While auditing the unmarshal routine responsible for unmarshalling the encapsulated
request, we observed that the implementation reads the 2-byte kemID directly from the
attacker-controlled buffer without adequately checking that the attacker-controlled kemID is
valid. The implementation raises a panic() when the call to kemID.Scheme()
reaches the default case of its switch statement, resulting in a remote DoS condition.
Notably, a reference implementation utilizing the ohttp-go library wraps the entire library in
the Go standard http library, which provides a built-in mechanism to recover from raised
panics. However, the library itself should return an appropriate error when the provided
kemID is invalid, rather than relying on a panic being recovered.
Affected file:
ohttp-go/ohttp.go
Affected code:
```go
func UnmarshalEncapsulatedRequest(enc []byte) (EncapsulatedRequest, error) {
	b := bytes.NewBuffer(enc)
	[...]
	kdfIDBuffer := make([]byte, 2)
	_, err = b.Read(kdfIDBuffer)
	if err != nil {
		return EncapsulatedRequest{}, err
	}
	[...]
	// kemID is taken straight from the attacker-controlled buffer; no validity check follows.
	kemID := hpke.KEM(binary.BigEndian.Uint16(kemIDBuffer))
	[...]
	// Scheme() panics for an unknown kemID before CiphertextSize() is ever reached.
	key := make([]byte, kemID.Scheme().CiphertextSize())
	[...]
}
```
Affected file:
vendor/github.com/cloudflare/circl/hpke/algs.go
Affected code:
```go
func (k KEM) Scheme() kem.AuthScheme {
	switch k {
	case KEM_P256_HKDF_SHA256:
		return dhkemp256hkdfsha256
	case KEM_P384_HKDF_SHA384:
		return dhkemp384hkdfsha384
	case KEM_P521_HKDF_SHA512:
		return dhkemp521hkdfsha512
	case KEM_X25519_HKDF_SHA256:
		return dhkemx25519hkdfsha256
	case KEM_X448_HKDF_SHA512:
		return dhkemx448hkdfsha512
	case KEM_X25519_KYBER768_DRAFT00:
		return hybridkemX25519Kyber768
	default:
		// Any identifier outside the known set ends here, so an unvalidated
		// attacker-supplied kemID turns into a panic rather than an error.
		panic(ErrInvalidKEM)
	}
}
```
The following test function will trigger a crash by causing the KEM validation to panic:
PoC:
```go
func TestInvalidKem(t *testing.T) {
	// keyID 0x03, followed by kemID 0x0450, which is not a KEM the library knows.
	data := []byte{0x03, 0x04, 0x50, 0x4f, 0x53, 0x54, 0x03, 0x6d, 0x30,
		0x30, 0x00, 0x00,
		0x00, 0x03, 0x30, 0x30, 0x30, 0x30, 0x06}
	UnmarshalEncapsulatedRequest(data)
}
```
To mitigate this issue, we suggest calling the kemID.IsValid() method before invoking
kemID.Scheme().CiphertextSize(). If the kemID is invalid, IsValid() returns false and the
UnmarshalEncapsulatedRequest function should return an error and exit gracefully, rather than
panicking.
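As an added example (not code from ohttp-go or circl), the following self-contained Go program models the two orderings the report contrasts: a stand-in KEM type whose size lookup panics on an unknown identifier the way circl's Scheme() does, a parser that performs that lookup before any validation, and a hardened parser that checks IsValid() first and returns an error. The KEM constants are the RFC 9180 identifiers and sizes; the struct layout, the ReadFull-based header reader and the function names are assumptions for illustration, and the PoC bytes are the ones from the issue's test.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// KEM is a stand-in for hpke.KEM (assumption: only what this example needs is modelled).
type KEM uint16

// HPKE KEM identifiers and their encapsulated-key sizes (Nenc) from RFC 9180.
const (
	KEM_P256_HKDF_SHA256   KEM = 0x0010
	KEM_P384_HKDF_SHA384   KEM = 0x0011
	KEM_P521_HKDF_SHA512   KEM = 0x0012
	KEM_X25519_HKDF_SHA256 KEM = 0x0020
	KEM_X448_HKDF_SHA512   KEM = 0x0021
)

var ErrInvalidKEM = errors.New("hpke: invalid KEM identifier")

var encSizes = map[KEM]int{
	KEM_P256_HKDF_SHA256:   65,
	KEM_P384_HKDF_SHA384:   97,
	KEM_P521_HKDF_SHA512:   133,
	KEM_X25519_HKDF_SHA256: 32,
	KEM_X448_HKDF_SHA512:   56,
}

// IsValid reports whether the identifier is one the library knows.
func (k KEM) IsValid() bool { _, ok := encSizes[k]; return ok }

// CiphertextSize stands in for kemID.Scheme().CiphertextSize(): like circl's Scheme(),
// it panics on an unknown identifier, which is the behaviour the issue reports.
func (k KEM) CiphertextSize() int {
	n, ok := encSizes[k]
	if !ok {
		panic(ErrInvalidKEM)
	}
	return n
}

// EncapsulatedRequest is a hypothetical layout: keyID || kemID || kdfID || aeadID || enc || ct.
type EncapsulatedRequest struct {
	KeyID  uint8
	KemID  KEM
	KdfID  uint16
	AeadID uint16
	Enc    []byte
	Ct     []byte
}

// readU16 reads a big-endian uint16 and fails on a short buffer instead of
// silently accepting a partial read.
func readU16(b *bytes.Buffer) (uint16, error) {
	var v [2]byte
	if _, err := io.ReadFull(b, v[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint16(v[:]), nil
}

// parseHeader parses the header; validate selects whether kemID is checked before
// the size lookup that panics on unknown identifiers.
func parseHeader(enc []byte, validate bool) (EncapsulatedRequest, error) {
	b := bytes.NewBuffer(enc)
	keyID, err := b.ReadByte()
	if err != nil {
		return EncapsulatedRequest{}, err
	}
	kemRaw, err := readU16(b)
	if err != nil {
		return EncapsulatedRequest{}, err
	}
	kdfID, err := readU16(b)
	if err != nil {
		return EncapsulatedRequest{}, err
	}
	aeadID, err := readU16(b)
	if err != nil {
		return EncapsulatedRequest{}, err
	}
	kemID := KEM(kemRaw)
	if validate && !kemID.IsValid() {
		return EncapsulatedRequest{}, ErrInvalidKEM // the suggested mitigation
	}
	key := make([]byte, kemID.CiphertextSize()) // panics for an unknown kemID when validate is false
	if _, err := io.ReadFull(b, key); err != nil {
		return EncapsulatedRequest{}, err
	}
	return EncapsulatedRequest{KeyID: keyID, KemID: kemID, KdfID: kdfID, AeadID: aeadID, Enc: key, Ct: b.Bytes()}, nil
}

// UnmarshalVulnerable reproduces the reported ordering: size lookup before any validity check.
func UnmarshalVulnerable(enc []byte) (EncapsulatedRequest, error) { return parseHeader(enc, false) }

// UnmarshalHardened checks IsValid() first and returns ErrInvalidKEM instead of panicking.
func UnmarshalHardened(enc []byte) (EncapsulatedRequest, error) { return parseHeader(enc, true) }

// Panics reports whether f panics, so the before/after behaviour can be compared.
func Panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

// PoCBytes are the bytes from the issue's TestInvalidKem: keyID 0x03, kemID 0x0450 (unassigned).
var PoCBytes = []byte{0x03, 0x04, 0x50, 0x4f, 0x53, 0x54, 0x03, 0x6d, 0x30,
	0x30, 0x00, 0x00, 0x00, 0x03, 0x30, 0x30, 0x30, 0x30, 0x06}

// ValidSample is a constructed well-formed message: X25519 KEM, 32-byte enc, 3-byte ct.
func ValidSample() []byte {
	msg := []byte{0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x01}
	msg = append(msg, make([]byte, 32)...)
	return append(msg, 0xaa, 0xbb, 0xcc)
}

func main() {
	fmt.Println("vulnerable ordering panics:", Panics(func() { UnmarshalVulnerable(PoCBytes) }))
	_, err := UnmarshalHardened(PoCBytes)
	fmt.Println("hardened ordering returns:", err)
	r, _ := UnmarshalHardened(ValidSample())
	fmt.Printf("valid sample: kemID=%#04x enc=%d bytes ct=%d bytes\n", uint16(r.KemID), len(r.Enc), len(r.Ct))
}
```

The same bytes that crash the lookup-first ordering come back from the hardened parser as a plain ErrInvalidKEM, which an HTTP handler can map to a 4xx response without depending on net/http's panic recovery.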