2015-09-07 21:53:43 +00:00
|
|
|
/*
|
|
|
|
* vim: ts=4:sw=4:expandtab
|
2015-01-16 04:11:08 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
;(function(){
|
|
|
|
'use strict';
|
|
|
|
|
2016-05-08 00:49:45 +00:00
|
|
|
var encrypt = libsignal.crypto.encrypt;
|
|
|
|
var decrypt = libsignal.crypto.decrypt;
|
|
|
|
var calculateMAC = libsignal.crypto.calculateMAC;
|
|
|
|
var verifyMAC = libsignal.crypto.verifyMAC;
|
2015-01-16 04:11:08 +00:00
|
|
|
|
2017-09-11 16:50:35 +00:00
|
|
|
var PROFILE_IV_LENGTH = 12; // bytes
|
|
|
|
var PROFILE_KEY_LENGTH = 32; // bytes
|
|
|
|
var PROFILE_TAG_LENGTH = 128; // bits
|
|
|
|
var PROFILE_NAME_PADDED_LENGTH = 26; // bytes
|
|
|
|
|
2017-03-08 00:54:15 +00:00
|
|
|
function verifyDigest(data, theirDigest) {
|
|
|
|
return crypto.subtle.digest({name: 'SHA-256'}, data).then(function(ourDigest) {
|
|
|
|
var a = new Uint8Array(ourDigest);
|
|
|
|
var b = new Uint8Array(theirDigest);
|
|
|
|
var result = 0;
|
|
|
|
for (var i=0; i < theirDigest.byteLength; ++i) {
|
|
|
|
result = result | (a[i] ^ b[i]);
|
|
|
|
}
|
|
|
|
if (result !== 0) {
|
|
|
|
throw new Error('Bad digest');
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
function calculateDigest(data) {
|
|
|
|
return crypto.subtle.digest({name: 'SHA-256'}, data);
|
|
|
|
}
|
|
|
|
|
2015-01-16 04:11:08 +00:00
|
|
|
window.textsecure = window.textsecure || {};
|
|
|
|
window.textsecure.crypto = {
|
|
|
|
// Decrypts message into a raw string
|
2015-08-07 21:52:33 +00:00
|
|
|
decryptWebsocketMessage: function(message, signaling_key) {
|
2015-01-16 04:11:08 +00:00
|
|
|
var decodedMessage = message.toArrayBuffer();
|
2015-10-27 19:15:08 +00:00
|
|
|
|
|
|
|
if (signaling_key.byteLength != 52) {
|
|
|
|
throw new Error("Got invalid length signaling_key");
|
|
|
|
}
|
|
|
|
if (decodedMessage.byteLength < 1 + 16 + 10) {
|
|
|
|
throw new Error("Got invalid length message");
|
|
|
|
}
|
|
|
|
if (new Uint8Array(decodedMessage)[0] != 1) {
|
2015-01-16 04:11:08 +00:00
|
|
|
throw new Error("Got bad version number: " + decodedMessage[0]);
|
2015-10-27 19:15:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var aes_key = signaling_key.slice(0, 32);
|
|
|
|
var mac_key = signaling_key.slice(32, 32 + 20);
|
2015-01-16 04:11:08 +00:00
|
|
|
|
|
|
|
var iv = decodedMessage.slice(1, 1 + 16);
|
|
|
|
var ciphertext = decodedMessage.slice(1 + 16, decodedMessage.byteLength - 10);
|
|
|
|
var ivAndCiphertext = decodedMessage.slice(0, decodedMessage.byteLength - 10);
|
|
|
|
var mac = decodedMessage.slice(decodedMessage.byteLength - 10, decodedMessage.byteLength);
|
|
|
|
|
2015-11-25 00:14:12 +00:00
|
|
|
return verifyMAC(ivAndCiphertext, mac_key, mac, 10).then(function() {
|
2015-01-16 08:15:00 +00:00
|
|
|
return decrypt(aes_key, ciphertext, iv);
|
2015-01-16 04:11:08 +00:00
|
|
|
});
|
|
|
|
},
|
|
|
|
|
2017-03-08 00:54:15 +00:00
|
|
|
decryptAttachment: function(encryptedBin, keys, theirDigest) {
