Merge pull request #1061 from matrix-org/rav/megolm_key_encryption_errors
Improve error logging/reporting in megolm import/export
This commit is contained in:
commit
57b4c422b1
5 changed files with 176 additions and 96 deletions
|
@ -81,11 +81,13 @@ export default React.createClass({
|
|||
FileSaver.saveAs(blob, 'riot-keys.txt');
|
||||
this.props.onFinished(true);
|
||||
}).catch((e) => {
|
||||
console.error("Error exporting e2e keys:", e);
|
||||
if (this._unmounted) {
|
||||
return;
|
||||
}
|
||||
const msg = e.friendlyText || _t('Unknown error');
|
||||
this.setState({
|
||||
errStr: e.message,
|
||||
errStr: msg,
|
||||
phase: PHASE_EDIT,
|
||||
});
|
||||
});
|
||||
|
|
|
@ -89,11 +89,13 @@ export default React.createClass({
|
|||
// TODO: it would probably be nice to give some feedback about what we've imported here.
|
||||
this.props.onFinished(true);
|
||||
}).catch((e) => {
|
||||
console.error("Error importing e2e keys:", e);
|
||||
if (this._unmounted) {
|
||||
return;
|
||||
}
|
||||
const msg = e.friendlyText || _t('Unknown error');
|
||||
this.setState({
|
||||
errStr: e.message,
|
||||
errStr: msg,
|
||||
phase: PHASE_EDIT,
|
||||
});
|
||||
});
|
||||
|
|
|
@ -908,5 +908,8 @@
|
|||
"Username not available": "Username not available",
|
||||
"Something went wrong!": "Something went wrong!",
|
||||
"This will be your account name on the <span></span> homeserver, or you can pick a <a>different server</a>.": "This will be your account name on the <span></span> homeserver, or you can pick a <a>different server</a>.",
|
||||
"If you already have a Matrix account you can <a>log in</a> instead.": "If you already have a Matrix account you can <a>log in</a> instead."
|
||||
"If you already have a Matrix account you can <a>log in</a> instead.": "If you already have a Matrix account you can <a>log in</a> instead.",
|
||||
"Your browser does not support the required cryptography extensions": "Your browser does not support the required cryptography extensions",
|
||||
"Not a valid Riot keyfile": "Not a valid Riot keyfile",
|
||||
"Authentication check failed: incorrect password?": "Authentication check failed: incorrect password?"
|
||||
}
|
||||
|
|
|
@ -27,31 +27,57 @@ if (!TextDecoder) {
|
|||
TextDecoder = TextEncodingUtf8.TextDecoder;
|
||||
}
|
||||
|
||||
import { _t } from '../languageHandler';
|
||||
|
||||
|
||||
const subtleCrypto = window.crypto.subtle || window.crypto.webkitSubtle;
|
||||
|
||||
/**
|
||||
* Make an Error object which has a friendlyText property which is already
|
||||
* translated and suitable for showing to the user.
|
||||
*
|
||||
* @param {string} msg message for the exception
|
||||
* @param {string} friendlyText
|
||||
* @returns {Error}
|
||||
*/
|
||||
function friendlyError(msg, friendlyText) {
|
||||
const e = new Error(msg);
|
||||
e.friendlyText = friendlyText;
|
||||
return e;
|
||||
}
|
||||
|
||||
function cryptoFailMsg() {
|
||||
return _t('Your browser does not support the required cryptography extensions');
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrypt a megolm key file
|
||||
*
|
||||
* @param {ArrayBuffer} data file to decrypt
|
||||
* @param {String} password
|
||||
* @return {Promise<String>} promise for decrypted output
|
||||
*
|
||||
*
|
||||
*/
|
