Skip to content

[groups] Fix #38823 - filter group keys by session_id during decrypt #39401

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

[groups] Fix #38823 - filter group keys by session_id during decrypt #39401

wants to merge 1 commit into from
+19 −2

Conversation

turon
Copy link
Contributor

@turon turon commented Jun 5, 2025
edited
Loading

Fix #38823

The receive handler for a group message can try to decrypt against multiple keys, but right now it tries every key when it should only try keys where session_id matches hash(key).

This change will extract the hash of the key from CryptoContext and only attempt decryption when that is equal to the session_id in PacketHeader.

Testing

  • adding in separate commit

@turon turon requested a review from Copilot June 5, 2025 03:44
Copilot

This comment was marked as outdated.

Sign in to view

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jun 5, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The pull request addresses a critical issue where group messages were being decrypted against all available keys, instead of filtering by session ID. The changes introduce a mechanism to derive the session ID from the key and only attempt decryption when the session IDs match. This significantly improves efficiency and security. The implementation appears sound, but I have a few suggestions for improvement.

Summary of Findings

  • Missing Log Messages: Consider adding log messages for key context not found and session ID mismatch to aid in debugging.
  • Potential Null Pointer Dereference: It might be beneficial to add a check to ensure that keyContext is valid before calling DeriveGroupSessionId.
  • Inconsistent Logging: The logging statements for decryption attempts are placed inside a conditional compilation block, which might lead to inconsistent logging behavior.

Merge Readiness

The pull request effectively addresses the issue of filtering group keys by session ID during decryption. However, I recommend addressing the comments provided to improve debugging capabilities and ensure consistent logging. I am unable to directly approve this pull request, and recommend that others review and approve this code before merging. At a minimum, the medium severity issue should be addressed before merging.

@turon turon force-pushed the fix/38823/group-key-filter branch from 184946e to ce941b1 Compare June 5, 2025 04:31
@turon turon force-pushed the fix/38823/group-key-filter branch from ce941b1 to 91e99ef Compare June 5, 2025 04:37
@turon turon requested a review from Copilot June 5, 2025 04:38
Copilot
Copilot AI reviewed Jun 5, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses issue #38823 by ensuring that decryption for group messages is attempted only when the session ID in the packet header matches the hash of the decryption key.

  • Updated header includes to use the appropriate provider and logging constants.
  • Added retrieval of key context and a check to compare the key hash against the session ID to filter decryption attempts.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 5, 2025
edited
Loading

