pohui_pohui/firmware
1
0
Fork 0
mirror of https://github.com/meshtastic/firmware.git synced 2025-08-01 11:25:44 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Remove unnecessary memcpy for PKI crypto (#5608)
Some checks failed
CI / setup (check) (push) Waiting to run
Details
CI / setup (esp32) (push) Waiting to run
Details
CI / setup (esp32c3) (push) Waiting to run
Details
CI / setup (esp32c6) (push) Waiting to run
Details
CI / setup (esp32s3) (push) Waiting to run
Details
CI / setup (nrf52840) (push) Waiting to run
Details
CI / setup (rp2040) (push) Waiting to run
Details
CI / setup (stm32) (push) Waiting to run
Details
CI / check (push) Blocked by required conditions
Details
CI / build-esp32 (push) Blocked by required conditions
Details
CI / build-esp32-s3 (push) Blocked by required conditions
Details
CI / build-esp32-c3 (push) Blocked by required conditions
Details
CI / build-esp32-c6 (push) Blocked by required conditions
Details
CI / build-nrf52 (push) Blocked by required conditions
Details
CI / build-rpi2040 (push) Blocked by required conditions
Details
CI / build-stm32 (push) Blocked by required conditions
Details
CI / package-raspbian (push) Waiting to run
Details
CI / package-raspbian-armv7l (push) Waiting to run
Details
CI / package-native (push) Waiting to run
Details
CI / build-docker (push) Waiting to run
Details
CI / after-checks (push) Blocked by required conditions
Details
CI / gather-artifacts (esp32) (push) Blocked by required conditions
Details
CI / gather-artifacts (esp32c3) (push) Blocked by required conditions
Details
CI / gather-artifacts (esp32c6) (push) Blocked by required conditions
Details
CI / gather-artifacts (esp32s3) (push) Blocked by required conditions
Details
CI / gather-artifacts (nrf52840) (push) Blocked by required conditions
Details
CI / gather-artifacts (rp2040) (push) Blocked by required conditions
Details
CI / gather-artifacts (stm32) (push) Blocked by required conditions
Details
CI / release-artifacts (push) Blocked by required conditions
Details
CI / release-firmware (esp32) (push) Blocked by required conditions
Details
CI / release-firmware (esp32c3) (push) Blocked by required conditions
Details
CI / release-firmware (esp32c6) (push) Blocked by required conditions
Details
CI / release-firmware (esp32s3) (push) Blocked by required conditions
Details
CI / release-firmware (nrf52840) (push) Blocked by required conditions
Details
CI / release-firmware (rp2040) (push) Blocked by required conditions
Details
CI / release-firmware (stm32) (push) Blocked by required conditions
Details
Flawfinder Scan / Flawfinder (push) Waiting to run
Details
Semgrep Full Scan / semgrep-full (push) Has been cancelled
Details

Browse Source 
* Remove unnecessary memcpy for PKI crypto

* Update comment s/packet_id/id/

* Create a copy of bytes for each channel decrypt

---------

Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz>
This commit is contained in:
Eric Severance 2024-12-19 17:14:27 -08:00 committed by GitHub
parent 827553f4c7
commit e1de439a7f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 24 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/mesh/CryptoEngine.cpp
View File

