Validate argument lengths in crypto.js

These functions accept an array buffer and extract an AES and MAC key from it without verifying it has the appropriate length. Ciphertext messages are similarly dissected. The slice function does not raise an error on out of bounds accesses but instead returns an empty or partially-filled array. Empty or short arrays will be passed through to the window.crypto.subtle API, where they will raise an error. We should not rely on the Web Crypto API to validate key lengths or for MAC checks to fail. Instead, validate the lengths of given parameters before extracting their components. // FREEBIE
2015-10-27 12:15:08 -07:00 · 2015-10-27 12:15:08 -07:00 · ac7c95fed0
commit ac7c95fed0
parent cb93ad4cff
2 changed files with 50 additions and 8 deletions
--- a/js/libtextsecure.js
+++ b/js/libtextsecure.js
@ -37897,13 +37897,21 @@ axolotlInternal.RecipientRecord = function() {
    window.textsecure.crypto = {
        // Decrypts message into a raw string
        decryptWebsocketMessage: function(message, signaling_key) {
+            var decodedMessage = message.toArrayBuffer();
+
+            if (signaling_key.byteLength != 52) {
+                throw new Error("Got invalid length signaling_key");
+            }
+            if (decodedMessage.byteLength < 1 + 16 + 10) {
+                throw new Error("Got invalid length message");
+            }
+            if (new Uint8Array(decodedMessage)[0] != 1) {
+                throw new Error("Got bad version number: " + decodedMessage[0]);
+            }
+
            var aes_key = signaling_key.slice(0, 32);
            var mac_key = signaling_key.slice(32, 32 + 20);

-            var decodedMessage = message.toArrayBuffer();
-            if (new Uint8Array(decodedMessage)[0] != 1)
-                throw new Error("Got bad version number: " + decodedMessage[0]);
-
            var iv = decodedMessage.slice(1, 1 + 16);
            var ciphertext = decodedMessage.slice(1 + 16, decodedMessage.byteLength - 10);
            var ivAndCiphertext = decodedMessage.slice(0, decodedMessage.byteLength - 10);
@ -37915,6 +37923,13 @@ axolotlInternal.RecipientRecord = function() {
        },

        decryptAttachment: function(encryptedBin, keys) {
+            if (keys.byteLength != 64) {
+                throw new Error("Got invalid length attachment keys");
+            }
+            if (encryptedBin.byteLength < 16 + 32) {
+                throw new Error("Got invalid length attachment");
+            }
+
            var aes_key = keys.slice(0, 32);
            var mac_key = keys.slice(32, 64);

@ -37929,6 +37944,12 @@ axolotlInternal.RecipientRecord = function() {
        },

        encryptAttachment: function(plaintext, keys, iv) {
+            if (keys.byteLength != 64) {
+                throw new Error("Got invalid length attachment keys");
+            }
+            if (iv.byteLength != 16) {
+                throw new Error("Got invalid length attachment iv");
+            }
            var aes_key = keys.slice(0, 32);
            var mac_key = keys.slice(32, 64);