Skip to content

Commit

Permalink
AES-GCM
Browse files Browse the repository at this point in the history
  • Loading branch information
raxod502 committed Nov 9, 2022
1 parent 3454c81 commit 3f8aed8
Show file tree
Hide file tree
Showing 6 changed files with 55 additions and 8 deletions.
6 changes: 5 additions & 1 deletion extension/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,11 @@ The format is based on [Keep a Changelog].

## 0.0.7

Tbd
End-to-end encryption is now used, so the server has no knowledge of
what data is passing between clients, except for at what timestamps
data is sent, and no ability to tamper with the contents. The usage
model is the same, but all clients in a session must upgrade to 0.0.7
to communicate.

## 0.0.6

Expand Down
2 changes: 1 addition & 1 deletion extension/Makefile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
SHARED_FILES := background.js content-script.js icon128.png icon64.png icon32.png options.css options.html options.js
SHARED_FILES := background.js content-script.js forge.min.js icon128.png icon64.png icon32.png options.css options.html options.js
ALL_FILES := $(SHARED_FILES) manifest.json
ALL_PATHS := $(foreach dir,chrome firefox,$(foreach file,$(ALL_FILES),$(dir)/$(file)))
EXTRA_PATHS := $(filter-out $(ALL_PATHS),$(wildcard chrome/* firefox/*))
Expand Down
48 changes: 44 additions & 4 deletions extension/content-script.js
Original file line number Diff line number Diff line change
Expand Up @@ -223,20 +223,60 @@ const hypercastInit = () => {

loadStorage()
.then(({ hypercastInstance, accessToken, sessionId, clientId }) => {
globalWebsocket = dialWebsocket(
const md = forge.md.sha256.create();
md.update(sessionId);
const hashedSessionId = md.digest().toHex();
// Quick hack to just use the same salts globally. Needs to be
// replaced asap with salt that is dynamically generated and
// then shared between clients, to ensure defense against
// dictionary attacks.
const keySalt = forge.util.decode64(
"fozeFuJBd8MVILhXBWCfcbSt3XRT7MFUhYcnLbcbR/KgNzB54FWhi+liwdHSHH4zduMZSuY74cE6tACbyRLtefDN62D4Ko2P7jtJwvyBN/m9uhkbRpTuNHByicn3PSwr5O+Wq7Cm/HvNYdC/1Ypsk41kbiZF6Ji0DEVbJyigoxk="
);
const ivSalt = forge.util.decode64(
"NfkV0ly0UZkq5RvjgnKtfjfORQHCZ8UFjam6qYheoiYFkAGRmGBGTukaYfshn9NuCQgY00axFA5gv70zz5D5bUxNEFZLQXX0YSLPjYEyd/TkrE/TOC6sF0DG422De5RFBkOAoVlt5521e6pOgABZShafA8Z9XdQkT0oAdPs0Zos=%"
);
const key = forge.pkcs5.pbkdf2(sessionId, keySalt, 5000, 16);
const iv = forge.pkcs5.pbkdf2(sessionId, ivSalt, 5000, 12);
const underlying = dialWebsocket(
`${hypercastInstance
.replace("http://", "ws://")
.replace(
"https://",
"wss://"
)}/ws?token=${accessToken}&session=${sessionId}&client=${clientId}`,
(msg) => {
log(`Websocket: received message ${msg}`);
)}/ws?token=${accessToken}&session=${hashedSessionId}&client=${clientId}`,
(rawmsg) => {
log(`Websocket: received message ${rawmsg}`);
const { ciphertext, tag } = JSON.parse(rawmsg);
const decipher = forge.cipher.createDecipher("AES-GCM", key);
decipher.start({
iv: iv,
tag: forge.util.decode64(tag),
});
decipher.update(
forge.util.createBuffer(forge.util.decode64(ciphertext))
);
if (!decipher.finish()) {
logError(`Failed to decrypt AES-GCM`);
return;
}
const msg = decipher.output.getBytes();
if (globalVideoUpdater) {
globalVideoUpdater(JSON.parse(msg));
}
}
);
globalWebsocket = {
send: (msg) => {
const cipher = forge.cipher.createCipher("AES-GCM", key);
cipher.start({ iv: iv });
cipher.update(forge.util.createBuffer(msg));
cipher.finish();
const ciphertext = forge.util.encode64(cipher.output.getBytes());
const tag = forge.util.encode64(cipher.mode.tag.getBytes());
underlying.send(JSON.stringify({ ciphertext, tag }));
},
};
})
.catch(logError);
};
Expand Down
3 changes: 3 additions & 0 deletions extension/forge.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion extension/manifest-chrome.json
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
"https://*.hbomax.com/*",
"https://*.youtube.com/*"
],
"js": ["content-script.js"]
"js": ["forge.min.js", "content-script.js"]
}
],
"background": {
Expand Down
2 changes: 1 addition & 1 deletion extension/manifest-firefox.json
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
"https://*.hbomax.com/*",
"https://*.youtube.com/*"
],
"js": ["content-script.js"]
"js": ["forge.min.js", "content-script.js"]
}
],
"background": {
Expand Down

0 comments on commit 3f8aed8

Please sign in to comment.