||||
export function decryptMegolmKeyFile(data, password) {
|
||||
export async function decryptMegolmKeyFile(data, password) {
|
||||
const body = unpackMegolmKeyFile(data);
|
||||
|
||||
// check we have a version byte
|
||||
if (body.length < 1) {
|
||||
throw new Error('Invalid file: too short');
|
||||
throw friendlyError('Invalid file: too short',
|
||||
_t('Not a valid Riot keyfile'));
|
||||
}
|
||||
|
||||
const version = body[0];
|
||||
if (version !== 1) {
|
||||
throw new Error('Unsupported version');
|
||||
throw friendlyError('Unsupported version',
|
||||
_t('Not a valid Riot keyfile'));
|
||||
}
|
||||
|
||||
const ciphertextLength = body.length-(1+16+16+4+32);
|
||||
if (ciphertextLength < 0) {
|
||||
throw new Error('Invalid file: too short');
|
||||
throw friendlyError('Invalid file: too short',
|
||||
_t('Not a valid Riot keyfile'));
|
||||
}
|
||||
|
||||
const salt = body.subarray(1, 1+16);
|
||||
|
@ -60,33 +86,41 @@ export function decryptMegolmKeyFile(data, password) {
|
|||
const ciphertext = body.subarray(37, 37+ciphertextLength);
|
||||
const hmac = body.subarray(-32);
|
||||
|
||||
return deriveKeys(salt, iterations, password).then((keys) => {
|
||||
const [aesKey, hmacKey] = keys;
|
||||
const [aesKey, hmacKey] = await deriveKeys(salt, iterations, password);
|
||||
const toVerify = body.subarray(0, -32);
|
||||
|
||||
const toVerify = body.subarray(0, -32);
|
||||
return subtleCrypto.verify(
|
||||
let isValid;
|
||||
try {
|
||||
isValid = await subtleCrypto.verify(
|
||||
{name: 'HMAC'},
|
||||
hmacKey,
|
||||
hmac,
|
||||
toVerify,
|
||||
).then((isValid) => {
|
||||
if (!isValid) {
|
||||
throw new Error('Authentication check failed: incorrect password?');
|
||||
}
|
||||
);
|
||||
} catch (e) {
|
||||
throw friendlyError('subtleCrypto.verify failed: ' + e, cryptoFailMsg());
|
||||
}
|
||||
if (!isValid) {
|
||||
throw friendlyError('hmac mismatch',
|
||||
_t('Authentication check failed: incorrect password?'));
|
||||
}
|
||||
|
||||
return subtleCrypto.decrypt(
|
||||
{
|
||||
name: "AES-CTR",
|
||||
counter: iv,
|
||||
length: 64,
|
||||
},
|
||||
aesKey,
|
||||
ciphertext,
|
||||
);
|
||||
});
|
||||
}).then((plaintext) => {
|
||||
return new TextDecoder().decode(new Uint8Array(plaintext));
|
||||
});
|
||||
let plaintext;
|
||||
try {
|
||||
plaintext = await subtleCrypto.decrypt(
|
||||
{
|
||||
name: "AES-CTR",
|
||||
counter: iv,
|
||||
length: 64,
|
||||
},
|
||||
aesKey,
|
||||
ciphertext,
|
||||
);
|
||||
} catch(e) {
|
||||
throw friendlyError('subtleCrypto.decrypt failed: ' + e, cryptoFailMsg());
|
||||
}
|
||||
|
||||
return new TextDecoder().decode(new Uint8Array(plaintext));
|
||||
}
|
||||
|
||||
|
||||
|
@ -100,7 +134,7 @@ export function decryptMegolmKeyFile(data, password) {
|
|||
* key-derivation function.
|
||||
* @return {Promise<ArrayBuffer>} promise for encrypted output
|
||||
*/
|
||||
export function encryptMegolmKeyFile(data, password, options) {
|
||||
export async function encryptMegolmKeyFile(data, password, options) {
|
||||
options = options || {};
|
||||
const kdfRounds = options.kdf_rounds || 500000;
|
||||
|
||||
|
@ -115,44 +149,54 @@ export function encryptMegolmKeyFile(data, password, options) {
|
|||
// of a single bit of iv is a price we have to pay.
