meshcore-analyzer

dandri/meshcore-analyzer

Fork 0

mirror of https://github.com/Kpa-clawbot/meshcore-analyzer.git synced 2026-06-05 12:41:36 +00:00

Commit Graph

Author	SHA1	Message	Date
Kpa-clawbot	cb21305dc4	fix(channel-decrypt): replace AES-CBC ECB hack with pure-JS AES-128 ECB (P0) (#1021 ) ## P0: channel decryption broken on prod (`OperationError` in `decryptECB`) ### Symptom ``` Uncaught (in promise) OperationError at decryptECB (channel-decrypt.js:89) at async Object.decrypt (channel-decrypt.js:181) at async decryptCandidates (channels.js:568) ``` Channel message decryption fails for most ciphertext blocks in the browser console on `analyzer.00id.net`. ### Root cause The original `decryptECB()` simulated AES-128-ECB via Web Crypto AES-CBC with a zero IV plus an appended dummy PKCS7 padding block (16 × `0x10`). Web Crypto always validates PKCS7 padding on the decrypted output, and after CBC-decrypting the dummy padding block it almost never produces a valid PKCS7 sequence, so Chrome/Firefox throw `OperationError`. There is no Web Crypto knob to disable that check — and Web Crypto doesn't expose raw ECB at all. This is a well-known dead end: every project that needs ECB in browsers ends up with a small pure-JS AES core. ### Fix - Vendor a minimal pure-JS AES-128 ECB decrypt-only core into `public/vendor/aes-ecb.js`. - Source: [aes-js](https://github.com/ricmoo/aes-js) by Richard Moore — MIT License (cited in the header comment). - Trimmed to: S-boxes, key expansion (FIPS-197 §5.2), inverse cipher (FIPS-197 §5.3). No encrypt path. No other modes. No padding logic. ~150 lines. - `decryptECB(key, ciphertext)` keeps the same API surface: `Promise<Uint8Array \| null>`. It now delegates to `window.AES_ECB.decrypt(...)`. - `verifyMAC` and `computeChannelHash` keep using Web Crypto (HMAC-SHA256 / SHA-256 — no padding pathology). - Wired `vendor/aes-ecb.js` into `public/index.html` immediately before `channel-decrypt.js`. ### TDD - Red commit (`36f6882`) — adds `test-channel-decrypt-ecb.js` pinned to the FIPS-197 Appendix C.1 AES-128 known-answer vector. Compiles, runs, and fails on assertion (`OperationError`) against the existing implementation. - Green commit (`bbbd2d1`) — vendors the pure-JS AES core and rewires `decryptECB`. Test now passes (7/7), including a multi-block assertion that two identical ciphertext blocks decrypt to two identical plaintext blocks (true ECB, no chaining). - Existing `test-channel-decrypt-m345.js` still passes (24/24). ### Files changed - `public/vendor/aes-ecb.js` — new (vendored AES-128 ECB decrypt, MIT, ~150 LOC) - `public/channel-decrypt.js` — `decryptECB()` rewritten to delegate to vendor - `public/index.html` — script tag added for `vendor/aes-ecb.js` - `test-channel-decrypt-ecb.js` — new TDD test (FIPS-197 KAT + multi-block + edge cases) ### Risk / scope - Decrypt-only, client-side, no server changes, no schema changes, no config changes (Config Documentation Rule N/A). - ECB is a single 16-byte block per packet for MeshCore channel traffic, so the perf delta vs Web Crypto is negligible (a single `decryptBlock` is ~10 round transforms on 16 bytes). - HTTP-context safe (no Web Crypto required for ECB anymore). ### Validation - All 7 FIPS-197 KAT + multi-block tests pass. - Existing channel-decrypt M3/M4/M5 tests still pass (24/24). - `test-packet-filter.js` (62/62), `test-aging.js` (18/18) unaffected. - `test-frontend-helpers.js` has a pre-existing failure on master unrelated to this PR (verified by stashing the patch). --------- Co-authored-by: openclaw-bot <bot@openclaw.local>	2026-05-04 00:46:24 +00:00

