<div dir="ltr"><div>Hi Zhiyi</div><div><br></div><div>I did a test on your CA. The NewResponse packet is decoding correctly.</div><div>However, after sending ChallengeRequest, I'm getting the following error:</div><div><span style="font-family:monospace">0000 15 2b ab 01 04 ad 26 49 6e 74 65 72 65 73 74 20 .+....&Interest <br>0010 70 61 72 61 6d 61 74 65 72 73 20 64 65 63 72 79 paramaters decry<br>0020 70 74 69 6f 6e 20 66 61 69 6c 65 64 2e ption failed.<br></span></div><div><br></div><div>I looked at the CA code and noticed several obvious bugs.</div><div>I guess this error is caused by the first bug. You can look at the packet trace and cross-reference server logs near the packet timestamps, to confirm this theory.<br></div><div><br></div><div><font size="4">HKDF<br></font></div><div>The CA invokes HKDF as follows:</div><div><a href="https://github.com/Zhiyi-Zhang/ndncert/blob/7cca76aeae764667da6f4ca80684439a5af8e5dc/src/ca-module.cpp#L260">https://github.com/Zhiyi-Zhang/ndncert/blob/7cca76aeae764667da6f4ca80684439a5af8e5dc/src/ca-module.cpp#L260</a></div><div><span style="font-family:monospace"> hkdf(sharedSecret.data(), sharedSecret.size(), salt.data(), salt.size(), aesKey.data(), aesKey.size());</span></div><div><br></div><div>The protocol specifies:</div><div style="margin-left:40px">The Info is the 8 byte value of request-id.</div><div>But the implementation is missing the Info parameter.<br></div><div><br></div><div><font size="4">decryptionIv check<br></font></div><div>
<div>The protocol specifies:</div><div style="margin-left:40px">Recipient ... should check ... the counter is monotonically increasing and has not wrapped around.</div>
</div><div>
<div>Suppose the first message from the requester has 3 blocks and uses IV 0xd674c25ade65161400000000, the second message from the requester can use any IV that starts with 0xd674c25ade651614
and ends with a number greater than or equal to 0x00000003. For example, the second message could use IV
0xd674c25ade65161400000003 or
0xd674c25ade65161400000020.
</div>
</div><div><br></div><div>The CA checks the initialization vector as follows:<br></div><div><a href="https://github.com/Zhiyi-Zhang/ndncert/blob/7cca76aeae764667da6f4ca80684439a5af8e5dc/src/detail/crypto-helpers.cpp#L403-L406">https://github.com/Zhiyi-Zhang/ndncert/blob/7cca76aeae764667da6f4ca80684439a5af8e5dc/src/detail/crypto-helpers.cpp#L403-L406</a></div><div><span style="font-family:monospace"> if (currentIv != decryptionIv) {<br> NDN_THROW(std::runtime_error("Error when decrypting the AES Encrypted Block: "<br> "The observed IV is incorrectly formed."));<br> }</span></div><div></div>This implementation is overly strict: it would only admit
0xd674c25ade65161400000003, but incorrectly rejects
0xd674c25ade65161400000020.<div><div><br></div><div>Moreover, the CA fails to check that the random value portion selected by the requester differs from the random value portion selected by the CA. That check is required by the protocol.<br></div><div><br></div><div><font size="4">Buffer overflow in IV decoding<br></font></div><div>There's an undefined behavior in this line:</div><div><a href="https://github.com/Zhiyi-Zhang/ndncert/blob/7cca76aeae764667da6f4ca80684439a5af8e5dc/src/detail/crypto-helpers.cpp#L398">https://github.com/Zhiyi-Zhang/ndncert/blob/7cca76aeae764667da6f4ca80684439a5af8e5dc/src/detail/crypto-helpers.cpp#L398</a></div><div><span style="font-family:monospace">std::vector<uint8_t> currentIv(block.get(tlv::InitializationVector).value(), block.get(tlv::InitializationVector).value() + 12);</span></div><div>If the
TLV-LENGTH of the IV element is less than 12, a buffer overflow condition may occur.<br></div><div><br></div><div>Yours, Junxiao<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 17, 2021 at 6:12 PM Zhiyi Zhang <<a href="mailto:zhiyi@cs.ucla.edu">zhiyi@cs.ucla.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p style="text-align:center"><font color="red"><b>External Email</b><br></font></p><div dir="ltr">Hi Junxiao,<div><br></div><div>I've added RestartSec in the systemd file and removed the status field from NEW packets.</div><div>I also restarted the service on Suns.</div><div><br></div><div>Best,</div><div>Zhiyi</div></div><br></blockquote></div></div></div>