|
2015-10-27 19:15:08 +00:00
|
|
|
if (keys.byteLength != 64) {
|
|
|
|
throw new Error("Got invalid length attachment keys");
|
|
|
|
}
|
|
|
|
if (encryptedBin.byteLength < 16 + 32) {
|
|
|
|
throw new Error("Got invalid length attachment");
|
|
|
|
}
|
|
|
|
|
2015-01-16 04:11:08 +00:00
|
|
|
var aes_key = keys.slice(0, 32);
|
|
|
|
var mac_key = keys.slice(32, 64);
|
|
|
|
|
|
|
|
var iv = encryptedBin.slice(0, 16);
|
|
|
|
var ciphertext = encryptedBin.slice(16, encryptedBin.byteLength - 32);
|
|
|
|
var ivAndCiphertext = encryptedBin.slice(0, encryptedBin.byteLength - 32);
|
|
|
|
var mac = encryptedBin.slice(encryptedBin.byteLength - 32, encryptedBin.byteLength);
|
|
|
|
|
2015-11-25 00:14:12 +00:00
|
|
|
return verifyMAC(ivAndCiphertext, mac_key, mac, 32).then(function() {
|
2017-04-18 18:12:39 +00:00
|
|
|
if (theirDigest !== null) {
|
2017-03-08 00:54:15 +00:00
|
|
|
return verifyDigest(encryptedBin, theirDigest);
|
|
|
|
}
|
|
|
|
}).then(function() {
|
2015-01-16 08:15:00 +00:00
|
|
|
return decrypt(aes_key, ciphertext, iv);
|
2015-01-16 04:11:08 +00:00
|
|
|
});
|
|
|
|
},
|
|
|
|
|
|
|
|
encryptAttachment: function(plaintext, keys, iv) {
|
2018-03-16 19:32:54 +00:00
|
|
|
if (!(plaintext instanceof ArrayBuffer) && !ArrayBuffer.isView(plaintext)) {
|
|
|
|
throw new TypeError(
|
|
|
|
'`plaintext` must be an `ArrayBuffer` or `ArrayBufferView`; got: ' +
|
|
|
|
typeof plaintext
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2015-10-27 19:15:08 +00:00
|
|
|
if (keys.byteLength != 64) {
|
|
|
|
throw new Error("Got invalid length attachment keys");
|
|
|
|
}
|
|
|
|
if (iv.byteLength != 16) {
|
|
|
|
throw new Error("Got invalid length attachment iv");
|
|
|
|
}
|
2015-01-16 04:11:08 +00:00
|
|
|
var aes_key = keys.slice(0, 32);
|
|
|
|
var mac_key = keys.slice(32, 64);
|
|
|
|
|
2015-01-16 08:15:00 +00:00
|
|
|
return encrypt(aes_key, plaintext, iv).then(function(ciphertext) {
|
2015-01-16 04:11:08 +00:00
|
|
|
var ivAndCiphertext = new Uint8Array(16 + ciphertext.byteLength);
|
|
|
|
ivAndCiphertext.set(new Uint8Array(iv));
|
|
|
|
ivAndCiphertext.set(new Uint8Array(ciphertext), 16);
|
|
|
|
|
2015-01-16 08:15:00 +00:00
|
|
|
return calculateMAC(mac_key, ivAndCiphertext.buffer).then(function(mac) {
|
2015-01-16 04:11:08 +00:00
|
|
|
var encryptedBin = new Uint8Array(16 + ciphertext.byteLength + 32);
|
|
|
|
encryptedBin.set(ivAndCiphertext);
|
|
|
|
encryptedBin.set(new Uint8Array(mac), 16 + ciphertext.byteLength);
|
2017-03-08 00:54:15 +00:00
|
|
|
return calculateDigest(encryptedBin.buffer).then(function(digest) {
|
|
|
|
return { ciphertext: encryptedBin.buffer, digest: digest };
|
|
|
|
});
|
2015-01-16 04:11:08 +00:00
|
|
|
});
|
|
|
|
});
|
2015-01-16 07:57:48 +00:00
|
|
|
},
|
2017-09-11 16:50:35 +00:00
|
|
|
encryptProfile: function(data, key) {
|
|
|
|
var iv = libsignal.crypto.getRandomBytes(PROFILE_IV_LENGTH);
|
