diff options
Diffstat (limited to 'includes/external/matrix/node_modules/matrix-js-sdk/lib/crypto/backup.js')
| -rw-r--r-- | includes/external/matrix/node_modules/matrix-js-sdk/lib/crypto/backup.js | 654 |
1 files changed, 654 insertions, 0 deletions
diff --git a/includes/external/matrix/node_modules/matrix-js-sdk/lib/crypto/backup.js b/includes/external/matrix/node_modules/matrix-js-sdk/lib/crypto/backup.js new file mode 100644 index 0000000..ae42cce --- /dev/null +++ b/includes/external/matrix/node_modules/matrix-js-sdk/lib/crypto/backup.js @@ -0,0 +1,654 @@ +"use strict"; + +var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault"); +Object.defineProperty(exports, "__esModule", { + value: true +}); +exports.algorithmsByName = exports.DefaultAlgorithm = exports.Curve25519 = exports.BackupManager = exports.Aes256 = void 0; +var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty")); +var _client = require("../client"); +var _logger = require("../logger"); +var _olmlib = require("./olmlib"); +var _key_passphrase = require("./key_passphrase"); +var _utils = require("../utils"); +var _indexeddbCryptoStore = require("./store/indexeddb-crypto-store"); +var _recoverykey = require("./recoverykey"); +var _aes = require("./aes"); +var _NamespacedValue = require("../NamespacedValue"); +var _index = require("./index"); +var _crypto = require("./crypto"); +var _httpApi = require("../http-api"); +/* +Copyright 2021 The Matrix.org Foundation C.I.C. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/** + * Classes for dealing with key backup. + */ + +const KEY_BACKUP_KEYS_PER_REQUEST = 200; +const KEY_BACKUP_CHECK_RATE_LIMIT = 5000; // ms + +/** + * Manages the key backup. + */ +class BackupManager { + // The info dict from /room_keys/version + // Have we checked the server for a backup we can use? + // Are we currently sending backups? + // When did we last try to check the server for a given session id? + + constructor(baseApis, getKey) { + this.baseApis = baseApis; + this.getKey = getKey; + (0, _defineProperty2.default)(this, "algorithm", void 0); + (0, _defineProperty2.default)(this, "backupInfo", void 0); + (0, _defineProperty2.default)(this, "checkedForBackup", void 0); + (0, _defineProperty2.default)(this, "sendingBackups", void 0); + (0, _defineProperty2.default)(this, "sessionLastCheckAttemptedTime", {}); + this.checkedForBackup = false; + this.sendingBackups = false; + } + get version() { + return this.backupInfo && this.backupInfo.version; + } + + /** + * Performs a quick check to ensure that the backup info looks sane. + * + * Throws an error if a problem is detected. + * + * @param info - the key backup info + */ + static checkBackupVersion(info) { + const Algorithm = algorithmsByName[info.algorithm]; + if (!Algorithm) { + throw new Error("Unknown backup algorithm: " + info.algorithm); + } + if (typeof info.auth_data !== "object") { + throw new Error("Invalid backup data returned"); + } + return Algorithm.checkBackupVersion(info); + } + static makeAlgorithm(info, getKey) { + const Algorithm = algorithmsByName[info.algorithm]; + if (!Algorithm) { + throw new Error("Unknown backup algorithm"); + } + return Algorithm.init(info.auth_data, getKey); + } + async enableKeyBackup(info) { + this.backupInfo = info; + if (this.algorithm) { + this.algorithm.free(); + } + this.algorithm = await BackupManager.makeAlgorithm(info, this.getKey); + this.baseApis.emit(_index.CryptoEvent.KeyBackupStatus, true); + + // There may be keys left over from a partially completed backup, so + // schedule a send to check. + this.scheduleKeyBackupSend(); + } + + /** + * Disable backing up of keys. + */ + disableKeyBackup() { + if (this.algorithm) { + this.algorithm.free(); + } + this.algorithm = undefined; + this.backupInfo = undefined; + this.baseApis.emit(_index.CryptoEvent.KeyBackupStatus, false); + } + getKeyBackupEnabled() { + if (!this.checkedForBackup) { + return null; + } + return Boolean(this.algorithm); + } + async prepareKeyBackupVersion(key, algorithm) { + const Algorithm = algorithm ? algorithmsByName[algorithm] : DefaultAlgorithm; + if (!Algorithm) { + throw new Error("Unknown backup algorithm"); + } + const [privateKey, authData] = await Algorithm.prepare(key); + const recoveryKey = (0, _recoverykey.encodeRecoveryKey)(privateKey); + return { + algorithm: Algorithm.algorithmName, + auth_data: authData, + recovery_key: recoveryKey, + privateKey + }; + } + async createKeyBackupVersion(info) { + this.algorithm = await BackupManager.makeAlgorithm(info, this.getKey); + } + + /** + * Check the server for an active key backup and + * if one is present and has a valid signature from + * one of the user's verified devices, start backing up + * to it. + */ + async checkAndStart() { + _logger.logger.log("Checking key backup status..."); + if (this.baseApis.isGuest()) { + _logger.logger.log("Skipping key backup check since user is guest"); + this.checkedForBackup = true; + return null; + } + let backupInfo; + try { + var _await$this$baseApis$; + backupInfo = (_await$this$baseApis$ = await this.baseApis.getKeyBackupVersion()) !== null && _await$this$baseApis$ !== void 0 ? _await$this$baseApis$ : undefined; + } catch (e) { + _logger.logger.log("Error checking for active key backup", e); + if (e.httpStatus === 404) { + // 404 is returned when the key backup does not exist, so that + // counts as successfully checking. + this.checkedForBackup = true; + } + return null; + } + this.checkedForBackup = true; + const trustInfo = await this.isKeyBackupTrusted(backupInfo); + if (trustInfo.usable && !this.backupInfo) { + _logger.logger.log(`Found usable key backup v${backupInfo.version}: enabling key backups`); + await this.enableKeyBackup(backupInfo); + } else if (!trustInfo.usable && this.backupInfo) { + _logger.logger.log("No usable key backup: disabling key backup"); + this.disableKeyBackup(); + } else if (!trustInfo.usable && !this.backupInfo) { + _logger.logger.log("No usable key backup: not enabling key backup"); + } else if (trustInfo.usable && this.backupInfo) { + // may not be the same version: if not, we should switch + if (backupInfo.version !== this.backupInfo.version) { + _logger.logger.log(`On backup version ${this.backupInfo.version} but ` + `found version ${backupInfo.version}: switching.`); + this.disableKeyBackup(); + await this.enableKeyBackup(backupInfo); + // We're now using a new backup, so schedule all the keys we have to be + // uploaded to the new backup. This is a bit of a workaround to upload + // keys to a new backup in *most* cases, but it won't cover all cases + // because we don't remember what backup version we uploaded keys to: + // see https://github.com/vector-im/element-web/issues/14833 + await this.scheduleAllGroupSessionsForBackup(); + } else { + _logger.logger.log(`Backup version ${backupInfo.version} still current`); + } + } + return { + backupInfo, + trustInfo + }; + } + + /** + * Forces a re-check of the key backup and enables/disables it + * as appropriate. + * + * @returns Object with backup info (as returned by + * getKeyBackupVersion) in backupInfo and + * trust information (as returned by isKeyBackupTrusted) + * in trustInfo. + */ + async checkKeyBackup() { + this.checkedForBackup = false; + return this.checkAndStart(); + } + + /** + * Attempts to retrieve a session from a key backup, if enough time + * has elapsed since the last check for this session id. + */ + async queryKeyBackupRateLimited(targetRoomId, targetSessionId) { + if (!this.backupInfo) { + return; + } + const now = new Date().getTime(); + if (!this.sessionLastCheckAttemptedTime[targetSessionId] || now - this.sessionLastCheckAttemptedTime[targetSessionId] > KEY_BACKUP_CHECK_RATE_LIMIT) { + this.sessionLastCheckAttemptedTime[targetSessionId] = now; + await this.baseApis.restoreKeyBackupWithCache(targetRoomId, targetSessionId, this.backupInfo, {}); + } + } + + /** + * Check if the given backup info is trusted. + * + * @param backupInfo - key backup info dict from /room_keys/version + */ + async isKeyBackupTrusted(backupInfo) { + const ret = { + usable: false, + trusted_locally: false, + sigs: [] + }; + if (!backupInfo || !backupInfo.algorithm || !backupInfo.auth_data || !backupInfo.auth_data.signatures) { + _logger.logger.info("Key backup is absent or missing required data"); + return ret; + } + const userId = this.baseApis.getUserId(); + const privKey = await this.baseApis.crypto.getSessionBackupPrivateKey(); + if (privKey) { + let algorithm = null; + try { + algorithm = await BackupManager.makeAlgorithm(backupInfo, async () => privKey); + if (await algorithm.keyMatches(privKey)) { + _logger.logger.info("Backup is trusted locally"); + ret.trusted_locally = true; + } + } catch { + // do nothing -- if we have an error, then we don't mark it as + // locally trusted + } finally { + var _algorithm; + (_algorithm = algorithm) === null || _algorithm === void 0 ? void 0 : _algorithm.free(); + } + } + const mySigs = backupInfo.auth_data.signatures[userId] || {}; + for (const keyId of Object.keys(mySigs)) { + const keyIdParts = keyId.split(":"); + if (keyIdParts[0] !== "ed25519") { + _logger.logger.log("Ignoring unknown signature type: " + keyIdParts[0]); + continue; + } + // Could be a cross-signing master key, but just say this is the device + // ID for backwards compat + const sigInfo = { + deviceId: keyIdParts[1] + }; + + // first check to see if it's from our cross-signing key + const crossSigningId = this.baseApis.crypto.crossSigningInfo.getId(); + if (crossSigningId === sigInfo.deviceId) { + sigInfo.crossSigningId = true; + try { + await (0, _olmlib.verifySignature)(this.baseApis.crypto.olmDevice, backupInfo.auth_data, userId, sigInfo.deviceId, crossSigningId); + sigInfo.valid = true; + } catch (e) { + _logger.logger.warn("Bad signature from cross signing key " + crossSigningId, e); + sigInfo.valid = false; + } + ret.sigs.push(sigInfo); + continue; + } + + // Now look for a sig from a device + // At some point this can probably go away and we'll just support + // it being signed by the cross-signing master key + const device = this.baseApis.crypto.deviceList.getStoredDevice(userId, sigInfo.deviceId); + if (device) { + sigInfo.device = device; + sigInfo.deviceTrust = this.baseApis.checkDeviceTrust(userId, sigInfo.deviceId); + try { + await (0, _olmlib.verifySignature)(this.baseApis.crypto.olmDevice, backupInfo.auth_data, userId, device.deviceId, device.getFingerprint()); + sigInfo.valid = true; + } catch (e) { + _logger.logger.info("Bad signature from key ID " + keyId + " userID " + this.baseApis.getUserId() + " device ID " + device.deviceId + " fingerprint: " + device.getFingerprint(), backupInfo.auth_data, e); + sigInfo.valid = false; + } + } else { + sigInfo.valid = null; // Can't determine validity because we don't have the signing device + _logger.logger.info("Ignoring signature from unknown key " + keyId); + } + ret.sigs.push(sigInfo); + } + ret.usable = ret.sigs.some(s => { + var _s$deviceTrust; + return s.valid && (s.device && ((_s$deviceTrust = s.deviceTrust) === null || _s$deviceTrust === void 0 ? void 0 : _s$deviceTrust.isVerified()) || s.crossSigningId); + }); + return ret; + } + + /** + * Schedules sending all keys waiting to be sent to the backup, if not already + * scheduled. Retries if necessary. + * + * @param maxDelay - Maximum delay to wait in ms. 0 means no delay. + */ + async scheduleKeyBackupSend(maxDelay = 10000) { + if (this.sendingBackups) return; + this.sendingBackups = true; + try { + // wait between 0 and `maxDelay` seconds, to avoid backup + // requests from different clients hitting the server all at + // the same time when a new key is sent + const delay = Math.random() * maxDelay; + await (0, _utils.sleep)(delay); + let numFailures = 0; // number of consecutive failures + for (;;) { + if (!this.algorithm) { + return; + } + try { + const numBackedUp = await this.backupPendingKeys(KEY_BACKUP_KEYS_PER_REQUEST); + if (numBackedUp === 0) { + // no sessions left needing backup: we're done + return; + } + numFailures = 0; + } catch (err) { + numFailures++; + _logger.logger.log("Key backup request failed", err); + if (err.data) { + if (err.data.errcode == "M_NOT_FOUND" || err.data.errcode == "M_WRONG_ROOM_KEYS_VERSION") { + // Re-check key backup status on error, so we can be + // sure to present the current situation when asked. + await this.checkKeyBackup(); + // Backup version has changed or this backup version + // has been deleted + this.baseApis.crypto.emit(_index.CryptoEvent.KeyBackupFailed, err.data.errcode); + throw err; + } + } + } + if (numFailures) { + // exponential backoff if we have failures + await (0, _utils.sleep)(1000 * Math.pow(2, Math.min(numFailures - 1, 4))); + } + } + } finally { + this.sendingBackups = false; + } + } + + /** + * Take some e2e keys waiting to be backed up and send them + * to the backup. + * + * @param limit - Maximum number of keys to back up + * @returns Number of sessions backed up + */ + async backupPendingKeys(limit) { + const sessions = await this.baseApis.crypto.cryptoStore.getSessionsNeedingBackup(limit); + if (!sessions.length) { + return 0; + } + let remaining = await this.baseApis.crypto.cryptoStore.countSessionsNeedingBackup(); + this.baseApis.crypto.emit(_index.CryptoEvent.KeyBackupSessionsRemaining, remaining); + const rooms = {}; + for (const session of sessions) { + var _deviceList$getDevice; + const roomId = session.sessionData.room_id; + (0, _utils.safeSet)(rooms, roomId, rooms[roomId] || { + sessions: {} + }); + const sessionData = this.baseApis.crypto.olmDevice.exportInboundGroupSession(session.senderKey, session.sessionId, session.sessionData); + sessionData.algorithm = _olmlib.MEGOLM_ALGORITHM; + const forwardedCount = (sessionData.forwarding_curve25519_key_chain || []).length; + const userId = this.baseApis.crypto.deviceList.getUserByIdentityKey(_olmlib.MEGOLM_ALGORITHM, session.senderKey); + const device = (_deviceList$getDevice = this.baseApis.crypto.deviceList.getDeviceByIdentityKey(_olmlib.MEGOLM_ALGORITHM, session.senderKey)) !== null && _deviceList$getDevice !== void 0 ? _deviceList$getDevice : undefined; + const verified = this.baseApis.crypto.checkDeviceInfoTrust(userId, device).isVerified(); + (0, _utils.safeSet)(rooms[roomId]["sessions"], session.sessionId, { + first_message_index: sessionData.first_known_index, + forwarded_count: forwardedCount, + is_verified: verified, + session_data: await this.algorithm.encryptSession(sessionData) + }); + } + await this.baseApis.sendKeyBackup(undefined, undefined, this.backupInfo.version, { + rooms + }); + await this.baseApis.crypto.cryptoStore.unmarkSessionsNeedingBackup(sessions); + remaining = await this.baseApis.crypto.cryptoStore.countSessionsNeedingBackup(); + this.baseApis.crypto.emit(_index.CryptoEvent.KeyBackupSessionsRemaining, remaining); + return sessions.length; + } + async backupGroupSession(senderKey, sessionId) { + await this.baseApis.crypto.cryptoStore.markSessionsNeedingBackup([{ + senderKey: senderKey, + sessionId: sessionId + }]); + if (this.backupInfo) { + // don't wait for this to complete: it will delay so + // happens in the background + this.scheduleKeyBackupSend(); + } + // if this.backupInfo is not set, then the keys will be backed up when + // this.enableKeyBackup is called + } + + /** + * Marks all group sessions as needing to be backed up and schedules them to + * upload in the background as soon as possible. + */ + async scheduleAllGroupSessionsForBackup() { + await this.flagAllGroupSessionsForBackup(); + + // Schedule keys to upload in the background as soon as possible. + this.scheduleKeyBackupSend(0 /* maxDelay */); + } + + /** + * Marks all group sessions as needing to be backed up without scheduling + * them to upload in the background. + * @returns Promise which resolves to the number of sessions now requiring a backup + * (which will be equal to the number of sessions in the store). + */ + async flagAllGroupSessionsForBackup() { + await this.baseApis.crypto.cryptoStore.doTxn("readwrite", [_indexeddbCryptoStore.IndexedDBCryptoStore.STORE_INBOUND_GROUP_SESSIONS, _indexeddbCryptoStore.IndexedDBCryptoStore.STORE_BACKUP], txn => { + this.baseApis.crypto.cryptoStore.getAllEndToEndInboundGroupSessions(txn, session => { + if (session !== null) { + this.baseApis.crypto.cryptoStore.markSessionsNeedingBackup([session], txn); + } + }); + }); + const remaining = await this.baseApis.crypto.cryptoStore.countSessionsNeedingBackup(); + this.baseApis.emit(_index.CryptoEvent.KeyBackupSessionsRemaining, remaining); + return remaining; + } + + /** + * Counts the number of end to end session keys that are waiting to be backed up + * @returns Promise which resolves to the number of sessions requiring backup + */ + countSessionsNeedingBackup() { + return this.baseApis.crypto.cryptoStore.countSessionsNeedingBackup(); + } +} +exports.BackupManager = BackupManager; +class Curve25519 { + constructor(authData, publicKey, + // FIXME: PkEncryption + getKey) { + this.authData = authData; + this.publicKey = publicKey; + this.getKey = getKey; + } + static async init(authData, getKey) { + if (!authData || !("public_key" in authData)) { + throw new Error("auth_data missing required information"); + } + const publicKey = new global.Olm.PkEncryption(); + publicKey.set_recipient_key(authData.public_key); + return new Curve25519(authData, publicKey, getKey); + } + static async prepare(key) { + const decryption = new global.Olm.PkDecryption(); + try { + const authData = {}; + if (!key) { + authData.public_key = decryption.generate_key(); + } else if (key instanceof Uint8Array) { + authData.public_key = decryption.init_with_private_key(key); + } else { + const derivation = await (0, _key_passphrase.keyFromPassphrase)(key); + authData.private_key_salt = derivation.salt; + authData.private_key_iterations = derivation.iterations; + authData.public_key = decryption.init_with_private_key(derivation.key); + } + const publicKey = new global.Olm.PkEncryption(); + publicKey.set_recipient_key(authData.public_key); + return [decryption.get_private_key(), authData]; + } finally { + decryption.free(); + } + } + static checkBackupVersion(info) { + if (!("public_key" in info.auth_data)) { + throw new Error("Invalid backup data returned"); + } + } + get untrusted() { + return true; + } + async encryptSession(data) { + const plainText = Object.assign({}, data); + delete plainText.session_id; + delete plainText.room_id; + delete plainText.first_known_index; + return this.publicKey.encrypt(JSON.stringify(plainText)); + } + async decryptSessions(sessions) { + const privKey = await this.getKey(); + const decryption = new global.Olm.PkDecryption(); + try { + const backupPubKey = decryption.init_with_private_key(privKey); + if (backupPubKey !