char
/
matrix-rust-sdk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

crypto: Respect the encryption settings of a room when creating sessions.

master
Damir Jelić 2020-08-13 14:37:33 +02:00
parent f3e03c66a5
commit 344631b4ee
9 changed files with 171 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
matrix_sdk_base/src/client.rs
View File

@ -1305,7 +1305,12 @@ impl BaseClient {
let joined_members = room.joined_members.keys(); let joined_members = room.joined_members.keys();
let invited_members = room.joined_members.keys(); let invited_members = room.joined_members.keys();
let members: Vec<&UserId> = joined_members.chain(invited_members).collect(); let members: Vec<&UserId> = joined_members.chain(invited_members).collect();
Ok(o.share_group_session(room_id, members.into_iter()).await?) Ok(o.share_group_session(
room_id,
members.into_iter(),
room.encrypted.clone().unwrap_or_default(),
)
.await?)
} }
None => panic!("Olm machine wasn't started"), None => panic!("Olm machine wasn't started"),
} }

32
matrix_sdk_base/src/models/room.rs
View File

@ -13,13 +13,20 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
#[cfg(feature = "messages")]
use std::ops::DerefMut;
use std::{ use std::{
collections::{BTreeMap, HashMap, HashSet}, collections::{BTreeMap, HashMap, HashSet},
convert::TryFrom, convert::TryFrom,
}; };
#[cfg(feature = "messages")]
use std::ops::DerefMut;
#[cfg(feature = "encryption")]
use std::time::Duration;
#[cfg(feature = "encryption")]
use matrix_sdk_crypto::EncryptionSettings;
#[cfg(feature = "messages")] #[cfg(feature = "messages")]
use matrix_sdk_common::events::{ use matrix_sdk_common::events::{
room::redaction::SyncRedactionEvent, AnyPossiblyRedactedSyncMessageEvent, AnySyncMessageEvent, room::redaction::SyncRedactionEvent, AnyPossiblyRedactedSyncMessageEvent, AnySyncMessageEvent,
@ -111,6 +118,16 @@ pub struct EncryptionInfo {
rotation_period_messages: u64, rotation_period_messages: u64,
} }
impl Default for EncryptionInfo {
fn default() -> Self {
Self {
algorithm: Algorithm::MegolmV1AesSha2,
rotation_period_ms: 604_800_000,
rotation_period_messages: 100,
}
}
}
impl EncryptionInfo { impl EncryptionInfo {
/// The encryption algorithm that should be used to encrypt messages in the /// The encryption algorithm that should be used to encrypt messages in the
/// room. /// room.
@ -143,6 +160,17 @@ impl From<&SyncStateEvent<EncryptionEventContent>> for EncryptionInfo {
} }
} }
#[cfg(feature = "encryption")]
impl Into<EncryptionSettings> for EncryptionInfo {
fn into(self) -> EncryptionSettings {
EncryptionSettings {
algorithm: self.algorithm,
rotation_period: Duration::from_millis(self.rotation_period_messages),
rotation_period_msgs: self.rotation_period_messages,
}
}
}
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)] #[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct Tombstone { pub struct Tombstone {
/// A server-defined message. /// A server-defined message.

4
matrix_sdk_crypto/src/lib.rs
View File

@ -39,7 +39,9 @@ pub use device::{Device, TrustState};
pub use error::{MegolmError, OlmError}; pub use error::{MegolmError, OlmError};
pub use machine::{OlmMachine, OneTimeKeys}; pub use machine::{OlmMachine, OneTimeKeys};
pub use memory_stores::{DeviceStore, GroupSessionStore, SessionStore, UserDevices}; pub use memory_stores::{DeviceStore, GroupSessionStore, SessionStore, UserDevices};
pub use olm::{Account, IdentityKeys, InboundGroupSession, OutboundGroupSession, Session}; pub use olm::{
Account, EncryptionSettings, IdentityKeys, InboundGroupSession, OutboundGroupSession, Session,
};
#[cfg(feature = "sqlite_cryptostore")] #[cfg(feature = "sqlite_cryptostore")]
pub use store::sqlite::SqliteStore; pub use store::sqlite::SqliteStore;
pub use store::{CryptoStore, CryptoStoreError}; pub use store::{CryptoStore, CryptoStoreError};

