mirrors/signal-desktop
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 2 Wiki Activity Actions

Attachment encrypt/decrypt: Validate digest/mac length for better errors

Browse source
This commit is contained in:
Scott Nonnenberg 2024-01-08 16:35:05 -08:00
parent d1aa47544b
commit 038194c946
1 changed files with 33 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

38
ts/AttachmentCrypto.ts
View file

@ -41,6 +41,7 @@ import type { ContextType } from './types/Message2';
export const IV_LENGTH = 16; export const IV_LENGTH = 16;
export const KEY_LENGTH = 32; export const KEY_LENGTH = 32;
export const DIGEST_LENGTH = 32;
export const ATTACHMENT_MAC_LENGTH = 32; export const ATTACHMENT_MAC_LENGTH = 32;
export type EncryptedAttachmentV2 = { export type EncryptedAttachmentV2 = {
@ -128,12 +129,20 @@ export async function encryptAttachmentV2({
} }
const { digest: plaintextHash } = plaintextHashTransform; const { digest: plaintextHash } = plaintextHashTransform;
if (!plaintextHash || !plaintextHash.byteLength) { if (
!plaintextHash ||
!plaintextHash.byteLength ||
plaintextHash.byteLength !== DIGEST_LENGTH
) {
throw new Error(`${logId}: Failed to generate plaintext hash!`); throw new Error(`${logId}: Failed to generate plaintext hash!`);
} }
const { digest: ourDigest } = digestTransform; const { digest: ourDigest } = digestTransform;
if (!ourDigest || !ourDigest.byteLength) { if (
!ourDigest ||
!ourDigest.byteLength ||
ourDigest.byteLength !== DIGEST_LENGTH
) {
throw new Error(`${logId}: Failed to generate ourDigest!`); throw new Error(`${logId}: Failed to generate ourDigest!`);
} }
@ -221,10 +230,18 @@ export async function decryptAttachmentV2({
const { ourMac } = macTransform; const { ourMac } = macTransform;
const { theirMac } = coreDecryptionTransform; const { theirMac } = coreDecryptionTransform;
if (!ourMac || !ourMac.byteLength) { if (
!ourMac ||
!ourMac.byteLength ||
ourMac.byteLength !== ATTACHMENT_MAC_LENGTH
) {
throw new Error(`${logId}: Failed to generate ourMac!`); throw new Error(`${logId}: Failed to generate ourMac!`);
} }
if (!theirMac || !theirMac.byteLength) { if (
!theirMac ||
!theirMac.byteLength ||
theirMac.byteLength !== ATTACHMENT_MAC_LENGTH
) {
throw new Error(`${logId}: Failed to find theirMac!`); throw new Error(`${logId}: Failed to find theirMac!`);
} }
if (!constantTimeEqual(ourMac, theirMac)) { if (!constantTimeEqual(ourMac, theirMac)) {
@ -232,9 +249,20 @@ export async function decryptAttachmentV2({
} }
const { digest: ourDigest } = digestTransform; const { digest: ourDigest } = digestTransform;
if (!ourDigest || !ourDigest.byteLength) { if (
!ourDigest ||
!ourDigest.byteLength ||
ourDigest.byteLength !== DIGEST_LENGTH
) {
throw new Error(`${logId}: Failed to generate ourDigest!`); throw new Error(`${logId}: Failed to generate ourDigest!`);
} }
if (
!theirDigest ||
!theirDigest.byteLength ||
theirDigest.byteLength !== DIGEST_LENGTH
) {
throw new Error(`${logId}: Failed to find theirDigest!`);
}
if (!constantTimeEqual(ourDigest, theirDigest)) { if (!constantTimeEqual(ourDigest, theirDigest)) {
throw new Error(`${logId}: Bad digest`); throw new Error(`${logId}: Bad digest`);
} }