Random fixes, stuff
This commit is contained in:
Matt Corallo
parent
136da2894c
commit
42de35dd72
4 changed files with 333 additions and 288 deletions
|
|
@ -1,4 +1,4 @@
|
|||
if (localStorage.getItem('first_install_ran')) {
|
||||
if (!localStorage.getItem('first_install_ran')) {
|
||||
localStorage.setItem('first_install_ran', 1);
|
||||
chrome.tabs.create({url: "options.html"});
|
||||
} else {
|
||||
|
|
|
|||
526
helpers.js
526
helpers.js
|
|
@ -34,13 +34,6 @@ function base64DecToArr (sBase64, nBlocksSize) {
|
|||
return taBytes;
|
||||
}
|
||||
|
||||
/****************************
|
||||
*** Forward declarations ***
|
||||
****************************/
|
||||
var crypto = {};
|
||||
crypto._storage = {};
|
||||
var storage = {};
|
||||
|
||||
/*********************************
|
||||
*** Type conversion utilities ***
|
||||
*********************************/
|
||||
|
|
@ -71,7 +64,7 @@ function decodeIncomingPushMessageProtobuf(string) {
|
|||
}
|
||||
|
||||
var PushMessageContentProtobuf = dcodeIO.ProtoBuf.loadProtoFile("IncomingPushMessageSignal.proto").build("textsecure.PushMessageContent");
|
||||
function decodePPushMessageContentProtobuf(string) {
|
||||
function decodePushMessageContentProtobuf(string) {
|
||||
return PushMessageContentProtobuf.decode(btoa(string));
|
||||
}
|
||||
|
||||
|
|
@ -133,6 +126,8 @@ function objectContainsKeys(object) {
|
|||
/************************************************
|
||||
*** Utilities to store data in local storage ***
|
||||
************************************************/
|
||||
var storage = {};
|
||||
|
||||
storage.putEncrypted = function(key, value) {
|
||||
//TODO
|
||||
if (value === undefined)
|
||||
|
|
@ -171,6 +166,8 @@ storage.removeUnencrypted = function(key) {
|
|||
|
||||
function registrationDone() {
|
||||
storage.putUnencrypted("registration_done", "");
|
||||
//TODO: Fix dirty hack:
|
||||
chrome.runtime.reload();
|
||||
}
|
||||
|
||||
function isRegistrationDone() {
|
||||
|
|
@ -256,272 +253,278 @@ function getRandomBytes(size) {
|
|||
}
|
||||
}
|
||||
|
||||
crypto._createNewKeyPair = function() {
|
||||
//TODO
|
||||
var pubKey = "BRTJzsHPUWRRBxyo5MoaBRidMk2fwDlfqvU91b6pzbED";
|
||||
var privKey = "";
|
||||
return { pubKey: pubKey, privKey: privKey };
|
||||
}
|
||||
|
||||
crypto._storage.getNewPubKeySTORINGPrivKey = function(keyName) {
|
||||
var keyPair = _createNewKeyPair();
|
||||
storage.putEncrypted("25519Key" + keyName, keyPair);
|
||||
return keyPair.pubKey;
|
||||
}
|
||||
|
||||
crypto._storage.getStoredPubKey = function(keyName) {
|
||||
return storage.getEncrypted("25519Key" + keyName, { pubKey: undefined }).pubKey;
|
||||
}
|
||||
|
||||
crypto._storage.getStoredKeyPair = function(keyName) {
|
||||
return storage.getEncrypted("25519Key" + keyName);
|
||||
}
|
||||
|
||||
crypto._storage.getAndRemoveStoredKeyPair = function(keyName) {
|
||||
var keyPair = getStoredKeyPair(keyName);
|
||||
storage.removeEncrypted("25519Key" + keyName);
|
||||
return keyPair;
|
||||
}
|
||||
|
||||
crypto._storage.getAndRemovePreKeyPair = function(keyId) {
|
||||
return getAndRemoveStoredKeyPair("preKey" + keyId);
|
||||
}
|
||||
|
||||
crypto._storage.getIdentityPrivKey = function() {
|
||||
return getStoredKeyPair("identityKey").privKey;
|
||||
}
|
||||
|
||||
crypto._storage.saveSession = function(encodedNumber, session) {
|
||||
storage.putEncrypted("session" + getEncodedNumber(encodedNumber), session);
|
||||
}
|
||||
|
||||
crypto._storage.getSession = function(encodedNumber) {
|
||||
return storage.getEncrypted("session" + getEncodedNumber(encodedNumber));
|
||||
}
|
||||
|
||||
|
||||
/*****************************
|
||||
*** Internal Crypto stuff ***
|
||||
*****************************/
|
||||
crypto._ECDHE = function(pubKey, privKey) {
|
||||
return "ECDHE";//TODO
|
||||
}
|
||||
|
||||
crypto._HKDF = function(input, salt, info) {
|
||||
var hkdf = "HKDF(" + input + ", " + salt + ", " + info + ")"; //TODO
|
||||
return [ hkdf.substring(0, 32), hkdf.substring(32, 64) ];
|
||||
}
|
||||
|
||||
crypto._HMACSHA256 = function(input, key) {
|
||||
//TODO: NativeA
|
||||
//TODO: return string
|
||||
