session-desktop/libtextsecure/crypto.js

/*
 * vim: ts=4:sw=4:expandtab
 */

;(function(){
    'use strict';

    var encrypt      = libsignal.crypto.encrypt;
    var decrypt      = libsignal.crypto.decrypt;
    var calculateMAC = libsignal.crypto.calculateMAC;
    var verifyMAC    = libsignal.crypto.verifyMAC;

    var PROFILE_IV_LENGTH = 12;   // bytes
    var PROFILE_KEY_LENGTH = 32;  // bytes
    var PROFILE_TAG_LENGTH = 128; // bits
    var PROFILE_NAME_PADDED_LENGTH = 26; // bytes

    function verifyDigest(data, theirDigest) {
        return crypto.subtle.digest({name: 'SHA-256'}, data).then(function(ourDigest) {
            var a = new Uint8Array(ourDigest);
            var b = new Uint8Array(theirDigest);
            var result = 0;
            for (var i=0; i < theirDigest.byteLength; ++i) {
                result = result | (a[i] ^ b[i]);
            }
            if (result !== 0) {
              throw new Error('Bad digest');
            }
        });
    }
    function calculateDigest(data) {
        return crypto.subtle.digest({name: 'SHA-256'}, data);
    }

    window.textsecure = window.textsecure || {};
    window.textsecure.crypto = {
        // Decrypts message into a raw string
        decryptWebsocketMessage: function(message, signaling_key) {
            var decodedMessage = message.toArrayBuffer();

            if (signaling_key.byteLength != 52) {
                throw new Error("Got invalid length signaling_key");
            }
            if (decodedMessage.byteLength < 1 + 16 + 10) {
                throw new Error("Got invalid length message");
            }
            if (new Uint8Array(decodedMessage)[0] != 1) {
                throw new Error("Got bad version number: " + decodedMessage[0]);
            }

            var aes_key = signaling_key.slice(0, 32);
            var mac_key = signaling_key.slice(32, 32 + 20);

            var iv = decodedMessage.slice(1, 1 + 16);
            var ciphertext = decodedMessage.slice(1 + 16, decodedMessage.byteLength - 10);
            var ivAndCiphertext = decodedMessage.slice(0, decodedMessage.byteLength - 10);
            var mac = decodedMessage.slice(decodedMessage.byteLength - 10, decodedMessage.byteLength);

            return verifyMAC(ivAndCiphertext, mac_key, mac, 10).then(function() {
                return decrypt(aes_key, ciphertext, iv);
            });
        },

        decryptAttachment: function(encryptedBin, keys, theirDigest) {
            if (keys.byteLength != 64) {
                throw new Error("Got invalid length attachment keys");
            }
            if (encryptedBin.byteLength < 16 + 32) {
                throw new Error("Got invalid length attachment");
            }

            var aes_key = keys.slice(0, 32);
            var mac_key = keys.slice(32, 64);

            var iv = encryptedBin.slice(0, 16);
            var ciphertext = encryptedBin.slice(16, encryptedBin.byteLength - 32);
            var ivAndCiphertext = encryptedBin.slice(0, encryptedBin.byteLength - 32);
            var mac = encryptedBin.slice(encryptedBin.byteLength - 32, encryptedBin.byteLength);

            return verifyMAC(ivAndCiphertext, mac_key, mac, 32).then(function() {
                if (theirDigest !== null) {
                  return verifyDigest(encryptedBin, theirDigest);
                }
            }).then(function() {
                return decrypt(aes_key, ciphertext, iv);
            });
        },

        encryptAttachment: function(plaintext, keys, iv) {
            if (!(plaintext instanceof ArrayBuffer) && !ArrayBuffer.isView(plaintext)) {
              throw new TypeError(
                '`plaintext` must be an `ArrayBuffer` or `ArrayBufferView`; got: ' +
                typeof plaintext
              );
            }

            if (keys.byteLength != 64) {
                throw new Error("Got invalid length attachment keys");
            }
            if (iv.byteLength != 16) {
                throw new Error("Got invalid length attachment iv");
            }
            var aes_key = keys.slice(0, 32);
            var mac_key = keys.slice(32, 64);

