diff --git a/Gruntfile.js b/Gruntfile.js index e769102ca..d26ae2ce8 100644 --- a/Gruntfile.js +++ b/Gruntfile.js @@ -63,11 +63,7 @@ module.exports = grunt => { banner: ';(function() {\n', footer: '})();\n', }, - src: [ - 'libtextsecure/errors.js', - 'libtextsecure/libsignal-protocol.js', - 'libtextsecure/crypto.js', - ], + src: ['libtextsecure/errors.js', 'libtextsecure/libsignal-protocol.js'], dest: 'js/libtextsecure.js', }, }, diff --git a/libtextsecure/crypto.d.ts b/libtextsecure/crypto.d.ts deleted file mode 100644 index 54b1d1b65..000000000 --- a/libtextsecure/crypto.d.ts +++ /dev/null @@ -1,17 +0,0 @@ -export interface LibTextsecureCryptoInterface { - encryptAttachment( - plaintext: ArrayBuffer, - keys: ArrayBuffer, - iv: ArrayBuffer - ): Promise<{ - digest: ArrayBuffer; - ciphertext: ArrayBuffer; - }>; - decryptAttachment( - encryptedBin: ArrayBuffer, - keys: ArrayBuffer, - theirDigest: ArrayBuffer - ): Promise; - decryptProfile(data: ArrayBuffer, key: ArrayBuffer): Promise; - encryptProfile(data: ArrayBuffer, key: ArrayBuffer): Promise; -} diff --git a/libtextsecure/crypto.js b/libtextsecure/crypto.js deleted file mode 100644 index feeb28be4..000000000 --- a/libtextsecure/crypto.js +++ /dev/null @@ -1,178 +0,0 @@ -/* global libsignal, crypto, textsecure, dcodeIO, window */ - -/* eslint-disable more/no-then, no-bitwise */ - -// eslint-disable-next-line func-names -(function() { - const { encrypt, decrypt, calculateMAC, verifyMAC } = libsignal.crypto; - - const PROFILE_IV_LENGTH = 12; // bytes - const PROFILE_KEY_LENGTH = 32; // bytes - const PROFILE_TAG_LENGTH = 128; // bits - const PROFILE_NAME_PADDED_LENGTH = 26; // bytes - - function verifyDigest(data, theirDigest) { - return crypto.subtle.digest({ name: 'SHA-256' }, data).then(ourDigest => { - const a = new Uint8Array(ourDigest); - const b = new Uint8Array(theirDigest); - let result = 0; - for (let i = 0; i < theirDigest.byteLength; i += 1) { - result |= a[i] ^ b[i]; - } - if (result !== 0) { - throw new Error('Bad digest'); - } - }); - } - function calculateDigest(data) { - return crypto.subtle.digest({ name: 'SHA-256' }, data); - } - - function getRandomBytesFromLength(n) { - const bytes = new Uint8Array(n); - crypto.getRandomValues(bytes); - return bytes; - } - - window.textsecure = window.textsecure || {}; - window.textsecure.crypto = { - decryptAttachment(encryptedBin, keys, theirDigest) { - if (keys.byteLength !== 64) { - throw new Error('Got invalid length attachment keys'); - } - if (encryptedBin.byteLength < 16 + 32) { - throw new Error('Got invalid length attachment'); - } - - const aesKey = keys.slice(0, 32); - const macKey = keys.slice(32, 64); - - const iv = encryptedBin.slice(0, 16); - const ciphertext = encryptedBin.slice(16, encryptedBin.byteLength - 32); - const ivAndCiphertext = encryptedBin.slice(0, encryptedBin.byteLength - 32); - const mac = encryptedBin.slice(encryptedBin.byteLength - 32, encryptedBin.byteLength); - - return verifyMAC(ivAndCiphertext, macKey, mac, 32) - .then(() => { - if (!theirDigest) { - throw new Error('Failure: Ask sender to update Signal and resend.'); - } - return verifyDigest(encryptedBin, theirDigest); - }) - .then(() => decrypt(aesKey, ciphertext, iv)); - }, - - encryptAttachment(plaintext, keys, iv) { - if (!(plaintext instanceof ArrayBuffer) && !ArrayBuffer.isView(plaintext)) { - throw new TypeError( - `\`plaintext\` must be an \`ArrayBuffer\` or \`ArrayBufferView\`; got: ${typeof plaintext}` - ); - } - - if (keys.byteLength !== 64) { - throw new Error('Got invalid length attachment keys'); - } - if (iv.byteLength !