return CryptoJS.HmacSHA256(input, CryptoJS.enc.Latin1.parse(getString(key)));
|
||||
}
|
||||
|
||||
crypto._verifyMACWithVersionByte = function(data, key, mac) {
|
||||
var calculated_mac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, key);
|
||||
calculated_mac.update(CryptoJS.enc.Latin1.parse(String.fromCharCode(1)));
|
||||
calculated_mac.update(CryptoJS.enc.Latin1.parse(getString(data)));
|
||||
calculated_mac = calculated_mac.finalize();
|
||||
|
||||
if (btoa(calculated_mac.toString(CryptoJS.enc.Base64)).substring(0, mac.length) != mac) {
|
||||
console.log("Got message with bad MAC");
|
||||
throw "Bad MAC";
|
||||
}
|
||||
}
|
||||
|
||||
/******************************
|
||||
*** Ratchet implementation ***
|
||||
******************************/
|
||||
crypto._initSession = function(isInitiator, theirIdentityPubKey, ourEphemeralPrivKey, theirEphemeralPubKey) {
|
||||
var ourIdentityPrivKey = _storage.getIdentityPrivKey();
|
||||
|
||||
var sharedSecret = _ECDHE(theirEphemeralPubKey, ourIdentityPrivKey);
|
||||
if (isInitiator)
|
||||
sharedSecret = sharedSecret + _ECDHE(theirIdentityPubKey, ourEphemeralPrivKey);
|
||||
else
|
||||
sharedSecret = _ECDHE(theirIdentityPubKey, ourEphemeralPrivKey) + sharedSecret;
|
||||
sharedSecret += _ECDHE(theirEphemeralPubKey, ourEphemeralPrivKey);
|
||||
|
||||
var masterKey = _HKDF(sharedSecret, '', "WhisperText");
|
||||
return { rootKey: masterKey[0], chainKey: masterKey[1] };
|
||||
}
|
||||
|
||||
crypto._initSessionFromPreKeyWhisperMessage = function(encodedNumber, message) {
|
||||
//TODO: Check remote identity key matches known-good key
|
||||
|
||||
var preKeyPair = _storage.getAndRemovePreKeyPair(preKeyProto.preKeyId);
|
||||
if (preKeyPair === undefined)
|
||||
throw "Missing preKey for PreKeyWhisperMessage";
|
||||
|
||||
var firstRatchet = _initSession(false, message.identityKey, preKeyPair.privKey, message.baseKey);
|
||||
|
||||
var session = {currentRatchet: { rootKey: firstRatchet.rootKey, ephemeralKeyPair: preKeyPair,
|
||||
lastRemoteEphemeralKey: message.baseKey },
|
||||
oldRatchetList: []
|
||||
};
|
||||
session[preKeyPair.pubKey] = { messageKeys: {}, chainKey: { counter: 0, key: firstRatchet.chainKey } };
|
||||
_storage.saveSession(encodedNumber, session);
|
||||
}
|
||||
|
||||
crypto._fillMessageKeys = function(chain, counter) {
|
||||
var messageKeys = chain.messageKeys;
|
||||
var key = chain.chainKey.key;
|
||||
for (var i = chain.chainKey.counter; i < counter; i++) {
|
||||
messageKeys[counter] = _HMACSHA256(key, String.fromCharCode(1));
|
||||
key = _HMACSHA256(key, String.fromCharCode(2));
|
||||
}
|
||||
chain.chainKey.key = key;
|
||||
chain.chainKey.counter = counter;
|
||||
}
|
||||
|
||||
crypto._maybeStepRatchet = function(session, remoteKey, previousCounter) {
|
||||
if (sesion[remoteKey] !== undefined) //TODO: null???
|
||||
return;
|
||||
|
||||
var ratchet = session.currentRatchet;
|
||||
|
||||
var previousRatchet = session[ratchet.lastRemoteEphemeralKey];
|
||||
_fillMessageKeys(previousRatchet, previousCounter);
|
||||
if (!objectContainsKeys(previousRatchet.messageKeys))
|
||||
delete session[ratchet.lastRemoteEphemeralKey];
|
||||
else
|
||||
session.oldRatchetList[session.oldRatchetList.length] = { added: new Date().getTime(), ephemeralKey: ratchet.lastRemoteEphemeralKey };
|
||||
|
||||
delete session[ratchet.ephemeralKeyPair.pubKey];
|
||||
|
||||
var masterKey = _HKDF(_ECDHE(remoteKey, ratchet.ephemeralKeyPair.privKey), ratchet.rootKey, "WhisperRatchet");
|
||||
session[remoteKey] = { messageKeys: {}, chainKey: { counter: 0, key: masterKey.substring(32, 64) } };
|
||||
|
||||
ratchet.ephemeralKeyPair = _createNewKeyPair();
|
||||
masterKey = _HKDF(_ECDHE(remoteKey, ratchet.ephemeralKeyPair.privKey), masterKey.substring(0, 32), "WhisperRatchet");
|
||||
ratchet.rootKey = masterKey.substring(0, 32);
|
||||
session[nextRatchet.ephemeralKeyPair.pubKey] = { messageKeys: {}, chainKey: { counter: 0, key: masterKey.substring(32, 64) } };
|
||||
|
||||
ratchet.lastRemoteEphemeralKey = remoteKey;
|
||||
}
|
||||
|
||||
crypto._doDecryptWhisperMessage = function(ciphertext, mac, messageKey, counter) {
|
||||
//TODO keys swapped?
