mirrors/signal-desktop
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Store IV when encrypting or decrypting attachments

Browse source
This commit is contained in:
trevor-signal 2024-05-28 21:12:14 -04:00 committed by GitHub
parent 1d5690acba
commit 85a75cb28f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 136 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
ts/AttachmentCrypto.ts
View file

@ -27,6 +27,7 @@ import type { ContextType } from './types/Message2';
import { strictAssert } from './util/assert';
import * as Errors from './types/errors';
import { isNotNil } from './util/isNotNil';
import { missingCaseError } from './util/missingCaseError';
// This file was split from ts/Crypto.ts because it pulls things in from node, and
// too many things pull in Crypto.ts, so it broke storybook.
@ -46,12 +47,14 @@ export function _generateAttachmentIv(): Uint8Array {
export type EncryptedAttachmentV2 = {
digest: Uint8Array;
iv: Uint8Array;
plaintextHash: string;
ciphertextSize: number;
};
export type DecryptedAttachmentV2 = {
path: string;
iv: Uint8Array;
plaintextHash: string;
};
@ -59,10 +62,21 @@ export type PlaintextSourceType =
| { data: Uint8Array }
| { absolutePath: string };
export type HardcodedIVForEncryptionType =
| {
reason: 'test';
iv: Uint8Array;
}
| {
reason: 'reencrypting-for-backup';
iv: Uint8Array;
digestToMatch: Uint8Array;
};
type EncryptAttachmentV2PropsType = {
plaintext: PlaintextSourceType;
keys: Readonly<Uint8Array>;
dangerousTestOnlyIv?: Readonly<Uint8Array>;
dangerousIv?: HardcodedIVForEncryptionType;
dangerousTestOnlySkipPadding?: boolean;
};
@ -96,7 +110,7 @@ export async function encryptAttachmentV2ToDisk(
export async function encryptAttachmentV2({
keys,
plaintext,
dangerousTestOnlyIv,
dangerousIv,
dangerousTestOnlySkipPadding,
sink,
}: EncryptAttachmentV2PropsType & {
@ -106,9 +120,26 @@ export async function encryptAttachmentV2({
const { aesKey, macKey } = splitKeys(keys);
if (dangerousTestOnlyIv && window.getEnvironment() !== Environment.Test) {
throw new Error(`${logId}: Used dangerousTestOnlyIv outside tests!`);
if (dangerousIv) {
if (dangerousIv.reason === 'test') {
if (window.getEnvironment() !== Environment.Test) {
throw new Error(
`${logId}: Used dangerousIv with reason test outside tests!`
);
}
} else if (dangerousIv.reason === 'reencrypting-for-backup') {
strictAssert(
dangerousIv.digestToMatch.byteLength === DIGEST_LENGTH,
`${logId}: Must provide valid digest to match if providing iv for re-encryption`
);
log.info(
`${logId}: using hardcoded iv because we are re-encrypting for backup`
);
} else {
throw missingCaseError(dangerousIv);
}
}
if (
dangerousTestOnlySkipPadding &&
window.getEnvironment() !== Environment.Test
@ -117,7 +148,8 @@ export async function encryptAttachmentV2({
`${logId}: Used dangerousTestOnlySkipPadding outside tests!`
);
}
const iv = dangerousTestOnlyIv || _generateAttachmentIv();
const iv = dangerousIv?.iv || _generateAttachmentIv();
const plaintextHash = createHash(HashType.size256);
const digest = createHash(HashType.size256);
@ -167,8 +199,16 @@ export async function encryptAttachmentV2({
strictAssert(ciphertextSize != null, 'Failed to measure ciphertext size!');
if (dangerousIv?.reason === 'reencrypting-for-backup') {
if (!constantTimeEqual(ourDigest, dangerousIv.digestToMatch)) {
throw new Error(
`${logId}: iv was hardcoded for backup re-encryption, but digest does not match`
);
}
}
return {
digest: ourDigest,
iv,
plaintextHash: ourPlaintextHash,
ciphertextSize,
};
@ -230,6 +270,7 @@ export async function decryptAttachmentV2(
let readFd;
let writeFd;
let iv: Uint8Array | undefined;
try {
try {
readFd = await open(ciphertextPath, 'r');
@ -252,7 +293,9 @@ export async function decryptAttachmentV2(
getMacAndUpdateHmac(hmac, theirMacValue => {
theirMac = theirMacValue;
}),
getIvAndDecipher(aesKey),
getIvAndDecipher(aesKey, theirIv => {
iv = theirIv;
}),
trimPadding(options.size),
peekAndUpdateHash(plaintextHash),
writeFd.createWriteStream(),
@ -297,6 +340,11 @@ export async function decryptAttachmentV2(
throw new Error(`${logId}: Bad digest`);
}
strictAssert(
iv != null && iv.byteLength === IV_LENGTH,
`${logId}: failed to find their iv`
);
if (outerEncryption) {
strictAssert(outerHmac, 'outerHmac must exist');
@ -318,6 +366,7 @@ export async function decryptAttachmentV2(
return {
path: relativeTargetPath,
iv,
plaintextHash: ourPlaintextHash,
};
}
@ -404,7 +453,10 @@ export function getMacAndUpdateHmac(
* Gets the IV from the start of the stream and creates a decipher.
* Then deciphers the rest of the stream.
*/
export function getIvAndDecipher(aesKey: Uint8Array): Transform {
export function getIvAndDecipher(
aesKey: Uint8Array,
onFoundIv?: (iv: Buffer) => void
): Transform {
let maybeIvBytes: Buffer | null = Buffer.alloc(0);
let decipher: Decipher | null = null;
return new Transform({
@ -428,6 +480,7 @@ export function getIvAndDecipher(aesKey: Uint8Array): Transform {
// remainder of the bytes through.
const iv = maybeIvBytes.subarray(0, IV_LENGTH);
const remainder = maybeIvBytes.subarray(IV_LENGTH);
onFoundIv?.(iv);
maybeIvBytes = null; // free memory
decipher = createDecipheriv(CipherType.AES256CBC, aesKey, iv);
callback(null, decipher.update(remainder));