@ -58,10 +58,16 @@ void CryptoEngine::clearKeys()
* Encrypt a packet's payload using a key generated with Curve25519 and SHA256 * Encrypt a packet's payload using a key generated with Curve25519 and SHA256
* for a specific node. * for a specific node.
* *
* @param bytes is updated in place * @param toNode The MeshPacket `to` field.
* @param fromNode The MeshPacket `from` field.
* @param remotePublic The remote node's Curve25519 public key.
* @param packetId The MeshPacket `id` field.
* @param numBytes Number of bytes of plaintext in the bytes buffer.
* @param bytes Buffer containing plaintext input.
* @param bytesOut Output buffer to be populated with encrypted ciphertext.
*/ */
bool CryptoEngine::encryptCurve25519(uint32_t toNode, uint32_t fromNode, meshtastic_UserLite_public_key_t remotePublic, bool CryptoEngine::encryptCurve25519(uint32_t toNode, uint32_t fromNode, meshtastic_UserLite_public_key_t remotePublic,
uint64_t packetNum, size_t numBytes, uint8_t *bytes, uint8_t *bytesOut) uint64_t packetNum, size_t numBytes, const uint8_t *bytes, uint8_t *bytesOut)
{ {
uint8_t *auth; uint8_t *auth;
long extraNonceTmp = random(); long extraNonceTmp = random();
@ -93,14 +99,18 @@ bool CryptoEngine::encryptCurve25519(uint32_t toNode, uint32_t fromNode, meshtas
* Decrypt a packet's payload using a key generated with Curve25519 and SHA256 * Decrypt a packet's payload using a key generated with Curve25519 and SHA256
* for a specific node. * for a specific node.
* *
* @param bytes is updated in place * @param fromNode The MeshPacket `from` field.
* @param remotePublic The remote node's Curve25519 public key.
* @param packetId The MeshPacket `id` field.
* @param numBytes Number of bytes of ciphertext in the bytes buffer.
* @param bytes Buffer containing ciphertext input.
* @param bytesOut Output buffer to be populated with decrypted plaintext.
*/ */
bool CryptoEngine::decryptCurve25519(uint32_t fromNode, meshtastic_UserLite_public_key_t remotePublic, uint64_t packetNum, bool CryptoEngine::decryptCurve25519(uint32_t fromNode, meshtastic_UserLite_public_key_t remotePublic, uint64_t packetNum,
size_t numBytes, uint8_t *bytes, uint8_t *bytesOut) size_t numBytes, const uint8_t *bytes, uint8_t *bytesOut)
{ {
uint8_t *auth; // set to last 8 bytes of text? const uint8_t *auth = bytes + numBytes - 12; // set to last 8 bytes of text?
uint32_t extraNonce; // pointer was not really used uint32_t extraNonce; // pointer was not really used
auth = bytes + numBytes - 12;
memcpy(&extraNonce, auth + 8, memcpy(&extraNonce, auth + 8,
sizeof(uint32_t)); // do not use dereference on potential non aligned pointers : (uint32_t *)(auth + 8); sizeof(uint32_t)); // do not use dereference on potential non aligned pointers : (uint32_t *)(auth + 8);
LOG_INFO("Random nonce value: %d", extraNonce); LOG_INFO("Random nonce value: %d", extraNonce);

4
src/mesh/CryptoEngine.h
View File

@ -40,9 +40,9 @@ class CryptoEngine
void clearKeys(); void clearKeys();
void setDHPrivateKey(uint8_t *_private_key); void setDHPrivateKey(uint8_t *_private_key);
virtual bool encryptCurve25519(uint32_t toNode, uint32_t fromNode, meshtastic_UserLite_public_key_t remotePublic, virtual bool encryptCurve25519(uint32_t toNode, uint32_t fromNode, meshtastic_UserLite_public_key_t remotePublic,
uint64_t packetNum, size_t numBytes, uint8_t *bytes, uint8_t *bytesOut); uint64_t packetNum, size_t numBytes, const uint8_t *bytes, uint8_t *bytesOut);
virtual bool decryptCurve25519(uint32_t fromNode, meshtastic_UserLite_public_key_t remotePublic, uint64_t packetNum, virtual bool decryptCurve25519(uint32_t fromNode, meshtastic_UserLite_public_key_t remotePublic, uint64_t packetNum,
size_t numBytes, uint8_t *bytes, uint8_t *bytesOut); size_t numBytes, const uint8_t *bytes, uint8_t *bytesOut);
virtual bool setDHPublicKey(uint8_t *publicKey); virtual bool setDHPublicKey(uint8_t *publicKey);
virtual void hash(uint8_t *bytes, size_t numBytes); virtual void hash(uint8_t *bytes, size_t numBytes);