|
||||
var keys = _HKDF(messageKey, /* all 0x00 bytes????? */ '', "WhisperMessageKeys");
|
||||
_verifyMACWithVersionByte(ciphertext, keys[0], mac);
|
||||
|
||||
return AES_CTR_NOPADDING(keys[1], CTR = counter, ciphertext);
|
||||
}
|
||||
|
||||
// returns decrypted protobuf
|
||||
crypto._decryptWhisperMessage = function(encodedNumber, messageBytes) {
|
||||
var session = _storage.getSession(encodedNumber);
|
||||
if (session === undefined)
|
||||
throw "No session currently open with " + encodedNumber;
|
||||
|
||||
if (messageBytes[0] != String.fromCharCode(1))
|
||||
throw "Bad version number on WhisperMessage";
|
||||
|
||||
var messageProto = messageBytes.substring(1, messageBytes.length - 8);
|
||||
var mac = messageBytes.substring(messageBytes.length - 8, messageBytes.length);
|
||||
|
||||
var message = decodeWhisperMessageProtobuf(messageProto);
|
||||
|
||||
_maybeStepRatchet(session, getString(message.ephemeralKey), message.previousCounter);
|
||||
var chain = session[getString(message.ephemeralKey)];
|
||||
|
||||
_fillMessageKeys(chain, message.counter);
|
||||
|
||||
var plaintext = _doDecryptWhisperMessage(message.ciphertext, mac, chain.messageKeys[message.counter], message.counter);
|
||||
delete chain.messageKeys[message.counter];
|
||||
|
||||
_removeOldChains(session);
|
||||
|
||||
_storage.saveSession(encodedNumber, session);
|
||||
return decodeWhisperMessage(atob(plaintext));
|
||||
}
|
||||
|
||||
/*************************
|
||||
*** Public crypto API ***
|
||||
*************************/
|
||||
// Decrypts message into a raw string
|
||||
crypto.decryptWebsocketMessage = function(message) {
|
||||
//TODO: Use a native AES impl (so I dont feel so bad about side-channels)
|
||||
var signaling_key = storage.getEncrypted("signaling_key"); //TODO: in crypto._storage
|
||||
var aes_key = CryptoJS.enc.Latin1.parse(signaling_key.substring(0, 32));//TODO: UTF8 breaks this?????
|
||||
var mac_key = CryptoJS.enc.Latin1.parse(signaling_key.substring(32, 32 + 20));
|
||||
|
||||
//TODO: Can we drop the uint8array in favor of raw strings?
|
||||
var decodedMessage = base64ToUint8Array(message);
|
||||
if (decodedMessage[0] != 1) {
|
||||
console.log("Got bad version number: " + decodedMessage[0]);
|
||||
return;
|
||||
}
|
||||
var iv = CryptoJS.lib.WordArray.create(decodedMessage.subarray(1, 1 + 16));
|
||||
var ciphertext = decodedMessage.subarray(1 + 16, decodedMessage.length - 10);
|
||||
var mac = CryptoJS.lib.WordArray.create(decodedMessage.subarray(decodedMessage.length - 10, decodedMessage.length));
|
||||
|
||||
var calculated_mac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, mac_key);
|
||||
calculated_mac.update(CryptoJS.enc.Latin1.parse(String.fromCharCode(1)));
|
||||
calculated_mac.update(iv);
|
||||
calculated_mac.update(CryptoJS.lib.WordArray.create(ciphertext));
|
||||
calculated_mac = calculated_mac.finalize();
|
||||
|
||||
if (calculated_mac.toString(CryptoJS.enc.Hex).substring(0, 20) != mac.toString(CryptoJS.enc.Hex)) {
|
||||
console.log("Got message with bad MAC");
|
||||
throw "Bad MAC";
|
||||
(function(crypto, $, undefined) {
|
||||
var createNewKeyPair = function() {
|
||||
//TODO
|
||||
var pubKey = "BRTJzsHPUWRRBxyo5MoaBRidMk2fwDlfqvU91b6pzbED";
|
||||
var privKey = "";
|
||||
return { pubKey: pubKey, privKey: privKey };
|
||||
}
|
||||
|
||||
var plaintext = CryptoJS.AES.decrypt(btoa(getString(ciphertext)), aes_key, {iv: iv});//TODO: Does this throw on invalid padding (seems not...)