49
matrix_sdk_crypto/src/machine.rs
View File

@ -53,8 +53,8 @@ use super::{
device::Device, device::Device,
error::{EventError, MegolmError, MegolmResult, OlmError, OlmResult}, error::{EventError, MegolmError, MegolmResult, OlmError, OlmResult},
olm::{ olm::{
Account, GroupSessionKey, IdentityKeys, InboundGroupSession, OlmMessage, Account, EncryptionSettings, GroupSessionKey, IdentityKeys, InboundGroupSession,
OutboundGroupSession, OlmMessage, OutboundGroupSession,
}, },
store::{memorystore::MemoryStore, Result as StoreResult}, store::{memorystore::MemoryStore, Result as StoreResult},
verification::{Sas, VerificationMachine}, verification::{Sas, VerificationMachine},
@ -824,8 +824,16 @@ impl OlmMachine {
/// ///
/// This also creates a matching inbound group session and saves that one in /// This also creates a matching inbound group session and saves that one in
/// the store. /// the store.
async fn create_outbound_group_session(&self, room_id: &RoomId) -> OlmResult<()> { async fn create_outbound_group_session(
let (outbound, inbound) = self.account.create_group_session_pair(room_id).await; &self,
room_id: &RoomId,
settings: EncryptionSettings,
) -> OlmResult<()> {
let (outbound, inbound) = self
.account
.create_group_session_pair(room_id, settings)
.await
.map_err(|_| EventError::UnsupportedAlgorithm)?;
let _ = self.store.save_inbound_group_session(inbound).await?; let _ = self.store.save_inbound_group_session(inbound).await?;
@ -835,6 +843,15 @@ impl OlmMachine {
Ok(()) Ok(())
} }
#[cfg(test)]
async fn create_outnbound_group_session_with_defaults(
&self,
room_id: &RoomId,
) -> OlmResult<()> {
self.create_outbound_group_session(room_id, EncryptionSettings::default())
.await
}
/// Get an outbound group session for a room, if one exists. /// Get an outbound group session for a room, if one exists.
/// ///
/// # Arguments /// # Arguments
@ -961,7 +978,6 @@ impl OlmMachine {
self.outbound_group_sessions.remove(room_id).is_some() self.outbound_group_sessions.remove(room_id).is_some()
} }
// TODO accept an algorithm here
/// Get to-device requests to share a group session with users in a room. /// Get to-device requests to share a group session with users in a room.
/// ///
/// # Arguments /// # Arguments
@ -970,15 +986,18 @@ impl OlmMachine {
/// used. /// used.
/// ///
/// `users` - The list of users that should receive the group session. /// `users` - The list of users that should receive the group session.
pub async fn share_group_session<'a, I>( pub async fn share_group_session<'a, I, S>(
&self, &self,
room_id: &RoomId, room_id: &RoomId,
users: I, users: I,
encryption_settings: S,
) -> OlmResult<Vec<OwnedToDeviceRequest>> ) -> OlmResult<Vec<OwnedToDeviceRequest>>
where where
I: IntoIterator<Item = &'a UserId>, I: IntoIterator<Item = &'a UserId>,
S: Into<EncryptionSettings> + Sized,
{ {
self.create_outbound_group_session(room_id).await?; self.create_outbound_group_session(room_id, encryption_settings.into())
.await?;
let session = self.outbound_group_sessions.get(room_id).unwrap(); let session = self.outbound_group_sessions.get(room_id).unwrap();
if session.shared() { if session.shared() {
@ -1373,7 +1392,7 @@ mod test {
use crate::{ use crate::{
machine::{OlmMachine, OneTimeKeys}, machine::{OlmMachine, OneTimeKeys},
verify_json, Device, verify_json, Device, EncryptionSettings,
}; };
use matrix_sdk_common::{ use matrix_sdk_common::{
@ -1618,7 +1637,7 @@ mod test {
let room_id = room_id!("!test:example.org"); let room_id = room_id!("!test:example.org");
machine machine
.create_outbound_group_session(&room_id) .create_outnbound_group_session_with_defaults(&room_id)
.await .await
.unwrap(); .unwrap();
assert!(machine.outbound_group_sessions.get(&room_id).is_some()); assert!(machine.outbound_group_sessions.get(&room_id).is_some());
@ -1825,7 +1844,11 @@ mod test {
let room_id = room_id!("!test:example.org"); let room_id = room_id!("!test:example.org");
let to_device_requests = alice let to_device_requests = alice
.share_group_session(&room_id, [bob.user_id.clone()].iter()) .share_group_session(
&room_id,
[bob.user_id.clone()].iter(),
EncryptionSettings::default(),
)
.await .await
.unwrap(); .unwrap();
@ -1868,7 +1891,11 @@ mod test {
let room_id = room_id!("!test:example.org"); let room_id = room_id!("!test:example.org");
let to_device_requests = alice let to_device_requests = alice
.share_group_session(&room_id, [bob.user_id().clone()].iter()) .share_group_session(
&room_id,
[bob.user_id().clone()].iter(),
EncryptionSettings::default(),
)
.await .await
.unwrap(); .unwrap();

