Remove node-specific crypto bits, use Node 16's WebCrypto (#2762)

Author: t3chguy

spec/integ/megolm-integ.spec.ts

@@ -1133,10 +1133,10 @@ describe("megolm", () => {
             'readonly',
             [IndexedDBCryptoStore.STORE_ACCOUNT],
             (txn) => {
-                beccaTestClient.client.crypto!.cryptoStore.getAccount(txn, (pickledAccount: string) => {
+                beccaTestClient.client.crypto!.cryptoStore.getAccount(txn, (pickledAccount: string | null) => {
                     const account = new global.Olm.Account();
                     try {
-                        account.unpickle(beccaTestClient.client.crypto!.olmDevice.pickleKey, pickledAccount);
+                        account.unpickle(beccaTestClient.client.crypto!.olmDevice.pickleKey, pickledAccount!);
                         p2pSession.create_outbound(account, aliceTestClient.getDeviceKey(), aliceOtk.key);
                     } finally {
                         account.free();
@@ -1271,10 +1271,10 @@ describe("megolm", () => {
             'readonly',
             [IndexedDBCryptoStore.STORE_ACCOUNT],
             (txn) => {
-                beccaTestClient.client.crypto!.cryptoStore.getAccount(txn, (pickledAccount: string) => {
+                beccaTestClient.client.crypto!.cryptoStore.getAccount(txn, (pickledAccount: string | null) => {
                     const account = new global.Olm.Account();
                     try {
-                        account.unpickle(beccaTestClient.client.crypto!.olmDevice.pickleKey, pickledAccount);
+                        account.unpickle(beccaTestClient.client.crypto!.olmDevice.pickleKey, pickledAccount!);
                         p2pSession.create_outbound(account, aliceTestClient.getDeviceKey(), aliceOtk.key);
                     } finally {
                         account.free();

spec/olm-loader.ts

@@ -16,7 +16,6 @@ limitations under the License.
 */
 
 import { logger } from '../src/logger';
-import * as utils from "../src/utils";
 
 // try to load the olm library.
 try {
@@ -26,12 +25,3 @@ try {
 } catch (e) {
     logger.warn("unable to run crypto tests: libolm not available");
 }
-
-// also try to set node crypto
-try {
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
-    const crypto = require('crypto');
-    utils.setCrypto(crypto);
-} catch (err) {
-    logger.log('nodejs was compiled without crypto support: some tests will fail');
-}

spec/unit/crypto/secrets.spec.ts

@@ -23,19 +23,10 @@ import { makeTestClients } from './verification/util';
 import { encryptAES } from "../../../src/crypto/aes";
 import { resetCrossSigningKeys, createSecretStorageKey } from "./crypto-utils";
 import { logger } from '../../../src/logger';
-import * as utils from "../../../src/utils";
 import { ICreateClientOpts } from '../../../src/client';
 import { ISecretStorageKeyInfo } from '../../../src/crypto/api';
 import { DeviceInfo } from '../../../src/crypto/deviceinfo';
 
-try {
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
-    const crypto = require('crypto');
-    utils.setCrypto(crypto);
-} catch (err) {
-    logger.log('nodejs was compiled without crypto support');
-}
-
 async function makeTestClient(userInfo: { userId: string, deviceId: string}, options: Partial<ICreateClientOpts> = {}) {
     const client = (new TestClient(
         userInfo.userId, userInfo.deviceId, undefined, undefined, options,

src/crypto/CrossSigning.ts

@@ -31,7 +31,7 @@ import { ICrossSigningKey, ISignedKey, MatrixClient } from "../client";
 import { OlmDevice } from "./OlmDevice";
 import { ICryptoCallbacks } from "../matrix";
 import { ISignatures } from "../@types/signed";
-import { CryptoStore } from "./store/base";
+import { CryptoStore, SecretStorePrivateKeys } from "./store/base";
 import { ISecretStorageKeyInfo } from "./api";
 
 const KEY_REQUEST_TIMEOUT_MS = 1000 * 60;
@@ -699,7 +699,10 @@ export class DeviceTrustLevel {
 
 export function createCryptoStoreCacheCallbacks(store: CryptoStore, olmDevice: OlmDevice): ICacheCallbacks {
     return {
-        getCrossSigningKeyCache: async function(type: string, _expectedPublicKey: string): Promise<Uint8Array> {
+        getCrossSigningKeyCache: async function(
+            type: keyof SecretStorePrivateKeys,
+            _expectedPublicKey: string,
+        ): Promise<Uint8Array> {
             const key = await new Promise<any>((resolve) => {
                 return store.doTxn(
                     'readonly',
@@ -718,7 +721,10 @@ export function createCryptoStoreCacheCallbacks(store: CryptoStore, olmDevice: O
                 return key;
             }
         },
-        storeCrossSigningKeyCache: async function(type: string, key: Uint8Array): Promise<void> {
+        storeCrossSigningKeyCache: async function(
+            type: keyof SecretStorePrivateKeys,
+            key: Uint8Array,
+        ): Promise<void> {
             if (!(key instanceof Uint8Array)) {
                 throw new Error(
                     `storeCrossSigningKeyCache expects Uint8Array, got ${key}`,

src/crypto/OlmDevice.ts

@@ -308,10 +308,10 @@ export class OlmDevice {
      * @private
      */
     private getAccount(txn: unknown, func: (account: Account) => void): void {
-        this.cryptoStore.getAccount(txn, (pickledAccount: string) => {
+        this.cryptoStore.getAccount(txn, (pickledAccount: string | null) => {
             const account = new global.Olm.Account();
             try {
-                account.unpickle(this.pickleKey, pickledAccount);
+                account.unpickle(this.pickleKey, pickledAccount!);
                 func(account);
             } finally {
                 account.free();
@@ -350,8 +350,8 @@ export class OlmDevice {
                 IndexedDBCryptoStore.STORE_SESSIONS,
             ],
             (txn) => {
-                this.cryptoStore.getAccount(txn, (pickledAccount: string) => {
-                    result.pickledAccount = pickledAccount;
+                this.cryptoStore.getAccount(txn, (pickledAccount: string | null) => {
+                    result.pickledAccount = pickledAccount!;
                 });
                 result.sessions = [];
                 // Note that the pickledSession object we get in the callback

src/crypto/aes.ts

@@ -14,137 +14,47 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-import type { BinaryLike } from "crypto";
-import { getCrypto } from '../utils';
 import { decodeBase64, encodeBase64 } from './olmlib';
-
-const subtleCrypto = (typeof window !== "undefined" && window.crypto) ?
-    (window.crypto.subtle || window.crypto.webkitSubtle) : null;
+import { subtleCrypto, crypto, TextEncoder } from "./crypto";
 
 // salt for HKDF, with 8 bytes of zeros
 const zeroSalt = new Uint8Array(8);
 
 export interface IEncryptedPayload {
     [key: string]: any; // extensible
-    iv?: string;
-    ciphertext?: string;
-    mac?: string;
+    iv: string;
+    ciphertext: string;
+    mac: string;
 }
 