|
||||
var crypto_storage = {};
|
||||
|
||||
return atob(plaintext.toString(CryptoJS.enc.Base64));
|
||||
}
|
||||
|
||||
crypto.handleIncomingPushMessageProto = function(proto) {
|
||||
switch(proto.type) {
|
||||
case 0: //TYPE_MESSAGE_PLAINTEXT
|
||||
proto.message = decodePushMessageContent(toString(proto.message));
|
||||
break;
|
||||
case 1: //TYPE_MESSAGE_CIPHERTEXT
|
||||
proto.message = _decryptWhisperMessage(proto.source, toString(proto.message));
|
||||
break;
|
||||
case 3: //TYPE_MESSAGE_PREKEY_BUNDLE
|
||||
var preKeyProto = decodePreKeyWhisperMessageProtobuf(toString(proto.message));
|
||||
_initSessionFromPreKeyWhisperMessage(proto.source, preKeyProto);
|
||||
proto.message = _decryptWhisperMessage(proto.source, toString(preKeyProto.message));
|
||||
break;
|
||||
crypto_storage.getNewPubKeySTORINGPrivKey = function(keyName) {
|
||||
var keyPair = crypto._createNewKeyPair();
|
||||
storage.putEncrypted("25519Key" + keyName, keyPair);
|
||||
return keyPair.pubKey;
|
||||
}
|
||||
}
|
||||
|
||||
crypto.encryptMessageFor = function(deviceObject, message) {
|
||||
return message + " encrypted to " + deviceObject.encodedNumber + " with relay " + deviceObject.relay +
|
||||
" with identityKey " + deviceObject.identityKey + " and public key " + deviceObject.publicKey; //TODO
|
||||
}
|
||||
crypto_storage.getStoredPubKey = function(keyName) {
|
||||
return storage.getEncrypted("25519Key" + keyName, { pubKey: undefined }).pubKey;
|
||||
}
|
||||
|
||||
var GENERATE_KEYS_KEYS_GENERATED = 100;
|
||||
crypto.generateKeys = function() {
|
||||
var identityKey = _storage.getStoredPubKey("identityKey");
|
||||
if (identityKey === undefined)
|
||||
identityKey = _storage.getNewPubKeySTORINGPrivKey("identityKey"); //TODO: should probably just throw?
|
||||
crypto_storage.getStoredKeyPair = function(keyName) {
|
||||
return storage.getEncrypted("25519Key" + keyName);
|
||||
}
|
||||
|
||||
var firstKeyId = storage.getEncrypted("maxPreKeyId", -1) + 1;
|
||||
storage.putEncrypted("maxPreKeyId", firstKeyId + GENERATE_KEYS_KEYS_GENERATED);
|
||||
crypto_storage.getAndRemoveStoredKeyPair = function(keyName) {
|
||||
var keyPair = this.getStoredKeyPair(keyName);
|
||||
storage.removeEncrypted("25519Key" + keyName);
|
||||
return keyPair;
|
||||
}
|
||||
|
||||
if (firstKeyId > 16777000)
|
||||
throw "You crazy motherfucker";
|
||||
crypto_storage.getAndRemovePreKeyPair = function(keyId) {
|
||||
return this.getAndRemoveStoredKeyPair("preKey" + keyId);
|
||||
}
|
||||
|
||||
var keys = {};
|
||||
keys.keys = [];
|
||||
for (var i = firstKeyId; i < firstKeyId + GENERATE_KEYS_KEYS_GENERATED; i++)
|
||||
keys.keys[i] = {keyId: i, publicKey: _storage.getNewPubKeySTORINGPrivKey("preKey" + i), identityKey: identityKey};
|
||||
// 0xFFFFFF == 16777215
|
||||
keys.lastResortKey = {keyId: 16777215, publicKey: _storage.getStoredPubKey("preKey16777215"), identityKey: identityKey};//TODO: Rotate lastResortKey
|
||||
if (keys.lastResortKey.publicKey === undefined)
|
||||
keys.lastResortKey.publicKey = _storage.getNewPubKeySTORINGPrivKey("preKey16777215");
|
||||
return keys;
|
||||
}
|
||||
crypto_storage.getIdentityPrivKey = function() {
|
||||
return this.getStoredKeyPair("identityKey").privKey;
|
||||
}
|
||||
|
||||
crypto_storage.saveSession = function(encodedNumber, session) {
|
||||
storage.putEncrypted("session" + getEncodedNumber(encodedNumber), session);
|
||||
}
|
||||
|
||||
crypto_storage.getSession = function(encodedNumber) {
|
||||
return storage.getEncrypted("session" + getEncodedNumber(encodedNumber));
|
||||
}
|
||||
|
||||
|
||||
/*****************************
|
||||
*** Internal Crypto stuff ***
|
||||
*****************************/
|
||||
var ECDHE = function(pubKey, privKey) {
|
||||
return "ECDHE";//TODO
|
||||
}
|
||||
|
||||
var HKDF = function(input, salt, info) {
|
||||
var hkdf = "HKDF(" + input + ", " + salt + ", " + info + ")"; //TODO
|
||||
return [ hkdf.substring(0, 32), hkdf.substring(32, 64) ];
|
||||
}
|
||||
|
||||
var HMACSHA256 = function(input, key) {
|
||||
//TODO: NativeA
|
||||
//TODO: return string
|
||||
