inbound_group_session.c 10.6 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
/* Copyright 2016 OpenMarket Ltd
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "olm/inbound_group_session.h"

#include <string.h>

#include "olm/base64.h"
#include "olm/cipher.h"
Richard van der Hoff's avatar
Richard van der Hoff committed
22
#include "olm/crypto.h"
23
24
#include "olm/error.h"
#include "olm/megolm.h"
25
#include "olm/memory.h"
26
#include "olm/message.h"
27
28
29
#include "olm/pickle.h"
#include "olm/pickle_encoding.h"

30
31

#define OLM_PROTOCOL_VERSION     3
32
#define PICKLE_VERSION           1
33
#define SESSION_KEY_VERSION      2
34
35
36
37
38
39
40
41

struct OlmInboundGroupSession {
    /** our earliest known ratchet value */
    Megolm initial_ratchet;

    /** The most recent ratchet value */
    Megolm latest_ratchet;

Richard van der Hoff's avatar
Richard van der Hoff committed
42
43
44
    /** The ed25519 signing key */
    struct _olm_ed25519_public_key signing_key;

45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
    enum OlmErrorCode last_error;
};

size_t olm_inbound_group_session_size() {
    return sizeof(OlmInboundGroupSession);
}

OlmInboundGroupSession * olm_inbound_group_session(
    void *memory
) {
    OlmInboundGroupSession *session = memory;
    olm_clear_inbound_group_session(session);
    return session;
}

const char *olm_inbound_group_session_last_error(
    const OlmInboundGroupSession *session
) {
    return _olm_error_to_string(session->last_error);
}

size_t olm_clear_inbound_group_session(
    OlmInboundGroupSession *session
) {
69
    _olm_unset(session, sizeof(OlmInboundGroupSession));
70
71
72
    return sizeof(OlmInboundGroupSession);
}

Richard van der Hoff's avatar
Richard van der Hoff committed
73
#define SESSION_KEY_RAW_LENGTH \
74
75
    (1 + 4 + MEGOLM_RATCHET_LENGTH + ED25519_PUBLIC_KEY_LENGTH\
        + ED25519_SIGNATURE_LENGTH)
Richard van der Hoff's avatar
Richard van der Hoff committed
76
77
78
79
80
81
82
83
84
85
86
87
88
89

/** init the session keys from the un-base64-ed session keys */
static size_t _init_group_session_keys(
    OlmInboundGroupSession *session,
    const uint8_t *key_buf
) {
    const uint8_t *ptr = key_buf;
    size_t version = *ptr++;

    if (version != SESSION_KEY_VERSION) {
        session->last_error = OLM_BAD_SESSION_KEY;
        return (size_t)-1;
    }

90
    uint32_t counter = 0;
91
92
93
94
    // Decode counter as a big endian 32-bit number.
    for (unsigned i = 0; i < 4; i++) {
        counter <<= 8; counter |= *ptr++;
    }
95
96
97
98

    megolm_init(&session->initial_ratchet, ptr, counter);
    megolm_init(&session->latest_ratchet, ptr, counter);

Richard van der Hoff's avatar
Richard van der Hoff committed
99
100
101
102
103
    ptr += MEGOLM_RATCHET_LENGTH;
    memcpy(
        session->signing_key.public_key, ptr, ED25519_PUBLIC_KEY_LENGTH
    );
    ptr += ED25519_PUBLIC_KEY_LENGTH;
104
105
106
107
108
109
110

    if (!_olm_crypto_ed25519_verify(
        &session->signing_key, key_buf, ptr - key_buf, ptr
    )) {
        session->last_error = OLM_BAD_SIGNATURE;
        return (size_t)-1;
    }
Richard van der Hoff's avatar
Richard van der Hoff committed
111
112
113
    return 0;
}

114
115
116
117
size_t olm_init_inbound_group_session(
    OlmInboundGroupSession *session,
    const uint8_t * session_key, size_t session_key_length
) {
Richard van der Hoff's avatar
Richard van der Hoff committed
118
    uint8_t key_buf[SESSION_KEY_RAW_LENGTH];
119
    size_t raw_length = _olm_decode_base64_length(session_key_length);
Richard van der Hoff's avatar
Richard van der Hoff committed
120
    size_t result;
121
122
123
124
125
126

    if (raw_length == (size_t)-1) {
        session->last_error = OLM_INVALID_BASE64;
        return (size_t)-1;
    }

Richard van der Hoff's avatar
Richard van der Hoff committed
127
    if (raw_length != SESSION_KEY_RAW_LENGTH) {
128
        session->last_error = OLM_BAD_SESSION_KEY;
129
130
131
132
        return (size_t)-1;
    }

    _olm_decode_base64(session_key, session_key_length, key_buf);
133
    result = _init_group_session_keys(session, key_buf);
Richard van der Hoff's avatar
Richard van der Hoff committed
134
135
    _olm_unset(key_buf, SESSION_KEY_RAW_LENGTH);
    return result;
136
137
}

138
139
140
141
142
143
144
static size_t raw_pickle_length(
    const OlmInboundGroupSession *session
) {
    size_t length = 0;
    length += _olm_pickle_uint32_length(PICKLE_VERSION);
    length += megolm_pickle_length(&session->initial_ratchet);
    length += megolm_pickle_length(&session->latest_ratchet);
Richard van der Hoff's avatar
Richard van der Hoff committed
145
    length += _olm_pickle_ed25519_public_key_length(&session->signing_key);
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
    return length;
}

size_t olm_pickle_inbound_group_session_length(
    const OlmInboundGroupSession *session
) {
    return _olm_enc_output_length(raw_pickle_length(session));
}

size_t olm_pickle_inbound_group_session(
    OlmInboundGroupSession *session,
    void const * key, size_t key_length,
    void * pickled, size_t pickled_length
) {
    size_t raw_length = raw_pickle_length(session);
    uint8_t *pos;

    if (pickled_length < _olm_enc_output_length(raw_length)) {
        session->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
        return (size_t)-1;
    }

    pos = _olm_enc_output_pos(pickled, raw_length);
    pos = _olm_pickle_uint32(pos, PICKLE_VERSION);
    pos = megolm_pickle(&session->initial_ratchet, pos);
    pos = megolm_pickle(&session->latest_ratchet, pos);
Richard van der Hoff's avatar
Richard van der Hoff committed
172
    pos = _olm_pickle_ed25519_public_key(pos, &session->signing_key);
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201

    return _olm_enc_output(key, key_length, pickled, raw_length);
}

size_t olm_unpickle_inbound_group_session(
    OlmInboundGroupSession *session,
    void const * key, size_t key_length,
    void * pickled, size_t pickled_length
) {
    const uint8_t *pos;
    const uint8_t *end;
    uint32_t pickle_version;

    size_t raw_length = _olm_enc_input(
        key, key_length, pickled, pickled_length, &(session->last_error)
    );
    if (raw_length == (size_t)-1) {
        return raw_length;
    }

    pos = pickled;
    end = pos + raw_length;
    pos = _olm_unpickle_uint32(pos, end, &pickle_version);
    if (pickle_version != PICKLE_VERSION) {
        session->last_error = OLM_UNKNOWN_PICKLE_VERSION;
        return (size_t)-1;
    }
    pos = megolm_unpickle(&session->initial_ratchet, pos, end);
    pos = megolm_unpickle(&session->latest_ratchet, pos, end);
Richard van der Hoff's avatar
Richard van der Hoff committed
202
    pos = _olm_unpickle_ed25519_public_key(pos, end, &session->signing_key);
203
204
205
206
207
208
209
210
211
212

    if (end != pos) {
        /* We had the wrong number of bytes in the input. */
        session->last_error = OLM_CORRUPTED_PICKLE;
        return (size_t)-1;
    }

    return pickled_length;
}

213
214
215
216
/**
 * get the max plaintext length in an un-base64-ed message
 */
static size_t _decrypt_max_plaintext_length(
217
218
219
220
221
222
223
    OlmInboundGroupSession *session,
    uint8_t * message, size_t message_length
) {
    struct _OlmDecodeGroupMessageResults decoded_results;

    _olm_decode_group_message(
        message, message_length,
224
        megolm_cipher->ops->mac_length(megolm_cipher),
Richard van der Hoff's avatar
Richard van der Hoff committed
225
        ED25519_SIGNATURE_LENGTH,
226
227
228
229
230
231
232
233
234
235
236
237
        &decoded_results);

    if (decoded_results.version != OLM_PROTOCOL_VERSION) {
        session->last_error = OLM_BAD_MESSAGE_VERSION;
        return (size_t)-1;
    }

    if (!decoded_results.ciphertext) {
        session->last_error = OLM_BAD_MESSAGE_FORMAT;
        return (size_t)-1;
    }

238
239
    return megolm_cipher->ops->decrypt_max_plaintext_length(
        megolm_cipher, decoded_results.ciphertext_length);
240
241
}

242
243
244
245
246
size_t olm_group_decrypt_max_plaintext_length(
    OlmInboundGroupSession *session,
    uint8_t * message, size_t message_length
) {
    size_t raw_length;
247

248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
    raw_length = _olm_decode_base64(message, message_length, message);
    if (raw_length == (size_t)-1) {
        session->last_error = OLM_INVALID_BASE64;
        return (size_t)-1;
    }

    return _decrypt_max_plaintext_length(
        session, message, raw_length
    );
}

/**
 * decrypt an un-base64-ed message
 */
static size_t _decrypt(
263
264
265
266
267
    OlmInboundGroupSession *session,
    uint8_t * message, size_t message_length,
    uint8_t * plaintext, size_t max_plaintext_length
) {
    struct _OlmDecodeGroupMessageResults decoded_results;
268
    size_t max_length, r;
269
270
271
272
    Megolm *megolm;
    Megolm tmp_megolm;

    _olm_decode_group_message(
273
        message, message_length,
274
        megolm_cipher->ops->mac_length(megolm_cipher),
Richard van der Hoff's avatar
Richard van der Hoff committed
275
        ED25519_SIGNATURE_LENGTH,
276
277
278
279
280
281
282
        &decoded_results);

    if (decoded_results.version != OLM_PROTOCOL_VERSION) {
        session->last_error = OLM_BAD_MESSAGE_VERSION;
        return (size_t)-1;
    }

Richard van der Hoff's avatar
Richard van der Hoff committed
283
    if (!decoded_results.has_message_index || !decoded_results.ciphertext) {
284
285
286
287
        session->last_error = OLM_BAD_MESSAGE_FORMAT;
        return (size_t)-1;
    }

Richard van der Hoff's avatar
Richard van der Hoff committed
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
    /* verify the signature. We could do this before decoding the message, but
     * we allow for the possibility of future protocol versions which use a
     * different signing mechanism; we would rather throw "BAD_MESSAGE_VERSION"
     * than "BAD_SIGNATURE" in this case.
     */
    message_length -= ED25519_SIGNATURE_LENGTH;
    r = _olm_crypto_ed25519_verify(
        &session->signing_key,
        message, message_length,
        message + message_length
    );
    if (!r) {
        session->last_error = OLM_BAD_SIGNATURE;
        return (size_t)-1;
    }

304
305
    max_length = megolm_cipher->ops->decrypt_max_plaintext_length(
        megolm_cipher,
306
307
308
309
310
311
312
313
314
        decoded_results.ciphertext_length
    );
    if (max_plaintext_length < max_length) {
        session->last_error = OLM_OUTPUT_BUFFER_TOO_SMALL;
        return (size_t)-1;
    }

    /* pick a megolm instance to use. If we're at or beyond the latest ratchet
     * value, use that */
315
    if ((decoded_results.message_index - session->latest_ratchet.counter) < (1U << 31)) {
316
        megolm = &session->latest_ratchet;
317
    } else if ((decoded_results.message_index - session->initial_ratchet.counter) >= (1U << 31)) {
318
        /* the counter is before our intial ratchet - we can't decode this. */
319
        session->last_error = OLM_UNKNOWN_MESSAGE_INDEX;
320
321
322
323
324
325
326
327
        return (size_t)-1;
    } else {
        /* otherwise, start from the initial megolm. Take a copy so that we
         * don't overwrite the initial megolm */
        tmp_megolm = session->initial_ratchet;
        megolm = &tmp_megolm;
    }

328
    megolm_advance_to(megolm, decoded_results.message_index);
329
330

    /* now try checking the mac, and decrypting */
331
332
    r = megolm_cipher->ops->decrypt(
        megolm_cipher,
333
        megolm_get_data(megolm), MEGOLM_RATCHET_LENGTH,
334
        message, message_length,
335
336
337
338
        decoded_results.ciphertext, decoded_results.ciphertext_length,
        plaintext, max_plaintext_length
    );

339
    _olm_unset(&tmp_megolm, sizeof(tmp_megolm));
340
341
342
343
344
345
346
    if (r == (size_t)-1) {
        session->last_error = OLM_BAD_MESSAGE_MAC;
        return r;
    }

    return r;
}
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365

size_t olm_group_decrypt(
    OlmInboundGroupSession *session,
    uint8_t * message, size_t message_length,
    uint8_t * plaintext, size_t max_plaintext_length
) {
    size_t raw_message_length;

    raw_message_length = _olm_decode_base64(message, message_length, message);
    if (raw_message_length == (size_t)-1) {
        session->last_error = OLM_INVALID_BASE64;
        return (size_t)-1;
    }

    return _decrypt(
        session, message, raw_message_length,
        plaintext, max_plaintext_length
    );
}