71
ts/test-electron/Crypto_test.ts
View file

@ -37,6 +37,7 @@ import {
CipherType,
} from '../Crypto';
import {
type HardcodedIVForEncryptionType,
KEY_SET_LENGTH,
_generateAttachmentIv,
decryptAttachmentV2,
@ -608,19 +609,24 @@ describe('Crypto', () => {
path,
data,
plaintextHash,
encryptionKeys,
dangerousIv,
}: {
path?: string;
data: Uint8Array;
plaintextHash: Uint8Array;
encryptionKeys?: Uint8Array;
dangerousIv?: HardcodedIVForEncryptionType;
}): Promise<void> {
let plaintextPath;
let ciphertextPath;
const keys = generateAttachmentKeys();
const keys = encryptionKeys ?? generateAttachmentKeys();
try {
const encryptedAttachment = await encryptAttachmentV2ToDisk({
keys,
plaintext: path ? { absolutePath: path } : { data },
dangerousIv,
});
ciphertextPath = window.Signal.Migrations.getAbsoluteAttachmentPath(
@ -639,6 +645,21 @@ describe('Crypto', () => {
);
const plaintext = readFileSync(plaintextPath);
assert.deepStrictEqual(
encryptedAttachment.iv,
decryptedAttachment.iv
);
if (dangerousIv) {
assert.deepStrictEqual(encryptedAttachment.iv, dangerousIv.iv);
if (dangerousIv.reason === 'reencrypting-for-backup') {
assert.deepStrictEqual(
encryptedAttachment.digest,
dangerousIv.digestToMatch
);
}
}
assert.isTrue(constantTimeEqual(data, plaintext));
assert.strictEqual(
encryptedAttachment.ciphertextSize,
@ -711,6 +732,52 @@ describe('Crypto', () => {
plaintextHash,
});
});
describe('dangerousIv', () => {
it('uses hardcodedIv in tests', async () => {
await testV2RoundTripData({
data: FILE_CONTENTS,
plaintextHash: FILE_HASH,
dangerousIv: {
reason: 'test',
iv: _generateAttachmentIv(),
},
});
});
it('uses hardcodedIv when re-encrypting for backup', async () => {
const keys = generateAttachmentKeys();
const previouslyEncrypted = await encryptAttachmentV2ToDisk({
keys,
plaintext: { data: FILE_CONTENTS },
});
await testV2RoundTripData({
data: FILE_CONTENTS,
plaintextHash: FILE_HASH,
encryptionKeys: keys,
dangerousIv: {
reason: 'reencrypting-for-backup',
iv: previouslyEncrypted.iv,
digestToMatch: previouslyEncrypted.digest,
},
});
// If the digest is wrong, it should throw
await assert.isRejected(
testV2RoundTripData({
data: FILE_CONTENTS,
plaintextHash: FILE_HASH,
encryptionKeys: keys,
dangerousIv: {
reason: 'reencrypting-for-backup',
iv: previouslyEncrypted.iv,
digestToMatch: getRandomBytes(32),
},
}),
'iv was hardcoded for backup re-encryption, but digest does not match'
);
});
});
});
it('v2 -> v1 (disk -> memory)', async () => {
@ -774,7 +841,7 @@ describe('Crypto', () => {
const encryptedAttachmentV2 = await encryptAttachmentV2ToDisk({
keys,
plaintext: { absolutePath: FILE_PATH },
dangerousTestOnlyIv,
dangerousIv: { iv: dangerousTestOnlyIv, reason: 'test' },
});
ciphertextPath = window.Signal.Migrations.getAbsoluteAttachmentPath(
encryptedAttachmentV2.path

