crypto: Authenticated backup

[uhoreg]

Initial implementation for authenticated backups (MSC4048)

Requires changes to Ruma: ruma/ruma#1677 (but needs to be updated to use unstable prefix)

Only touches matrix-sdk-crypto so far.

[uhoreg]

I think this is basically ready (modulo merge conflicts). Some notes:

• after a backed-up key is decrypted and deserialized, the authenticated field must be set to false if there was no mac2 field. I couldn't find any existing code outside of the tests that actually decrypts a backed-up key, so I don't think any existing code needs to be changed.
• keys coming from key exports and forwards will have authenticated set to false. MSC3879 adds a trusted flag to key forwards (which should be renamed to be consistent). I don't know if we want to implement that at the same time as this. I don't think we have an MSC for adding an authenticated flag to key exports -- I guess we should add that at some point.
• the ruma patch should be fixed so that at least one of mac or mac2 must be set. I'm not sure what's the best way to implement that
• in the pickled inbound group session, I made authenticated default to false. I'm not sure if this is what we want to do -- if the client has only received keys directly from the sender and not from any key forwards, then we could default it to true.

[poljar]

after a backed-up key is decrypted and deserialized, the authenticated field must be set to false if there was no mac2 field. I couldn't find any existing code outside of the tests that actually decrypts a backed-up key, so I don't think any existing code needs to be changed.

Can't we enforce this in the decryption method?

in the pickled inbound group session, I made authenticated default to false. I'm not sure if this is what we want to do -- if the client has only received keys directly from the sender and not from any key forwards, then we could default it to true.

Well we know if a key was received directly via the imported flag, so it sounds like this flag should be taken into consideration. Perhaps we'll want an enum instead of mutliple booleans:

enum KeySource {
    Direct
    Backup { authenticated: bool },
    OldStyleImport,
}

[poljar]

Generally looks sane. I think the biggest improvement would be to have a very descriptive enum where we can also properly document what each of the variants means.

[poljar]

Not really a fan of this function signature, wasn't a fan before this PR either.

I added a different one here:

matrix-rust-sdk/crates/matrix-sdk-crypto/src/backups/keys/decryption.rs

Lines 225 to 242 in 2f41fe1

	/// Try to decrypt the given session data using this
	/// [`BackupDecryptionKey`].
	pub fn decrypt_session_data(
	&self,
	session_data: EncryptedSessionData,
	) -> Result<Vec<u8>, DecryptionError> {
	let message = Message {
	ciphertext: session_data.ciphertext.into_inner(),
	mac: session_data.mac.into_inner(),
	// TODO: Remove the unwrap.
	ephemeral_key: Curve25519PublicKey::from_slice(session_data.ephemeral.as_bytes())
	.unwrap(),
	};
	let pk = self.get_pk_decryption();
	pk.decrypt(&message)
	}

.

[poljar]

We usually use Box<[u8; 32]> for this. And add derive Zeroize and ZeroizeOnDrop on the container type.

[uhoreg]

If I do that, and pass the Box[<u8; 32]> as a function argument, as in MegolmV1BackupKey::new, then it will automagically do the right thing when it becomes part of the struct?

[poljar]

If by right thing you mean that it will zeroize the Box<[u8; 32]> when the whole struct gets dropped, then yes.

[uhoreg]

I tried deriving Zeroize and ZeroizeOnDrop on the container type, which is InnerBackupKey

pub type HmacSha256Key = Box<[u8; 32]>;

#[derive(Debug, Zeroize, ZeroizeOnDrop)]
struct InnerBackupKey {
    key: Curve25519PublicKey,
    mac_key: Option<HmacSha256Key>,
    signatures: BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, String>>,
    version: Mutex<Option<String>>,
}

but that gives me errors:

error[E0599]: the method `zeroize` exists for mutable reference `&mut Curve25519PublicKey`, but its trait bounds were not satisfied
   --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:38:17
    |
38  | #[derive(Debug, Zeroize, ZeroizeOnDrop)]
    |                 ^^^^^^^ method cannot be called on `&mut Curve25519PublicKey` due to unsatisfied trait bounds
    |
   ::: /home/hubert/.cargo/registry/src/index.crates.io-6f17d22bba15001f/vodozemac-0.5.0/src/types/curve25519.rs:110:1
    |
110 | pub struct Curve25519PublicKey {
    | ------------------------------
    | |
    | doesn't satisfy `Curve25519PublicKey: DefaultIsZeroes`
    | doesn't satisfy `Curve25519PublicKey: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `Curve25519PublicKey: DefaultIsZeroes`
            which is required by `Curve25519PublicKey: Zeroize`
            `&mut Curve25519PublicKey: DefaultIsZeroes`
            which is required by `&mut Curve25519PublicKey: Zeroize`
    = note: this error originates in the derive macro `Zeroize` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0599]: the method `zeroize` exists for mutable reference `&mut Option<Box<[u8; 32]>>`, but its trait bounds were not satisfied
  --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:38:17
   |
38 | #[derive(Debug, Zeroize, ZeroizeOnDrop)]
   |                 ^^^^^^^ method cannot be called on `&mut Option<Box<[u8; 32]>>` due to unsatisfied trait bounds
   |
   = note: the following trait bounds were not satisfied:
           `&mut std::option::Option<Box<[u8; 32]>>: DefaultIsZeroes`
           which is required by `&mut std::option::Option<Box<[u8; 32]>>: Zeroize`
   = note: this error originates in the derive macro `Zeroize` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0599]: the method `zeroize` exists for mutable reference `&mut BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, String>>`, but its trait bounds were not satisfied
   --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:38:17
    |
38  |   #[derive(Debug, Zeroize, ZeroizeOnDrop)]
    |                   ^^^^^^^ method cannot be called due to unsatisfied trait bounds
    |
   ::: /home/hubert/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/collections/btree/map.rs:172:1
    |
172 | / pub struct BTreeMap<
173 | |     K,
174 | |     V,
175 | |     #[unstable(feature = "allocator_api", issue = "32838")] A: Allocator + Clone = Global,
176 | | > {
    | | -
    | | |
    | |_doesn't satisfy `_: DefaultIsZeroes`
    |   doesn't satisfy `_: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: DefaultIsZeroes`
            which is required by `BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: Zeroize`
            `&mut BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: DefaultIsZeroes`
            which is required by `&mut BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: Zeroize`
    = note: this error originates in the derive macro `Zeroize` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0599]: the method `zeroize` exists for mutable reference `&mut Mutex<Option<String>>`, but its trait bounds were not satisfied
   --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:38:17
    |
38  | #[derive(Debug, Zeroize, ZeroizeOnDrop)]
    |                 ^^^^^^^ method cannot be called on `&mut Mutex<Option<String>>` due to unsatisfied trait bounds
    |
   ::: /home/hubert/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sync/mutex.rs:175:1
    |
175 | pub struct Mutex<T: ?Sized> {
    | ---------------------------
    | |
    | doesn't satisfy `_: DefaultIsZeroes`
    | doesn't satisfy `_: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `std::sync::Mutex<std::option::Option<std::string::String>>: DefaultIsZeroes`
            which is required by `std::sync::Mutex<std::option::Option<std::string::String>>: Zeroize`
            `&mut std::sync::Mutex<std::option::Option<std::string::String>>: DefaultIsZeroes`
            which is required by `&mut std::sync::Mutex<std::option::Option<std::string::String>>: Zeroize`
    = note: this error originates in the derive macro `Zeroize` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0599]: the method `zeroize_or_on_drop` exists for mutable reference `&mut Curve25519PublicKey`, but its trait bounds were not satisfied
   --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:38:26
    |
38  | #[derive(Debug, Zeroize, ZeroizeOnDrop)]
    |                          ^^^^^^^^^^^^^ method cannot be called on `&mut Curve25519PublicKey` due to unsatisfied trait bounds
    |
   ::: /home/hubert/.cargo/registry/src/index.crates.io-6f17d22bba15001f/vodozemac-0.5.0/src/types/curve25519.rs:110:1
    |
110 | pub struct Curve25519PublicKey {
    | ------------------------------
    | |
    | doesn't satisfy `Curve25519PublicKey: AssertZeroize`
    | doesn't satisfy `Curve25519PublicKey: ZeroizeOnDrop`