            return encrypt(aes_key, plaintext, iv).then(function(ciphertext) {
                var ivAndCiphertext = new Uint8Array(16 + ciphertext.byteLength);
                ivAndCiphertext.set(new Uint8Array(iv));
                ivAndCiphertext.set(new Uint8Array(ciphertext), 16);

                return calculateMAC(mac_key, ivAndCiphertext.buffer).then(function(mac) {
                    var encryptedBin = new Uint8Array(16 + ciphertext.byteLength + 32);
                    encryptedBin.set(ivAndCiphertext);
                    encryptedBin.set(new Uint8Array(mac), 16 + ciphertext.byteLength);
                    return calculateDigest(encryptedBin.buffer).then(function(digest) {
                        return { ciphertext: encryptedBin.buffer, digest: digest };
                    });
                });
            });
        },
        encryptProfile: function(data, key) {
          var iv = libsignal.crypto.getRandomBytes(PROFILE_IV_LENGTH);
          if (key.byteLength != PROFILE_KEY_LENGTH) {
              throw new Error("Got invalid length profile key");
          }
          if (iv.byteLength != PROFILE_IV_LENGTH) {
              throw new Error("Got invalid length profile iv");
          }
          return crypto.subtle.importKey('raw', key, {name: 'AES-GCM'}, false, ['encrypt']).then(function(key) {
            return crypto.subtle.encrypt({name: 'AES-GCM', iv: iv, tagLength: PROFILE_TAG_LENGTH}, key, data).then(function(ciphertext) {
              var ivAndCiphertext = new Uint8Array(PROFILE_IV_LENGTH + ciphertext.byteLength);
              ivAndCiphertext.set(new Uint8Array(iv));
              ivAndCiphertext.set(new Uint8Array(ciphertext), PROFILE_IV_LENGTH);
              return ivAndCiphertext.buffer;
            });
          });
        },
        decryptProfile: function(data, key) {
          if (data.byteLength < 12 + 16 + 1) {
              throw new Error("Got too short input: " + data.byteLength);
          }
          var iv = data.slice(0, PROFILE_IV_LENGTH);
          var ciphertext = data.slice(PROFILE_IV_LENGTH, data.byteLength);
          if (key.byteLength != PROFILE_KEY_LENGTH) {
              throw new Error("Got invalid length profile key");
          }
          if (iv.byteLength != PROFILE_IV_LENGTH) {
              throw new Error("Got invalid length profile iv");
          }
          var error = new Error(); // save stack
          return crypto.subtle.importKey('raw', key, {name: 'AES-GCM'}, false, ['decrypt']).then(function(key) {
            return crypto.subtle.decrypt({name: 'AES-GCM', iv: iv, tagLength: PROFILE_TAG_LENGTH}, key, ciphertext).catch(function(e) {
              if (e.name === 'OperationError') {
                // bad mac, basically.
                error.message = 'Failed to decrypt profile data. Most likely the profile key has changed.';
                error.name = 'ProfileDecryptError';
                throw error;
              }
            });
          });
        },
        encryptProfileName: function(name, key) {
          var padded = new Uint8Array(PROFILE_NAME_PADDED_LENGTH);
          padded.set(new Uint8Array(name));
          return textsecure.crypto.encryptProfile(padded.buffer, key);
        },
        decryptProfileName: function(encryptedProfileName, key) {
          var data = dcodeIO.ByteBuffer.wrap(encryptedProfileName, 'base64').toArrayBuffer();
          return textsecure.crypto.decryptProfile(data, key).then(function(decrypted) {
            // unpad
            var name = '';
            var padded = new Uint8Array(decrypted);
            for (var i = padded.length; i > 0; i--) {
              if (padded[i-1] !== 0x00) {
                break;
              }
            }

            return dcodeIO.ByteBuffer.wrap(padded).slice(0, i).toArrayBuffer();
          });
        },


        getRandomBytes: function(size) {
            return libsignal.crypto.getRandomBytes(size);
        }
    };
})();
Remove erroneous license file and headers We only use GPLV3 around here. // FREEBIE 10 years ago			`/*`
			`* vim: ts=4:sw=4:expandtab`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`*/`

