wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Clarify that the key backup MAC is implemented incorrectly (#1712)

Browse source 
* Clarify that the key backup MAC is implemented incorrectly

Due to a bug in libolm, all implementations of the
m.megolm_backup.v1.curve25519-aes-sha2 key backup algorithm incorrectly
pass an empty string through HMAC-SHA-256 to generate the `mac` property
of the `session_data`.

It was intended for the entire raw encrypted data to be passed through
HMAC-SHA-256, but the issue was caught too late in the process, and thus
we are stuck with this until a new key backup algorithm is introduced.

This commit clarifies the real-world behavior of all current
implementations.

Signed-off-by: Sumner Evans <sumner@beeper.com>
This commit is contained in:
Sumner Evans 2024-01-16 12:11:44 -07:00 committed by GitHub
parent 1d35e7aac6
commit 9a5cacda90
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 13 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

1
changelogs/client_server/newsfragments/1712.clarification Normal file
View file

@ -0,0 +1 @@
Clarify that the key backup MAC is implemented incorrectly and does not pass the ciphertext through HMAC-SHA-256.

16
content/client-server-api/modules/end_to_end_encryption.md
View file

@ -1364,10 +1364,18 @@ The `session_data` field in the backups is constructed as follows:
PKCS\#7 padding. This encrypted data, encoded using unpadded base64, PKCS\#7 padding. This encrypted data, encoded using unpadded base64,
becomes the `ciphertext` property of the `session_data`. becomes the `ciphertext` property of the `session_data`.
5. Pass the raw encrypted data (prior to base64 encoding) through 5. Pass an empty string through HMAC-SHA-256 using the MAC key generated above.
HMAC-SHA-256 using the MAC key generated above. The first 8 bytes of The first 8 bytes of the resulting MAC are base64-encoded, and become the
the resulting MAC are base64-encoded, and become the `mac` property `mac` property of the `session_data`.
of the `session_data`.
{{% boxes/warning %}}
Step 5 was intended to pass the raw encrypted data, but due to a bug in libolm,
all implementations have since passed an empty string instead.
Future versions of the spec will fix this problem. See
[MSC4048](https://github.com/matrix-org/matrix-spec-proposals/pull/4048) for a
potential new key backup algorithm version that would fix this issue.
{{% /boxes/warning %}}
{{% definition path="api/client-server/definitions/key_backup_session_data" %}} {{% definition path="api/client-server/definitions/key_backup_session_data" %}}