[Bug]: RP2040 - Decrypt or Encrypt (during remote admin for example) crashes the device #4855
Comments
TheMalkavien
changed the title
|
UPDATE : I also have some heltec devices. I Had a PKI_FAILED message by trying to remote admin a 2.5.1 htv3, I checked the keys, everything were right. I'm not a professional developer, I may understand thing the wrong way, but it seems that my changes are fixing other issues related to encryption. Hope this helps. |
|
I could hug you for this. Such excellent work. Memory alignment is something we don't have to worry about much with X86 code, so I didn't even consider it here. |
|
@TheMalkavien Do you want to go ahead and make a PR with these fixes? |
|
Hi, of course ! |
…n crashes or strange behavior (#4867) * Replace multiple potentially non aligned pointer dereference (#4855) First step to fix some Crypto crashes or strange behaviors * Makes the two Crypto byte buffers aligned (#4855) Fix #4855, and probably multiple Crypto problems depending on hardware --------- Co-authored-by: Ben Meadors <[email protected]> Co-authored-by: GUVWAF <[email protected]>
Category
Hardware Compatibility
Hardware
Other
Firmware Version
2.5 +
Description
Hi,
Since 2.5+, my rp2040-lora was unusable. When trying to remote admin, the devices just crash.
I finally took time to do some investigations and found out it crashes just after the "Attempting PKI decryption" message.
I found out that there was some pointer dereference on "extraNonce" on the "encryptCurve25519" and "decryptCurve25519" functions causing this crash. The pointer itself is not bad (valid address) but was not word-aligned on the memory. While it may work on most hardware (with non-guaranted results), it makes rp2040 crash.
Good news is I have a fix, which you may use or not, depending on how you want to handle this situation.
Firstly, I replaced the dereferences "*extraNonce" with a memcpy, like that on 2 or 3 places :
*extraNonce = extraNonceTmp; ==> memcpy(extraNonce, &extraNonceTmp, 4); // do not use dereference on non aligned pointersI tested, and it worked further until another crash. I again found out a lot of pointer dereference into the byte buffer in the aes code, which is not very good news (you can't replace every dereference, and don't want to touch the aes code !), but can be fixed in this case with a simple alignment directive on the buffer itself during declaration (the buffer was not aligned at all !) :
With these 2 tricks, my rp2040 is finally working fine on 2.5+ on decrypt AND crypt (tested on 2.5.1).
The directive is not sufficient, because the code use as nonce the last 4 bytes of the buffer, and this buffer does not always have a size modulo 4. But you can easily change by using another way to get a nonce.
Also, it may explain arbitrary crashes on other devices.
I'm not sure I explained it right, but I can answer questions :)
Thanks !
Relevant log output
No response
The text was updated successfully, but these errors were encountered: