/* * vim: ts=4:sw=4:expandtab */ ;(function(){ 'use strict'; var encrypt = libsignal.crypto.encrypt; var decrypt = libsignal.crypto.decrypt; var calculateMAC = libsignal.crypto.calculateMAC; var verifyMAC = libsignal.crypto.verifyMAC; var PROFILE_IV_LENGTH = 12; // bytes var PROFILE_KEY_LENGTH = 32; // bytes var PROFILE_TAG_LENGTH = 128; // bits var PROFILE_NAME_PADDED_LENGTH = 26; // bytes function verifyDigest(data, theirDigest) { return crypto.subtle.digest({name: 'SHA-256'}, data).then(function(ourDigest) { var a = new Uint8Array(ourDigest); var b = new Uint8Array(theirDigest); var result = 0; for (var i=0; i < theirDigest.byteLength; ++i) { result = result | (a[i] ^ b[i]); } if (result !== 0) { throw new Error('Bad digest'); } }); } function calculateDigest(data) { return crypto.subtle.digest({name: 'SHA-256'}, data); } window.textsecure = window.textsecure || {}; window.textsecure.crypto = { // Decrypts message into a raw string decryptWebsocketMessage: function(message, signaling_key) { var decodedMessage = message.toArrayBuffer(); if (signaling_key.byteLength != 52) { throw new Error("Got invalid length signaling_key"); } if (decodedMessage.byteLength < 1 + 16 + 10) { throw new Error("Got invalid length message"); } if (new Uint8Array(decodedMessage)[0] != 1) { throw new Error("Got bad version number: " + decodedMessage[0]); } var aes_key = signaling_key.slice(0, 32); var mac_key = signaling_key.slice(32, 32 + 20); var iv = decodedMessage.slice(1, 1 + 16); var ciphertext = decodedMessage.slice(1 + 16, decodedMessage.byteLength - 10); var ivAndCiphertext = decodedMessage.slice(0, decodedMessage.byteLength - 10); var mac = decodedMessage.slice(decodedMessage.byteLength - 10, decodedMessage.byteLength); return verifyMAC(ivAndCiphertext, mac_key, mac, 10).then(function() { return decrypt(aes_key, ciphertext, iv); }); }, decryptAttachment: function(encryptedBin, keys, theirDigest) { if (keys.byteLength != 64) { throw new Error("Got invalid length attachment keys"); } if (encryptedBin.byteLength < 16 + 32) { throw new Error("Got invalid length attachment"); } var aes_key = keys.slice(0, 32); var mac_key = keys.slice(32, 64); var iv = encryptedBin.slice(0, 16); var ciphertext = encryptedBin.slice(16, encryptedBin.byteLength - 32); var ivAndCiphertext = encryptedBin.slice(0, encryptedBin.byteLength - 32); var mac = encryptedBin.slice(encryptedBin.byteLength - 32, encryptedBin.byteLength); return verifyMAC(ivAndCiphertext, mac_key, mac, 32).then(function() { if (theirDigest !== null) { return verifyDigest(encryptedBin, theirDigest); } }).then(function() { return decrypt(aes_key, ciphertext, iv); }); }, encryptAttachment: function(plaintext, keys, iv) { if (keys.byteLength != 64) { throw new Error("Got invalid length attachment keys"); } if (iv.byteLength != 16) { throw new Error("Got invalid length attachment iv"); } var aes_key = keys.slice(0, 32); var mac_key = keys.slice(32, 64); return encrypt(aes_key, plaintext, iv).then(function(ciphertext) { var ivAndCiphertext = new Uint8Array(16 + ciphertext.byteLength); ivAndCiphertext.set(new Uint8Array(iv)); ivAndCiphertext.set(new Uint8Array(ciphertext), 16); return calculateMAC(mac_key, ivAndCiphertext.buffer).then(function(mac) { var encryptedBin = new Uint8Array(16 + ciphertext.byteLength + 32); encryptedBin.set(ivAndCiphertext); encryptedBin.set(new Uint8Array(mac), 16 + ciphertext.byteLength); return calculateDigest(encryptedBin.buffer).then(function(digest) { return { ciphertext: encryptedBin.buffer, digest: digest }; }); }); }); }, encryptProfile: function(data, key) { var iv = libsignal.crypto.getRandomBytes(PROFILE_IV_LENGTH); if (key.byteLength != PROFILE_KEY_LENGTH) { throw new Error("Got invalid length profile key"); } if (iv.byteLength != PROFILE_IV_LENGTH) { throw new Error("Got invalid length profile iv"); } return crypto.subtle.importKey('raw', key, {name: 'AES-GCM'}, false, ['encrypt']).then(function(key) { return crypto.subtle.encrypt({name: 'AES-GCM', iv: iv, tagLength: PROFILE_TAG_LENGTH}, key, data).then(function(ciphertext) { var ivAndCiphertext = new Uint8Array(PROFILE_IV_LENGTH + ciphertext.byteLength); ivAndCiphertext.set(new Uint8Array(iv)); ivAndCiphertext.set(new Uint8Array(ciphertext), PROFILE_IV_LENGTH); return ivAndCiphertext.buffer; }); }); }, decryptProfile: function(data, key) { if (data.byteLength < 12 + 16 + 1) { throw new Error("Got too short input: " + data.byteLength); } var iv = data.slice(0, PROFILE_IV_LENGTH); var ciphertext = data.slice(PROFILE_IV_LENGTH, data.byteLength); if (key.byteLength != PROFILE_KEY_LENGTH) { throw new Error("Got invalid length profile key"); } if (iv.byteLength != PROFILE_IV_LENGTH) { throw new Error("Got invalid length profile iv"); } var error = new Error(); // save stack return crypto.subtle.importKey('raw', key, {name: 'AES-GCM'}, false, ['decrypt']).then(function(key) { return crypto.subtle.decrypt({name: 'AES-GCM', iv: iv, tagLength: PROFILE_TAG_LENGTH}, key, ciphertext).catch(function(e) { if (e.name === 'OperationError') { // bad mac, basically. error.message = 'Failed to decrypt profile data. Most likely the profile key has changed.'; error.name = 'ProfileDecryptError'; throw error; } }); }); }, encryptProfileName: function(name, key) { var padded = new Uint8Array(PROFILE_NAME_PADDED_LENGTH); padded.set(new Uint8Array(name)); return textsecure.crypto.encryptProfile(padded.buffer, key); }, decryptProfileName: function(encryptedProfileName, key) { var data = dcodeIO.ByteBuffer.wrap(encryptedProfileName, 'base64').toArrayBuffer(); return textsecure.crypto.decryptProfile(data, key).then(function(decrypted) { // unpad var name = ''; var padded = new Uint8Array(decrypted); for (var i = padded.length; i > 0; i--) { if (padded[i-1] !== 0x00) { break; } } return dcodeIO.ByteBuffer.wrap(padded).slice(0, i).toArrayBuffer(); }); }, getRandomBytes: function(size) { return libsignal.crypto.getRandomBytes(size); } }; })();