HTML5 client fails to authenticate when AES encryption is used

[mahendrapaipuri]

Describe the bug
When I try to connect to the password protected Xpra server with AES encryption using HTML5 client, the authentication fails with missing encryption tokens message. Here is the relevant log:

2022-02-24 17:38:51,450 FileAuthenticatorBase password_file=/home/usr1/password.txt
2022-02-24 17:38:51,450 FileAuthenticatorBase filename=/home/usr1/password.txt
2022-02-24 17:38:51,450 auth prompt=password for user 'usr1', socket_dirs=['/home/usr1/sdir', '/run/user/$UID/xpra', '/run/xpra', '~/.xpra']
2022-02-24 17:38:51,450 authenticator 0=password file
2022-02-24 17:38:51,450 get_encryption_key((password file,), /home/usr1/key.txt)
2022-02-24 17:38:51,450 loading encryption key from keyfile: /home/usr1/key.txt
2022-02-24 17:38:51,451 setting output cipher using AES encryption key 'b'0123456789ABCDEF''
2022-02-24 17:38:51,451 set_cipher_out('AES-CBC', 'Wºu\x7fû©\x86+r\x94Í\x99\x81Æ¡§', b'0123456789ABCDEF', '\x9fÞ\x7f\x8d\x0c\xa0г\x88\x18Q]½6Ó\x1aÎ\x10²\x9aø\xad,\xad\x85döá\\ÿÌÿ', 'SHA1', 32, 1000, 'legacy')                                                                                                                                                                         
2022-02-24 17:38:51,451 get_encryptor('AES-CBC', 'Wºu\x7fû©\x86+r\x94Í\x99\x81Æ¡§', b'0123456789ABCDEF', '9fde7f8d0ca0d0b38818515dbd36d31ace10b29af8ad2cad8564f6e15cffccff', 'SHA1', 32, 1000)                                                                                                                                                                                            
2022-02-24 17:38:51,451 sending data using AES-CBC encryption
2022-02-24 17:38:51,452 set_cipher_in('AES-CBC', 'dLllY6ROqetUtlDw', b'0123456789ABCDEF', b'\xc1\xf4\x97&\xd4WL7\xb8U\x1fBo&/\xf5:\xa4\xa3\xaa\x19\xd9E\xcf\x88\x07)\x96oc\xe3o<OV%\xca\x1a\xe4\xb2\x98\xc4$\xe7\xa6C\xfa9o\n\n\xda\x1a\x1fOU\xf0\xc3\x87\xe1\x99;\xde\x1f', 'SHA1', 32, 1000)                                                                                            
2022-02-24 17:38:51,452 get_decryptor('AES-CBC', 'dLllY6ROqetUtlDw', b'0123456789ABCDEF', 'c1f49726d4574c37b8551f426f262ff53aa4a3aa19d945cf880729966f63e36f3c4f5625ca1ae4b298c424e7a643fa396f0a0ada1a1f4f55f0c387e1993bde1f', 'SHA1', 32, 1000)                                                                                                                                           
2022-02-24 17:38:51,452 get_decryptor(..) python-cryptography supports_memoryviews(3.2.1)=True
2022-02-24 17:38:51,452 receiving data using AES-CBC encryption