return CryptoJS.HmacSHA256(input, CryptoJS.enc.Latin1.parse(getString(key)));
|
||||
}
|
||||
|
||||
var verifyMACWithVersionByte = function(data, key, mac) {
|
||||
var calculated_mac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, key);
|
||||
calculated_mac.update(CryptoJS.enc.Latin1.parse(String.fromCharCode(1)));
|
||||
calculated_mac.update(CryptoJS.enc.Latin1.parse(getString(data)));
|
||||
calculated_mac = calculated_mac.finalize();
|
||||
|
||||
if (btoa(calculated_mac.toString(CryptoJS.enc.Base64)).substring(0, mac.length) != mac) {
|
||||
console.log("Got message with bad MAC");
|
||||
throw "Bad MAC";
|
||||
}
|
||||
}
|
||||
|
||||
/******************************
|
||||
*** Ratchet implementation ***
|
||||
******************************/
|
||||
var initSession = function(isInitiator, theirIdentityPubKey, ourEphemeralPrivKey, theirEphemeralPubKey) {
|
||||
var ourIdentityPrivKey = crypto_storage.getIdentityPrivKey();
|
||||
|
||||
var sharedSecret = ECDHE(theirEphemeralPubKey, ourIdentityPrivKey);
|
||||
if (isInitiator)
|
||||
sharedSecret = sharedSecret + ECDHE(theirIdentityPubKey, ourEphemeralPrivKey);
|
||||
else
|
||||
sharedSecret = ECDHE(theirIdentityPubKey, ourEphemeralPrivKey) + sharedSecret;
|
||||
sharedSecret += ECDHE(theirEphemeralPubKey, ourEphemeralPrivKey);
|
||||
|
||||
var masterKey = HKDF(sharedSecret, '', "WhisperText");
|
||||
return { rootKey: masterKey[0], chainKey: masterKey[1] };
|
||||
}
|
||||
|
||||
var initSessionFromPreKeyWhisperMessage = function(encodedNumber, message) {
|
||||
//TODO: Check remote identity key matches known-good key
|
||||
|
||||
var preKeyPair = crypto_storage.getAndRemovePreKeyPair(preKeyProto.preKeyId);
|
||||
if (preKeyPair === undefined)
|
||||
throw "Missing preKey for PreKeyWhisperMessage";
|
||||
|
||||
var firstRatchet = initSession(false, message.identityKey, preKeyPair.privKey, message.baseKey);
|
||||
|
||||
var session = {currentRatchet: { rootKey: firstRatchet.rootKey, ephemeralKeyPair: preKeyPair,
|
||||
lastRemoteEphemeralKey: message.baseKey },
|
||||
oldRatchetList: []
|
||||
};
|
||||
session[preKeyPair.pubKey] = { messageKeys: {}, chainKey: { counter: 0, key: firstRatchet.chainKey } };
|
||||
storage.saveSession(encodedNumber, session);
|
||||
}
|
||||
|
||||
var fillMessageKeys = function(chain, counter) {
|
||||
var messageKeys = chain.messageKeys;
|
||||
var key = chain.chainKey.key;
|
||||
for (var i = chain.chainKey.counter; i < counter; i++) {
|
||||
messageKeys[counter] = HMACSHA256(key, String.fromCharCode(1));
|
||||
key = HMACSHA256(key, String.fromCharCode(2));
|
||||
}
|
||||
chain.chainKey.key = key;
|
||||
chain.chainKey.counter = counter;
|
||||
}
|
||||
|
||||
var maybeStepRatchet = function(session, remoteKey, previousCounter) {
|
||||
if (sesion[remoteKey] !== undefined) //TODO: null???
|
||||
return;
|
||||
|
||||
var ratchet = session.currentRatchet;
|
||||
|
||||
var previousRatchet = session[ratchet.lastRemoteEphemeralKey];
|
||||
fillMessageKeys(previousRatchet, previousCounter);
|
||||
if (!objectContainsKeys(previousRatchet.messageKeys))
|
||||
delete session[ratchet.lastRemoteEphemeralKey];
|
||||
else
|
||||
session.oldRatchetList[session.oldRatchetList.length] = { added: new Date().getTime(), ephemeralKey: ratchet.lastRemoteEphemeralKey };
|
||||
|
||||
delete session[ratchet.ephemeralKeyPair.pubKey];
|
||||
|
||||
var masterKey = HKDF(ECDHE(remoteKey, ratchet.ephemeralKeyPair.privKey), ratchet.rootKey, "WhisperRatchet");
|
||||
session[remoteKey] = { messageKeys: {}, chainKey: { counter: 0, key: masterKey.substring(32, 64) } };
|
||||
|
||||
ratchet.ephemeralKeyPair = _createNewKeyPair();
|
||||
masterKey = HKDF(ECDHE(remoteKey, ratchet.ephemeralKeyPair.privKey), masterKey.substring(0, 32), "WhisperRatchet");
|
||||
ratchet.rootKey = masterKey.substring(0, 32);
|
||||
session[nextRatchet.ephemeralKeyPair.pubKey] = { messageKeys: {}, chainKey: { counter: 0, key: masterKey.substring(32, 64) } };
|
||||
|
||||
ratchet.lastRemoteEphemeralKey = remoteKey;
|
||||
}
|
||||
|
||||
var doDecryptWhisperMessage = function(ciphertext, mac, messageKey, counter) {
|
||||
//TODO keys swapped?