Author

SHA1

Message

Date

Kpa-clawbot

cb21305dc4

fix(channel-decrypt): replace AES-CBC ECB hack with pure-JS AES-128 ECB (P0) (#1021 )

## P0: channel decryption broken on prod (`OperationError` in
`decryptECB`)

### Symptom
```
Uncaught (in promise) OperationError
    at decryptECB (channel-decrypt.js:89)
    at async Object.decrypt (channel-decrypt.js:181)
    at async decryptCandidates (channels.js:568)
```
Channel message decryption fails for most ciphertext blocks in the
browser console on `analyzer.00id.net`.

### Root cause
The original `decryptECB()` simulated AES-128-ECB via Web Crypto AES-CBC
with a zero IV plus an appended dummy PKCS7 padding block (16 × `0x10`).
Web Crypto **always** validates PKCS7 padding on the decrypted output,
and after CBC-decrypting the dummy padding block it almost never
produces a valid PKCS7 sequence, so Chrome/Firefox throw
`OperationError`. There is no Web Crypto knob to disable that check —
and Web Crypto doesn't expose raw ECB at all.

This is a well-known dead end: every project that needs ECB in browsers
ends up with a small pure-JS AES core.

### Fix
- Vendor a minimal pure-JS **AES-128 ECB decrypt-only** core into
`public/vendor/aes-ecb.js`.
- **Source:** [aes-js](https://github.com/ricmoo/aes-js) by Richard
Moore — MIT License (cited in the header comment).
- **Trimmed to:** S-boxes, key expansion (FIPS-197 §5.2), inverse cipher
(FIPS-197 §5.3). No encrypt path. No other modes. No padding logic. ~150
lines.
- `decryptECB(key, ciphertext)` keeps the same API surface:
`Promise<Uint8Array | null>`. It now delegates to
`window.AES_ECB.decrypt(...)`.
- `verifyMAC` and `computeChannelHash` keep using Web Crypto
(HMAC-SHA256 / SHA-256 — no padding pathology).
- Wired `vendor/aes-ecb.js` into `public/index.html` immediately before
`channel-decrypt.js`.

### TDD
- **Red commit (`36f6882`)** — adds `test-channel-decrypt-ecb.js` pinned
to the **FIPS-197 Appendix C.1** AES-128 known-answer vector. Compiles,
runs, and fails on assertion (`OperationError`) against the existing
implementation.
- **Green commit (`bbbd2d1`)** — vendors the pure-JS AES core and
rewires `decryptECB`. Test now passes (7/7), including a multi-block
assertion that two identical ciphertext blocks decrypt to two identical
plaintext blocks (true ECB, no chaining).
- Existing `test-channel-decrypt-m345.js` still passes (24/24).

### Files changed
- `public/vendor/aes-ecb.js` — **new** (vendored AES-128 ECB decrypt,
MIT, ~150 LOC)
- `public/channel-decrypt.js` — `decryptECB()` rewritten to delegate to
vendor
- `public/index.html` — script tag added for `vendor/aes-ecb.js`
- `test-channel-decrypt-ecb.js` — **new** TDD test (FIPS-197 KAT +
multi-block + edge cases)

### Risk / scope
- Decrypt-only, client-side, no server changes, no schema changes, no
config changes (Config Documentation Rule N/A).
- ECB is a single 16-byte block per packet for MeshCore channel traffic,
so the perf delta vs Web Crypto is negligible (a single `decryptBlock`
is ~10 round transforms on 16 bytes).
- HTTP-context safe (no Web Crypto required for ECB anymore).

### Validation
- All 7 FIPS-197 KAT + multi-block tests pass.
- Existing channel-decrypt M3/M4/M5 tests still pass (24/24).
- `test-packet-filter.js` (62/62), `test-aging.js` (18/18) unaffected.
- `test-frontend-helpers.js` has a pre-existing failure on master
unrelated to this PR (verified by stashing the patch).

---------

Co-authored-by: openclaw-bot <bot@openclaw.local>

2026-05-04 00:46:24 +00:00

1 Commits