2022-02-24 17:38:51,452 server cipher={'cipher': 'AES', 'cipher.mode': 'CBC', 'cipher.mode.options': ['CBC', 'GCM', 'CFB', 'CTR'], 'cipher.iv': 'dLllY6ROqetUtlDw', 'cipher.key_salt': b'\xc1\xf4\x97&\xd4WL7\xb8U\x1fBo&/\xf5:\xa4\xa3\xaa\x19\xd9E\xcf\x88\x07)\x96oc\xe3o<OV%\xca\x1a\xe4\xb2\x98\xc4$\xe7\xa6C\xfa9o\n\n\xda\x1a\x1fOU\xf0\xc3\x87\xe1\x99;\xde\x1f', 'cipher.key_hash': 'SHA1', 'cipher.key_size': 32, 'cipher.key_stretch': 'PBKDF2', 'cipher.key_stretch.options': ['PBKDF2'], 'cipher.key_stretch_iterations': 1000, 'cipher.padding': 'PKCS#7', 'cipher.padding.options': ['PKCS#7', 'legacy']}
2022-02-24 17:38:51,452 processing authentication with (password file,), remaining=(password file,), digest_modes=('hmac', 'hmac+md5', 'xor', 'hmac+md5', 'hmac+sha256', 'hmac+sha1', 'hmac+sha512', 'hmac+sha384', 'hmac+sha512/256', 'hmac+sha512/224'), salt_digest_modes=('hmac', 'hmac+md5', 'xor', 'hmac+md5', 'hmac+sha256', 'hmac+sha1', 'hmac+sha512', 'hmac+sha384', 'hmac+sha512/256', 'hmac+sha512/224')
2022-02-24 17:38:51,452 authenticator[0]=password file, requires-challenge=True, challenge-sent=False
2022-02-24 17:38:51,453 choose_digest(('hmac', 'hmac+md5', 'xor', 'hmac+md5', 'hmac+sha256', 'hmac+sha1', 'hmac+sha512', 'hmac+sha384', 'hmac+sha512/256', 'hmac+sha512/224'))
2022-02-24 17:38:51,453 get_challenge(('hmac', 'hmac+md5', 'xor', 'hmac+md5', 'hmac+sha256', 'hmac+sha1', 'hmac+sha512', 'hmac+sha384', 'hmac+sha512/256', 'hmac+sha512/224'))= 3af8305039dee0f1d98b58b0a206a36570a297f5d1e38550e1e362495abaaede72c6e6d00659e266e20a780905537f3e23ee755d8aaee6d639e72afe9656565f, hmac+sha512
2022-02-24 17:38:51,453 Authentication required by password file authenticator module
2022-02-24 17:38:51,453  sending challenge using hmac+sha512 digest over tcp connection
2022-02-24 17:38:51,453 choose_digest(('hmac', 'hmac+md5', 'xor', 'hmac+md5', 'hmac+sha256', 'hmac+sha1', 'hmac+sha512', 'hmac+sha384', 'hmac+sha512/256', 'hmac+sha512/224'))
2022-02-24 17:38:51,453 sending challenge: "password for user 'usr1'"
2022-02-24 17:38:51,453 sending 447 bytes AES-CBC encrypted with 1 padding
2022-02-24 17:38:51,532 received 7104 AES-CBC encrypted bytes with 4 padding
2022-02-24 17:38:51,532 Warning: AES-CBC decryption failed: invalid padding
2022-02-24 17:38:51,532  cipher block size=32, data size=7100
2022-02-24 17:38:51,532  data does not end with 4 PKCS#7 padding bytes 04040404 (<class 'bytes'>)
2022-02-24 17:38:51,532  but with 4 bytes: 6e56eeaf (<class 'bytes'>)
2022-02-24 17:38:51,532  decrypted data (7104 bytes): b'\xa5\xff\x07\xbc^\xff\xd4\xd8\xf9\xe0u\xf1\x93\xd9\xaa\xa9\\p\x0b\x14\xd2\xe0\x05H\xaeC\xb2S\x9b\xd61T/XAc%\xf4\xe6qp>\xa2 P\xfc\xb8\x7f\xf9\x85\xda\x1c\xfb *\xc7w\xdeP\xd0\x1f\x90\xe7l\xd15\xa73\xf5\xd6w\xdc\xa1y\xf69\xea\x08.\x86\xf6\xdc\xdd\x84\xd1\xbe\xf9~|\x04\xb7\x9a\x90\x1b\x8b\x07\x04\xc65\xa2\xd0(\xd9\xaa\xa7\\\xf2\x1f#.\xfe\x80\xc5M\xe7\xea)gU\x11\x84\xa8<\x06_\x91\xc5\xc1'..