|
|
|
if (key.byteLength != PROFILE_KEY_LENGTH) {
|
|
|
|
throw new Error("Got invalid length profile key");
|
|
|
|
}
|
|
|
|
if (iv.byteLength != PROFILE_IV_LENGTH) {
|
|
|
|
throw new Error("Got invalid length profile iv");
|
|
|
|
}
|
|
|
|
return crypto.subtle.importKey('raw', key, {name: 'AES-GCM'}, false, ['encrypt']).then(function(key) {
|
|
|
|
return crypto.subtle.encrypt({name: 'AES-GCM', iv: iv, tagLength: PROFILE_TAG_LENGTH}, key, data).then(function(ciphertext) {
|
|
|
|
var ivAndCiphertext = new Uint8Array(PROFILE_IV_LENGTH + ciphertext.byteLength);
|
|
|
|
ivAndCiphertext.set(new Uint8Array(iv));
|
|
|
|
ivAndCiphertext.set(new Uint8Array(ciphertext), PROFILE_IV_LENGTH);
|
|
|
|
return ivAndCiphertext.buffer;
|
|
|
|
});
|
|
|
|
});
|
|
|
|
},
|
|
|
|
decryptProfile: function(data, key) {
|
|
|
|
if (data.byteLength < 12 + 16 + 1) {
|
|
|
|
throw new Error("Got too short input: " + data.byteLength);
|
|
|
|
}
|
|
|
|
var iv = data.slice(0, PROFILE_IV_LENGTH);
|
|
|
|
var ciphertext = data.slice(PROFILE_IV_LENGTH, data.byteLength);
|
|
|
|
if (key.byteLength != PROFILE_KEY_LENGTH) {
|
|
|
|
throw new Error("Got invalid length profile key");
|
|
|
|
}
|
|
|
|
if (iv.byteLength != PROFILE_IV_LENGTH) {
|
|
|
|
throw new Error("Got invalid length profile iv");
|
|
|
|
}
|
|
|
|
var error = new Error(); // save stack
|
|
|
|
return crypto.subtle.importKey('raw', key, {name: 'AES-GCM'}, false, ['decrypt']).then(function(key) {
|
|
|
|
return crypto.subtle.decrypt({name: 'AES-GCM', iv: iv, tagLength: PROFILE_TAG_LENGTH}, key, ciphertext).catch(function(e) {
|
|
|
|
if (e.name === 'OperationError') {
|
|
|
|
// bad mac, basically.
|
|
|
|
error.message = 'Failed to decrypt profile data. Most likely the profile key has changed.';
|
|
|
|
error.name = 'ProfileDecryptError';
|
|
|
|
throw error;
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
|
|
|
},
|
|
|
|
encryptProfileName: function(name, key) {
|
|
|
|
var padded = new Uint8Array(PROFILE_NAME_PADDED_LENGTH);
|
|
|
|
padded.set(new Uint8Array(name));
|
|
|
|
return textsecure.crypto.encryptProfile(padded.buffer, key);
|
|
|
|
},
|
|
|
|
decryptProfileName: function(encryptedProfileName, key) {
|
|
|
|
var data = dcodeIO.ByteBuffer.wrap(encryptedProfileName, 'base64').toArrayBuffer();
|
|
|
|
return textsecure.crypto.decryptProfile(data, key).then(function(decrypted) {
|
|
|
|
// unpad
|
|
|
|
var name = '';
|
|
|
|
var padded = new Uint8Array(decrypted);
|
|
|
|
for (var i = padded.length; i > 0; i--) {
|
|
|
|
if (padded[i-1] !== 0x00) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return dcodeIO.ByteBuffer.wrap(padded).slice(0, i).toArrayBuffer();
|
|
|
|
});
|
|
|
|
},
|
|
|
|
|
2015-01-16 07:57:48 +00:00
|
|
|
|
|
|
|
getRandomBytes: function(size) {
|
2016-05-08 00:49:45 +00:00
|
|
|
return libsignal.crypto.getRandomBytes(size);
|
2015-01-16 04:11:08 +00:00
|
|
|
}
|
|
|
|
};
|
|
|
|
})();
|