3
ts/textsecure/downloadAttachment.ts
View file

@ -132,7 +132,7 @@ export async function downloadAttachment(
window.Signal.Migrations.getAbsoluteAttachmentPath(downloadedPath);
const { aesKey, macKey } = splitKeys(Bytes.fromBase64(key));
const { path, plaintextHash } = await decryptAttachmentV2({
const { path, plaintextHash, iv } = await decryptAttachmentV2({
ciphertextPath: cipherTextAbsolutePath,
idForLogging: logId,
aesKey,
@ -155,6 +155,7 @@ export async function downloadAttachment(
? MIME.stringToMIMEType(contentType)
: MIME.APPLICATION_OCTET_STREAM,
plaintextHash,
iv: Bytes.toBase64(iv),
};
}

2
ts/types/Attachment.ts
View file

@ -74,6 +74,7 @@ export type AttachmentType = {
cdnId?: string;
cdnKey?: string;
key?: string;
iv?: string;
data?: Uint8Array;
textAttachment?: TextAttachmentType;
wasTooBig?: boolean;
@ -97,6 +98,7 @@ export type UploadedAttachmentType = Proto.IAttachmentPointer &
Readonly<{
// Required fields
cdnKey: string;
iv: Uint8Array;
key: Uint8Array;
size: number;
digest: Uint8Array;

3
ts/util/attachments.ts
View file

@ -77,7 +77,7 @@ export const downscaleOutgoingAttachment = async (
export type CdnFieldsType = Pick<
AttachmentType,
'cdnId' | 'cdnKey' | 'cdnNumber' | 'key' | 'digest' | 'plaintextHash'
'cdnId' | 'cdnKey' | 'cdnNumber' | 'key' | 'digest' | 'iv' | 'plaintextHash'
>;
export function copyCdnFields(
@ -91,6 +91,7 @@ export function copyCdnFields(
cdnKey: uploaded.cdnKey,
cdnNumber: dropNull(uploaded.cdnNumber),
key: Bytes.toBase64(uploaded.key),
iv: Bytes.toBase64(uploaded.iv),
digest: Bytes.toBase64(uploaded.digest),
plaintextHash: uploaded.plaintextHash,
};

1
ts/util/uploadAttachment.ts
View file

@ -40,6 +40,7 @@ export async function uploadAttachment(
cdnKey,
cdnNumber,
key: keys,
iv: encrypted.iv,
size: attachment.data.byteLength,
digest: encrypted.digest,
plaintextHash: encrypted.plaintextHash,