2022-02-24 17:38:51,532  decrypted data (hex): a5ff07bc5effd4d8f9e075f193d9aaa95c700b14d2e00548ae43b2539bd631542f58416325f4e671703ea22050fcb87ff985da1cfb202ac777de50d01f90e76cd135a733f5d677dca179f639ea082e86f6dcdd84d1bef97e7c04b79a901b8b0704c635a2d028d9aaa75cf21f232efe80c54de7ea2967551184a83c065f91c5c1..
2022-02-24 17:38:51,533 Error: AES-CBC encryption padding error - wrong key?
2022-02-24 17:38:57,916 crypto_backend_init() backend=<module 'xpra.net.pycryptography_backend' from '/usr/lib64/python3.6/site-packages/xpra/net/pycryptography_backend.py'>
2022-02-24 17:38:57,916 socktype=ws, encryption=AES, keyfile=/home/usr1/key.txt
2022-02-24 17:38:58,245 make_authenticators('tcp', {'uuid': 'a33f7bbd-e323-4dbc-5b9c-7da7ecfa9c87', 'username': 'usr1'}, ws socket: 172.16.66.66:10004 <- 172.16.66.66:41886) socket options={'encryption': 'AES', 'auth': 'file:filename=/home/usr1/password.txt', 'keyfile': '/home/usr1/key.txt'}
2022-02-24 17:38:58,245 get_auth_modules(ws, ['file:filename=/home/usr1/password.txt'], {..})
2022-02-24 17:38:58,245 get_auth_module(file:filename=/home/usr1/password.txt, {..})
2022-02-24 17:38:58,245 auth module name for 'file': 'xpra.server.auth.file_auth'
2022-02-24 17:38:58,245 auth module for 'file': <module 'xpra.server.auth.file_auth' from '/usr/lib64/python3.6/site-packages/xpra/server/auth/file_auth.py'>
2022-02-24 17:38:58,245 creating authenticators ('file', <module 'xpra.server.auth.file_auth' from '/usr/lib64/python3.6/site-packages/xpra/server/auth/file_auth.py'>, <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': '/home/usr1/password.txt', 'exec_cwd': '/home/usr1'}) for tcp
2022-02-24 17:38:58,245 file : <class 'xpra.server.auth.file_auth.Authenticator'>({'filename': '/home/usr1/password.txt', 'exec_cwd': '/home/usr1', 'remote': {'uuid': 'a33f7bbd-e323-4dbc-5b9c-7da7ecfa9c87', 'username': 'usr1'}, 'encryption': 'AES', 'auth': 'file:filename=/home/usr1/password.txt', 'keyfile': '/home/usr1/key.txt', 'connection': ws socket: 172.16.66.66:10004 <- 172.16.66.66:41886, 'socket-dirs': ['/home/usr1/sdir', '/run/user/$UID/xpra', '/run/xpra', '~/.xpra']})
2022-02-24 17:38:58,245 FileAuthenticatorBase password_file=/home/usr1/password.txt
2022-02-24 17:38:58,245 FileAuthenticatorBase filename=/home/usr1/password.txt
2022-02-24 17:38:58,246 auth prompt=password for user 'usr1', socket_dirs=['/home/usr1/sdir', '/run/user/$UID/xpra', '/run/xpra', '~/.xpra']
2022-02-24 17:38:58,246 authenticator 0=password file
2022-02-24 17:38:58,246 client does not provide encryption tokens
2022-02-24 17:38:58,246 Warning: authentication failed
2022-02-24 17:38:58,246  missing encryption tokens
2022-02-24 17:38:59,249 Disconnecting client 172.16.66.66:41886:
2022-02-24 17:38:59,249  missing encryption tokens
  