PR #39401: Size comparison from b1fc719 to 91e99ef

Full report (72 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
platform target config section b1fc719 91e99ef change % change
bl602 lighting-app bl602+mfd+littlefs+rpc FLASH 1102698 1102736 38 0.0
RAM 179058 179058 0 0.0
bl702 lighting-app bl702+eth FLASH 655804 655842 38 0.0
RAM 135009 135009 0 0.0
bl702+wifi FLASH 833294 833332 38 0.0
RAM 124573 124573 0 0.0
bl706+mfd+rpc+littlefs FLASH 1065726 1065766 40 0.0
RAM 117405 117405 0 0.0
bl702l contact-sensor-app bl702l+mfd+littlefs FLASH 895272 895312 40 0.0
RAM 105708 105708 0 0.0
lighting-app bl702l+mfd+littlefs FLASH 978996 979036 40 0.0
RAM 109892 109892 0 0.0
cc13x4_26x4 lighting-app LP_EM_CC1354P10_6 FLASH 820900 820940 40 0.0
RAM 120224 120224 0 0.0
lock-ftd LP_EM_CC1354P10_6 FLASH 832528 832568 40 0.0
RAM 125376 125376 0 0.0
pump-app LP_EM_CC1354P10_6 FLASH 778024 778064 40 0.0
RAM 113780 113780 0 0.0
pump-controller-app LP_EM_CC1354P10_6 FLASH 762332 762372 40 0.0
RAM 113988 113988 0 0.0
cc32xx air-purifier CC3235SF_LAUNCHXL FLASH 548542 548590 48 0.0
RAM 205192 205192 0 0.0
lock CC3235SF_LAUNCHXL FLASH 582014 582054 40 0.0
RAM 205384 205384 0 0.0
cyw30739 light CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 662981 663021 40 0.0
RAM 77504 77504 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 682817 682865 48 0.0
RAM 80144 80144 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 682817 682865 48 0.0
RAM 80144 80144 0 0.0
CYW930739M2EVB-02 unknown 2040 2040 0 0.0
FLASH 639757 639797 40 0.0
RAM 72572 72572 0 0.0
light-switch CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 624357 624405 48 0.0
RAM 73816 73816 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 643985 644033 48 0.0
RAM 76368 76368 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 643985 644033 48 0.0
RAM 76368 76368 0 0.0
lock CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 645277 645317 40 0.0
RAM 76816 76816 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 664977 665025 48 0.0
RAM 79368 79368 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 664977 665025 48 0.0
RAM 79368 79368 0 0.0
thermostat CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 619945 619993 48 0.0
RAM 70928 70928 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 639797 639845 48 0.0
RAM 73560 73560 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 639797 639845 48 0.0
RAM 73560 73560 0 0.0
efr32 lock-app BRD4187C FLASH 947108 947140 32 0.0
RAM 132036 132036 0 0.0
BRD4338a FLASH 776392 776416 24 0.0
RAM 173256 173256 0 0.0
window-app BRD4187C FLASH 1040072 1040096 24 0.0
RAM 128164 128164 0 0.0
esp32 all-clusters-app c3devkit DRAM 103552 103552 0 0.0
FLASH 1810086 1810128 42 0.0
IRAM 83862 83862 0 0.0
m5stack DRAM 122412 122412 0 0.0
FLASH 1775054 1775090 36 0.0
IRAM 117071 117071 0 0.0
linux air-purifier-app debug unknown 4848 4848 0 0.0
FLASH 2788328 2788462 134 0.0
RAM 117048 117048 0 0.0
all-clusters-app debug unknown 5664 5664 0 0.0
FLASH 6388070 6388204 134 0.0
RAM 537872 537872 0 0.0
all-clusters-minimal-app debug unknown 5528 5528 0 0.0
FLASH 5470366 5470500 134 0.0
RAM 228008 228008 0 0.0
bridge-app debug unknown 5560 5560 0 0.0
FLASH 4802878 4803012 134 0.0
RAM 207680 207680 0 0.0
camera-app debug unknown 8864 8864 0 0.0
FLASH 6901659 6901787 128 0.0
RAM 228920 228920 0 0.0
camera-controller debug unknown 9168 9168 0 0.0
FLASH 14296203 14296347 144 0.0
RAM 657992 657992 0 0.0
chip-tool debug unknown 6240 6240 0 0.0
FLASH 14657911 14658045 134 0.0
RAM 651440 651440 0 0.0