== this.authData.public_key) { + throw new _httpApi.MatrixError({ + errcode: _client.MatrixClient.RESTORE_BACKUP_ERROR_BAD_KEY + }); + } + const keys = []; + for (const [sessionId, sessionData] of Object.entries(sessions)) { + try { + const decrypted = JSON.parse(decryption.decrypt(sessionData.session_data.ephemeral, sessionData.session_data.mac, sessionData.session_data.ciphertext)); + decrypted.session_id = sessionId; + keys.push(decrypted); + } catch (e) { + _logger.logger.log("Failed to decrypt megolm session from backup", e, sessionData); + } + } + return keys; + } finally { + decryption.free(); + } + } + async keyMatches(key) { + const decryption = new global.Olm.PkDecryption(); + let pubKey; + try { + pubKey = decryption.init_with_private_key(key); + } finally { + decryption.free(); + } + return pubKey === this.authData.public_key; + } + free() { + this.publicKey.free(); + } +} +exports.Curve25519 = Curve25519; +(0, _defineProperty2.default)(Curve25519, "algorithmName", "m.megolm_backup.v1.curve25519-aes-sha2"); +function randomBytes(size) { + const buf = new Uint8Array(size); + _crypto.crypto.getRandomValues(buf); + return buf; +} +const UNSTABLE_MSC3270_NAME = new _NamespacedValue.UnstableValue("m.megolm_backup.v1.aes-hmac-sha2", "org.matrix.msc3270.v1.aes-hmac-sha2"); +class Aes256 { + constructor(authData, key) { + this.authData = authData; + this.key = key; + } + static async init(authData, getKey) { + if (!authData) { + throw new Error("auth_data missing"); + } + const key = await getKey(); + if (authData.mac) { + const { + mac + } = await (0, _aes.calculateKeyCheck)(key, authData.iv); + if (authData.mac.replace(/=+$/g, "") !== mac.replace(/=+/g, "")) { + throw new Error("Key does not match"); + } + } + return new Aes256(authData, key); + } + static async prepare(key) { + let outKey; + const authData = {}; + if (!key) { + outKey = randomBytes(32); + } else if (key instanceof Uint8Array) { + outKey = new Uint8Array(key); + } else { + const derivation = await (0, _key_passphrase.keyFromPassphrase)(key); + authData.private_key_salt = derivation.salt; + authData.private_key_iterations = derivation.iterations; + outKey = derivation.key; + } + const { + iv, + mac + } = await (0, _aes.calculateKeyCheck)(outKey); + authData.iv = iv; + authData.mac = mac; + return [outKey, authData]; + } + static checkBackupVersion(info) { + if (!("iv" in info.auth_data && "mac" in info.auth_data)) { + throw new Error("Invalid backup data returned"); + } + } + get untrusted() { + return false; + } + encryptSession(data) { + const plainText = Object.assign({}, data); + delete plainText.session_id; + delete plainText.room_id; + delete plainText.first_known_index; + return (0, _aes.encryptAES)(JSON.stringify(plainText), this.key, data.session_id); + } + async decryptSessions(sessions) { + const keys = []; + for (const [sessionId, sessionData] of Object.entries(sessions)) { + try { + const decrypted = JSON.parse(await (0, _aes.decryptAES)(sessionData.session_data, this.key, sessionId)); + decrypted.session_id = sessionId; + keys.push(decrypted); + } catch (e) { + _logger.logger.log("Failed to decrypt megolm session from backup", e, sessionData); + } + } + return keys; + } + async keyMatches(key) { + if (this.authData.mac) { + const { + mac + } = await (0, _aes.calculateKeyCheck)(key, this.authData.iv); + return this.authData.mac.replace(/=+$/g, "") === mac.replace(/=+/g, ""); + } else { + // if we have no information, we have to assume the key is right + return true; + } + } + free() { + this.key.fill(0); + } +} +exports.Aes256 = Aes256; +(0, _defineProperty2.default)(Aes256, "algorithmName", UNSTABLE_MSC3270_NAME.name); +const algorithmsByName = { + [Curve25519.algorithmName]: Curve25519, + [Aes256.algorithmName]: Aes256 +}; +exports.algorithmsByName = algorithmsByName; +const DefaultAlgorithm = Curve25519; +exports.DefaultAlgorithm = DefaultAlgorithm; +//# sourceMappingURL=backup.js.map
\ No newline at end of file |