To Reproduce
Steps to reproduce the behavior:
server command

PASSWORD=YOURPASSWORD
AES_KEY=0123456789ABCDEF
echo -n $PASSWORD > $HOME/password.txt
echo -n $AES_KEY > $HOME/key.txt
xpra start :10 --socket-dir=$HOME/sdir --bind-tcp=0.0.0.0:10000,encryption=AES,auth=file:filename=$HOME/password.txt,keyfile=$HOME/key.txt -d auth,crypto --html=on --start=xterm --no-daemon 

client command
xdg-open "http://localhost:10000/index.html?username=$USER&password=$PASSWORD&encryption=AES&key=$AES_KEY"

System Information (please complete the following information):

• Server OS: CentOS 8
• Client OS: CentOS 8
• Xpra Server Version: xpra-4.4-10.r30890.el8.x86_64
• Xpra Client Version: xpra-html5-5.0-1.r1160.el8.noarch

Additional context
Add any other context about the problem here.
Please see "reporting bugs" in the wiki section.

[totaam]

Confirmed.

Comparing a working python client:

socktype=tcp, encryption=AES, keyfile=/path/key.txt
get_encryptor('AES-CBC', 'ZDmZV3UoOetTtcWF', b'01f8d796-f007-438b-852e-cfc12af2884d', 'ca3a7c51adae3614851b79b75438bd7331c60b7b58945fae75fa737ffef1c89dabccfa8c78c9fda779cfbd2bb05b4a9645f7ec1ac73fec11f2a9c53c0a90ff83', 'SHA1', 32, 1000)
sending data using AES-CBC encryption
get_decryptor('AES-CBC', 'PcM2-TJVQI9jRaqH', b'01f8d796-f007-438b-852e-cfc12af2884d', 'c5406605f6874d6c7b9b9656c398d8213225debfa1cf3b3c832da702f6a60eea70c25754cc4ae2f1c790ba262c04ceb20d5153ac76d6999183d5ea1399d692bf', 'SHA1', 32, 1000)
receiving data using AES-CBC encryption
authenticator[0]=password file, requires-challenge=True, challenge-sent=False
Authentication required by password file authenticator module
 sending challenge using hmac+sha512 digest over tcp connection
sending 476 bytes AES-CBC encrypted with 4 bytes of padding
received 40864 AES-CBC encrypted bytes with 26 padding
found PKCS#7 AES-CBC padding

with the failing html5 client:

socktype=ws, encryption=AES, keyfile=/path/key.txt
get_encryptor('AES-CBC', 'F«5ð½É²y\x00E\x1c;\x19Î\x8fn', b'01f8d796-f007-438b-852e-cfc12af2884d', 'a65a8b94f405a988c2a1a70e9fa5dce1b4ab1c501bee68f70abb2f82e3e052f1', 'SHA1', 32, 1000)
sending data using AES-CBC encryption
get_decryptor('AES-CBC', 'KVJFuiNO6DgU83t1', b'01f8d796-f007-438b-852e-cfc12af2884d', 'bd51d045fcf3750410b6740adb5a2a581d8430e1a801d688e9e7ae5e76310d72267207967d55e70d32009173094603f32314acb98f948e0833336bd4fbd9052c', 'SHA1', 32, 1000)
receiving data using AES-CBC encryption
authenticator[0]=password file, requires-challenge=True, challenge-sent=False
Authentication required by password file authenticator module
 sending challenge using hmac+sha512 digest over tcp connection
sending 449 bytes AES-CBC encrypted with 31 bytes of padding
received 7360 AES-CBC encrypted bytes with 18 padding

[totaam]

I have found the problem, this was caused by #3229.

The quick and dirty fix for the server is this one:

--- a/xpra/net/crypto.py
+++ b/xpra/net/crypto.py
@@ -141,7 +141,7 @@ def get_iterations() -> int:
 def new_cipher_caps(proto, cipher, cipher_mode, encryption_key, padding_options) -> dict:
     assert backend
     iv = get_iv()
-    key_salt = get_salt()
+    key_salt = get_salt().decode("latin1")
     key_size = DEFAULT_KEYSIZE
     key_hash = DEFAULT_KEY_HASH
     key_stretch = DEFAULT_KEY_STRETCH

But I'm not sure that this is the solution I'm going to apply.

[totaam]

The correct fix:
Xpra-org/xpra-html5@0d2d584

This will be included in the next html5 client release.
In the meantime, you can apply the change by hand or use the beta packages released today: https://xpra.org/beta/

[jhgoebbert]

Your xpra-html5-only fix Xpra-org/xpra-html5@0d2d584 was not enough for us. I needed to add the fix from aboce #3475 (comment)
We start Xpra inside of JupyterLab through https://github.com/FZJ-JSC/jupyter-xprahtml5-proxy
It starts xpra with

xpra start --html=on --bind-tcp=0.0.0.0:{port} --start=xterm -fa Monospace --tcp-auth=file:filename=/tmp/tmpm43ebsry --tcp-encryption=AES --tcp-encryption-keyfile=/tmp/tmp7n2aoq0z --clipboard-direction=both --no-mdns --no-bell --no-speaker --no-printing --no-microphone --no-notifications --no-systemd-run --sharing --no-daemon

and open it in the browser with

https://jupyter-jsc.fz-juelich.de/user/<username>/<jlabname>/xprahtml5/index.html?username=<uid>&password=KXXG0Q7MIr9av3sL&encryption=AES&key=Se8rFprU5NzOmgtJ&sharing=true

(we are using the current Xpra release 4.3.2)

[totaam]

@jhgoebbert is your connection using rencodeplus as it should?
What datatype are you getting for the salt?