5
matrix_sdk_crypto/src/memory_stores.rs
View File

@ -258,7 +258,10 @@ mod test {
let (account, _) = get_account_and_session().await; let (account, _) = get_account_and_session().await;
let room_id = room_id!("!test:localhost"); let room_id = room_id!("!test:localhost");
let (outbound, _) = account.create_group_session_pair(&room_id).await; let (outbound, _) = account
.create_group_session_pair(&room_id, Default::default())
.await
.unwrap();
assert_eq!(0, outbound.message_index().await); assert_eq!(0, outbound.message_index().await);
assert!(!outbound.shared()); assert!(!outbound.shared());

22
matrix_sdk_crypto/src/olm/account.rs
View File

@ -42,7 +42,7 @@ pub use olm_rs::{
utility::OlmUtility, utility::OlmUtility,
}; };
use super::{InboundGroupSession, OutboundGroupSession, Session}; use super::{EncryptionSettings, InboundGroupSession, OutboundGroupSession, Session};
use crate::{device::Device, error::SessionCreationError}; use crate::{device::Device, error::SessionCreationError};
/// Account holding identity keys for which sessions can be created. /// Account holding identity keys for which sessions can be created.
@ -537,12 +537,24 @@ impl Account {
/// # Arguments /// # Arguments
/// ///
/// * `room_id` - The ID of the room where the group session will be used. /// * `room_id` - The ID of the room where the group session will be used.
///
/// * `settings` - Settings determining the algorithm and rotation period of
/// the outbound group session.
pub(crate) async fn create_group_session_pair( pub(crate) async fn create_group_session_pair(
&self, &self,
room_id: &RoomId, room_id: &RoomId,
) -> (OutboundGroupSession, InboundGroupSession) { settings: EncryptionSettings,
let outbound = ) -> Result<(OutboundGroupSession, InboundGroupSession), ()> {
OutboundGroupSession::new(self.device_id.clone(), self.identity_keys.clone(), room_id); if settings.algorithm != Algorithm::MegolmV1AesSha2 {
return Err(());
}
let outbound = OutboundGroupSession::new(
self.device_id.clone(),
self.identity_keys.clone(),
room_id,
settings,
);
let identity_keys = self.identity_keys(); let identity_keys = self.identity_keys();
let sender_key = identity_keys.curve25519(); let sender_key = identity_keys.curve25519();
@ -556,7 +568,7 @@ impl Account {
) )
.expect("Can't create inbound group session from a newly created outbound group session"); .expect("Can't create inbound group session from a newly created outbound group session");
(outbound, inbound) Ok((outbound, inbound))
} }
} }

