Update header parser in Secure Cell master key API #592
Commits on Feb 12, 2020
-
Describe master key header format
Just like with passphrase API, introduce structures, serializers and parsers for header used by master key API. It's mostly identical but lacks KDF context.
-
Update SCell master key decryption code path
Make it read like the current passphrase API using the same parsing techniques. This resolves a bunch of possible vulnerabilities found by AFL fuzzer which could be triggered by specific corruptions in the header. We reuse some utilities from passphrase API files so move them into common internal header. Note how we treat the compatibility path. Themis 0.9.6 used to use incompatble format for one of the context fields used for Soter KDF which resulted in encrypted data that cannot be decrypted by modern implementation. We still support decryption of these 'broken' cells by trying compatibility KDF if the initial decryption fails.
-
Update SCell master key encryption code path
Similarly to decryption, unify the code with passphrase implementation.
-
Since we use new definitions now, those are no longer necessary.
-
Use new accessors in passphrase API
We have added a new accessor to KDF in Soter algorithm ID, use it.
-
Validate key length on decryption
Just like with passphrase API, we need to pay close attention to the key length field which we use to determine the length of the derived key. Accept only formats currently produced by Themis. It's unlikely that we update them, and Soter cannot handle other formats anyway right now.
-
Avoid unsigned overflow in length computations
Similar to passphrase API, master key header can encode messages with total length exceeding UINT32_MAX which can cause overflows on 32-bit platforms (with 32-bit size_t). Avoid overflows in computations by judiciously using uint64_t and breaking up intermediate computations to ensure uint64_t is used.
-
Update expected error codes in tests
Changes in master key implementations unify error reporting with passphrase API as well. In particular, we consistently report detected data corruption with THEMIS_FAIL error code now. THEMIS_INVALID_PARAMETER is used to indicate programming errors which could have been prevented by a better type system. Attempting to decrypt corrupted data is not such an issue. Some tests that verify corrupted data processing expect particular error codes to be reported. Update them to expect THEMIS_FAIL now.
Commits on Mar 2, 2020
-
Reduce code duplication in decryption path
We still need to maintain compatibility KDF implementation in order to be able to decrypt data encrypted by Themis 0.9.6 which used incorrect Soter KDF context computation, incompatible with 32-bit platforms. Refactor the compatibility shim code to extact the context computation and avoid duplicating the entire KDF processing, with all its length and algorithm verification.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.