github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/libkb/lksec.go (about) 1 // Copyright 2015 Keybase, Inc. All rights reserved. Use of 2 // this source code is governed by the included BSD license. 3 4 package libkb 5 6 import ( 7 "crypto/hmac" 8 "crypto/rand" 9 "crypto/sha256" 10 "encoding/hex" 11 "errors" 12 "fmt" 13 "strings" 14 15 keybase1 "github.com/keybase/client/go/protocol/keybase1" 16 "golang.org/x/crypto/nacl/secretbox" 17 ) 18 19 const LKSecVersion = 100 20 const LKSecLen = 32 21 22 type LKSecClientHalf struct { 23 c *[LKSecLen]byte 24 } 25 26 func (c LKSecClientHalf) IsNil() bool { 27 return c.c == nil 28 } 29 30 func (c LKSecClientHalf) Bytes() []byte { 31 if c.c == nil { 32 return nil 33 } 34 return c.c[:] 35 } 36 37 type LKSecServerHalf struct { 38 s *[LKSecLen]byte 39 } 40 41 func (s LKSecServerHalf) IsNil() bool { 42 return s.s == nil 43 } 44 45 func (s LKSecServerHalf) Bytes() []byte { 46 if s.s == nil { 47 return nil 48 } 49 return s.s[:] 50 } 51 52 type LKSecFullSecret struct { 53 f *[LKSecLen]byte 54 } 55 56 type LKSecMask struct { 57 m *[LKSecLen]byte 58 } 59 60 func (f LKSecFullSecret) IsNil() bool { 61 return f.f == nil 62 } 63 64 func (f LKSecFullSecret) Bytes() []byte { 65 if f.f == nil { 66 return nil 67 } 68 return f.f[:] 69 } 70 71 func NewLKSecServerHalfFromHex(s string) (ret LKSecServerHalf, err error) { 72 var b []byte 73 b, err = hex.DecodeString(s) 74 if err != nil { 75 return ret, err 76 } 77 if len(b) != LKSecLen { 78 err = fmt.Errorf("Wrong LKSec server length: %d != %d", len(b), LKSecLen) 79 return ret, err 80 } 81 var v [LKSecLen]byte 82 copy(v[:], b) 83 ret = LKSecServerHalf{s: &v} 84 return ret, nil 85 } 86 87 func newLKSecFullSecretFromBytes(b []byte) (ret LKSecFullSecret, err error) { 88 if len(b) != LKSecLen { 89 err = fmt.Errorf("Wrong LKSecFullSecret len: %d != %d", len(b), LKSecLen) 90 return ret, err 91 } 92 var v [LKSecLen]byte 93 copy(v[:], b) 94 ret = LKSecFullSecret{f: &v} 95 return ret, nil 96 } 97 98 func NewLKSecClientHalfFromBytes(b []byte) (ret LKSecClientHalf, err error) { 99 if len(b) != LKSecLen { 100 err = fmt.Errorf("Wrong LKSecClientHalf len: %d != %d", len(b), LKSecLen) 101 return ret, err 102 } 103 var v [LKSecLen]byte 104 copy(v[:], b) 105 ret = LKSecClientHalf{c: &v} 106 return ret, nil 107 } 108 109 func (f LKSecFullSecret) Equal(f2 LKSecFullSecret) bool { 110 if f.IsNil() { 111 return false 112 } 113 if f2.IsNil() { 114 return false 115 } 116 return hmac.Equal(f.f[:], f2.f[:]) 117 } 118 119 func (c LKSecClientHalf) Equal(c2 LKSecClientHalf) bool { 120 if c.IsNil() { 121 return false 122 } 123 if c2.IsNil() { 124 return false 125 } 126 return hmac.Equal(c.c[:], c2.c[:]) 127 } 128 129 func (s LKSecServerHalf) EncodeToHex() string { 130 if s.IsNil() { 131 return "" 132 } 133 return hex.EncodeToString(s.s[:]) 134 } 135 136 func (m LKSecMask) IsNil() bool { 137 return m.m == nil 138 } 139 140 func (m LKSecMask) EncodeToHex() string { 141 if m.IsNil() { 142 return "" 143 } 144 return hex.EncodeToString(m.m[:]) 145 } 146 147 func NewLKSecServerHalfZeros() LKSecServerHalf { 148 var z [LKSecLen]byte 