68
matrix_sdk_crypto/src/olm/group_sessions.rs
View File

@ -16,14 +16,18 @@ use std::{
convert::TryInto, convert::TryInto,
fmt, fmt,
sync::{ sync::{
atomic::{AtomicBool, AtomicUsize, Ordering}, atomic::{AtomicBool, AtomicU64, Ordering},
Arc, Arc,
}, },
time::Duration,
}; };
use matrix_sdk_common::{ use matrix_sdk_common::{
events::{ events::{
room::{encrypted::EncryptedEventContent, message::MessageEventContent}, room::{
encrypted::EncryptedEventContent, encryption::EncryptionEventContent,
message::MessageEventContent,
},
Algorithm, AnySyncRoomEvent, EventType, SyncMessageEvent, Algorithm, AnySyncRoomEvent, EventType, SyncMessageEvent,
}, },
identifiers::{DeviceId, RoomId}, identifiers::{DeviceId, RoomId},
@ -47,6 +51,49 @@ pub use olm_rs::{
use crate::error::{EventError, MegolmResult}; use crate::error::{EventError, MegolmResult};
const ROTATION_PERIOD: Duration = Duration::from_millis(604800000);
const ROTATION_MESSAGES: u64 = 100;
/// Settings for an encrypted room.
///
/// This determines the algorithm and rotation periods of a group session.
#[derive(Debug)]
pub struct EncryptionSettings {
/// The encryption algorithm that should be used in the room.
pub algorithm: Algorithm,
/// How long the session should be used before changing it.
pub rotation_period: Duration,
/// How many messages should be sent before changing the session.
pub rotation_period_msgs: u64,
}
impl Default for EncryptionSettings {
fn default() -> Self {
Self {
algorithm: Algorithm::MegolmV1AesSha2,
rotation_period: ROTATION_PERIOD,
rotation_period_msgs: ROTATION_MESSAGES,
}
}
}
impl From<&EncryptionEventContent> for EncryptionSettings {
fn from(content: &EncryptionEventContent) -> Self {
let rotation_period: Duration = content
.rotation_period_ms
.map_or(ROTATION_PERIOD, |r| Duration::from_millis(r.into()));
let rotation_period_msgs: u64 = content
.rotation_period_msgs
.map_or(ROTATION_MESSAGES, Into::into);
Self {
algorithm: content.algorithm.clone(),
rotation_period,
rotation_period_msgs,
}
}
}
/// The private session key of a group session. /// The private session key of a group session.
/// Can be used to create a new inbound group session. /// Can be used to create a new inbound group session.
#[derive(Clone, Debug, Serialize, Zeroize)] #[derive(Clone, Debug, Serialize, Zeroize)]
@ -250,8 +297,9 @@ pub struct OutboundGroupSession {
session_id: Arc<String>, session_id: Arc<String>,
room_id: Arc<RoomId>, room_id: Arc<RoomId>,
creation_time: Arc<Instant>, creation_time: Arc<Instant>,
message_count: Arc<AtomicUsize>, message_count: Arc<AtomicU64>,
shared: Arc<AtomicBool>, shared: Arc<AtomicBool>,
settings: Arc<EncryptionSettings>,
} }
impl OutboundGroupSession { impl OutboundGroupSession {
@ -267,10 +315,14 @@ impl OutboundGroupSession {
/// session. /// session.
/// ///
/// * `room_id` - The id of the room that the session is used in. /// * `room_id` - The id of the room that the session is used in.
///
/// * `settings` - Settings determining the algorithm and rotation period of
/// the outbound group session.
pub fn new( pub fn new(
device_id: Arc<Box<DeviceId>>, device_id: Arc<Box<DeviceId>>,
identity_keys: Arc<IdentityKeys>, identity_keys: Arc<IdentityKeys>,
room_id: &RoomId, room_id: &RoomId,
settings: EncryptionSettings,
) -> Self { ) -> Self {
let session = OlmOutboundGroupSession::new(); let session = OlmOutboundGroupSession::new();
let session_id = session.session_id(); let session_id = session.session_id();
@ -282,8 +334,9 @@ impl OutboundGroupSession {
account_identity_keys: identity_keys, account_identity_keys: identity_keys,
session_id: Arc::new(session_id), session_id: Arc::new(session_id),
creation_time: Arc::new(Instant::now()), creation_time: Arc::new(Instant::now()),
message_count: Arc::new(AtomicUsize::new(0)), message_count: Arc::new(AtomicU64::new(0)),
shared: Arc::new(AtomicBool::new(false)), shared: Arc::new(AtomicBool::new(false)),
settings: Arc::new(settings),
} }
} }
@ -296,6 +349,7 @@ impl OutboundGroupSession {
/// * `plaintext` - The plaintext that should be encrypted. /// * `plaintext` - The plaintext that should be encrypted.
pub(crate) async fn encrypt_helper(&self, plaintext: String) -> String { pub(crate) async fn encrypt_helper(&self, plaintext: String) -> String {
let session = self.inner.lock().await; let session = self.inner.lock().await;
self.message_count.fetch_add(1, Ordering::SeqCst);
session.encrypt(plaintext) session.encrypt(plaintext)
} }
@ -349,8 +403,10 @@ impl OutboundGroupSession {
/// A session will expire after some time or if enough messages have been /// A session will expire after some time or if enough messages have been
/// encrypted using it. /// encrypted using it.
pub fn expired(&self) -> bool { pub fn expired(&self) -> bool {
// TODO implement this. let count = self.message_count.load(Ordering::SeqCst);
false
count >= self.settings.rotation_period_msgs
|| self.creation_time.elapsed() >= self.settings.rotation_period
} }
/// Mark the session as shared. /// Mark the session as shared.