|
||||
var keys = HKDF(messageKey, /* all 0x00 bytes????? */ '', "WhisperMessageKeys");
|
||||
verifyMACWithVersionByte(ciphertext, keys[0], mac);
|
||||
|
||||
return AES_CTR_NOPADDING(keys[1], CTR = counter, ciphertext);
|
||||
}
|
||||
|
||||
// returns decrypted protobuf
|
||||
var decryptWhisperMessage = function(encodedNumber, messageBytes) {
|
||||
var session = crypto_storage.getSession(encodedNumber);
|
||||
if (session === undefined)
|
||||
throw "No session currently open with " + encodedNumber;
|
||||
|
||||
if (messageBytes[0] != String.fromCharCode(1))
|
||||
throw "Bad version number on WhisperMessage";
|
||||
|
||||
var messageProto = messageBytes.substring(1, messageBytes.length - 8);
|
||||
var mac = messageBytes.substring(messageBytes.length - 8, messageBytes.length);
|
||||
|
||||
var message = decodeWhisperMessageProtobuf(messageProto);
|
||||
|
||||
maybeStepRatchet(session, getString(message.ephemeralKey), message.previousCounter);
|
||||
var chain = session[getString(message.ephemeralKey)];
|
||||
|
||||
fillMessageKeys(chain, message.counter);
|
||||
|
||||
var plaintext = doDecryptWhisperMessage(message.ciphertext, mac, chain.messageKeys[message.counter], message.counter);
|
||||
delete chain.messageKeys[message.counter];
|
||||
|
||||
removeOldChains(session);
|
||||
|
||||
crypto_storage.saveSession(encodedNumber, session);
|
||||
return decodePushMessageContentProtobuf(atob(plaintext));
|
||||
}
|
||||
|
||||
/*************************
|
||||
*** Public crypto API ***
|
||||
*************************/
|
||||
// Decrypts message into a raw string
|
||||
crypto.decryptWebsocketMessage = function(message) {
|
||||
//TODO: Use a native AES impl (so I dont feel so bad about side-channels)
|
||||
var signaling_key = storage.getEncrypted("signaling_key"); //TODO: in crypto_storage
|
||||
var aes_key = CryptoJS.enc.Latin1.parse(signaling_key.substring(0, 32));//TODO: UTF8 breaks this?????
|
||||
var mac_key = CryptoJS.enc.Latin1.parse(signaling_key.substring(32, 32 + 20));
|
||||
|
||||
//TODO: Can we drop the uint8array in favor of raw strings?
|
||||
var decodedMessage = base64ToUint8Array(message);
|
||||
if (decodedMessage[0] != 1) {
|
||||
console.log("Got bad version number: " + decodedMessage[0]);
|
||||
return;
|
||||
}
|
||||
var iv = CryptoJS.lib.WordArray.create(decodedMessage.subarray(1, 1 + 16));
|
||||
var ciphertext = decodedMessage.subarray(1 + 16, decodedMessage.length - 10);
|
||||
var mac = CryptoJS.lib.WordArray.create(decodedMessage.subarray(decodedMessage.length - 10, decodedMessage.length));
|
||||
|
||||
var calculated_mac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, mac_key);
|
||||
calculated_mac.update(CryptoJS.enc.Latin1.parse(String.fromCharCode(1)));
|
||||
calculated_mac.update(iv);
|
||||
calculated_mac.update(CryptoJS.lib.WordArray.create(ciphertext));
|
||||
calculated_mac = calculated_mac.finalize();
|
||||
|
||||
if (calculated_mac.toString(CryptoJS.enc.Hex).substring(0, 20) != mac.toString(CryptoJS.enc.Hex)) {
|
||||
console.log("Got message with bad MAC");
|
||||
throw "Bad MAC";
|
||||
}
|
||||
|
||||
var plaintext = CryptoJS.AES.decrypt(btoa(getString(ciphertext)), aes_key, {iv: iv});//TODO: Does this throw on invalid padding (seems not...)