 /**
- * encrypt a string in Node.js
+ * encrypt a string
  *
  * @param {string} data the plaintext to encrypt
  * @param {Uint8Array} key the encryption key to use
  * @param {string} name the name of the secret
  * @param {string} ivStr the initialization vector to use
  */
-async function encryptNode(data: string, key: Uint8Array, name: string, ivStr?: string): Promise<IEncryptedPayload> {
-    const crypto = getCrypto();
-    if (!crypto) {
-        throw new Error("No usable crypto implementation");
-    }
-
-    let iv;
-    if (ivStr) {
-        iv = decodeBase64(ivStr);
-    } else {
-        iv = crypto.randomBytes(16);
-
-        // clear bit 63 of the IV to stop us hitting the 64-bit counter boundary
-        // (which would mean we wouldn't be able to decrypt on Android). The loss
-        // of a single bit of iv is a price we have to pay.
-        iv[8] &= 0x7f;
-    }
-
-    const [aesKey, hmacKey] = deriveKeysNode(key, name);
-
-    const cipher = crypto.createCipheriv("aes-256-ctr", aesKey, iv);
-    const ciphertext = Buffer.concat([
-        cipher.update(data, "utf8"),
-        cipher.final(),
-    ]);
-
-    const hmac = crypto.createHmac("sha256", hmacKey)
-        .update(ciphertext).digest("base64");
-
-    return {
-        iv: encodeBase64(iv),
-        ciphertext: ciphertext.toString("base64"),
-        mac: hmac,
-    };
-}
-
-/**
- * decrypt a string in Node.js
- *
- * @param {object} data the encrypted data
- * @param {string} data.ciphertext the ciphertext in base64
- * @param {string} data.iv the initialization vector in base64
- * @param {string} data.mac the HMAC in base64
- * @param {Uint8Array} key the encryption key to use
- * @param {string} name the name of the secret
- */
-async function decryptNode(data: IEncryptedPayload, key: Uint8Array, name: string): Promise<string> {
-    const crypto = getCrypto();
-    if (!crypto) {
-        throw new Error("No usable crypto implementation");
-    }
-
-    const [aesKey, hmacKey] = deriveKeysNode(key, name);
-
-    const hmac = crypto.createHmac("sha256", hmacKey)
-        .update(Buffer.from(data.ciphertext, "base64"))
-        .digest("base64").replace(/=+$/g, '');
-
-    if (hmac !== data.mac.replace(/=+$/g, '')) {
-        throw new Error(`Error decrypting secret ${name}: bad MAC`);
-    }
-
-    const decipher = crypto.createDecipheriv(
-        "aes-256-ctr", aesKey, decodeBase64(data.iv),
-    );
-    return decipher.update(data.ciphertext, "base64", "utf8")
-          + decipher.final("utf8");
-}
-
-function deriveKeysNode(key: BinaryLike, name: string): [Buffer, Buffer] {
-    const crypto = getCrypto();
-    const prk = crypto.createHmac("sha256", zeroSalt).update(key).digest();
-
-    const b = Buffer.alloc(1, 1);
-    const aesKey = crypto.createHmac("sha256", prk)
-        .update(name, "utf8").update(b).digest();
-    b[0] = 2;
-    const hmacKey = crypto.createHmac("sha256", prk)
-        .update(aesKey).update(name, "utf8").update(b).digest();
-
-    return [aesKey, hmacKey];
-}
-
-/**
- * encrypt a string in Node.js
- *
- * @param {string} data the plaintext to encrypt
- * @param {Uint8Array} key the encryption key to use
- * @param {string} name the name of the secret
- * @param {string} ivStr the initialization vector to use
- */
-async function encryptBrowser(data: string, key: Uint8Array, name: string, ivStr?: string): Promise<IEncryptedPayload> {
-    let iv;
+export async function encryptAES(
+    data: string,
+    key: Uint8Array,
+    name: string,
+    ivStr?: string,
+): Promise<IEncryptedPayload> {
+    let iv: Uint8Array;
     if (ivStr) {
         iv = decodeBase64(ivStr);
     } else {
         iv = new Uint8Array(16);
-        window.crypto.getRandomValues(iv);
+        crypto.getRandomValues(iv);
 
         // clear bit 63 of the IV to stop us hitting the 64-bit counter boundary
         // (which would mean we wouldn't be able to decrypt on Android). The loss
         // of a single bit of iv is a price we have to pay.
         iv[8] &= 0x7f;
     }
 
-    const [aesKey, hmacKey] = await deriveKeysBrowser(key, name);
+    const [aesKey, hmacKey] = await deriveKeys(key, name);
     const encodedData = new TextEncoder().encode(data);
 
     const ciphertext = await subtleCrypto.encrypt(
@@ -171,7 +81,7 @@ async function encryptBrowser(data: string, key: Uint8Array, name: string, ivStr
 }
 
 /**
- * decrypt a string in the browser
+ * decrypt a string
  *
  * @param {object} data the encrypted data
  * @param {string} data.ciphertext the ciphertext in base64
@@ -180,8 +90,8 @@ async function encryptBrowser(data: string, key: Uint8Array, name: string, ivStr
  * @param {Uint8Array} key the encryption key to use
  * @param {string} name the name of the secret
  */
-async function decryptBrowser(data: IEncryptedPayload, key: Uint8Array, name: string): Promise<string> {
-    const [aesKey, hmacKey] = await deriveKeysBrowser(key, name);
+export async function decryptAES(data: IEncryptedPayload, key: Uint8Array, name: string): Promise<string> {
+    const [aesKey, hmacKey] = await deriveKeys(key, name);
 
     const ciphertext = decodeBase64(data.ciphertext);
 
@@ -207,7 +117,7 @@ async function decryptBrowser(data: IEncryptedPayload, key: Uint8Array, name: st
     return new TextDecoder().decode(new Uint8Array(plaintext));
 }
 
-async function deriveKeysBrowser(key: Uint8Array, name: string): Promise<[CryptoKey, CryptoKey]> {
+async function deriveKeys(key: Uint8Array, name: string): Promise<[CryptoKey, CryptoKey]> {
     const hkdfkey = await subtleCrypto.importKey(
         'raw',
         key,
@@ -253,14 +163,6 @@ async function deriveKeysBrowser(key: Uint8Array, name: string): Promise<[Crypto
     return Promise.all([aesProm, hmacProm]);
 }
 
