crypto: Authenticated backup

Cargo.toml

@@ -35,8 +35,9 @@ futures-executor = "0.3.21"
 futures-util = { version = "0.3.26", default-features = false, features = ["alloc"] }
 http = "0.2.6"
 itertools = "0.11.0"
-ruma = { version = "0.9.2", features = ["client-api-c", "compat-upload-signatures", "compat-user-id", "compat-arbitrary-length-ids", "unstable-msc3401"] }
-ruma-common = "0.12.0"
+ruma = { git = "https://github.com/uhoreg/ruma", rev = "81aa5fc0ab5556ee9918d35298178c586c257100", features = ["client-api-c", "compat-upload-signatures", "compat-user-id", "compat-arbitrary-length-ids", "unstable-msc3401"] }
+ruma-common = { git = "https://github.com/uhoreg/ruma", rev = "81aa5fc0ab5556ee9918d35298178c586c257100" }
+ruma-client-api = { git = "https://github.com/uhoreg/ruma", rev = "81aa5fc0ab5556ee9918d35298178c586c257100" }
 once_cell = "1.16.0"
 rand = "0.8.5"
 serde = "1.0.151"

bindings/matrix-sdk-crypto-ffi/src/backup_recovery_key.rs

@@ -2,10 +2,12 @@ use std::{collections::HashMap, iter, ops::DerefMut, sync::Arc};
 
 use hmac::Hmac;
 use matrix_sdk_crypto::{
-    backups::DecryptionError,
+    backups::{DecryptionError, MessageDecodeError},
+    olm::BackedUpRoomKey,
     store::{BackupDecryptionKey, CryptoStoreError as InnerStoreError},
 };
 use pbkdf2::pbkdf2;
+use ruma::serde::Base64;
 use rand::{distributions::Alphanumeric, thread_rng, Rng};
 use sha2::Sha512;
 use thiserror::Error;
@@ -63,6 +65,20 @@ pub struct MegolmV1BackupKey {
     pub backup_algorithm: String,
 }
 
+#[derive(uniffi::Record)]
+pub struct EncryptedSessionData {
+    /// Unpadded base64-encoded public half of the ephemeral key.
+    pub ephemeral: String,
+    /// Ciphertext, encrypted using AES-CBC-256 with PKCS#7 padding, encoded in base64.
+    pub ciphertext: String,
+    /// First 8 bytes of MAC key, encoded in base64.
+    pub mac: String,
+    /// v2 MAC of the backup data
+    // FIXME: should we be passing the entire `unsigned` field?  Also, how do
+    // we handle other properties?
+    pub mac_v2: Option<String>,
+}
+
 impl BackupRecoveryKey {
     const KEY_SIZE: usize = 32;
     const SALT_SIZE: usize = 32;
@@ -185,17 +201,48 @@ impl BackupRecoveryKey {
     ) -> Result<String, PkDecryptionError> {
         self.inner.decrypt_v1(&ephemeral_key, &mac, &ciphertext).map_err(|e| e.into())
     }
+
+    /// Try to decrypt a message that was encrypted using the public part of the
+    /// backup key.
+    pub fn decrypt_session_data(
+        &self,
+        session_data: EncryptedSessionData,
+    ) -> Result<BackedUpRoomKey, PkDecryptionError> {
+        let ruma_session_data = ruma::api::client::backup::EncryptedSessionDataInit {
+            ephemeral: Base64::new(
+                vodozemac::base64_decode(session_data.ephemeral)
+                    .map_err(|e| DecryptionError::Decoding(MessageDecodeError::Base64(e)).into())?
+            ),
+            ciphertext: Base64::new(
+                vodozemac::base64_decode(session_data.ciphertext)
+                    .map_err(|e| DecryptionError::Decoding(MessageDecodeError::Base64(e)).into())?
+            ),
+            mac: Base64::new(
+                vodozemac::base64_decode(session_data.mac)
+                    .map_err(|e| DecryptionError::Decoding(MessageDecodeError::Base64(e)).into())?
+            ),
+        }.into();
+        if let Some(mac_v2) = session_data.mac_v2 {
+            ruma_session_data.unsigned = ruma::api::client::backup::EncryptedSessionDataUnsignedInit {
+                backup_mac: Base64::new(
+                    vodozemac::base64_decode(mac_v2)
+                        .map_err(|e| DecryptionError::Decoding(MessageDecodeError::Base64(e)))?
+                )
+            }
+        }
+        self.inner.decrypt_session_data(ruma_session_data).map_err(|e| e.into())
+    }
 }
 