			`;(function(){`
			`'use strict';`

Dedupe methods Define textsecure.crypto in terms of libsignal.crypto. // FREEBIE 10 years ago			`var encrypt = libsignal.crypto.encrypt;`
			`var decrypt = libsignal.crypto.decrypt;`
			`var calculateMAC = libsignal.crypto.calculateMAC;`
			`var verifyMAC = libsignal.crypto.verifyMAC;`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago
Profiles (#1453) * Add AES-GCM encryption for profiles With tests. * Add profileKey to DataMessage protobuf // FREEBIE * Decrypt and save profile names // FREEBIE * Save incoming profile keys * Move pad/unpad to crypto module // FREEBIE * Support fetching avatars from the cdn // FREEBIE * Translate failed authentication errors When AES-GCM authentication fails, webcrypto returns a very generic error. The same error is thrown for invalid length inputs, but our earlier checks in decryptProfile should rule out those failure modes and leave us safe to assume that we either had bad ciphertext or the wrong key. // FREEBIE * Handle profile avatars (wip) and log decrypt errors // FREEBIE * Display profile avatars Synced contact avatars will still override profile avatars. * Display profile names in convo list Only if we don't have a synced contact name. // FREEBIE * Make cdn url an environment config Use different ones for staging and production // FREEBIE * Display profile name in conversation header * Display profile name in group messages * Update conversation header if profile avatar changes // FREEBIE * Style profile names small with ~ * Save profileKeys from contact sync messages // FREEBIE * Save profile keys from provisioning messages For standalone accounts, generate a random profile key. // FREEBIE * Special case for one-time sync of our profile key Android will use a contact sync message to sync a profile key from Android clients who have just upgraded and generated their profile key. Normally we should receive this data in a provisioning message. // FREEBIE * Infer profile sharing from synced data messages * Populate profile keys on outgoing messages Requires that `profileSharing` be set on the conversation. // FREEBIE * Support for the profile key update flag When receiving a message with this flag, don't init a message record, just process the profile key and move on. // FREEBIE * Display profile names in group member list * Refresh contact's profile on profile key changes // FREEBIE * Catch errors on profile save // FREEBIE * Save our own synced contact info Don't return early if we get a contact sync for our own number // FREEBIE 8 years ago			`var PROFILE_IV_LENGTH = 12; // bytes`
			`var PROFILE_KEY_LENGTH = 32; // bytes`
			`var PROFILE_TAG_LENGTH = 128; // bits`
			`var PROFILE_NAME_PADDED_LENGTH = 26; // bytes`

Add attachment digests // FREEBIE 9 years ago			`function verifyDigest(data, theirDigest) {`
			`return crypto.subtle.digest({name: 'SHA-256'}, data).then(function(ourDigest) {`
			`var a = new Uint8Array(ourDigest);`
			`var b = new Uint8Array(theirDigest);`
			`var result = 0;`
			`for (var i=0; i < theirDigest.byteLength; ++i) {`
			`result = result \| (a[i] ^ b[i]);`
			`}`
			`if (result !== 0) {`
			`throw new Error('Bad digest');`
			`}`
			`});`
			`}`
			`function calculateDigest(data) {`
			`return crypto.subtle.digest({name: 'SHA-256'}, data);`
			`}`

Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`window.textsecure = window.textsecure \|\| {};`
			`window.textsecure.crypto = {`
			`// Decrypts message into a raw string`
Pass the signaling key into decryptWebSocketMessage De-couple this file from dependency on storage. 10 years ago			`decryptWebsocketMessage: function(message, signaling_key) {`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`var decodedMessage = message.toArrayBuffer();`
Validate argument lengths in crypto.js These functions accept an array buffer and extract an AES and MAC key from it without verifying it has the appropriate length. Ciphertext messages are similarly dissected. The slice function does not raise an error on out of bounds accesses but instead returns an empty or partially-filled array. Empty or short arrays will be passed through to the window.crypto.subtle API, where they will raise an error. We should not rely on the Web Crypto API to validate key lengths or for MAC checks to fail. Instead, validate the lengths of given parameters before extracting their components. // FREEBIE 10 years ago
			`if (signaling_key.byteLength != 52) {`
			`throw new Error("Got invalid length signaling_key");`
			`}`
			`if (decodedMessage.byteLength < 1 + 16 + 10) {`
			`throw new Error("Got invalid length message");`
			`}`
			`if (new Uint8Array(decodedMessage)[0] != 1) {`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`throw new Error("Got bad version number: " + decodedMessage[0]);`
Validate argument lengths in crypto.js These functions accept an array buffer and extract an AES and MAC key from it without verifying it has the appropriate length. Ciphertext messages are similarly dissected. The slice function does not raise an error on out of bounds accesses but instead returns an empty or partially-filled array. Empty or short arrays will be passed through to the window.crypto.subtle API, where they will raise an error. We should not rely on the Web Crypto API to validate key lengths or for MAC checks to fail. Instead, validate the lengths of given parameters before extracting their components. // FREEBIE 10 years ago			`}`

			`var aes_key = signaling_key.slice(0, 32);`
			`var mac_key = signaling_key.slice(32, 32 + 20);`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago
			`var iv = decodedMessage.slice(1, 1 + 16);`
			`var ciphertext = decodedMessage.slice(1 + 16, decodedMessage.byteLength - 10);`
			`var ivAndCiphertext = decodedMessage.slice(0, decodedMessage.byteLength - 10);`
			`var mac = decodedMessage.slice(decodedMessage.byteLength - 10, decodedMessage.byteLength);`

Use constant time mac comparison In libtextsecure and in libaxolotl. // FREEBIE 10 years ago			`return verifyMAC(ivAndCiphertext, mac_key, mac, 10).then(function() {`
Remove all external non-test deps on libaxolotl/crypto 11 years ago			`return decrypt(aes_key, ciphertext, iv);`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`});`
			`},`

Add attachment digests // FREEBIE 9 years ago			`decryptAttachment: function(encryptedBin, keys, theirDigest) {`
Validate argument lengths in crypto.js These functions accept an array buffer and extract an AES and MAC key from it without verifying it has the appropriate length. Ciphertext messages are similarly dissected. The slice function does not raise an error on out of bounds accesses but instead returns an empty or partially-filled array. Empty or short arrays will be passed through to the window.crypto.subtle API, where they will raise an error. We should not rely on the Web Crypto API to validate key lengths or for MAC checks to fail. Instead, validate the lengths of given parameters before extracting their components. // FREEBIE 10 years ago			`if (keys.byteLength != 64) {`
			`throw new Error("Got invalid length attachment keys");`
			`}`
			`if (encryptedBin.byteLength < 16 + 32) {`
			`throw new Error("Got invalid length attachment");`
			`}`

Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`var aes_key = keys.slice(0, 32);`
			`var mac_key = keys.slice(32, 64);`

			`var iv = encryptedBin.slice(0, 16);`
			`var ciphertext = encryptedBin.slice(16, encryptedBin.byteLength - 32);`
			`var ivAndCiphertext = encryptedBin.slice(0, encryptedBin.byteLength - 32);`
			`var mac = encryptedBin.slice(encryptedBin.byteLength - 32, encryptedBin.byteLength);`

Use constant time mac comparison In libtextsecure and in libaxolotl. // FREEBIE 10 years ago			`return verifyMAC(ivAndCiphertext, mac_key, mac, 32).then(function() {`
Cleanup attachment attributes Convert attachment ids from longs to strings, and byte buffers to arrays. // FREEBIE 9 years ago			`if (theirDigest !== null) {`
Add attachment digests // FREEBIE 9 years ago			`return verifyDigest(encryptedBin, theirDigest);`
			`}`
			`}).then(function() {`
Remove all external non-test deps on libaxolotl/crypto 11 years ago			`return decrypt(aes_key, ciphertext, iv);`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`});`
			`},`

