Crypto: Destroy ChaCha/Poly after one-time-use

2022-04-25 10:05:16 -04:00
parent 4a6f6f8647
commit 71a58cb1bf
5 changed files with 25 additions and 8 deletions
--- a/router/java/src/net/i2p/data/i2np/BuildResponseRecord.java
+++ b/router/java/src/net/i2p/data/i2np/BuildResponseRecord.java
@@ -128,6 +128,8 @@ public class BuildResponseRecord {
            chacha.encryptWithAd(ad, data, 0, data, 0, data.length - 16);
        } catch (GeneralSecurityException e) {
            return false;
+        } finally {
+            chacha.destroy();
        }
        return true;
    }
@@ -155,6 +157,8 @@ public class BuildResponseRecord {
            chacha.decryptWithAd(ad, data, 0, data, 0, rec.length());
        } catch (GeneralSecurityException e) {
            return false;
+        } finally {
+            chacha.destroy();
        }
        return true;
    }
@@ -179,6 +183,8 @@ public class BuildResponseRecord {
            chacha.encryptWithAd(ad, data, 0, data, 0, data.length - 16);
        } catch (GeneralSecurityException e) {
            return false;
+        } finally {
+            chacha.destroy();
        }
        return true;
    }
@@ -208,6 +214,8 @@ public class BuildResponseRecord {
            chacha.decryptWithAd(ad, data, 0, data, 0, rec.length());
        } catch (GeneralSecurityException e) {
            return false;
+        } finally {
+            chacha.destroy();
        }
        return true;
    }
--- a/router/java/src/net/i2p/router/crypto/ratchet/ECIESAEADEngine.java
+++ b/router/java/src/net/i2p/router/crypto/ratchet/ECIESAEADEngine.java
@@ -825,6 +825,8 @@ public final class ECIESAEADEngine {
            if (_log.shouldWarn())
                _log.warn("Unable to decrypt AEAD block", e);
            return false;
+        } finally {
+            chacha.destroy();
        }
        return true;
    }
@@ -1211,6 +1213,8 @@ public final class ECIESAEADEngine {
            if (_log.shouldWarn())
                _log.warn("Unable to encrypt AEAD block", e);
            return null;
+        } finally {
+            chacha.destroy();
        }
        return enc;
    }
--- a/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
+++ b/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
@@ -109,6 +109,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
            chacha.setNonce(n);
            chacha.decryptWithAd(data, off, LONG_HEADER_SIZE,
                                 data, off + LONG_HEADER_SIZE, data, off + LONG_HEADER_SIZE, len - LONG_HEADER_SIZE);
+            chacha.destroy();
            processPayload(data, off + LONG_HEADER_SIZE, len - (LONG_HEADER_SIZE + MAC_LEN), true);
            _sendHeaderEncryptKey2 = introKey;
            do {
--- a/router/java/src/net/i2p/router/transport/udp/OutboundEstablishState2.java
+++ b/router/java/src/net/i2p/router/transport/udp/OutboundEstablishState2.java
@@ -323,12 +323,12 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
            throw new GeneralSecurityException("Bad token 0 in retry");
        _token = token;
        _timeReceived = 0;
+        ChaChaPolyCipherState chacha = new ChaChaPolyCipherState();
+        chacha.initializeKey(_rcvHeaderEncryptKey1, 0);
+        long n = DataHelper.fromLong(data, off + PKT_NUM_OFFSET, 4);
+        chacha.setNonce(n);
        try {
            // decrypt in-place
-            ChaChaPolyCipherState chacha = new ChaChaPolyCipherState();
-            chacha.initializeKey(_rcvHeaderEncryptKey1, 0);
-            long n = DataHelper.fromLong(data, off + PKT_NUM_OFFSET, 4);
-            chacha.setNonce(n);
            chacha.decryptWithAd(data, off, LONG_HEADER_SIZE,
                                 data, off + LONG_HEADER_SIZE, data, off + LONG_HEADER_SIZE, len - LONG_HEADER_SIZE);
            processPayload(data, off + LONG_HEADER_SIZE, len - (LONG_HEADER_SIZE + MAC_LEN), true);
@@ -336,6 +336,8 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
            if (_log.shouldDebug())
                _log.debug("Retry error", gse);
            throw gse;
+        } finally {
+            chacha.destroy();
        }
        packetReceived();
        if (_currentState == OutboundState.OB_STATE_VALIDATION_FAILED) {
--- a/router/java/src/net/i2p/router/transport/udp/PeerTestManager.java
+++ b/router/java/src/net/i2p/router/transport/udp/PeerTestManager.java
@@ -785,12 +785,12 @@ class PeerTestManager {
        if (type != PEER_TEST_FLAG_BYTE)
            return;
        byte[] introKey = _transport.getSSU2StaticIntroKey();
+        ChaChaPolyCipherState chacha = new ChaChaPolyCipherState();
+        chacha.initializeKey(introKey, 0);
+        long n = DataHelper.fromLong(data, off + PKT_NUM_OFFSET, 4);
+        chacha.setNonce(n);
        try {
            // decrypt in-place
-            ChaChaPolyCipherState chacha = new ChaChaPolyCipherState();
-            chacha.initializeKey(introKey, 0);
-            long n = DataHelper.fromLong(data, off + PKT_NUM_OFFSET, 4);
-            chacha.setNonce(n);
            chacha.decryptWithAd(data, off, LONG_HEADER_SIZE,
                                 data, off + LONG_HEADER_SIZE, data, off + LONG_HEADER_SIZE, len - LONG_HEADER_SIZE);
            int payloadLen = len - (LONG_HEADER_SIZE + MAC_LEN);
@@ -799,6 +799,8 @@ class PeerTestManager {
        } catch (Exception e) {
            if (_log.shouldWarn())
                _log.warn("Bad PeerTest packet:\n" + HexDump.dump(data, off, len), e);
+        } finally {
+            chacha.destroy();
        }
    }