 #[cfg(test)]
 mod tests {
     use ruma::api::client::backup::KeyBackupData;
     use serde_json::json;
 
-    use super::BackupRecoveryKey;
+    use super::{BackupRecoveryKey, EncryptedSessionData};
 
     #[test]
-    fn test_decrypt_key() {
+    fn test_decrypt_v1_key() {
         let recovery_key = BackupRecoveryKey::from_base64(
             "Ha9cklU/9NqFo9WKdVfGzmqUL/9wlkdxfEitbSIPVXw".to_owned(),
         )
@@ -230,4 +277,48 @@ mod tests {
             .decrypt_v1(ephemeral, mac, ciphertext)
             .expect("The backed up key should be decrypted successfully");
     }
+
+    #[test]
+    fn test_decrypt_key() {
+        let recovery_key = BackupRecoveryKey::from_base64(
+            "Ha9cklU/9NqFo9WKdVfGzmqUL/9wlkdxfEitbSIPVXw".to_owned(),
+        )
+        .unwrap();
+
+        let data = json!({
+            "first_message_index": 0,
+            "forwarded_count": 0,
+            "is_verified": false,
+            "session_data": {
+                "ephemeral": "HlLi76oV6wxHz3PCqE/bxJi6yF1HnYz5Dq3T+d/KpRw",
+                "ciphertext": "MuM8E3Yc6TSAvhVGb77rQ++jE6p9dRepx63/3YPD2wACKAppkZHeFrnTH6wJ/HSyrmzo\
+                               7HfwqVl6tKNpfooSTHqUf6x1LHz+h4B/Id5ITO1WYt16AaI40LOnZqTkJZCfSPuE2oxa\
+                               lwEHnCS3biWybutcnrBFPR3LMtaeHvvkb+k3ny9l5ZpsU9G7vCm3XoeYkWfLekWXvDhb\
+                               qWrylXD0+CNUuaQJ/S527TzLd4XKctqVjjO/cCH7q+9utt9WJAfK8LGaWT/mZ3AeWjf5\
+                               kiqOpKKf5Cn4n5SSil5p/pvGYmjnURvZSEeQIzHgvunIBEPtzK/MYEPOXe/P5achNGlC\
+                               x+5N19Ftyp9TFaTFlTWCTi0mpD7ePfCNISrwpozAz9HZc0OhA8+1aSc7rhYFIeAYXFU3\
+                               26NuFIFHI5pvpSxjzPQlOA+mavIKmiRAtjlLw11IVKTxgrdT4N8lXeMr4ndCSmvIkAzF\
+                               Mo1uZA4fzjiAdQJE4/2WeXFNNpvdfoYmX8Zl9CAYjpSO5HvpwkAbk4/iLEH3hDfCVUwD\
+                               fMh05PdGLnxeRpiEFWSMSsJNp+OWAA+5JsF41BoRGrxoXXT+VKqlUDONd+O296Psu8Q+\
+                               d8/S618",
+                "mac": "GtMrurhDTwo",
+                "unsigned": {
+                    "org.matrix.msc4048.backup_mac": "Q3Z4X36MdXmBzo0TwnCKirEtWYGwJepfRRTft7cM6cU",
+                },
+            }
+        });
+
+        let key_backup_data: KeyBackupData = serde_json::from_value(data).unwrap();
+
+        let encrypted_session_data = EncryptedSessionData {
+            ephemeral: key_backup_data.session_data.ephemeral.encode(),
+            ciphertext: key_backup_data.session_data.ciphertext.encode(),
+            mac: key_backup_data.session_data.mac.encode(),
+            mac_v2: key_backup_data.session_data.unsigned.unwrap().backup_mac.unwrap().encode(),
+        };
+
+        let _ = recovery_key
+            .decrypt_session_data(encrypted_session_data)
+            .expect("The backed up key should be decrypted successfully");
+    }
 }

crates/matrix-sdk-crypto/Cargo.toml

@@ -47,6 +47,7 @@ pbkdf2 = { version = "0.12.2", default-features = false }
 rand = { workspace = true }
 rmp-serde = "1.1.1"
 ruma = { workspace = true, features = ["rand", "canonical-json", "unstable-msc3814"] }
+ruma-client-api = { workspace = true, features = ["unstable-msc4048"] }
 serde = { workspace = true, features = ["derive", "rc"] }
 serde_json = { workspace = true }
 sha2 = { workspace = true }