9
matrix_sdk_crypto/src/olm/mod.rs
View File

@ -17,7 +17,9 @@ mod group_sessions;
mod session; mod session;
pub use account::{Account, IdentityKeys}; pub use account::{Account, IdentityKeys};
pub use group_sessions::{GroupSessionKey, InboundGroupSession, OutboundGroupSession}; pub use group_sessions::{
EncryptionSettings, GroupSessionKey, InboundGroupSession, OutboundGroupSession,
};
pub use session::{OlmMessage, Session}; pub use session::{OlmMessage, Session};
#[cfg(test)] #[cfg(test)]
@ -179,7 +181,10 @@ pub(crate) mod test {
let alice = Account::new(&alice_id(), &alice_device_id()); let alice = Account::new(&alice_id(), &alice_device_id());
let room_id = room_id!("!test:localhost"); let room_id = room_id!("!test:localhost");
let (outbound, _) = alice.create_group_session_pair(&room_id).await; let (outbound, _) = alice
.create_group_session_pair(&room_id, Default::default())
.await
.unwrap();
assert_eq!(0, outbound.message_index().await); assert_eq!(0, outbound.message_index().await);
assert!(!outbound.shared()); assert!(!outbound.shared());

5
matrix_sdk_crypto/src/store/memorystore.rs
View File

@ -165,7 +165,10 @@ mod test {
let (account, _) = get_account_and_session().await; let (account, _) = get_account_and_session().await;
let room_id = room_id!("!test:localhost"); let room_id = room_id!("!test:localhost");
let (outbound, _) = account.create_group_session_pair(&room_id).await; let (outbound, _) = account
.create_group_session_pair(&room_id, Default::default())
.await
.unwrap();
let inbound = InboundGroupSession::new( let inbound = InboundGroupSession::new(
"test_key", "test_key",
"test_key", "test_key",