			`encryptAttachment: function(plaintext, keys, iv) {`
Verify `makeAttachmentPointer` and `encryptAttachment` arguments The underlying `crypto.subtle.encrypt` API requires it. 8 years ago			`if (!(plaintext instanceof ArrayBuffer) && !ArrayBuffer.isView(plaintext)) {`
			`throw new TypeError(`
			'`plaintext` must be an `ArrayBuffer` or `ArrayBufferView`; got: ' +
			`typeof plaintext`
			`);`
			`}`

Validate argument lengths in crypto.js These functions accept an array buffer and extract an AES and MAC key from it without verifying it has the appropriate length. Ciphertext messages are similarly dissected. The slice function does not raise an error on out of bounds accesses but instead returns an empty or partially-filled array. Empty or short arrays will be passed through to the window.crypto.subtle API, where they will raise an error. We should not rely on the Web Crypto API to validate key lengths or for MAC checks to fail. Instead, validate the lengths of given parameters before extracting their components. // FREEBIE 10 years ago			`if (keys.byteLength != 64) {`
			`throw new Error("Got invalid length attachment keys");`
			`}`
			`if (iv.byteLength != 16) {`
			`throw new Error("Got invalid length attachment iv");`
			`}`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`var aes_key = keys.slice(0, 32);`
			`var mac_key = keys.slice(32, 64);`

Remove all external non-test deps on libaxolotl/crypto 11 years ago			`return encrypt(aes_key, plaintext, iv).then(function(ciphertext) {`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`var ivAndCiphertext = new Uint8Array(16 + ciphertext.byteLength);`
			`ivAndCiphertext.set(new Uint8Array(iv));`
			`ivAndCiphertext.set(new Uint8Array(ciphertext), 16);`