== 16) { - throw new Error('Got invalid length attachment iv'); - } - const aesKey = keys.slice(0, 32); - const macKey = keys.slice(32, 64); - - return encrypt(aesKey, plaintext, iv).then(ciphertext => { - const ivAndCiphertext = new Uint8Array(16 + ciphertext.byteLength); - ivAndCiphertext.set(new Uint8Array(iv)); - ivAndCiphertext.set(new Uint8Array(ciphertext), 16); - - return calculateMAC(macKey, ivAndCiphertext.buffer).then(mac => { - const encryptedBin = new Uint8Array(16 + ciphertext.byteLength + 32); - encryptedBin.set(ivAndCiphertext); - encryptedBin.set(new Uint8Array(mac), 16 + ciphertext.byteLength); - return calculateDigest(encryptedBin.buffer).then(digest => ({ - ciphertext: encryptedBin.buffer, - digest, - })); - }); - }); - }, - encryptProfile(data, key) { - const iv = getRandomBytesFromLength(PROFILE_IV_LENGTH); - if (key.byteLength !== PROFILE_KEY_LENGTH) { - throw new Error('Got invalid length profile key'); - } - if (iv.byteLength !== PROFILE_IV_LENGTH) { - throw new Error('Got invalid length profile iv'); - } - return crypto.subtle - .importKey('raw', key, { name: 'AES-GCM' }, false, ['encrypt']) - .then(keyForEncryption => - crypto.subtle - .encrypt({ name: 'AES-GCM', iv, tagLength: PROFILE_TAG_LENGTH }, keyForEncryption, data) - .then(ciphertext => { - const ivAndCiphertext = new Uint8Array(PROFILE_IV_LENGTH + ciphertext.byteLength); - ivAndCiphertext.set(new Uint8Array(iv)); - ivAndCiphertext.set(new Uint8Array(ciphertext), PROFILE_IV_LENGTH); - return ivAndCiphertext.buffer; - }) - ); - }, - decryptProfile(data, key) { - if (data.byteLength < 12 + 16 + 1) { - throw new Error(`Got too short input: ${data.byteLength}`); - } - const iv = data.slice(0, PROFILE_IV_LENGTH); - const ciphertext = data.slice(PROFILE_IV_LENGTH, data.byteLength); - if (key.byteLength !== PROFILE_KEY_LENGTH) { - throw new Error('Got invalid length profile key'); - } - if (iv.byteLength !== PROFILE_IV_LENGTH) { - throw new Error('Got invalid length profile iv'); - } - const error = new Error(); // save stack - return crypto.subtle - .importKey('raw', key, { name: 'AES-GCM' }, false, ['decrypt']) - .then(keyForEncryption => - crypto.subtle - .decrypt( - { name: 'AES-GCM', iv, tagLength: PROFILE_TAG_LENGTH }, - keyForEncryption, - ciphertext - ) - .catch(e => { - if (e.name === 'OperationError') { - // bad mac, basically. - error.message = - 'Failed to decrypt profile data. Most likely the profile key has changed.'; - error.name = 'ProfileDecryptError'; - throw error; - } - }) - ); - }, - encryptProfileName(name, key) { - const padded = new Uint8Array(PROFILE_NAME_PADDED_LENGTH); - padded.set(new Uint8Array(name)); - return textsecure.crypto.encryptProfile(padded.buffer, key); - }, - decryptProfileName(encryptedProfileName, key) { - const data = dcodeIO.ByteBuffer.wrap(encryptedProfileName, 'base64').toArrayBuffer(); - return textsecure.crypto.decryptProfile(data, key).then(decrypted => { - // unpad - const padded = new Uint8Array(decrypted); - let i; - for (i = padded.length; i > 0; i -= 1) { - if (padded[i - 1] !== 0x00) { - break; - } - } - - return dcodeIO.ByteBuffer.wrap(padded) - .slice(0, i) - .toArrayBuffer(); - }); - }, - - getRandomBytes(size) { - return getRandomBytesFromLength(size); - }, - }; -})(); diff --git a/libtextsecure/libsignal-protocol.d.ts b/libtextsecure/libsignal-protocol.d.ts index bcdf1c51b..c25c3566c 100644 --- a/libtextsecure/libsignal-protocol.d.ts +++ b/libtextsecure/libsignal-protocol.d.ts @@ -40,12 +40,8 @@ export interface CryptoInterface { getRandomBytes(size: number): ArrayBuffer; } -export interface KeyHelperInterface { - generateIdentityKeyPair(): Promise; -} export interface LibsignalProtocol { Curve: CurveInterface; crypto: CryptoInterface; - KeyHelper: KeyHelperInterface; } diff --git a/libtextsecure/libsignal-protocol.js b/libtextsecure/libsignal-protocol.js index bf81fe225..93be130bc 100644 --- a/libtextsecure/libsignal-protocol.js +++ b/libtextsecure/libsignal-protocol.js @@ -34736,7 +34736,7 @@ var libsignal 'use strict'; function validatePrivKey(privKey) { - if (privKey === undefined || !