[jhgoebbert]

I can find this in xpra info:

network.encoders=('rencode', 'bencode', 'yaml', 'rencodeplus', 'none')
network.rencode=True
network.rencode.version=('Cython', 1, 0, 5)
network.rencodeplus=True
network.rencodeplus.version=('Cython', 1, 0, 7)

So I expect to have both installed. rencode and rencodeplus

[jhgoebbert]

When I connect to Xpra's Windows client and check xpra info then on the server side I get:

[goebbert@server xpra]$ xpra info | grep client | grep rencode
client.connection.encoder=rencodeplus

But that is already after the error message which pops ups at Xpra's server start anyway.

[jhgoebbert]

key_salt = get_salt() from xpra/net/crypto.py has the type <class 'bytes'>

[totaam]

client.connection.encoder=rencodeplus

Good!
Now I have to figure out why Xpra-org/xpra-html5@0d2d584 doesn't solve this.

rencodeplus will be sending the salt untouched, so the html5 client should now be receiving a Uint8Array instead of a string.
It just happens that the crypto library used by the html5 client requires strings instead, so we have to convert it - this is what the fix above does, by unrolling this function
https://github.com/Xpra-org/xpra-html5/blob/1a5dde30ded9e28032d56cbe3f28ce5ad68b5abf/html5/js/Utilities.js#L429-L436

My guess is that the python conversion to bytes preserves one byte for every latin1 character whereas the Javascript version does not.
(still does not explain why the fix worked for me.. perhaps I tested wrong)

[totaam]

@jhgoebbert I'm out of ideas, I cannot make it break no matter how hard I try.
I'm using the latest version from master and I've also tried with the plain 4.3.2 release.

There must be something different in your setup. Please try the steps from the OP to confirm that these do work.
To see the datatype used for the salt value, I have used this patch:

--- a/html5/js/Protocol.js
+++ b/html5/js/Protocol.js
@@ -633,6 +633,10 @@ XpraProtocol.prototype.setup_cipher = function(caps, key, setup_fn) {
                throw "unsupported encryption specified: '"+cipher+"'";
        }
        let key_salt = caps["cipher.key_salt"];
+       console.warn("key_salt=", key_salt);
+       console.log("key_salt=", key_salt.constructor);
+       console.log("key_salt=", typeof key_salt);
+       console.log("from packet encoder", this.packet_encoder);
        if (typeof key_salt !== 'string') {
                key_salt = String.fromCharCode.apply(null, key_salt);
        }

And the salt always arrives as a string from the bencode packet encoder. It is using bencode because this all happens before the handshake, before we can enabled rencodeplus.

I even tried forcing a different initial packet encoder by starting the server with --packet-encoders=rencodeplus then using:

--- a/html5/js/Protocol.js
+++ b/html5/js/Protocol.js
@@ -110,7 +110,7 @@ function XpraProtocol() {
 
        //Queue processing via intervals
        this.process_interval = 0;  //milliseconds
-       this.packet_encoder = "bencode";
+       this.packet_encoder = "rencodeplus";
 }
 
 XpraProtocol.prototype.close_event_str = function(event) {

Still works fine.

[jhgoebbert]

Sorry, for my late reply. I could not go on before the weekend.
I double checked, but this-fix-only (1) does not work for me:

--- a/html5/js/Protocol.js
+++ b/html5/js/Protocol.js
@@ -632,7 +632,10 @@ XpraProtocol.prototype.setup_cipher = function(caps, key, setup_fn) {
        if (cipher!="AES") {
                throw "unsupported encryption specified: '"+cipher+"'";
        }
-       const key_salt = caps["cipher.key_salt"];
+       let key_salt = caps["cipher.key_salt"];
+       if (typeof key_salt !== 'string') {
+               key_salt = String.fromCharCode.apply(null, key_salt);
+       }
        const iterations = caps["cipher.key_stretch_iterations"];
        if (iterations<0) {
                throw "invalid number of iterations: "+iterations;

