archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clarify that the key backup MAC is implemented incorrectly (#1712)

Browse Source 
* Clarify that the key backup MAC is implemented incorrectly

Due to a bug in libolm, all implementations of the
m.megolm_backup.v1.curve25519-aes-sha2 key backup algorithm incorrectly
pass an empty string through HMAC-SHA-256 to generate the `mac` property
of the `session_data`.

It was intended for the entire raw encrypted data to be passed through
HMAC-SHA-256, but the issue was caught too late in the process, and thus
we are stuck with this until a new key backup algorithm is introduced.

This commit clarifies the real-world behavior of all current
implementations.

Signed-off-by: Sumner Evans <sumner@beeper.com>
pull/1719/head
Sumner Evans 10 months ago committed by GitHub
parent 1d35e7aac6
commit 9a5cacda90
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File

1
changelogs/client_server/newsfragments/1712.clarification
Unescape Escape View File

@ -0,0 +1 @@
Clarify that the key backup MAC is implemented incorrectly and does not pass the ciphertext through HMAC-SHA-256.

16
content/client-server-api/modules/end_to_end_encryption.md
Unescape Escape View File

@ -1364,10 +1364,18 @@ The `session_data` field in the backups is constructed as follows:
PKCS\#7 padding. This encrypted data, encoded using unpadded base64,
becomes the `ciphertext` property of the `session_data`.
5. Pass the raw encrypted data (prior to base64 encoding) through
HMAC-SHA-256 using the MAC key generated above. The first 8 bytes of
the resulting MAC are base64-encoded, and become the `mac` property
of the `session_data`.
5. Pass an empty string through HMAC-SHA-256 using the MAC key generated above.
The first 8 bytes of the resulting MAC are base64-encoded, and become the
`mac` property of the `session_data`.
{{% boxes/warning %}}
Step 5 was intended to pass the raw encrypted data, but due to a bug in libolm,
all implementations have since passed an empty string instead.
Future versions of the spec will fix this problem. See
[MSC4048](https://github.com/matrix-org/matrix-spec-proposals/pull/4048) for a
potential new key backup algorithm version that would fix this issue.
{{% /boxes/warning %}}
{{% definition path="api/client-server/definitions/key_backup_session_data" %}}

Write Preview
Loading…
Cancel
Save