14
src/mesh/Router.cpp
View File

@ -37,7 +37,6 @@ static MemoryDynamic<meshtastic_MeshPacket> staticPool;
Allocator<meshtastic_MeshPacket> &packetPool = staticPool; Allocator<meshtastic_MeshPacket> &packetPool = staticPool;
static uint8_t bytes[MAX_LORA_PAYLOAD_LEN + 1] __attribute__((__aligned__)); static uint8_t bytes[MAX_LORA_PAYLOAD_LEN + 1] __attribute__((__aligned__));
static uint8_t ScratchEncrypted[MAX_LORA_PAYLOAD_LEN + 1] __attribute__((__aligned__));
/** /**
* Constructor * Constructor
@ -327,9 +326,6 @@ bool perhapsDecode(meshtastic_MeshPacket *p)
} }
bool decrypted = false; bool decrypted = false;
ChannelIndex chIndex = 0; ChannelIndex chIndex = 0;
memcpy(bytes, p->encrypted.bytes,
rawSize); // we have to copy into a scratch buffer, because these bytes are a union with the decoded protobuf
memcpy(ScratchEncrypted, p->encrypted.bytes, rawSize);
#if !(MESHTASTIC_EXCLUDE_PKI) #if !(MESHTASTIC_EXCLUDE_PKI)
// Attempt PKI decryption first // Attempt PKI decryption first
if (p->channel == 0 && isToUs(p) && p->to > 0 && !isBroadcast(p->to) && nodeDB->getMeshNode(p->from) != nullptr && if (p->channel == 0 && isToUs(p) && p->to > 0 && !isBroadcast(p->to) && nodeDB->getMeshNode(p->from) != nullptr &&
@ -337,7 +333,7 @@ bool perhapsDecode(meshtastic_MeshPacket *p)
rawSize > MESHTASTIC_PKC_OVERHEAD) { rawSize > MESHTASTIC_PKC_OVERHEAD) {
LOG_DEBUG("Attempt PKI decryption"); LOG_DEBUG("Attempt PKI decryption");
if (crypto->decryptCurve25519(p->from, nodeDB->getMeshNode(p->from)->user.public_key, p->id, rawSize, ScratchEncrypted, if (crypto->decryptCurve25519(p->from, nodeDB->getMeshNode(p->from)->user.public_key, p->id, rawSize, p->encrypted.bytes,
bytes)) { bytes)) {
LOG_INFO("PKI Decryption worked!"); LOG_INFO("PKI Decryption worked!");
memset(&p->decoded, 0, sizeof(p->decoded)); memset(&p->decoded, 0, sizeof(p->decoded));
@ -349,8 +345,6 @@ bool perhapsDecode(meshtastic_MeshPacket *p)
p->pki_encrypted = true; p->pki_encrypted = true;
memcpy(&p->public_key.bytes, nodeDB->getMeshNode(p->from)->user.public_key.bytes, 32); memcpy(&p->public_key.bytes, nodeDB->getMeshNode(p->from)->user.public_key.bytes, 32);
p->public_key.size = 32; p->public_key.size = 32;
// memcpy(bytes, ScratchEncrypted, rawSize); // TODO: Rename the bytes buffers
// chIndex = 8;
} else { } else {
LOG_ERROR("PKC Decrypted, but pb_decode failed!"); LOG_ERROR("PKC Decrypted, but pb_decode failed!");
return false; return false;
@ -367,6 +361,9 @@ bool perhapsDecode(meshtastic_MeshPacket *p)
for (chIndex = 0; chIndex < channels.getNumChannels(); chIndex++) { for (chIndex = 0; chIndex < channels.getNumChannels(); chIndex++) {
// Try to use this hash/channel pair // Try to use this hash/channel pair
if (channels.decryptForHash(chIndex, p->channel)) { if (channels.decryptForHash(chIndex, p->channel)) {
// we have to copy into a scratch buffer, because these bytes are a union with the decoded protobuf. Create a
// fresh copy for each decrypt attempt.
memcpy(bytes, p->encrypted.bytes, rawSize);
// Try to decrypt the packet if we can // Try to decrypt the packet if we can
crypto->decrypt(p->from, p->id, rawSize, bytes); crypto->decrypt(p->from, p->id, rawSize, bytes);
@ -515,9 +512,8 @@ meshtastic_Routing_Error perhapsEncode(meshtastic_MeshPacket *p)
*node->user.public_key.bytes); *node->user.public_key.bytes);
return meshtastic_Routing_Error_PKI_FAILED; return meshtastic_Routing_Error_PKI_FAILED;
} }
crypto->encryptCurve25519(p->to, getFrom(p), node->user.public_key, p->id, numbytes, bytes, ScratchEncrypted); crypto->encryptCurve25519(p->to, getFrom(p), node->user.public_key, p->id, numbytes, bytes, p->encrypted.bytes);
numbytes += MESHTASTIC_PKC_OVERHEAD; numbytes += MESHTASTIC_PKC_OVERHEAD;
memcpy(p->encrypted.bytes, ScratchEncrypted, numbytes);
p->channel = 0; p->channel = 0;
p->pki_encrypted = true; p->pki_encrypted = true;
} else { } else {