I need to add this (2):

--- a/xpra/net/crypto.py
+++ b/xpra/net/crypto.py
@@ -141,7 +141,7 @@ def get_iterations() -> int:
 def new_cipher_caps(proto, cipher, cipher_mode, encryption_key, padding_options) -> dict:
     assert backend
     iv = get_iv()
-    key_salt = get_salt()
+    key_salt = get_salt().decode("latin1")
     key_size = DEFAULT_KEYSIZE
     key_hash = DEFAULT_KEY_HASH
     key_stretch = DEFAULT_KEY_STRETCH

Let me check now, if I can get more details ...

[jhgoebbert]

I added the patch for more console.logs from your comment above and build Xpra 4.3.2 (without patching crypto.py) with:

python setup.py build --without-strict --with-nvenc --with-nvjpeg --with-Xdummy
python setup.py install --prefix=<instpath> --with-tests --without-service

The URL parameter are:

https://<..>/xprahtml5/index.html?username=goebbert1&password=VqPHC7stC239lNt7&encryption=AES&key=He0WqN140zJUwiZe&sharing=true

and I get this output in the Firefox console:

[jhgoebbert]

Here a more complete screenshot:

[totaam]

We start Xpra inside of JupyterLab through...

Are you still running through JupyterLab or are you using the exact command lines from this ticket.
I'll copy them again here:

PASSWORD=YOURPASSWORD
AES_KEY=0123456789ABCDEF
echo -n $PASSWORD > $HOME/password.txt
echo -n $AES_KEY > $HOME/key.txt
xpra start :10 --socket-dir=$HOME/sdir --bind-tcp=0.0.0.0:10000,encryption=AES,auth=file:filename=$HOME/password.txt,keyfile=$HOME/key.txt -d auth,crypto --html=on --start=xterm --no-daemon

xdg-open "http://localhost:10000/index.html?username=$USER&password=$PASSWORD&encryption=AES&key=$AES_KEY"

These instructions work for me with all the versions I've tried (xpra git master, 4.3.2) as long as I use the latest html5 client running in Firefox and Chrome.
@mahendrapaipuri does that work for you now?

@jhgoebbert : If you are still having problems with these exact steps then perhaps you are not using the versions that you think you are, or somehow you are deviating from them in some way.

[jhgoebbert]

I build Xpra from the sources
https://github.com/Xpra-org/xpra/archive/v4.3.2.tar.gz
with the sha256-checksum:
1e548b8d20c243fba40692abb0aa2759e3bd3f2d3b6b51a160f82746cdf1d782
and I used now also the exact command from your last comment - but I still get the error message:

2022-03-28 09:38:50,571 client does not provide encryption tokens
2022-03-28 09:38:50,571 Warning: authentication failed
2022-03-28 09:38:50,571  missing encryption tokens

so I need to patch Xpra's crypto.py as discussed, which fixes the problem without changing anything else.

[totaam]

I build Xpra from the sources

Please try the official xpra.org builds instead - you will need the beta area to get the latest html5 client.
Something may be missing when you build it yourself. lz4, rencode, etc.

so I need to patch Xpra's crypto.py as discussed

This change is not an acceptable solution and will not be applied without really understanding the issue.

[jhgoebbert]

Perhaps I have been on the wrong track :(

This happens just before the switch to http://localhost:10000/connect.html and the reason why I missed it.

The problem seems to occur just after that

Thank you for your time. I will do some more investigations but I might look at the wrong place.
I am very sorry for wasting your time.

[totaam]

error accepting new connection

Run your server with -d server and log in the output / server log to see the details of this one.
This is very likely to be a completely different error, but perhaps with a similar cause (the change of packet encoders and the stricter data types this brings)

[jhgoebbert]

I was really looking at the wrong place. The issue came from a non-existing path on our system, which was used by Xpra.
I fixed it in this MR: #3507 (beside a second small thing)

[totaam]

The issue came from a non-existing path on our system, which was used by Xpra.

As per https://github.com/Xpra-org/xpra/wiki/Reporting-Bugs
This should have been a red flag to report early and save us all some time.

[jhgoebbert]

You are right. I was wasting time of you (and also of myself). Sorry.