(privKey instanceof ArrayBuffer)) { + if (privKey === undefined || !(privKey instanceof ArrayBuffer)) { console.log(privKey === undefined, (privKey instanceof ArrayBuffer), privKey.byteLength) throw new Error("Invalid private key", privKey); @@ -34982,13 +34982,7 @@ var libsignal }, }; })(); - var KeyHelper = { - generateIdentityKeyPair: function () { - return Internal.crypto.createKeyPair(); - }, - }; - libsignal.KeyHelper = KeyHelper; })(); \ No newline at end of file diff --git a/ts/interactions/conversationInteractions.ts b/ts/interactions/conversationInteractions.ts index c54089c16..5f05db637 100644 --- a/ts/interactions/conversationInteractions.ts +++ b/ts/interactions/conversationInteractions.ts @@ -47,6 +47,7 @@ import { urlToBlob } from '../types/attachments/VisualAttachment'; import { MIME } from '../types'; import { setLastProfileUpdateTimestamp } from '../util/storage'; import { getSodium } from '../session/crypto'; +import { encryptProfile } from '../util/crypto/profileEncrypter'; export const getCompleteUrlForV2ConvoId = async (convoId: string) => { if (convoId.match(openGroupV2ConversationIdRegex)) { @@ -427,10 +428,7 @@ export async function uploadOurAvatar(newAvatarDecrypted?: ArrayBuffer) { return; } - const encryptedData = await window.textsecure.crypto.encryptProfile( - decryptedAvatarData, - profileKey - ); + const encryptedData = await encryptProfile(decryptedAvatarData, profileKey); const avatarPointer = await FSv2.uploadFileToFsV2(encryptedData); let fileUrl; diff --git a/ts/receiver/attachments.ts b/ts/receiver/attachments.ts index bd929d729..b1a94427a 100644 --- a/ts/receiver/attachments.ts +++ b/ts/receiver/attachments.ts @@ -11,6 +11,7 @@ import { import { OpenGroupRequestCommonType } from '../session/apis/open_group_api/opengroupV2/ApiUtil'; import { FSv2 } from '../session/apis/file_server_api'; import { getUnpaddedAttachment } from '../session/crypto/BufferPadding'; +import { decryptAttachment } from '../util/crypto/attachmentsEncrypter'; export async function downloadAttachment(attachment: { url: string; @@ -60,10 +61,13 @@ export async function downloadAttachment(attachment: { throw new Error('Attachment expected size is 0'); } - const keyBuffer = await window.callWorker('fromBase64ToArrayBuffer', key); - const digestBuffer = await window.callWorker('fromBase64ToArrayBuffer', digest); + const keyBuffer = (await window.callWorker('fromBase64ToArrayBuffer', key)) as ArrayBuffer; + const digestBuffer = (await window.callWorker( + 'fromBase64ToArrayBuffer', + digest + )) as ArrayBuffer; - data = await window.textsecure.crypto.decryptAttachment(data, keyBuffer, digestBuffer); + data = await decryptAttachment(data, keyBuffer, digestBuffer); if (size !