From 4674ab63e990c47d3fa0ed0ff6583fd4dd0404fe Mon Sep 17 00:00:00 2001
From: Neeraj Gupta <254676+ua741@users.noreply.github.com>
Date: Fri, 31 May 2024 21:28:00 +0530
Subject: [PATCH] [cli] Fix Ente Auth export decryption

---
 cli/internal/crypto/crypto.go | 20 ++++++++++++++++++++
 cli/internal/crypto/crypto_libsodium.go | 17 +++++++++++++++++
 cli/main.go | 2 +-
 cli/pkg/authenticator/decrypt.go | 2 +-
 4 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/cli/internal/crypto/crypto.go b/cli/internal/crypto/crypto.go
index 11868c0ba6..e01ac52d1f 100644
--- a/cli/internal/crypto/crypto.go
+++ b/cli/internal/crypto/crypto.go
@@ -113,3 +113,23 @@ func DecryptChaChaBase64(data string, key []byte, nonce string) (string, []byte,
 }
 return base64.StdEncoding.EncodeToString(decryptedData), decryptedData, nil
 }
+
+func DecryptChaChaBase64Auth(data string, key []byte, nonce string) (string, []byte, error) {
+ // Decode data from base64
+ dataBytes, err := base64.StdEncoding.DecodeString(data)
+ if err != nil {
+ // safe to log the encrypted data
+ return "", nil, fmt.Errorf("invalid base64 data %s: %v", data, err)
+ }
+ // Decode nonce from base64
+ nonceBytes, err := base64.StdEncoding.DecodeString(nonce)
+ if err != nil {
+ return "", nil, fmt.Errorf("invalid nonce: %v", err)
+ }
+ // Decrypt data
+ decryptedData, err := decryptChaCha20poly1305V2(dataBytes, key, nonceBytes)
+ if err != nil {
+ return "", nil, fmt.Errorf("failed to decrypt data: %v", err)
+ }
+ return base64.StdEncoding.EncodeToString(decryptedData), decryptedData, nil
+}
diff --git a/cli/internal/crypto/crypto_libsodium.go b/cli/internal/crypto/crypto_libsodium.go
index a7c193c995..81768c830b 100644
--- a/cli/internal/crypto/crypto_libsodium.go
+++ b/cli/internal/crypto/crypto_libsodium.go
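Review bot: DecryptChaChaBase64Auth is a line-for-line copy of DecryptChaChaBase64 above it, differing only in the call to decryptChaCha20poly1305V2, so the two base64-decode paths and their error strings now have to be kept in sync by hand; a small private helper that takes the raw decrypt function removes the duplication. While touching it, the errors should wrap with `%w` rather than `%v` so callers can use errors.Is/As on the underlying decode or decryption failure, and the exported function needs a doc comment saying it exists for Ente Auth exports whose stream ends with a 0x0 tag rather than TagFinal (see crypto_libsodium.go). The `invalid base64 data %s` message echoes the whole ciphertext into the error; it is not a secret, but for a large export it makes the message unwieldy, so consider reporting only its length. DecryptChaChaBase64 itself starts outside the hunk.
```go
// DecryptChaChaBase64Auth decrypts a base64-encoded ciphertext/nonce pair produced by
// Ente Auth, whose secretstream ends with a 0x0 tag rather than TagFinal; see
// decryptChaCha20poly1305V2. It returns the plaintext both base64-encoded and raw.
func DecryptChaChaBase64Auth(data string, key []byte, nonce string) (string, []byte, error) {
	return decryptChaChaBase64With(data, key, nonce, decryptChaCha20poly1305V2)
}

// decryptChaChaBase64With decodes the base64 inputs and hands the raw bytes to decrypt,
// so DecryptChaChaBase64 and DecryptChaChaBase64Auth share one decode path.
func decryptChaChaBase64With(data string, key []byte, nonce string, decrypt func([]byte, []byte, []byte) ([]byte, error)) (string, []byte, error) {
	dataBytes, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		// ciphertext is not secret, but report only its size to keep the message short
		return "", nil, fmt.Errorf("invalid base64 data (%d bytes): %w", len(data), err)
	}
	nonceBytes, err := base64.StdEncoding.DecodeString(nonce)
	if err != nil {
		return "", nil, fmt.Errorf("invalid nonce: %w", err)
	}
	decryptedData, err := decrypt(dataBytes, key, nonceBytes)
	if err != nil {
		return "", nil, fmt.Errorf("failed to decrypt data: %w", err)
	}
	return base64.StdEncoding.EncodeToString(decryptedData), decryptedData, nil
}
```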
@@ -88,6 +88,23 @@ func decryptChaCha20poly1305(data []byte, key []byte, nonce []byte) ([]byte, err
 return decoded, nil
 }
 
+// decryptChaCha20poly1305V2 is used only to decrypt Ente Auth data. Ente Auth use new version of LibSodium.
+// In that version, the final tag value is 0x0 instead of TagFinal.
+func decryptChaCha20poly1305V2(data []byte, key []byte, nonce []byte) ([]byte, error) {
+ decryptor, err := NewDecryptor(key, nonce)
+ if err != nil {
+ return nil, err
+ }
+ decoded, tag, err := decryptor.Pull(data)
+ if tag != TagFinal && tag != TagMessage {
+ return nil, errors.New("invalid tag")
+ }
+ if err != nil {
+ return nil, err
+ }
+ return decoded, nil
+}
+
 //func SecretBoxOpenLibSodium(c []byte, n []byte, k []byte) ([]byte, error) {
 // var cp sodium.Bytes = c
 // res, err := cp.SecretBoxOpen(sodium.SecretBoxNonce{Bytes: n}, sodium.SecretBoxKey{Bytes: k})
diff --git a/cli/main.go b/cli/main.go
index d62cdcffad..05ea3a6e27 100644
--- a/cli/main.go
+++ b/cli/main.go
@@ -15,7 +15,7 @@ import (
 "strings"
 )
 
-var AppVersion = "0.1.13"
+var AppVersion = "0.1.14"
 
 func main() {
 cliDBPath, err := GetCLIConfigPath()
diff --git a/cli/pkg/authenticator/decrypt.go b/cli/pkg/authenticator/decrypt.go
index 6ae6056c69..f841de2717 100644
--- a/cli/pkg/authenticator/decrypt.go
+++ b/cli/pkg/authenticator/decrypt.go
@@ -55,7 +55,7 @@ func DecryptExport(inputPath string, outputPath string) error {
 return fmt.Errorf("error deriving key: %v", err)
 }
 
- _, decryptedData, err := eCrypto.DecryptChaChaBase64(export.EncryptedData, key, export.EncryptionNonce)
+ _, decryptedData, err := eCrypto.DecryptChaChaBase64Auth(export.EncryptedData, key, export.EncryptionNonce)
 if err != nil {
 fmt.Printf("\nerror decrypting data %v", err)
 fmt.Println("\nPlease check your password and try again")
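Review bot: In decryptChaCha20poly1305V2 the tag is inspected before the error returned by decryptor.Pull, so when Pull fails (an authentication failure, for instance) tag is presumably its zero value and the caller gets a misleading "invalid tag" instead of the real cause; move `if err != nil { return nil, err }` directly after the `decryptor.Pull(data)` line and let the tag comparison follow it. Accepting TagMessage as well as TagFinal also means this path can no longer distinguish a complete single-chunk stream from a truncated one, which the V1 function above presumably rejects; that is inherent to the newer libsodium layout the comment describes, but it belongs in the doc comment, e.g. `// Unlike decryptChaCha20poly1305 this accepts a TagMessage chunk as the end of the stream, so a truncated export is not detected here.` The comment's "Ente Auth use new version of LibSodium" should read "Ente Auth uses a newer version of libsodium". decryptChaCha20poly1305 starts outside the hunk.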