    | doesn't satisfy `Curve25519PublicKey: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `Curve25519PublicKey: Zeroize`
            which is required by `Curve25519PublicKey: AssertZeroize`
            `Curve25519PublicKey: ZeroizeOnDrop`
            which is required by `&&mut Curve25519PublicKey: AssertZeroizeOnDrop`
            `&mut Curve25519PublicKey: Zeroize`
            which is required by `&mut Curve25519PublicKey: AssertZeroize`
    = note: this error originates in the derive macro `ZeroizeOnDrop` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0599]: the method `zeroize_or_on_drop` exists for mutable reference `&mut Option<Box<[u8; 32]>>`, but its trait bounds were not satisfied
   --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:38:26
    |
38  | #[derive(Debug, Zeroize, ZeroizeOnDrop)]
    |                          ^^^^^^^^^^^^^ method cannot be called on `&mut Option<Box<[u8; 32]>>` due to unsatisfied trait bounds
    |
   ::: /home/hubert/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/option.rs:563:1
    |
563 | pub enum Option<T> {
    | ------------------
    | |
    | doesn't satisfy `std::option::Option<Box<[u8; 32]>>: AssertZeroize`
    | doesn't satisfy `std::option::Option<Box<[u8; 32]>>: ZeroizeOnDrop`
    | doesn't satisfy `std::option::Option<Box<[u8; 32]>>: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `std::option::Option<Box<[u8; 32]>>: Zeroize`
            which is required by `std::option::Option<Box<[u8; 32]>>: AssertZeroize`
            `std::option::Option<Box<[u8; 32]>>: ZeroizeOnDrop`
            which is required by `&&mut std::option::Option<Box<[u8; 32]>>: AssertZeroizeOnDrop`
            `&mut std::option::Option<Box<[u8; 32]>>: Zeroize`
            which is required by `&mut std::option::Option<Box<[u8; 32]>>: AssertZeroize`
    = note: this error originates in the derive macro `ZeroizeOnDrop` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0599]: the method `zeroize_or_on_drop` exists for mutable reference `&mut BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, String>>`, but its trait bounds were not satisfied
   --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:38:26
    |
38  |   #[derive(Debug, Zeroize, ZeroizeOnDrop)]
    |                            ^^^^^^^^^^^^^ method cannot be called due to unsatisfied trait bounds
    |
   ::: /home/hubert/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/collections/btree/map.rs:172:1
    |
172 | / pub struct BTreeMap<
173 | |     K,
174 | |     V,
175 | |     #[unstable(feature = "allocator_api", issue = "32838")] A: Allocator + Clone = Global,
176 | | > {
    | | -
    | | |
    | | doesn't satisfy `_: AssertZeroize`
    | |_doesn't satisfy `_: ZeroizeOnDrop`
    |   doesn't satisfy `_: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: Zeroize`
            which is required by `BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: AssertZeroize`
            `BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: ZeroizeOnDrop`
            which is required by `&&mut BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: AssertZeroizeOnDrop`
            `&mut BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: Zeroize`
            which is required by `&mut BTreeMap<OwnedUserId, BTreeMap<OwnedDeviceKeyId, std::string::String>>: AssertZeroize`
    = note: this error originates in the derive macro `ZeroizeOnDrop` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0599]: the method `zeroize_or_on_drop` exists for mutable reference `&mut Mutex<Option<String>>`, but its trait bounds were not satisfied
   --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:38:26
    |
38  | #[derive(Debug, Zeroize, ZeroizeOnDrop)]
    |                          ^^^^^^^^^^^^^ method cannot be called on `&mut Mutex<Option<String>>` due to unsatisfied trait bounds
    |
   ::: /home/hubert/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sync/mutex.rs:175:1
    |
175 | pub struct Mutex<T: ?Sized> {
    | ---------------------------
    | |
    | doesn't satisfy `_: AssertZeroize`
    | doesn't satisfy `_: ZeroizeOnDrop`
    | doesn't satisfy `_: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `std::sync::Mutex<std::option::Option<std::string::String>>: Zeroize`
            which is required by `std::sync::Mutex<std::option::Option<std::string::String>>: AssertZeroize`
            `std::sync::Mutex<std::option::Option<std::string::String>>: ZeroizeOnDrop`
            which is required by `&&mut std::sync::Mutex<std::option::Option<std::string::String>>: AssertZeroizeOnDrop`
            `&mut std::sync::Mutex<std::option::Option<std::string::String>>: Zeroize`
            which is required by `&mut std::sync::Mutex<std::option::Option<std::string::String>>: AssertZeroize`
    = note: this error originates in the derive macro `ZeroizeOnDrop` (in Nightly builds, run with -Z macro-backtrace for more info)

