Crash on recovery key entered

[mormegil-cz]

I wanted to try gomuks web, and after logging to an account, I was prompted for “Recovery key or passphrase”. I entered it, and gomuks crashed. Even if the entered value was invalid, I don’t think it should lead to a panic.

2025-03-04T09:58:41.665+01:00 DBG Request completed command=verify component=hicli duration=6.8565 method=GET req_id=2 request_id=15 response_length=32 response_mime=application/json status_code=200 url=<snip>/account_data/m.secret_storage.default_key
2025-03-04T09:58:41.672+01:00 DBG Request completed command=verify component=hicli duration=6.1329 method=GET req_id=3 request_id=15 response_length=379 response_mime=application/json status_code=200 url=<snip>/account_data/m.secret_storage.key.<snip>
panic: runtime error: index out of range [2] with length 1

goroutine 73 [running]:
encoding/base64.(*Encoding).decodeQuantum(0x20?, {0xc000431937?, 0xc0004318b0?, 0xb84852?}, {0xc0001e20c0?, 0xc000196160?, 0x20?}, 0x20?)
        /usr/local/go/src/encoding/base64/base64.go:389 +0x285
encoding/base64.(*Encoding).Decode(0xc0001182c0, {0xc000431928, 0x10, 0x10}, {0xc0001e20c0, 0x2b, 0x2b})
        /usr/local/go/src/encoding/base64/base64.go:577 +0x514
maunium.net/go/mautrix/crypto/ssss.(*KeyMetadata).calculateHash(0xc0002601e0, {0xc0001e2212?, 0x1c989c8?, 0x0?})
        /builds/tulir/gomuks/.cache/pkg/mod/maunium.net/go/mautrix@v0.23.2-0.20250226205639-b72caa948c18/crypto/ssss/meta.go:74 +0x13d
maunium.net/go/mautrix/crypto/ssss.(*KeyMetadata).VerifyKey(0xc0002601e0, {0xc0001e2212, 0x20, 0x21})
        /builds/tulir/gomuks/.cache/pkg/mod/maunium.net/go/mautrix@v0.23.2-0.20250226205639-b72caa948c18/crypto/ssss/meta.go:65 +0x68
maunium.net/go/mautrix/crypto/ssss.(*KeyMetadata).VerifyRecoveryKey(0xc0002601e0, {0xc00001c438, 0x16}, {0xc000284000?, 0xc000431ac8?})
        /builds/tulir/gomuks/.cache/pkg/mod/maunium.net/go/mautrix@v0.23.2-0.20250226205639-b72caa948c18/crypto/ssss/meta.go:52 +0x5c
go.mau.fi/gomuks/pkg/hicli.(*HiClient).Verify(0xc00017e840, {0x1ca6a98, 0xc0001de000}, {0xc000284000, 0x3b})
        /builds/tulir/gomuks/pkg/hicli/verify.go:135 +0x12f
go.mau.fi/gomuks/pkg/hicli.(*HiClient).handleJSONCommand.func33(0xc0006000a0?)
        /builds/tulir/gomuks/pkg/hicli/json-commands.go:215 +0x29
go.mau.fi/gomuks/pkg/hicli.unmarshalAndCall[...]({0xc0006000a0, 0x4e, 0x50}, 0xc000431b80)
        /builds/tulir/gomuks/pkg/hicli/json-commands.go:252 +0x7a
go.mau.fi/gomuks/pkg/hicli.(*HiClient).handleJSONCommand(0xc00017e840, {0x1ca6a98, 0xc0001de000}, 0xc0003606c0)
        /builds/tulir/gomuks/pkg/hicli/json-commands.go:214 +0x21e
go.mau.fi/gomuks/pkg/hicli.(*HiClient).SubmitJSONCommand(0xc00017e840, {0x1ca6a98, 0xc000588210}, 0xc0003606c0)
        /builds/tulir/gomuks/pkg/hicli/json.go:91 +0x4ab
go.mau.fi/gomuks/pkg/gomuks.(*Gomuks).HandleWebsocket.func7(0xc0003606c0)
        /builds/tulir/gomuks/pkg/gomuks/websocket.go:228 +0x2ac
created by go.mau.fi/gomuks/pkg/gomuks.(*Gomuks).HandleWebsocket in goroutine 50
        /builds/tulir/gomuks/pkg/gomuks/websocket.go:302 +0xfe8

(gomuks web on Windows 10, downloaded from https://mau.dev/tulir/gomuks/-/jobs/artifacts/main/raw/gomuks.exe?job=windows%2Famd64)

[tulir]

That looks like the server-side data about the key is corrupted rather than the key being wrong, but yes, it shouldn't panic even if the key backup is broken