|
||||
iv[9] &= 0x7f;
|
||||
|
||||
return deriveKeys(salt, kdfRounds, password).then((keys) => {
|
||||
const [aesKey, hmacKey] = keys;
|
||||
const [aesKey, hmacKey] = await deriveKeys(salt, kdfRounds, password);
|
||||
const encodedData = new TextEncoder().encode(data);
|
||||
|
||||
return subtleCrypto.encrypt(
|
||||
let ciphertext;
|
||||
try {
|
||||
ciphertext = await subtleCrypto.encrypt(
|
||||
{
|
||||
name: "AES-CTR",
|
||||
counter: iv,
|
||||
length: 64,
|
||||
},
|
||||
aesKey,
|
||||
new TextEncoder().encode(data),
|
||||
).then((ciphertext) => {
|
||||
const cipherArray = new Uint8Array(ciphertext);
|
||||
const bodyLength = (1+salt.length+iv.length+4+cipherArray.length+32);
|
||||
const resultBuffer = new Uint8Array(bodyLength);
|
||||
let idx = 0;
|
||||
resultBuffer[idx++] = 1; // version
|
||||
resultBuffer.set(salt, idx); idx += salt.length;
|
||||
resultBuffer.set(iv, idx); idx += iv.length;
|
||||
resultBuffer[idx++] = kdfRounds >> 24;
|
||||
resultBuffer[idx++] = (kdfRounds >> 16) & 0xff;
|
||||
resultBuffer[idx++] = (kdfRounds >> 8) & 0xff;
|
||||
resultBuffer[idx++] = kdfRounds & 0xff;
|
||||
resultBuffer.set(cipherArray, idx); idx += cipherArray.length;
|
||||
encodedData,
|
||||
);
|
||||
} catch (e) {
|
||||
throw friendlyError('subtleCrypto.encrypt failed: ' + e, cryptoFailMsg());
|
||||
}
|
||||
|
||||
const toSign = resultBuffer.subarray(0, idx);
|
||||
const cipherArray = new Uint8Array(ciphertext);
|
||||
const bodyLength = (1+salt.length+iv.length+4+cipherArray.length+32);
|
||||
const resultBuffer = new Uint8Array(bodyLength);
|
||||
let idx = 0;
|
||||
resultBuffer[idx++] = 1; // version
|
||||
resultBuffer.set(salt, idx); idx += salt.length;
|
||||
resultBuffer.set(iv, idx); idx += iv.length;
|
||||
resultBuffer[idx++] = kdfRounds >> 24;
|
||||
resultBuffer[idx++] = (kdfRounds >> 16) & 0xff;
|
||||
resultBuffer[idx++] = (kdfRounds >> 8) & 0xff;
|
||||
resultBuffer[idx++] = kdfRounds & 0xff;
|
||||
resultBuffer.set(cipherArray, idx); idx += cipherArray.length;
|
||||
|
||||
return subtleCrypto.sign(
|
||||
{name: 'HMAC'},
|
||||
hmacKey,
|
||||
toSign,
|
||||
).then((hmac) => {
|
||||
hmac = new Uint8Array(hmac);
|
||||
resultBuffer.set(hmac, idx);
|
||||
return packMegolmKeyFile(resultBuffer);
|
||||
});
|
||||
});
|
||||
});
|
||||
const toSign = resultBuffer.subarray(0, idx);
|
||||
|
||||
let hmac;
|
||||
try {
|
||||
hmac = await subtleCrypto.sign(
|
||||
{name: 'HMAC'},
|
||||
hmacKey,
|
||||
toSign,
|
||||
);
|
||||
} catch (e) {
|
||||
throw friendlyError('subtleCrypto.sign failed: ' + e, cryptoFailMsg());
|
||||
}
|
||||
|
||||
|
||||
const hmacArray = new Uint8Array(hmac);
|
||||
resultBuffer.set(hmacArray, idx);
|
||||
return packMegolmKeyFile(resultBuffer);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -163,16 +207,25 @@ export function encryptMegolmKeyFile(data, password, options) {
|
|||
* @param {String} password password
|
||||
* @return {Promise<[CryptoKey, CryptoKey]>} promise for [aes key, hmac key]
|
||||
*/
|
||||
function deriveKeys(salt, iterations, password) {
|
||||
async function deriveKeys(salt, iterations, password) {
|
||||
const start = new Date();
|
||||
return subtleCrypto.importKey(
|
||||
'raw',
|
||||
new TextEncoder().encode(password),
|
||||
{name: 'PBKDF2'},
|
||||
false,
|
||||
['deriveBits'],
|
||||
).then((key) => {
|
||||
return subtleCrypto.deriveBits(
|
||||
|
||||
let key;
|
||||
try {
|
||||
key = await subtleCrypto.importKey(
|
||||
'raw',
|
||||
new TextEncoder().encode(password),
|
||||
{name: 'PBKDF2'},
|
||||
false,
|
||||
['deriveBits'],
|
||||
);
|
||||
} catch (e) {
|
||||
throw friendlyError('subtleCrypto.importKey failed: ' + e, cryptoFailMsg());
|
||||
}
|
||||
|
||||
let keybits;
|
||||