|
||||
|
||||
return atob(plaintext.toString(CryptoJS.enc.Base64));
|
||||
}
|
||||
|
||||
crypto.handleIncomingPushMessageProto = function(proto) {
|
||||
switch(proto.type) {
|
||||
case 0: //TYPE_MESSAGE_PLAINTEXT
|
||||
proto.message = decodePushMessageContentProtobuf(getString(proto.message));
|
||||
break;
|
||||
case 1: //TYPE_MESSAGE_CIPHERTEXT
|
||||
proto.message = decryptWhisperMessage(proto.source, getString(proto.message));
|
||||
break;
|
||||
case 3: //TYPE_MESSAGE_PREKEY_BUNDLE
|
||||
var preKeyProto = decodePreKeyWhisperMessageProtobuf(getString(proto.message));
|
||||
initSessionFromPreKeyWhisperMessage(proto.source, preKeyProto);
|
||||
proto.message = decryptWhisperMessage(proto.source, getString(preKeyProto.message));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
crypto.encryptMessageFor = function(deviceObject, message) {
|
||||
return message + " encrypted to " + deviceObject.encodedNumber + " with relay " + deviceObject.relay +
|
||||
" with identityKey " + deviceObject.identityKey + " and public key " + deviceObject.publicKey; //TODO
|
||||
}
|
||||
|
||||
var GENERATE_KEYS_KEYS_GENERATED = 100;
|
||||
crypto.generateKeys = function() {
|
||||
var identityKey = crypto_storage.getStoredPubKey("identityKey");
|
||||
if (identityKey === undefined)
|
||||
identityKey = crypto_storage.getNewPubKeySTORINGPrivKey("identityKey"); //TODO: should probably just throw?
|
||||
|
||||
var firstKeyId = storage.getEncrypted("maxPreKeyId", -1) + 1;
|
||||
storage.putEncrypted("maxPreKeyId", firstKeyId + GENERATE_KEYS_KEYS_GENERATED);
|
||||
|
||||
if (firstKeyId > 16777000)
|
||||
throw "You crazy motherfucker";
|
||||
|
||||
var keys = {};
|
||||
keys.keys = [];
|
||||
for (var i = firstKeyId; i < firstKeyId + GENERATE_KEYS_KEYS_GENERATED; i++)
|
||||
keys.keys[i] = {keyId: i, publicKey: crypto_storage.getNewPubKeySTORINGPrivKey("preKey" + i), identityKey: identityKey};
|
||||
// 0xFFFFFF == 16777215
|
||||
keys.lastResortKey = {keyId: 16777215, publicKey: crypto_storage.getStoredPubKey("preKey16777215"), identityKey: identityKey};//TODO: Rotate lastResortKey
|
||||
if (keys.lastResortKey.publicKey === undefined)
|
||||
keys.lastResortKey.publicKey = crypto_storage.getNewPubKeySTORINGPrivKey("preKey16777215");
|
||||
return keys;
|
||||
}
|
||||
|
||||
}( window.crypto = window.crypto || {}, jQuery ));
|
||||
|
||||
/************************************************
|
||||
*** Utilities to communicate with the server ***
|
||||
************************************************/
|
||||
var URL_BASE = "http://textsecure-test.herokuapp.com";
|
||||
var URL_CALLS = {};
|
||||
URL_CALLS['accounts'] = "/v1/accounts";
|
||||
URL_CALLS['devices'] = "/v1/devices";
|
||||
URL_CALLS['keys'] = "/v1/keys";
|
||||
URL_CALLS['push'] = "/v1/messagesocket";
|
||||
|
|
@ -562,6 +565,11 @@ function doAjax(param) {
|
|||
},
|
||||
error: function(jqXHR, textStatus, errorThrown) {
|
||||
var code = jqXHR.status;
|
||||
if (code == 200) {// happens sometimes when we get no response
|
||||
if (param.success_callback !== undefined)
|
||||
param.success_callback(null);
|
||||
return;
|
||||
}
|
||||
if (code > 999 || code < 100)
|
||||
code = -1;
|
||||
if (param.error_callback !== undefined)
|
||||
|
|
|
|||
|
|
@ -8,14 +8,15 @@
|
|||
<div id="init-setup" style="display: none;">
|
||||
<h2>Welcome to TextSecure. To get startet please get a 6-digit setup code from your phone and enter it below.</h2>
|
||||
Phone number (including country code): +<input type="text" size="2" id="countrycode" /><input type="text" size="8" id="number" /><br>
|
||||
<button id="init-go-single-client" >Send single-client code</button><br>
|
||||
Code: <input type="text" pattern="[0-9]{3}-?[0-9]{3}" title="Enter the 6-didgit verificaion code displayed on your phone." size="8" id="code" /><br>
|
||||
<button id="init-go" >Sync</button>
|
||||
</div>
|
||||
<div id="verify" style="display: none;">
|
||||
<div id="verify1">Verifying number and setup code...<span id="verify1done"></span></div>
|
||||
<div id="verify3">Syncing with existing devices...<span id="verify2done"></span></div>
|
||||
<div id="verify2">Generating keys...<span id="verify3done"></span></div>
|
||||
<div id="verify3">Registering...<span id="verify4done"></span></div>
|
||||
<div id="verify2">Syncing with existing devices...<span id="verify2done"></span></div>
|
||||
<div id="verify3">Generating keys...<span id="verify3done"></span></div>
|
||||
<div id="verify4">Registering...<span id="verify4done"></span></div>