149 return LKSecServerHalf{s: &z} 150 } 151 152 type LKSec struct { 153 serverHalf LKSecServerHalf 154 clientHalf LKSecClientHalf 155 secret LKSecFullSecret 156 ppGen PassphraseGeneration 157 uid keybase1.UID 158 deviceID keybase1.DeviceID 159 } 160 161 func xorBytes(x *[LKSecLen]byte, y *[LKSecLen]byte) *[LKSecLen]byte { 162 var ret [LKSecLen]byte 163 for i := 0; i < LKSecLen; i++ { 164 ret[i] = x[i] ^ y[i] 165 } 166 return &ret 167 } 168 169 func (s LKSecServerHalf) ComputeFullSecret(c LKSecClientHalf) LKSecFullSecret { 170 return LKSecFullSecret{f: xorBytes(s.s, c.c)} 171 } 172 173 func (s LKSecServerHalf) ComputeClientHalf(f LKSecFullSecret) LKSecClientHalf { 174 return LKSecClientHalf{c: xorBytes(s.s, f.f)} 175 } 176 177 func (f LKSecFullSecret) bug3964Remask(s LKSecServerHalf) LKSecFullSecret { 178 return LKSecFullSecret{f: xorBytes(s.s, f.f)} 179 } 180 181 func (c LKSecClientHalf) ComputeMask(c2 LKSecClientHalf) LKSecMask { 182 if c.IsNil() || c2.IsNil() { 183 return LKSecMask{} 184 } 185 return LKSecMask{m: xorBytes(c.c, c2.c)} 186 } 187 188 func NewLKSec(pps *PassphraseStream, uid keybase1.UID) *LKSec { 189 return NewLKSecWithDeviceID(pps, uid, keybase1.DeviceID("")) 190 } 191 192 func NewLKSecWithDeviceID(pps *PassphraseStream, uid keybase1.UID, deviceID keybase1.DeviceID) *LKSec { 193 res := &LKSec{ 194 uid: uid, 195 deviceID: deviceID, 196 } 197 198 if pps != nil { 199 res.clientHalf = pps.LksClientHalf() 200 res.ppGen = pps.Generation() 201 } 202 return res 203 } 204 205 func NewLKSecWithClientHalf(clientHalf LKSecClientHalf, ppgen PassphraseGeneration, uid keybase1.UID) *LKSec { 206 return &LKSec{ 207 clientHalf: clientHalf, 208 ppGen: ppgen, 209 uid: uid, 210 } 211 } 212 213 func NewLKSecWithFullSecret(secret LKSecFullSecret, uid keybase1.UID) *LKSec { 214 return &LKSec{ 215 secret: secret, 216 ppGen: PassphraseGeneration(-1), 217 uid: uid, 218 } 219 } 220 221 func (s *LKSec) CorruptedFullSecretForBug3964Testing(srv LKSecServerHalf) LKSecFullSecret { 222 return s.FullSecret().bug3964Remask(srv) 223 } 224 225 func (s *LKSec) SetUID(u keybase1.UID) { 226 s.uid = u 227 } 228 229 func (s *LKSec) SetClientHalf(b LKSecClientHalf) { 230 s.clientHalf = b 231 } 232 233 func (s *LKSec) SetServerHalf(b LKSecServerHalf) { 234 s.serverHalf = b 235 } 236 237 // Generation returns the passphrase generation that this local key security 238 // object is derived from. 239 func (s LKSec) Generation() PassphraseGeneration { 240 return s.ppGen 241 } 242 243 func (s *LKSec) GenerateServerHalf() error { 244 if s.clientHalf.IsNil() { 245 return errors.New("Can't generate server half without a client half") 246 } 247 if !s.serverHalf.IsNil() { 248 return nil 249 } 250 var v [LKSecLen]byte 251 var n int 252 var err error 253 if n, err = rand.Read(v[:]); err != nil { 254 return err 255 } 256 if n != LKSecLen { 257 return fmt.Errorf("short random read; wanted %d bytes but only got %d", LKSecLen, n) 258 } 259 s.serverHalf = LKSecServerHalf{s: &v} 260 return nil 261 } 262 263 func (s *LKSec) GetServerHalf() LKSecServerHalf { 264 return s.serverHalf 265 } 266 267 func (s *LKSec) Load(m