feat: Add support for the libolm PkEncryption feature

This patch introduces support for the libolm PkEncryption/PkDecryption concepts, ensuring bug-for-bug compatibility with libolm. Notably, the libolm implementation has a known flaw that leaves ciphertext unauthenticated, as documented in the Matrix spec [1]. To address this, the feature is gated behind a feature flag to better inform users of this issue. [1]: https://spec.matrix.org/v1.11/client-server-api/#backup-algorithm-mmegolm_backupv1curve25519-aes-sha2 Changelog: Add support for the libolm PkEncryption feature. This allows Matrix clients to implement the [m.megolm_backup.v1.curve25519-aes-sha2](https://spec.matrix.org/v1.11/client-server-api/#backup-algorithm-mmegolm_backupv1curve25519-aes-sha2) room key backup algorithm. Please note that this algorithm contains a critical flaw and should only be used for compatibility reasons.
matrix-org · Sep 11, 2024 · a092040 · a092040
1 parent 4785a08
commit a092040
Show file tree

Hide file tree

Showing 5 changed files with 358 additions and 8 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -24,6 +24,7 @@ default = ["libolm-compat"]
 js = ["getrandom/js"]
 strict-signatures = []
 libolm-compat = []
+insecure-pk-encryption = []
 # The low-level-api feature exposes extra APIs that are only useful in advanced
 # use cases and require extra care to use.
 low-level-api = []

diff --git a/src/cipher/key.rs b/src/cipher/key.rs
@@ -28,7 +28,7 @@ type Aes256Iv = GenericArray<u8, <Aes256CbcEnc as IvSizeUser>::IvSize>;
 type HmacSha256Key = [u8; 32];
 
 #[derive(Zeroize, ZeroizeOnDrop)]
-struct ExpandedKeys(Box<[u8; 80]>);
+pub(crate) struct ExpandedKeys(Box<[u8; 80]>);
 
 impl ExpandedKeys {
     const OLM_HKDF_INFO: &'static [u8] = b"OLM_KEYS";
@@ -47,7 +47,7 @@ impl ExpandedKeys {
         Self::new_helper(pickle_key, b"Pickle")
     }
 
-    fn new_helper(message_key: &[u8], info: &[u8]) -> Self {
+    pub(crate) fn new_helper(message_key: &[u8], info: &[u8]) -> Self {
         let mut expanded_keys = [0u8; 80];
 
         let hkdf: Hkdf<Sha256> = Hkdf::new(Some(&[0]), message_key);
@@ -59,7 +59,7 @@ impl ExpandedKeys {
 }
 
 #[derive(Zeroize, ZeroizeOnDrop)]
-pub(super) struct CipherKeys {
+pub(crate) struct CipherKeys {
     aes_key: Box<[u8; 32]>,
     aes_iv: Box<[u8; 16]>,
     mac_key: Box<[u8; 32]>,
@@ -85,7 +85,7 @@ impl CipherKeys {
         Self::from_expanded_keys(expanded_keys)
     }
 
-    fn from_expanded_keys(expanded_keys: ExpandedKeys) -> Self {
+    pub(crate) fn from_expanded_keys(expanded_keys: ExpandedKeys) -> Self {
         let mut aes_key = Box::new([0u8; 32]);
         let mut mac_key = Box::new([0u8; 32]);
         let mut aes_iv = Box::new([0u8; 16]);

diff --git a/src/cipher/mod.rs b/src/cipher/mod.rs
@@ -13,7 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-mod key;
+pub(crate) mod key;
 
 use aes::{
     cipher::{
@@ -27,9 +27,9 @@ use key::CipherKeys;
 use sha2::Sha256;
 use thiserror::Error;
 
-type Aes256CbcEnc = cbc::Encryptor<Aes256>;
-type Aes256CbcDec = cbc::Decryptor<Aes256>;
-type HmacSha256 = Hmac<Sha256>;
+pub(crate) type Aes256CbcEnc = cbc::Encryptor<Aes256>;
+pub(crate) type Aes256CbcDec = cbc::Decryptor<Aes256>;
+pub(crate) type HmacSha256 = Hmac<Sha256>;
 
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct Mac(pub(crate) [u8; Self::LENGTH]);

diff --git a/src/lib.rs b/src/lib.rs
@@ -217,6 +217,8 @@ pub mod ecies;
 pub mod hazmat;
 pub mod megolm;
 pub mod olm;
+#[cfg(feature = "insecure-pk-encryption")]
+pub mod pk_encryption;
 pub mod sas;
 
 pub use base64::DecodeError as Base64DecodeError;