try {
|
||||
keybits = await subtleCrypto.deriveBits(
|
||||
{
|
||||
name: 'PBKDF2',
|
||||
salt: salt,
|
||||
|
@ -182,32 +235,40 @@ function deriveKeys(salt, iterations, password) {
|
|||
key,
|
||||
512,
|
||||
);
|
||||
}).then((keybits) => {
|
||||
const now = new Date();
|
||||
console.log("E2e import/export: deriveKeys took " + (now - start) + "ms");
|
||||
} catch (e) {
|
||||
throw friendlyError('subtleCrypto.deriveBits failed: ' + e, cryptoFailMsg());
|
||||
}
|
||||
|
||||
const aesKey = keybits.slice(0, 32);
|
||||
const hmacKey = keybits.slice(32);
|
||||
const now = new Date();
|
||||
console.log("E2e import/export: deriveKeys took " + (now - start) + "ms");
|
||||
|
||||
const aesProm = subtleCrypto.importKey(
|
||||
'raw',
|
||||
aesKey,
|
||||
{name: 'AES-CTR'},
|
||||
false,
|
||||
['encrypt', 'decrypt'],
|
||||
);
|
||||
const hmacProm = subtleCrypto.importKey(
|
||||
'raw',
|
||||
hmacKey,
|
||||
{
|
||||
name: 'HMAC',
|
||||
hash: {name: 'SHA-256'},
|
||||
},
|
||||
false,
|
||||
['sign', 'verify'],
|
||||
);
|
||||
return Promise.all([aesProm, hmacProm]);
|
||||
const aesKey = keybits.slice(0, 32);
|
||||
const hmacKey = keybits.slice(32);
|
||||
|
||||
const aesProm = subtleCrypto.importKey(
|
||||
'raw',
|
||||
aesKey,
|
||||
{name: 'AES-CTR'},
|
||||
false,
|
||||
['encrypt', 'decrypt'],
|
||||
).catch((e) => {
|
||||
throw friendlyError('subtleCrypto.importKey failed for AES key: ' + e, cryptoFailMsg());
|
||||
});
|
||||
|
||||
const hmacProm = subtleCrypto.importKey(
|
||||
'raw',
|
||||
hmacKey,
|
||||
{
|
||||
name: 'HMAC',
|
||||
hash: {name: 'SHA-256'},
|
||||
},
|
||||
false,
|
||||
['sign', 'verify'],
|
||||
).catch((e) => {
|
||||
throw friendlyError('subtleCrypto.importKey failed for HMAC key: ' + e, cryptoFailMsg());
|
||||
});
|
||||
|
||||
return await Promise.all([aesProm, hmacProm]);
|
||||
}
|
||||
|
||||
const HEADER_LINE = '-----BEGIN MEGOLM SESSION DATA-----';
|
||||
|
|
|
@ -81,15 +81,23 @@ describe('MegolmExportEncryption', function() {
|
|||
describe('decrypt', function() {
|
||||
it('should handle missing header', function() {
|
||||
const input=stringToArray(`-----`);
|
||||
expect(()=>MegolmExportEncryption.decryptMegolmKeyFile(input, ''))
|
||||
.toThrow('Header line not found');
|
||||
return MegolmExportEncryption.decryptMegolmKeyFile(input, '')
|
||||
.then((res) => {
|
||||
throw new Error('expected to throw');
|
||||
}, (error) => {
|
||||
expect(error.message).toEqual('Header line not found');
|
||||
});
|
||||
});
|
||||
|
||||
it('should handle missing trailer', function() {
|
||||
const input=stringToArray(`-----BEGIN MEGOLM SESSION DATA-----
|
||||
-----`);
|
||||
expect(()=>MegolmExportEncryption.decryptMegolmKeyFile(input, ''))
|
||||
.toThrow('Trailer line not found');
|
||||
return MegolmExportEncryption.decryptMegolmKeyFile(input, '')
|
||||
.then((res) => {
|
||||
throw new Error('expected to throw');
|
||||
}, (error) => {
|
||||
expect(error.message).toEqual('Trailer line not found');
|
||||
});
|
||||
});
|
||||
|
||||
it('should handle a too-short body', function() {
|
||||
|
@ -98,8 +106,12 @@ AXNhbHRzYWx0c2FsdHNhbHSIiIiIiIiIiIiIiIiIiIiIAAAACmIRUW2OjZ3L2l6j9h0lHlV3M2dx
|
|||
cissyYBxjsfsAn
|
||||
-----END MEGOLM SESSION DATA-----
|
||||
`);
|
||||
expect(()=>MegolmExportEncryption.decryptMegolmKeyFile(input, ''))
|
||||
.toThrow('Invalid file: too short');
|
||||
return MegolmExportEncryption.decryptMegolmKeyFile(input, '')
|
||||
.then((res) => {
|
||||
throw new Error('expected to throw');
|
||||
}, (error) => {
|
||||
expect(error.message).toEqual('Invalid file: too short');
|
||||
});
|
||||
});
|
||||
|
||||
it('should decrypt a range of inputs', function(done) {
|
||||
|
|
Loading…
Reference in a new issue