Clarify that the key backup MAC is implemented incorrectly (#1712)

* Clarify that the key backup MAC is implemented incorrectly

Due to a bug in libolm, all implementations of the
m.megolm_backup.v1.curve25519-aes-sha2 key backup algorithm incorrectly
pass an empty string through HMAC-SHA-256 to generate the `mac` property
of the `session_data`.

It was intended for the entire raw encrypted data to be passed through
HMAC-SHA-256, but the issue was caught too late in the process, and thus
we are stuck with this until a new key backup algorithm is introduced.

This commit clarifies the real-world behavior of all current
implementations.

Signed-off-by: Sumner Evans <sumner@beeper.com>
pull/1719/head
Sumner Evans 10 months ago committed by GitHub
parent 1d35e7aac6
commit 9a5cacda90
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -0,0 +1 @@
Clarify that the key backup MAC is implemented incorrectly and does not pass the ciphertext through HMAC-SHA-256.

@ -1364,10 +1364,18 @@ The `session_data` field in the backups is constructed as follows:
PKCS\#7 padding. This encrypted data, encoded using unpadded base64, PKCS\#7 padding. This encrypted data, encoded using unpadded base64,
becomes the `ciphertext` property of the `session_data`. becomes the `ciphertext` property of the `session_data`.
5. Pass the raw encrypted data (prior to base64 encoding) through 5. Pass an empty string through HMAC-SHA-256 using the MAC key generated above.
HMAC-SHA-256 using the MAC key generated above. The first 8 bytes of The first 8 bytes of the resulting MAC are base64-encoded, and become the
the resulting MAC are base64-encoded, and become the `mac` property `mac` property of the `session_data`.
of the `session_data`.
{{% boxes/warning %}}
Step 5 was intended to pass the raw encrypted data, but due to a bug in libolm,
all implementations have since passed an empty string instead.
Future versions of the spec will fix this problem. See
[MSC4048](https://github.com/matrix-org/matrix-spec-proposals/pull/4048) for a
potential new key backup algorithm version that would fix this issue.
{{% /boxes/warning %}}
{{% definition path="api/client-server/definitions/key_backup_session_data" %}} {{% definition path="api/client-server/definitions/key_backup_session_data" %}}

Loading…
Cancel
Save