Skip to content

Commit

Permalink
feat: verify sha256sum of downloaded attachments (whisperfish#224)
Browse files Browse the repository at this point in the history
  • Loading branch information
boxdot authored Dec 21, 2023
1 parent e06b9ed commit 6d7003f
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 1 deletion.
1 change: 1 addition & 0 deletions presage/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ thiserror = "1.0"
url = "2.2"
parking_lot = "0.11"
tokio = { version = "1.0", default-features = false, features = ["sync", "time"] }
sha2 = "0.10.8"

[dev-dependencies]
quickcheck = "1.0.3"
Expand Down
3 changes: 3 additions & 0 deletions presage/src/errors.rs
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ use crate::store::StoreError;

/// The error type of Signal manager
#[derive(thiserror::Error, Debug)]
#[non_exhaustive]
pub enum Error<S: std::error::Error> {
#[error("captcha from https://signalcaptchas.org/registration/generate.html required")]
CaptchaRequired,
Expand Down Expand Up @@ -65,6 +66,8 @@ pub enum Error<S: std::error::Error> {
PushChallengeRequired,
#[error("Not allowed to request verification code, reason unknown: {0:?}")]
RequestingCodeForbidden(libsignal_service::push_service::RegistrationSessionMetadataResponse),
#[error("attachment sha256 checksum did not match")]
UnexpectedAttachmentChecksum,
#[error("Unverified registration session (i.e. wrong verification code)")]
UnverifiedRegistrationSession,
}
Expand Down
12 changes: 11 additions & 1 deletion presage/src/manager/registered.rs
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ use log::{debug, error, info, trace, warn};
use rand::rngs::StdRng;
use rand::SeedableRng;
use serde::{Deserialize, Serialize};
use sha2::Digest;
use tokio::sync::Mutex;

use crate::cache::CacheCell;
Expand Down Expand Up @@ -845,15 +846,24 @@ impl<S: Store> Manager<S, Registered> {
&self,
attachment_pointer: &AttachmentPointer,
) -> Result<Vec<u8>, Error<S::Error>> {
let expected_digest = attachment_pointer
.digest
.as_ref()
.ok_or_else(|| Error::UnexpectedAttachmentChecksum)?;

let mut service = self.identified_push_service();
let mut attachment_stream = service.get_attachment(attachment_pointer).await?;

// We need the whole file for the crypto to check out
let mut ciphertext = Vec::new();
let len = attachment_stream.read_to_end(&mut ciphertext).await?;

trace!("downloaded encrypted attachment of {} bytes", len);

let digest = sha2::Sha256::digest(&ciphertext);
if &digest[..] != expected_digest {
return Err(Error::UnexpectedAttachmentChecksum);
}

let key: [u8; 64] = attachment_pointer.key().try_into()?;
decrypt_in_place(key, &mut ciphertext)?;

Expand Down

0 comments on commit 6d7003f

Please sign in to comment.