MetaContext) (err error) { 268 defer m.Trace("LKSec::Load()", &err)() 269 270 if !s.secret.IsNil() { 271 m.Debug("| Short-circuit; we already know the full secret") 272 return nil 273 } 274 275 if s.clientHalf.IsNil() { 276 err = fmt.Errorf("client half not set") 277 return err 278 } 279 280 if err = s.LoadServerHalf(m); err != nil { 281 return err 282 } 283 284 s.SetFullSecret(m) 285 return nil 286 } 287 288 func (s *LKSec) SetFullSecret(m MetaContext) { 289 m.Debug("| Making XOR'ed secret key for Local Key Security (LKS)") 290 s.secret = s.serverHalf.ComputeFullSecret(s.clientHalf) 291 } 292 293 func (s *LKSec) LoadServerHalf(m MetaContext) (err error) { 294 defer m.Trace("LKSec::LoadServerHalf()", &err)() 295 296 if !s.serverHalf.IsNil() { 297 m.Debug("| short-circuit: already have serverHalf") 298 return nil 299 } 300 _, err = s.LoadServerDetails(m) 301 return err 302 } 303 304 func (s *LKSec) LoadServerDetails(m MetaContext) (ret DeviceKeyMap, err error) { 305 defer m.Trace("LKSec#LoadServerDetails", &err)() 306 307 devid := s.deviceID 308 if devid.IsNil() { 309 devid = m.G().Env.GetDeviceIDForUID(s.uid) 310 } 311 if devid.IsNil() { 312 return ret, fmt.Errorf("lksec load: no device id set, thus can't fetch server half") 313 } 314 315 if ret, err = s.apiServerHalf(m, devid); err != nil { 316 m.Debug("apiServerHalf(%s) error: %s", devid, err) 317 return ret, err 318 } 319 if s.serverHalf.IsNil() { 320 return ret, fmt.Errorf("after apiServerHalf(%s), serverHalf still empty", devid) 321 } 322 323 return ret, nil 324 } 325 326 func (s *LKSec) GetSecret(m MetaContext) (secret LKSecFullSecret, err error) { 327 defer m.Trace("LKsec:GetSecret()", &err)() 328 if err = s.Load(m); err != nil { 329 return secret, err 330 } 331 secret = s.secret 332 return secret, nil 333 } 334 335 func (s *LKSec) Encrypt(m MetaContext, src []byte) (res []byte, err error) { 336 defer m.Trace("LKsec:Encrypt()", &err)() 337 if err = s.Load(m); err != nil { 338 return nil, err 339 } 340 var nonce []byte 341 nonce, err = RandBytes(24) 342 if err != nil { 343 return nil, err 344 } 345 var fnonce [24]byte 346 copy(fnonce[:], nonce) 347 box := secretbox.Seal(nil, src, &fnonce, s.secret.f) 348 349 ret := nonce 350 ret = append(ret, box...) 351 return ret, nil 352 } 353 354 func (s *LKSec) attemptBug3964Recovery(m MetaContext, data []byte, nonce *[24]byte) (res []byte, gen PassphraseGeneration, erroneousMask LKSecServerHalf, err error) { 355 ss, err := s.loadSecretSyncer(m) 356 if err != nil { 357 return nil, 0, LKSecServerHalf{}, err 358 } 359 devices := ss.AllDevices() 360 res, serverHalf, err := s.tryAllDevicesForBug3964Recovery(m, devices, data, nonce) 361 return res, s.ppGen, serverHalf, err 362 } 363 364 func (s *LKSec) tryAllDevicesForBug3964Recovery(m MetaContext, devices DeviceKeyMap, data []byte, nonce *[24]byte) (res []byte, erroneousMask LKSecServerHalf, err error) { 365 366 // This logline is asserted in testing in bug_3964_repairman_test 367 defer m.Trace("LKSec#tryAllDevicesForBug3964Recovery()", &err)() 368 369 for devid, dev := range devices { 370 371 // This logline is asserted in testing in bug_3964_repairman_test 372 m.Debug("| Trying Bug 3964 Recovery w/ device %q {id: %s, lks: %s...