fix timing side channel when reading headers with invalid reserved bits

2025-04-04 04:37:36 +03:00 · 2019-01-28 11:10:50 +09:00 · 2019-01-28 11:10:50 +09:00 · 7b9b711a77
commit 7b9b711a77
parent 4fe0f6752c
4 changed files with 105 additions and 26 deletions
--- a/packet_unpacker_test.go
+++ b/packet_unpacker_test.go
@ -110,6 +110,60 @@ var _ = Describe("Packet Unpacker", func() {
 		Expect(err).To(MatchError("test err"))
 	})

+	It("defends against the timing side-channel when the reserved bits are wrong, for long header packets", func() {
+		extHdr := &wire.ExtendedHeader{
+			Header: wire.Header{
+				IsLongHeader:     true,
+				Type:             protocol.PacketTypeHandshake,
+				DestConnectionID: connID,
+				Version:          version,
+			},
+			PacketNumber:    0x1337,
+			PacketNumberLen: 2,
+		}
+		hdr, hdrRaw := getHeader(extHdr)
+		hdrRaw[0] |= 0xc
+		opener := mocks.NewMockLongHeaderOpener(mockCtrl)
+		opener.EXPECT().DecryptHeader(gomock.Any(), gomock.Any(), gomock.Any())
+		cs.EXPECT().GetHandshakeOpener().Return(opener, nil)
+		opener.EXPECT().Open(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return([]byte("payload"), nil)
+		_, err := unpacker.Unpack(hdr, append(hdrRaw, payload...))
+		Expect(err).To(MatchError(wire.ErrInvalidReservedBits))
+	})
+
+	It("defends against the timing side-channel when the reserved bits are wrong, for short header packets", func() {
+		extHdr := &wire.ExtendedHeader{
+			Header:          wire.Header{DestConnectionID: connID},
+			PacketNumber:    0x1337,
+			PacketNumberLen: 2,
+		}
+		hdr, hdrRaw := getHeader(extHdr)
+		hdrRaw[0] |= 0x18
+		opener := mocks.NewMockShortHeaderOpener(mockCtrl)
+		opener.EXPECT().DecryptHeader(gomock.Any(), gomock.Any(), gomock.Any())
+		cs.EXPECT().Get1RTTOpener().Return(opener, nil)
+		opener.EXPECT().Open(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return([]byte("payload"), nil)
+		_, err := unpacker.Unpack(hdr, append(hdrRaw, payload...))
+		Expect(err).To(MatchError(wire.ErrInvalidReservedBits))
+	})
+
+	It("returns the decryption error, when unpacking a packet with wrong reserved bits fails", func() {
+		extHdr := &wire.ExtendedHeader{
+			Header:          wire.Header{DestConnectionID: connID},
+			PacketNumber:    0x1337,
+			PacketNumberLen: 2,
+		}
+		hdr, hdrRaw := getHeader(extHdr)
+		hdrRaw[0] |= 0x18
+		opener := mocks.NewMockShortHeaderOpener(mockCtrl)
+		opener.EXPECT().DecryptHeader(gomock.Any(), gomock.Any(), gomock.Any())
+		cs.EXPECT().Get1RTTOpener().Return(opener, nil)
+		testErr := errors.New("decryption error")
+		opener.EXPECT().Open(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil, testErr)
+		_, err := unpacker.Unpack(hdr, append(hdrRaw, payload...))
+		Expect(err).To(MatchError(testErr))
+	})
+
 	It("decrypts the header", func() {
 		extHdr := &wire.ExtendedHeader{
 			Header: wire.Header{