== data.byteLength) { // we might have padding, check that all the remaining bytes are padding bytes diff --git a/ts/receiver/dataMessage.ts b/ts/receiver/dataMessage.ts index 02a0b64aa..7aea04fbf 100644 --- a/ts/receiver/dataMessage.ts +++ b/ts/receiver/dataMessage.ts @@ -27,6 +27,7 @@ import { } from '../models/messageFactory'; import { MessageModel } from '../models/message'; import { isUsFromCache } from '../session/utils/User'; +import { decryptProfile } from '../util/crypto/profileEncrypter'; export async function updateProfileOneAtATime( conversation: ConversationModel, @@ -51,7 +52,7 @@ async function createOrUpdateProfile( profile: SignalService.DataMessage.ILokiProfile, profileKey?: Uint8Array | null ) { - const { dcodeIO, textsecure } = window; + const { dcodeIO } = window; // Retain old values unless changed: const newProfile = conversation.get('profile') || {}; @@ -79,10 +80,7 @@ async function createOrUpdateProfile( profileKey, encoding ).toArrayBuffer(); - const decryptedData = await textsecure.crypto.decryptProfile( - downloaded.data, - profileKeyArrayBuffer - ); + const decryptedData = await decryptProfile(downloaded.data, profileKeyArrayBuffer); const scaledData = await autoScaleForIncomingAvatar(decryptedData); const upgraded = await processNewAttachment({ diff --git a/ts/session/utils/Attachments.ts b/ts/session/utils/Attachments.ts index 36bc18f1a..20a92ce4e 100644 --- a/ts/session/utils/Attachments.ts +++ b/ts/session/utils/Attachments.ts @@ -11,6 +11,7 @@ import { import { FSv2 } from '../apis/file_server_api'; import { addAttachmentPadding } from '../crypto/BufferPadding'; import _ from 'lodash'; +import { encryptAttachment } from '../../util/crypto/attachmentsEncrypter'; interface UploadParams { attachment: Attachment; @@ -70,11 +71,7 @@ export class AttachmentFsV2Utils { const iv = new Uint8Array(crypto.randomBytes(16)); const dataToEncrypt = !shouldPad ? attachment.data : addAttachmentPadding(attachment.data); - const data = await window.textsecure.crypto.encryptAttachment( - dataToEncrypt, - pointer.key.buffer, - iv.buffer - ); + const data = await encryptAttachment(dataToEncrypt, pointer.key.buffer, iv.buffer); pointer.digest = new Uint8Array(data.digest); attachmentData = data.ciphertext; } diff --git a/ts/util/crypto/attachmentsEncrypter.ts b/ts/util/crypto/attachmentsEncrypter.ts new file mode 100644 index 000000000..a8355ecb5 --- /dev/null +++ b/ts/util/crypto/attachmentsEncrypter.ts @@ -0,0 +1,88 @@ +const { encrypt, decrypt, calculateMAC, verifyMAC } = window.libsignal.crypto; +// tslint:disable: binary-expression-operand-order +// tslint:disable: restrict-plus-operands + +async function verifyDigest(data: ArrayBuffer, theirDigest: ArrayBuffer) { + return crypto.subtle.digest({ name: 'SHA-256' }, data).then(ourDigest => { + const a = new Uint8Array(ourDigest); + const b = new Uint8Array(theirDigest); + let result = 0; + for (let i = 0; i < theirDigest.byteLength; i += 1) { + // tslint:disable-next-line: no-bitwise + result |= a[i] ^ b[i]; + } + if (result !== 0) { + throw new Error('Bad digest'); + } + }); +} +async function calculateDigest(data: ArrayBuffer) { + return crypto.subtle.digest({ name: 'SHA-256' }, data); +} + +export async function decryptAttachment( + encryptedBin: ArrayBuffer, + keys: ArrayBuffer, + theirDigest: ArrayBuffer +) { + if (keys.byteLength !== 64) { + throw new Error('Got invalid length attachment keys'); + } + if (encryptedBin.byteLength < 16 + 32) { + throw new Error('Got invalid length attachment'); + } + + const aesKey = keys.slice(0, 32); + const macKey = keys.slice(32, 64); + + const iv = encryptedBin.slice(0, 16); + const ciphertext = encryptedBin.slice(16, encryptedBin.byteLength - 32); + const ivAndCiphertext = encryptedBin.slice(0, encryptedBin.byteLength - 32); + const mac = encryptedBin.slice(encryptedBin.byteLength - 32, encryptedBin.byteLength); + + return verifyMAC(ivAndCiphertext, macKey, mac, 32) + .then(async () => { + if (!theirDigest) { + throw new Error('Failure: Ask sender to update Signal and resend.'); + } + return verifyDigest(encryptedBin, theirDigest); + }) + .then(() => decrypt(aesKey, ciphertext, iv)); +} + +export async function encryptAttachment( + plaintext: ArrayBuffer, + keys: ArrayBuffer, + iv: ArrayBuffer +) { + if (!