}", dev.Description, devid, dev.LksServerHalf[0:8]) 373 374 serverHalf, err := dev.ToLKSec() 375 if err != nil { 376 m.Debug("| Failed with error: %s\n", err) 377 continue 378 } 379 fs := s.secret.bug3964Remask(serverHalf) 380 res, ok := secretbox.Open(nil, data, nonce, fs.f) 381 382 if ok { 383 // This logline is asserted in testing in bug_3964_repairman_test 384 m.Debug("| Success") 385 return res, serverHalf, nil 386 } 387 } 388 389 err = PassphraseError{"failed to open secretbox"} 390 return nil, LKSecServerHalf{}, err 391 } 392 393 func splitCiphertext(src []byte) ([]byte, *[24]byte) { 394 var nonce [24]byte 395 copy(nonce[:], src[0:24]) 396 data := src[24:] 397 return data, &nonce 398 } 399 400 func (s *LKSec) Decrypt(m MetaContext, src []byte) (res []byte, gen PassphraseGeneration, erroneousMask LKSecServerHalf, err error) { 401 // This logline is asserted in testing in bug_3964_repairman_test 402 defer m.Trace("LKSec#Decrypt()", &err)() 403 404 if err = s.Load(m); err != nil { 405 return nil, 0, LKSecServerHalf{}, err 406 } 407 var ok bool 408 data, nonce := splitCiphertext(src) 409 res, ok = secretbox.Open(nil, data, nonce, s.secret.f) 410 if !ok { 411 secretHash := sha256.New() 412 _, _ = secretHash.Write((*s.secret.f)[:]) 413 m.Debug("secretbox.Open failed: used a secret of length %d", len(s.secret.f)) 414 m.Debug("secretbox.Open failed: used secret of hash prefix %x and nonce prefix %x", 415 secretHash.Sum(nil)[:4], nonce[:4]) 416 m.Debug("secretbox.Open failed: attempting recovery") 417 return s.attemptBug3964Recovery(m, data, nonce) 418 } 419 420 return res, s.ppGen, LKSecServerHalf{}, nil 421 } 422 423 func (s *LKSec) decryptForBug3964Repair(m MetaContext, src []byte, dkm DeviceKeyMap) (res []byte, erroneousMask LKSecServerHalf, err error) { 424 defer m.Trace("LKSec#decryptForBug3964Repair()", &err)() 425 data, nonce := splitCiphertext(src) 426 res, ok := secretbox.Open(nil, data, nonce, s.secret.f) 427 if ok { 428 m.Debug("| Succeeded with intended mask") 429 return res, LKSecServerHalf{}, nil 430 } 431 return s.tryAllDevicesForBug3964Recovery(m, dkm, data, nonce) 432 } 433 434 func (s *LKSec) ComputeClientHalf() (ret LKSecClientHalf, err error) { 435 if !s.clientHalf.IsNil() { 436 return s.clientHalf, nil 437 } 438 if s.serverHalf.IsNil() { 439 return ret, errors.New("LKSec: tried to compute client half, but no server half loaded") 440 } 441 if s.secret.IsNil() { 442 return ret, errors.New("LKSec: tried to compute client half, but no full secret loaded") 443 } 444 return s.serverHalf.ComputeClientHalf(s.secret), nil 445 } 446 447 func (s *LKSec) loadSecretSyncer(m MetaContext) (ss *SecretSyncer, err error) { 448 return m.SyncSecrets() 449 } 450 451 func (s *LKSec) apiServerHalf(m MetaContext, devid keybase1.DeviceID) (dkm DeviceKeyMap, err error) { 452 var dev DeviceKey 453 ss, err := s.loadSecretSyncer(m) 454 if err != nil { 455 return dkm, err 456 } 457 dev, err = ss.FindDevice(devid) 458 if err != nil { 459 return dkm, err 460 } 461 462 s.serverHalf, err = dev.ToLKSec() 463 if err != nil { 464 return dkm, err 465 } 466 s.ppGen = dev.PPGen 467 return ss.AllDevices(), nil 468 } 469 470 // NewLKSForEncrypt gets a verified passphrase stream, and returns 471 // an LKS that works for encryption. 