Remove all external non-test deps on libaxolotl/crypto 11 years ago			`return calculateMAC(mac_key, ivAndCiphertext.buffer).then(function(mac) {`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`var encryptedBin = new Uint8Array(16 + ciphertext.byteLength + 32);`
			`encryptedBin.set(ivAndCiphertext);`
			`encryptedBin.set(new Uint8Array(mac), 16 + ciphertext.byteLength);`
Add attachment digests // FREEBIE 9 years ago			`return calculateDigest(encryptedBin.buffer).then(function(digest) {`
			`return { ciphertext: encryptedBin.buffer, digest: digest };`
			`});`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`});`
			`});`
Copy getRandomBytes from libaxolotl to libtextsecure 11 years ago			`},`
Profiles (#1453) * Add AES-GCM encryption for profiles With tests. * Add profileKey to DataMessage protobuf // FREEBIE * Decrypt and save profile names // FREEBIE * Save incoming profile keys * Move pad/unpad to crypto module // FREEBIE * Support fetching avatars from the cdn // FREEBIE * Translate failed authentication errors When AES-GCM authentication fails, webcrypto returns a very generic error. The same error is thrown for invalid length inputs, but our earlier checks in decryptProfile should rule out those failure modes and leave us safe to assume that we either had bad ciphertext or the wrong key. // FREEBIE * Handle profile avatars (wip) and log decrypt errors // FREEBIE * Display profile avatars Synced contact avatars will still override profile avatars. * Display profile names in convo list Only if we don't have a synced contact name. // FREEBIE * Make cdn url an environment config Use different ones for staging and production // FREEBIE * Display profile name in conversation header * Display profile name in group messages * Update conversation header if profile avatar changes // FREEBIE * Style profile names small with ~ * Save profileKeys from contact sync messages // FREEBIE * Save profile keys from provisioning messages For standalone accounts, generate a random profile key. // FREEBIE * Special case for one-time sync of our profile key Android will use a contact sync message to sync a profile key from Android clients who have just upgraded and generated their profile key. Normally we should receive this data in a provisioning message. // FREEBIE * Infer profile sharing from synced data messages * Populate profile keys on outgoing messages Requires that `profileSharing` be set on the conversation. // FREEBIE * Support for the profile key update flag When receiving a message with this flag, don't init a message record, just process the profile key and move on. // FREEBIE * Display profile names in group member list * Refresh contact's profile on profile key changes // FREEBIE * Catch errors on profile save // FREEBIE * Save our own synced contact info Don't return early if we get a contact sync for our own number // FREEBIE 8 years ago			`encryptProfile: function(data, key) {`
			`var iv = libsignal.crypto.getRandomBytes(PROFILE_IV_LENGTH);`
			`if (key.byteLength != PROFILE_KEY_LENGTH) {`
			`throw new Error("Got invalid length profile key");`
			`}`
			`if (iv.byteLength != PROFILE_IV_LENGTH) {`
			`throw new Error("Got invalid length profile iv");`
			`}`
			`return crypto.subtle.importKey('raw', key, {name: 'AES-GCM'}, false, ['encrypt']).then(function(key) {`
			`return crypto.subtle.encrypt({name: 'AES-GCM', iv: iv, tagLength: PROFILE_TAG_LENGTH}, key, data).then(function(ciphertext) {`
			`var ivAndCiphertext = new Uint8Array(PROFILE_IV_LENGTH + ciphertext.byteLength);`
			`ivAndCiphertext.set(new Uint8Array(iv));`
			`ivAndCiphertext.set(new Uint8Array(ciphertext), PROFILE_IV_LENGTH);`
			`return ivAndCiphertext.buffer;`
			`});`
			`});`
			`},`
			`decryptProfile: function(data, key) {`
			`if (data.byteLength < 12 + 16 + 1) {`
			`throw new Error("Got too short input: " + data.byteLength);`
			`}`
			`var iv = data.slice(0, PROFILE_IV_LENGTH);`
			`var ciphertext = data.slice(PROFILE_IV_LENGTH, data.byteLength);`
			`if (key.byteLength != PROFILE_KEY_LENGTH) {`
			`throw new Error("Got invalid length profile key");`
			`}`
			`if (iv.byteLength != PROFILE_IV_LENGTH) {`
			`throw new Error("Got invalid length profile iv");`
			`}`
			`var error = new Error(); // save stack`
			`return crypto.subtle.importKey('raw', key, {name: 'AES-GCM'}, false, ['decrypt']).then(function(key) {`
			`return crypto.subtle.decrypt({name: 'AES-GCM', iv: iv, tagLength: PROFILE_TAG_LENGTH}, key, ciphertext).catch(function(e) {`
			`if (e.name === 'OperationError') {`
			`// bad mac, basically.`
			`error.message = 'Failed to decrypt profile data. Most likely the profile key has changed.';`
			`error.name = 'ProfileDecryptError';`
			`throw error;`
			`}`
			`});`
			`});`
			`},`
			`encryptProfileName: function(name, key) {`
			`var padded = new Uint8Array(PROFILE_NAME_PADDED_LENGTH);`
			`padded.set(new Uint8Array(name));`
			`return textsecure.crypto.encryptProfile(padded.buffer, key);`
			`},`
			`decryptProfileName: function(encryptedProfileName, key) {`
			`var data = dcodeIO.ByteBuffer.wrap(encryptedProfileName, 'base64').toArrayBuffer();`
			`return textsecure.crypto.decryptProfile(data, key).then(function(decrypted) {`
			`// unpad`
			`var name = '';`
			`var padded = new Uint8Array(decrypted);`
			`for (var i = padded.length; i > 0; i--) {`
			`if (padded[i-1] !== 0x00) {`
			`break;`
			`}`
			`}`

			`return dcodeIO.ByteBuffer.wrap(padded).slice(0, i).toArrayBuffer();`
			`});`
			`},`

Copy getRandomBytes from libaxolotl to libtextsecure 11 years ago
			`getRandomBytes: function(size) {`
Dedupe methods Define textsecure.crypto in terms of libsignal.crypto. // FREEBIE 10 years ago			`return libsignal.crypto.getRandomBytes(size);`
Move attachment/websocket [en\|de]cryption to libtextsecure 11 years ago			`}`
			`};`
			`})();`