(plaintext instanceof ArrayBuffer) && !ArrayBuffer.isView(plaintext)) { + throw new TypeError( + `\`plaintext\` must be an \`ArrayBuffer\` or \`ArrayBufferView\`; got: ${typeof plaintext}` + ); + } + + if (keys.byteLength !== 64) { + throw new Error('Got invalid length attachment keys'); + } + if (iv.byteLength !== 16) { + throw new Error('Got invalid length attachment iv'); + } + const aesKey = keys.slice(0, 32); + const macKey = keys.slice(32, 64); + + return encrypt(aesKey, plaintext, iv).then((ciphertext: any) => { + const ivAndCiphertext = new Uint8Array(16 + ciphertext.byteLength); + ivAndCiphertext.set(new Uint8Array(iv)); + ivAndCiphertext.set(new Uint8Array(ciphertext), 16); + + return calculateMAC(macKey, ivAndCiphertext.buffer).then(async (mac: any) => { + const encryptedBin = new Uint8Array(16 + ciphertext.byteLength + 32); + encryptedBin.set(ivAndCiphertext); + encryptedBin.set(new Uint8Array(mac), 16 + ciphertext.byteLength); + return calculateDigest(encryptedBin.buffer).then(digest => ({ + ciphertext: encryptedBin.buffer, + digest, + })); + }); + }); +} diff --git a/ts/util/crypto/profileEncrypter.ts b/ts/util/crypto/profileEncrypter.ts new file mode 100644 index 000000000..105f26452 --- /dev/null +++ b/ts/util/crypto/profileEncrypter.ts @@ -0,0 +1,66 @@ +import { getSodium } from '../../session/crypto'; + +const PROFILE_IV_LENGTH = 12; // bytes +const PROFILE_KEY_LENGTH = 32; // bytes +const PROFILE_TAG_LENGTH = 128; // bits + +export async function decryptProfile(data: ArrayBuffer, key: ArrayBuffer): Promise { + if (data.byteLength < 12 + 16 + 1) { + throw new Error(`Got too short input: ${data.byteLength}`); + } + const iv = data.slice(0, PROFILE_IV_LENGTH); + const ciphertext = data.slice(PROFILE_IV_LENGTH, data.byteLength); + if (key.byteLength !== PROFILE_KEY_LENGTH) { + throw new Error('Got invalid length profile key'); + } + if (iv.byteLength !== PROFILE_IV_LENGTH) { + throw new Error('Got invalid length profile iv'); + } + const error = new Error(); // save stack + return crypto.subtle + .importKey('raw', key, { name: 'AES-GCM' }, false, ['decrypt']) + .then(keyForEncryption => + crypto.subtle + .decrypt( + { name: 'AES-GCM', iv, tagLength: PROFILE_TAG_LENGTH }, + keyForEncryption, + ciphertext + ) + .catch(e => { + if (e.name === 'OperationError') { + // bad mac, basically. + error.message = + 'Failed to decrypt profile data. Most likely the profile key has changed.'; + error.name = 'ProfileDecryptError'; + throw error; + } + }) + ); +} + +async function getRandomBytesFromLength(n: number) { + return (await getSodium()).randombytes_buf(n); +} + +export async function encryptProfile(data: ArrayBuffer, key: ArrayBuffer): Promise { + const iv = await getRandomBytesFromLength(PROFILE_IV_LENGTH); + if (key.byteLength !== PROFILE_KEY_LENGTH) { + throw new Error('Got invalid length profile key'); + } + if (iv.byteLength !== PROFILE_IV_LENGTH) { + throw new Error('Got invalid length profile iv'); + } + return crypto.subtle + .importKey('raw', key, { name: 'AES-GCM' }, false, ['encrypt']) + .then(keyForEncryption => + crypto.subtle + .encrypt({ name: 'AES-GCM', iv, tagLength: PROFILE_TAG_LENGTH }, keyForEncryption, data) + .then(ciphertext => { + // tslint:disable-next-line: restrict-plus-operands + const ivAndCiphertext = new Uint8Array(PROFILE_IV_LENGTH + ciphertext.byteLength); + ivAndCiphertext.set(new Uint8Array(iv)); + ivAndCiphertext.set(new Uint8Array(ciphertext), PROFILE_IV_LENGTH); + return ivAndCiphertext.buffer; + }) + ); +}