For more information about this error, try `rustc --explain E0599`.

Should I do something else, or is there a way to fix this?

[poljar]

The error complains that not all the types in the fields of the struct implement Zeroize. But this is completely fine since only one field contains private key material which should be zeroized.

You can make the compiler happy by implementing Zeroize manually, or use the #[zeroize(skip) attribute on the fields which don't need to be zeroized, more info about this macro can be found in the zeroize crate docs: https://docs.rs/zeroize/latest/zeroize/index.html#custom-derive-support

[uhoreg]

I did

pub type HmacSha256Key = Box<[u8; 32]>;

#[derive(Debug, Zeroize, ZeroizeOnDrop)]
struct InnerBackupKey {
    #[zeroize(skip)]
    key: Curve25519PublicKey,
    mac_key: Option<HmacSha256Key>,
    #[zeroize(skip)]
    signatures: Signatures,
    #[zeroize(skip)]
    version: Mutex<Option<String>>,
}

but I get

error[E0599]: the method `zeroize` exists for mutable reference `&mut Option<Box<[u8; 32]>>`, but its trait bounds were not satisfied
  --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:34:17
   |
34 | #[derive(Debug, Zeroize, ZeroizeOnDrop)]
   |                 ^^^^^^^ method cannot be called on `&mut Option<Box<[u8; 32]>>` due to unsatisfied trait bounds
   |
   = note: the following trait bounds were not satisfied:
           `&mut std::option::Option<Box<[u8; 32]>>: DefaultIsZeroes`
           which is required by `&mut std::option::Option<Box<[u8; 32]>>: Zeroize`
   = note: this error originates in the derive macro `Zeroize` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0599]: the method `zeroize_or_on_drop` exists for mutable reference `&mut Option<Box<[u8; 32]>>`, but its trait bounds were not satisfied
   --> crates/matrix-sdk-crypto/src/backups/keys/backup.rs:34:26
    |
34  | #[derive(Debug, Zeroize, ZeroizeOnDrop)]
    |                          ^^^^^^^^^^^^^ method cannot be called on `&mut Option<Box<[u8; 32]>>` due to unsatisfied trait bounds
    |
   ::: /home/hubert/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/option.rs:563:1
    |
563 | pub enum Option<T> {
    | ------------------
    | |
    | doesn't satisfy `std::option::Option<Box<[u8; 32]>>: AssertZeroize`
    | doesn't satisfy `std::option::Option<Box<[u8; 32]>>: ZeroizeOnDrop`
    | doesn't satisfy `std::option::Option<Box<[u8; 32]>>: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `std::option::Option<Box<[u8; 32]>>: Zeroize`
            which is required by `std::option::Option<Box<[u8; 32]>>: AssertZeroize`
            `std::option::Option<Box<[u8; 32]>>: ZeroizeOnDrop`
            which is required by `&&mut std::option::Option<Box<[u8; 32]>>: AssertZeroizeOnDrop`
            `&mut std::option::Option<Box<[u8; 32]>>: Zeroize`
            which is required by `&mut std::option::Option<Box<[u8; 32]>>: AssertZeroize`
    = note: this error originates in the derive macro `ZeroizeOnDrop` (in Nightly builds, run with -Z macro-backtrace for more info)

So it seems like zeroize doesn't like Option. One solution that I can think of is to make mac_key: HmacSha256Key, so it always has some sort of key stored, but add a boolean flag that indicates whether the key is actually used. But that doesn't seem very Rust-y to me. Are there any better solutions?

[poljar]

It's not the Option<T> per se, it's the Option<Box<T>>, not quite sure why that would be since zeroizing implements Zeroize for both Option<T> and Box<T>. Alright, let's stick to the Zeroizing thing since this seems to be too annoying.

[uhoreg]

after a backed-up key is decrypted and deserialized, the authenticated field must be set to false if there was no mac2 field. I couldn't find any existing code outside of the tests that actually decrypts a backed-up key, so I don't think any existing code needs to be changed.

Can't we enforce this in the decryption method?

I was planning on doing that, but the decryption function decrypt_v1 only returns a string rather than the parsed object, and I don't see anywhere where that function is getting called and then the result gets parsed.

[uhoreg]

I've made all the requested changes except for:

• crypto: Authenticated backup #2659 (comment) because the compiler is unhappy when I do that, and I'm not sure how to fix it
• crypto: Authenticated backup #2659 (comment) because it depends on another (unmerged) PR
• crypto: Authenticated backup #2659 (comment) because I'm not sure what it's referring to
• the first part of crypto: Authenticated backup #2659 (comment) because I don't think I can do anything about that right now, unless I change the return value for the decrypt_v1 function

The account pickle format has changed, so I think we need to handle upgrading, but I'm not sure how that's supposed to be done.

[uhoreg]

The functionality is mostly there, but I have some questions.

[uhoreg]

How do we migrate data?

[uhoreg]

I've implemented migration for here. How do we migrate in the FFI part? Do we just replace imported with key_source in PickledInboundGroupSession and leave it up to the app to migrate?

[uhoreg]

Should be mostly ready now. Just a few minor questions.

[uhoreg]

I know this should be behind a feature flag, but how do I make a feature flag here enable the unstable-msc4048 feature flag in Ruma?

[uhoreg]

should we be passing the entire unsigned field? Also, how do we handle other properties?

[uhoreg]

I've implemented migration for here. How do we migrate in the FFI part? Do we just replace imported with key_source in PickledInboundGroupSession and leave it up to the app to migrate?

[uhoreg]

The compiler complains here about:

error[E0277]: the trait bound `BackedUpRoomKey: LowerReturn<UniFfiTag>` is not satisfied
  --> bindings/matrix-sdk-crypto-ffi/src/backup_recovery_key.rs:88:1
   |
88 | #[uniffi::export]
   | ^^^^^^^^^^^^^^^^^ the trait `LowerReturn<UniFfiTag>` is not implemented for `BackedUpRoomKey`
   |
   = help: the following other types implement trait `LowerReturn<UT>`:
             <bool as LowerReturn<UT>>
             <i8 as LowerReturn<UT>>
             <i16 as LowerReturn<UT>>
             <i32 as LowerReturn<UT>>
             <i64 as LowerReturn<UT>>
             <u8 as LowerReturn<UT>>
             <u16 as LowerReturn<UT>>
             <u32 as LowerReturn<UT>>
           and 59 others
   = note: required for `Result<BackedUpRoomKey, PkDecryptionError>` to implement `LowerReturn<UniFfiTag>`
   = note: this error originates in the attribute macro `uniffi::export` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0277]: the trait bound `BackedUpRoomKey: LowerReturn<UniFfiTag>` is not satisfied
   --> bindings/matrix-sdk-crypto-ffi/src/backup_recovery_key.rs:210:10
    |
210 |     ) -> Result<BackedUpRoomKey, PkDecryptionError> {
    |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the trait `LowerReturn<UniFfiTag>` is not implemented for `BackedUpRoomKey`
    |
    = help: the following other types implement trait `LowerReturn<UT>`:
              <bool as LowerReturn<UT>>
              <i8 as LowerReturn<UT>>
              <i16 as LowerReturn<UT>>
              <i32 as LowerReturn<UT>>
              <i64 as LowerReturn<UT>>
              <u8 as LowerReturn<UT>>
              <u16 as LowerReturn<UT>>
              <u32 as LowerReturn<UT>>
            and 59 others
    = note: required for `Result<BackedUpRoomKey, PkDecryptionError>` to implement `LowerReturn<UniFfiTag>`

I'm not sure what's the best way to fix it. Does BackedUpRoomKey need to implement some trait? Or get wrapped in something?

[poljar]

Closing since this has been put on the back-burner for now.