Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

QUIC/decrypt_crypto: Actually check if decryption was successful

Browse source 
...and bail if it wasn't.

PCAP was produced using OSS-Fuzz input from issue 383379789.
This commit is contained in:
Arne Welzel 2024-12-11 13:04:45 +01:00 committed by Tim Wojtulewicz
parent d745d746bc
commit c2f2388f18
5 changed files with 19 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/analyzer/protocol/quic/decrypt_crypto.cc
View file

@ -152,7 +152,7 @@ Function that calls the AEAD decryption routine, and returns the decrypted data.
*/ */
hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt::Bytes& all_data, hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt::Bytes& all_data,
uint64_t payload_length, const DecryptionInformation& decryptInfo) { uint64_t payload_length, const DecryptionInformation& decryptInfo) {
int out, out2, res; int out, out2;
if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH ) if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH )
throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length, throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length,
@ -202,7 +202,8 @@ hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt
EVP_CipherUpdate(ctx, decrypt_buffer.data(), &out, encrypted_payload, encrypted_payload_size); EVP_CipherUpdate(ctx, decrypt_buffer.data(), &out, encrypted_payload, encrypted_payload_size);
// Validate whether the decryption was successful or not // Validate whether the decryption was successful or not
EVP_CipherFinal_ex(ctx, NULL, &out2); if ( EVP_CipherFinal_ex(ctx, NULL, &out2) == 0 )
throw hilti::rt::RuntimeError("decryption failed");
// Copy the decrypted data from the decrypted buffer into a Bytes instance. // Copy the decrypted data from the decrypted buffer into a Bytes instance.
return hilti::rt::Bytes(decrypt_buffer.data(), decrypt_buffer.data() + out); return hilti::rt::Bytes(decrypt_buffer.data(), decrypt_buffer.data() + out);

3
testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut Normal file
View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid cause analyzer_kind analyzer_name failure_reason
1733909795.417573 C4J4Th3PJpwUYZZ6gc violation protocol QUIC decryption failed (<...>/QUIC.spicy:<location>)

5
testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut Normal file
View file

@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid proto history service
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h udp D -
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc udp D -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 tcp F ftp

BIN
testing/btest/Traces/quic/383379789-decrypt-crash.pcap Normal file
View file

Binary file not shown.

8
testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek Normal file
View file

@ -0,0 +1,8 @@
# @TEST-DOC: Trace produced by OSS-Fuzz triggered a crash due to using a too small local buffer for decryption.
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -Cr $TRACES/quic/383379789-decrypt-crash.pcap base/protocols/quic %INPUT
# @TEST-EXEC: zeek-cut -m ts uid proto history service < conn.log > conn.log.cut
# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
# @TEST-EXEC: btest-diff conn.log.cut
# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut