From d62e344db708672dee58238be330382b2c903b5b Mon Sep 17 00:00:00 2001
From: Mark Haines
Date: Tue, 13 Sep 2016 15:42:47 +0100
Subject: Use the ed22519 public key as the group session id.
Some clients expect the session id to be globally unique, so allowing the end devices to pick the session id will cause problems. Include the current ratchet index with the initial keys, this decreases the risk that the client will supply the wrong index causing problems. Sign the initial keys with the ratchet ed25519 key, this reduces the risk of a client claiming a session that they didn't create.
---
 src/inbound_group_session.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
(limited to 'src/inbound_group_session.c')
diff --git a/src/inbound_group_session.c b/src/inbound_group_session.c
index 11e3dbe..f2a310a 100644
--- a/src/inbound_group_session.c
+++ b/src/inbound_group_session.c
@@ -30,7 +30,7 @@
 #define OLM_PROTOCOL_VERSION 3
 #define PICKLE_VERSION 1
-#define SESSION_KEY_VERSION 1
+#define SESSION_KEY_VERSION 2
 struct OlmInboundGroupSession {
 /** our earliest known ratchet value */
@@ -71,12 +71,12 @@ size_t olm_clear_inbound_group_session(
 }
 #define SESSION_KEY_RAW_LENGTH \
- (1 + MEGOLM_RATCHET_LENGTH + ED25519_PUBLIC_KEY_LENGTH)
+ (1 + 4 + MEGOLM_RATCHET_LENGTH + ED25519_PUBLIC_KEY_LENGTH\
+ + ED25519_SIGNATURE_LENGTH)
 /** init the session keys from the un-base64-ed session keys */
 static size_t _init_group_session_keys(
 OlmInboundGroupSession *session,
- uint32_t message_index,
 const uint8_t *key_buf
 ) {
 const uint8_t *ptr = key_buf;
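Review bot: The `/** init the session keys from the un-base64-ed session keys */` comment above `_init_group_session_keys` no longer says what the buffer must contain now that SESSION_KEY_RAW_LENGTH grows by a 4-byte counter and an ed25519 signature, so a reader has to recover the layout from the arithmetic. I would extend it to something like `/** init the session keys from the un-base64-ed session keys: version byte, big-endian 32-bit message index, megolm ratchet, ed25519 public key, then an ed25519 signature by that key over everything before it */`. The bare `4` in the macro is the counter width and is repeated by the decoder further down; a named constant shared by both would keep them in step. The continuation line `ED25519_PUBLIC_KEY_LENGTH\` also lacks a space before the backslash, which reads as if the name ended with one. The function's body continues in the next hunk.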
@@ -87,13 +87,27 @@ static size_t _init_group_session_keys(
 return (size_t)-1;
 }
- megolm_init(&session->initial_ratchet, ptr, message_index);
- megolm_init(&session->latest_ratchet, ptr, message_index);
+ uint32_t counter = 0;
+ counter <<= 8; counter |= *ptr++;
+ counter <<= 8; counter |= *ptr++;
+ counter <<= 8; counter |= *ptr++;
+ counter <<= 8; counter |= *ptr++;
+
+ megolm_init(&session->initial_ratchet, ptr, counter);
+ megolm_init(&session->latest_ratchet, ptr, counter);
+
 ptr += MEGOLM_RATCHET_LENGTH;
 memcpy(
 session->signing_key.public_key, ptr,
 ED25519_PUBLIC_KEY_LENGTH
 );
 ptr += ED25519_PUBLIC_KEY_LENGTH;
+
+ if (!_olm_crypto_ed25519_verify( &session->signing_key, key_buf, ptr - key_buf, ptr
+ )) {
+ session->last_error = OLM_BAD_SIGNATURE;
+ return (size_t)-1;
+ }
 return 0;
 }
@@ -117,7 +131,7 @@ size_t olm_init_inbound_group_session(
 }
 _olm_decode_base64(session_key, session_key_length, key_buf);
- result = _init_group_session_keys(session, message_index, key_buf);
+ result = _init_group_session_keys(session, key_buf);
 _olm_unset(key_buf, SESSION_KEY_RAW_LENGTH);
 return result;
 }
@@ -288,7 +302,6 @@ static size_t _decrypt(
 return (size_t)-1;
 }
-
 max_length = megolm_cipher->ops->decrypt_max_plaintext_length(
 megolm_cipher,
 decoded_results.ciphertext_length
-- cgit v1.2.3
From 5926a8fd29ecb997e6c4609e2195e68274d1f9df Mon Sep 17 00:00:00 2001
From: Mark Haines
Date: Tue, 13 Sep 2016 16:45:54 +0100
Subject: Comment on the encoding of the message counter.
---
 src/inbound_group_session.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/inbound_group_session.c')
diff --git a/src/inbound_group_session.c b/src/inbound_group_session.c
index f2a310a..82ff66f 100644
--- a/src/inbound_group_session.c
+++ b/src/inbound_group_session.c
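Review bot: The `_olm_crypto_ed25519_verify` check added at the end of `_init_group_session_keys` runs only after `megolm_init` has already written both ratchets and `memcpy` has stored the public key, so a blob that fails verification returns OLM_BAD_SIGNATURE but leaves the session half-initialised with unverified ratchet state; whether a caller can go on to use such a session depends on code outside this hunk, but the safe order is to verify first and mutate only on success. The signature is the trailing ED25519_SIGNATURE_LENGTH bytes and the public key immediately precedes it, so both offsets follow from SESSION_KEY_RAW_LENGTH without walking `ptr`, and the check can run before the counter is decoded. It is also worth a comment that the signature is checked against the key carried in the same blob, so it binds the blob to that key (the session id) rather than saying who sent it. The function's opening and the version-byte check sit above the hunk; the rewrite below assumes `ptr` has been advanced past the version byte there, as the removed `megolm_init(…, ptr, …)` calls imply.
```c
    // … unchanged: version-byte check, which leaves ptr just past the version byte …

    // Verify before writing any session state, so a blob that fails the check
    // leaves the ratchets untouched. The signature is the trailing
    // ED25519_SIGNATURE_LENGTH bytes, made by the public key that precedes it;
    // this binds the blob to that key (the session id), nothing more.
    const uint8_t *sig = key_buf + SESSION_KEY_RAW_LENGTH - ED25519_SIGNATURE_LENGTH;
    memcpy(
        session->signing_key.public_key, sig - ED25519_PUBLIC_KEY_LENGTH,
        ED25519_PUBLIC_KEY_LENGTH
    );
    if (!_olm_crypto_ed25519_verify(
        &session->signing_key, key_buf, sig - key_buf, sig
    )) {
        session->last_error = OLM_BAD_SIGNATURE;
        return (size_t)-1;
    }

    // … unchanged: big-endian counter decode and the two megolm_init calls, now after the check …
    return 0;
```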
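Review bot: The call `result = _init_group_session_keys(session, key_buf);` drops `message_index`, but `olm_init_inbound_group_session`'s own parameter list is outside the hunk; if that public entry point still accepts a `message_index` argument it is now silently ignored and the index embedded in the key blob wins with no diagnostic. If the parameter was removed from the header in the same change, nothing to do; otherwise either drop it or document that the blob's embedded index takes precedence. `_init_group_session_keys` can now also fail with OLM_BAD_SIGNATURE, which is worth adding to the public function's doc comment since `result` propagates that failure unchanged.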
@@ -88,10 +88,10 @@ static size_t _init_group_session_keys(
 }
 uint32_t counter = 0;
- counter <<= 8; counter |= *ptr++;
- counter <<= 8; counter |= *ptr++;
- counter <<= 8; counter |= *ptr++;
- counter <<= 8; counter |= *ptr++;
+ // Decode counter as a big endian 32-bit number.
+ for (unsigned i = 0; i < 4; i++) {
+ counter <<= 8; counter |= *ptr++;
+ }
 megolm_init(&session->initial_ratchet, ptr, counter);
 megolm_init(&session->latest_ratchet, ptr, counter);
-- cgit v1.2.3
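Review bot: The loop bound in `for (unsigned i = 0; i < 4; i++)` duplicates the `4` inside SESSION_KEY_RAW_LENGTH, so a change to the counter width would have to be made in two places and one of them is easy to miss. A named constant shared by both, for instance `enum { SESSION_KEY_COUNTER_LENGTH = 4 };` (a constructed name) used as `for (unsigned i = 0; i < SESSION_KEY_COUNTER_LENGTH; i++)`, keeps the length macro and the decoder in step. The body could also be the single expression `counter = (counter << 8) | *ptr++;` rather than two statements on one line. The enclosing function starts above the hunk and its tail (the ptr advance, key copy and signature check) lies below it.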