472 func NewLKSecForEncrypt(m MetaContext, ui SecretUI, uid keybase1.UID) (ret *LKSec, err error) { 473 m = m.WithUIs(UIs{SecretUI: ui}) 474 pps, err := GetPassphraseStreamStored(m) 475 if err != nil { 476 return nil, err 477 } 478 ret = NewLKSec(pps, uid) 479 return ret, nil 480 } 481 482 // EncryptClientHalfRecovery takes the client half of the LKS secret 483 // and encrypts it for the given key. This is for recovery of passphrases 484 // on device recovery operations. 485 func (s *LKSec) EncryptClientHalfRecovery(key GenericKey) (string, error) { 486 if s.clientHalf.IsNil() { 487 return "", errors.New("Nil LKS Client Half") 488 } 489 return key.EncryptToString(s.clientHalf.Bytes(), nil) 490 } 491 492 // ToSKB exports a generic key with the given LKSec to a SecretKeyBundle, 493 // performing all necessary encryption. 494 func (s *LKSec) ToSKB(m MetaContext, key GenericKey) (ret *SKB, err error) { 495 defer m.Trace("LKSec#ToSKB", &err)() 496 if s == nil { 497 return nil, errors.New("nil lks") 498 } 499 ret = NewSKBWithGlobalContext(m.G()) 500 501 var publicKey RawPublicKey 502 var privateKey RawPrivateKey 503 504 publicKey, privateKey, err = key.ExportPublicAndPrivate() 505 if err != nil { 506 return nil, err 507 } 508 509 ret.Priv.Data, err = s.Encrypt(m, []byte(privateKey)) 510 if err != nil { 511 return nil, err 512 } 513 ret.Priv.Encryption = LKSecVersion 514 ret.Priv.PassphraseGeneration = int(s.Generation()) 515 ret.Pub = []byte(publicKey) 516 ret.Type = key.GetAlgoType() 517 ret.uid = s.uid 518 return ret, nil 519 } 520 521 func WriteLksSKBToKeyring(m MetaContext, k GenericKey, lks *LKSec) (skb *SKB, err error) { 522 defer m.Trace("WriteLksSKBToKeyring", &err)() 523 skb, err = lks.ToSKB(m, k) 524 if err != nil { 525 return nil, fmt.Errorf("k.ToLksSKB() error: %s", err) 526 } 527 if err = skbPushAndSave(m, skb); err != nil { 528 return nil, err 529 } 530 return skb, nil 531 } 532 533 func (s *LKSec) FullSecret() LKSecFullSecret { 534 if !s.secret.IsNil() { 535 return s.secret 536 } 537 if s.serverHalf.IsNil() || s.clientHalf.IsNil() { 538 return LKSecFullSecret{} 539 } 540 return s.serverHalf.ComputeFullSecret(s.clientHalf) 541 } 542 543 func (s LKSec) ServerHalf() LKSecServerHalf { 544 return s.serverHalf 545 } 546 547 func (s LKSec) ClientHalf() LKSecClientHalf { 548 return s.clientHalf 549 } 550 551 type LKSecServerHalfSet struct { 552 index map[[LKSecLen]byte]bool 553 } 554 555 func NewLKSecServerHalfSet() *LKSecServerHalfSet { 556 return &LKSecServerHalfSet{ 557 index: make(map[[LKSecLen]byte]bool), 558 } 559 } 560 561 func (l *LKSecServerHalfSet) Add(s LKSecServerHalf) { 562 if !s.IsNil() { 563 l.index[*s.s] = true 564 } 565 } 566 567 func (l *LKSecServerHalfSet) EncodeToHexList() string { 568 var s []string 569 for k := range l.index { 570 s = append(s, hex.EncodeToString(k[:])) 571 } 572 return strings.Join(s, ",") 573 }