tag == expected_tag); + } +} void CryptoTests::testPBKDF2_SHA256() { diff --git a/oscar/tests/cryptotests.h b/oscar/tests/cryptotests.h index 2906abe9..9cc37884 100644 --- a/oscar/tests/cryptotests.h +++ b/oscar/tests/cryptotests.h @@ -14,6 +14,7 @@ class CryptoTests : public QObject private slots: void testAES256(); void testAES256GCM(); + void testAES256GCMencrypt(); void testPBKDF2_SHA256(); void testPRS1Benchmarks(); };