-export function encryptAES(data: string, key: Uint8Array, name: string, ivStr?: string): Promise<IEncryptedPayload> {
-    return subtleCrypto ? encryptBrowser(data, key, name, ivStr) : encryptNode(data, key, name, ivStr);
-}
-
-export function decryptAES(data: IEncryptedPayload, key: Uint8Array, name: string): Promise<string> {
-    return subtleCrypto ? decryptBrowser(data, key, name) : decryptNode(data, key, name);
-}
-
 // string of zeroes, for calculating the key check
 const ZERO_STR = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
 

src/crypto/backup.ts

@@ -26,13 +26,20 @@ import { MEGOLM_ALGORITHM, verifySignature } from "./olmlib";
 import { DeviceInfo } from "./deviceinfo";
 import { DeviceTrustLevel } from './CrossSigning';
 import { keyFromPassphrase } from './key_passphrase';
-import { getCrypto, sleep } from "../utils";
+import { sleep } from "../utils";
 import { IndexedDBCryptoStore } from './store/indexeddb-crypto-store';
 import { encodeRecoveryKey } from './recoverykey';
-import { calculateKeyCheck, decryptAES, encryptAES } from './aes';
-import { IAes256AuthData, ICurve25519AuthData, IKeyBackupInfo, IKeyBackupSession } from "./keybackup";
+import { calculateKeyCheck, decryptAES, encryptAES, IEncryptedPayload } from './aes';
+import {
+    Curve25519SessionData,
+    IAes256AuthData,
+    ICurve25519AuthData,
+    IKeyBackupInfo,
+    IKeyBackupSession,
+} from "./keybackup";
 import { UnstableValue } from "../NamespacedValue";
 import { CryptoEvent, IMegolmSessionData } from "./index";
+import { crypto } from "./crypto";
 
 const KEY_BACKUP_KEYS_PER_REQUEST = 200;
 const KEY_BACKUP_CHECK_RATE_LIMIT = 5000; // ms
@@ -677,7 +684,9 @@ export class Curve25519 implements BackupAlgorithm {
         return this.publicKey.encrypt(JSON.stringify(plainText));
     }
 
-    public async decryptSessions(sessions: Record<string, IKeyBackupSession>): Promise<IMegolmSessionData[]> {
+    public async decryptSessions(
+        sessions: Record<string, IKeyBackupSession<Curve25519SessionData>>,
+    ): Promise<IMegolmSessionData[]> {
         const privKey = await this.getKey();
         const decryption = new global.Olm.PkDecryption();
         try {
@@ -711,7 +720,7 @@ export class Curve25519 implements BackupAlgorithm {
 
     public async keyMatches(key: Uint8Array): Promise<boolean> {
         const decryption = new global.Olm.PkDecryption();
-        let pubKey;
+        let pubKey: string;
         try {
             pubKey = decryption.init_with_private_key(key);
         } finally {
@@ -727,18 +736,9 @@ export class Curve25519 implements BackupAlgorithm {
 }
 
 function randomBytes(size: number): Uint8Array {
-    const crypto: {randomBytes: (n: number) => Uint8Array} | undefined = getCrypto() as any;
-    if (crypto) {
-        // nodejs version
-        return crypto.randomBytes(size);
-    }
-    if (window?.crypto) {
-        // browser version
-        const buf = new Uint8Array(size);
-        window.crypto.getRandomValues(buf);
-        return buf;
-    }
-    throw new Error("No usable crypto implementation");
+    const buf = new Uint8Array(size);
+    crypto.getRandomValues(buf);
+    return buf;
 }
 
 const UNSTABLE_MSC3270_NAME = new UnstableValue(null, "org.matrix.msc3270.v1.aes-hmac-sha2");
@@ -807,7 +807,9 @@ export class Aes256 implements BackupAlgorithm {
         return encryptAES(JSON.stringify(plainText), this.key, data.session_id);
     }
 
-    public async decryptSessions(sessions: Record<string, IKeyBackupSession>): Promise<IMegolmSessionData[]> {
+    public async decryptSessions(
+        sessions: Record<string, IKeyBackupSession<IEncryptedPayload>>,
+    ): Promise<IMegolmSessionData[]> {
         const keys: IMegolmSessionData[] = [];
 
         for (const [sessionId, sessionData] of Object.entries(sessions)) {