chip-tool-ipv6only arm64 unknown 40480 40480 0 0.0
FLASH 12627780 12627876 96 0.0
RAM 697744 697744 0 0.0
fabric-admin debug unknown 5920 5920 0 0.0
FLASH 12727093 12727227 134 0.0
RAM 650840 650840 0 0.0
fabric-bridge-app debug unknown 4808 4808 0 0.0
FLASH 4588780 4588914 134 0.0
RAM 193376 193376 0 0.0
fabric-sync debug unknown 5056 5056 0 0.0
FLASH 5734477 5734605 128 0.0
RAM 490320 490320 0 0.0
lighting-app debug+rpc+ui unknown 6272 6272 0 0.0
FLASH 5652097 5652225 128 0.0
RAM 209896 209896 0 0.0
lock-app debug unknown 5488 5488 0 0.0
FLASH 4836080 4836214 134 0.0
RAM 197128 197128 0 0.0
ota-provider-app debug unknown 4848 4848 0 0.0
FLASH 4440616 4440750 134 0.0
RAM 186016 186016 0 0.0
ota-requestor-app debug unknown 4728 4728 0 0.0
FLASH 4509974 4510108 134 0.0
RAM 188632 188632 0 0.0
shell debug unknown 4248 4248 0 0.0
FLASH 3084380 3084508 128 0.0
RAM 151112 151112 0 0.0
thermostat-no-ble arm64 unknown 9784 9784 0 0.0
FLASH 4234716 4234828 112 0.0
RAM 233448 233448 0 0.0
tv-app debug unknown 5824 5824 0 0.0
FLASH 6099549 6099677 128 0.0
RAM 614552 614552 0 0.0
tv-casting-app debug unknown 5336 5336 0 0.0
FLASH 12809037 12809165 128 0.0
RAM 767968 767968 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 FLASH 922244 922284 40 0.0
RAM 167468 167468 0 0.0
nrf7002dk_nrf5340_cpuapp FLASH 913432 913492 60 0.0
RAM 145712 145712 0 0.0
all-clusters-minimal-app nrf52840dk_nrf52840 FLASH 859368 859408 40 0.0
RAM 141095 141095 0 0.0
nxp contact mcxw71+release FLASH 625376 625424 48 0.0
RAM 63196 63196 0 0.0
lock mcxw71+release FLASH 776416 776456 40 0.0
RAM 67860 67860 0 0.0
psoc6 all-clusters cy8ckit_062s2_43012 FLASH 1672084 1672116 32 0.0
RAM 212464 212464 0 0.0
all-clusters-minimal cy8ckit_062s2_43012 FLASH 1576324 1576356 32 0.0
RAM 208512 208512 0 0.0
light cy8ckit_062s2_43012 FLASH 1448772 1448804 32 0.0
RAM 197240 197240 0 0.0
lock cy8ckit_062s2_43012 FLASH 1481036 1481068 32 0.0
RAM 224952 224952 0 0.0
qpg lighting-app qpg6105+debug FLASH 667500 667540 40 0.0
RAM 105196 105196 0 0.0
lock-app qpg6105+debug FLASH 627568 627608 40 0.0
RAM 99816 99816 0 0.0
stm32 light STM32WB5MM-DK FLASH 465260 465300 40 0.0
RAM 141424 141424 0 0.0
telink bridge-app tl7218x FLASH 694658 694694 36 0.0
RAM 102100 102100 0 0.0
light-app-ota-compress-lzma-factory-data tl3218x FLASH 767076 767112 36 0.0
RAM 50252 50252 0 0.0
light-app-ota-compress-lzma-shell-factory-data tl3218x FLASH 768106 768142 36 0.0
RAM 40544 40544 0 0.0
light-app-ota-shell-factory-data tl7218x FLASH 774204 756620 -17584 -2.3
RAM 109424 97672 -11752 -10.7
light-switch-app-ota-compress-lzma-factory-data tl7218x_retention FLASH 703564 687702 -15862 -2.3
RAM 62812 51780 -11032 -17.6
light-switch-app-ota-compress-lzma-shell-factory-data tlsr9528a FLASH 741518 716152 -25366 -3.4
RAM 85984 73592 -12392 -14.4
light-switch-app-ota-shell-factory-data tl3218x_retention FLASH 713424 713460 36 0.0
RAM 37228 37228 0 0.0
lighting-app-ota-factory-data tlsr9118bdk40d FLASH 601046 601082 36 0.0
RAM 120196 120196 0 0.0
lighting-app-ota-rpc-factory-data-4mb tlsr9518adk80d FLASH 809542 809582 40 0.0
RAM 107692 107692 0 0.0
tizen all-clusters-app arm unknown 5300 5300 0 0.0
FLASH 1821556 1821664 108 0.0
RAM 97184 97184 0 0.0
chip-tool-ubsan arm unknown 20664 20664 0 0.0
FLASH 20933142 20933470 328 0.0
RAM 9116752 9116904 152 0.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Assignees
No one assigned
Labels
group messaging transport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] Group message decryption is not filtering by session_id / group key
1 participant
@turon