|
||||
</div>
|
||||
<div id="setup-complete" style="display: none;">
|
||||
<h2>You are now registered on TextSecure with number <span id="complete-number"></span></h2>
|
||||
|
|
|
|||
86
options.js
86
options.js
|
|
@ -22,49 +22,85 @@ $('#number').on('change', function() {//TODO
|
|||
$('#number').attr('style', '');
|
||||
});
|
||||
|
||||
var single_device = false;
|
||||
var signaling_key = getRandomBytes(32 + 20);
|
||||
var password = btoa(getRandomBytes(16));
|
||||
password = password.substring(0, password.length - 2);
|
||||
|
||||
$('#init-go-single-client').click(function() {
|
||||
if (numberMatches()) {
|
||||
var number = "+" + $('#countrycode').val().replace(/\D/g, '') + $('#number').val().replace(/\D/g, '');
|
||||
|
||||
$('#init-go').html('Setup');
|
||||
$('#countrycode').prop('disabled', 'disabled');
|
||||
$('#number').prop('disabled', 'disabled');
|
||||
$('#init-go-single-client').prop('disabled', 'disabled');
|
||||
|
||||
single_device = true;
|
||||
|
||||
doAjax({call: 'accounts', httpType: 'GET', urlParameters: '/sms/code/' + number,
|
||||
success_callback: function(response) { },
|
||||
error_callback: function(code) {
|
||||
alert("Failed to send key?" + code); //TODO
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
$('#init-go').click(function() {
|
||||
if (codeMatches() && numberMatches()) {
|
||||
var signaling_key = getRandomBytes(32 + 20);
|
||||
var password = btoa(getRandomBytes(16));
|
||||
password = password.substring(0, password.length - 2);
|
||||
var number = "+" + $('#countrycode').val().replace(/\D/g, '') + $('#number').val().replace(/\D/g, '');
|
||||
|
||||
$('#init-setup').hide();
|
||||
$('#verify1done').html('');
|
||||
$('#verify2done').html('');
|
||||
$('#verify2').hide();
|
||||
$('#verify3done').html('');
|
||||
$('#verify4done').html('');
|
||||
$('#verify').show();
|
||||
|
||||
doAjax({call: 'devices', httpType: 'PUT', urlParameters: '/' + $('#code').val(), user: number, password: password,
|
||||
var call = single_device ? 'accounts' : 'devices';
|
||||
var urlPrefix = single_device ? '/code/' : '/';
|
||||
|
||||
doAjax({call: call, httpType: 'PUT', urlParameters: urlPrefix + $('#code').val(), user: number, password: password,
|
||||
jsonData: {signalingKey: btoa(getString(signaling_key)), supportsSms: false, fetchesMessages: true},
|
||||
success_callback: function(response) {
|
||||
if (single_device)
|
||||
response = 1;
|
||||
var number_id = number + "." + response;
|
||||
storage.putEncrypted("password", password);
|
||||
storage.putEncrypted('signaling_key', signaling_key);
|
||||
storage.putUnencrypted("number_id", number_id);
|
||||
$('#verify1done').html('done');
|
||||
|
||||
getKeysForNumber(number, function(identityKey) {
|
||||
subscribeToPush(function(message) {
|
||||
//TODO receive spuhared identity key
|
||||
$('#verify2done').html('done');
|
||||
var keys = crypto.generateKeys();
|
||||
$('#verify3done').html('done');
|
||||
doAjax({call: 'keys', httpType: 'PUT', do_auth: true, jsonData: keys,
|
||||
success_callback: function(response) {
|
||||
$('#complete-number').html(number);
|
||||
$('#verify').hide();
|
||||
$('#setup-complete').show();
|
||||
registrationDone();
|
||||
}, error_callback: function(code) {
|
||||
alert(code); //TODO
|
||||
}
|
||||
});
|
||||
var register_keys_func = function() {
|
||||
$('#verify2done').html('done');
|
||||
var keys = crypto.generateKeys();
|
||||
$('#verify3done').html('done');
|
||||
doAjax({call: 'keys', httpType: 'PUT', do_auth: true, jsonData: keys,
|
||||
success_callback: function(response) {
|
||||
$('#complete-number').html(number);
|
||||
$('#verify').hide();
|
||||
$('#setup-complete').show();
|
||||
registrationDone();
|
||||
}, error_callback: function(code) {
|
||||
alert(code); //TODO
|
||||
}
|
||||
});
|
||||
requestIdentityPrivKeyFromMasterDevice(number);
|
||||
}, function(error_msg) {
|
||||
alert(error_msg); //TODO
|
||||
});
|
||||
}
|
||||
|
||||
if (!single_device) {
|
||||
getKeysForNumber(number, function(identityKey) {
|
||||
subscribeToPush(function(message) {
|
||||
//TODO receive shared identity key
|
||||
register_keys_func();
|
||||
});
|
||||
requestIdentityPrivKeyFromMasterDevice(number);
|
||||
}, function(error_msg) {
|
||||
alert(error_msg); //TODO
|
||||
});
|
||||
} else {
|
||||
register_keys_func();
|
||||
}
|
||||
}, error_callback: function(code) {
|
||||
var error;
|
||||
switch(code) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue