Support decryption

Author: turt2live

examples/encryption_bot.ts

@@ -1,9 +1,10 @@
 import {
+    EncryptedRoomEvent,
     EncryptionAlgorithm,
     LogLevel,
     LogService,
-    MatrixClient,
-    RichConsoleLogger,
+    MatrixClient, MessageEvent,
+    RichConsoleLogger, RichReply,
     SimpleFsStorageProvider
 } from "../src";
 import { SqliteCryptoStorageProvider } from "../src/storage/SqliteCryptoStorageProvider";
@@ -50,21 +51,27 @@ const client = new MatrixClient(homeserverUrl, accessToken, storage, crypto);
             ],
         });
     }
-    await sendEncryptedNotice(encryptedRoomId, "This is an encrypted room");
 
-    client.on("room.event", (roomId: string, event: any) => {
-        if (roomId !== encryptedRoomId) return;
-        LogService.debug("index", `${roomId}`, event);
+    client.on("room.event", async (roomId: string, event: any) => {
+        if (roomId !== encryptedRoomId || event['type'] !== "m.room.encrypted") return;
+
+        try {
+            const decrypted = await client.crypto.decryptRoomEvent(new EncryptedRoomEvent(event), roomId);
+            if (decrypted.type === "m.room.message") {
+                const message = new MessageEvent(decrypted.raw);
+                if (message.messageType !== "m.text") return;
+                if (message.textBody.startsWith("!ping")) {
+                    const reply = RichReply.createFor(roomId, message.raw, "Pong", "Pong");
+                    reply['msgtype'] = "m.notice";
+                    const encrypted = await client.crypto.encryptRoomEvent(roomId, "m.room.message", reply);
+                    await client.sendEvent(roomId, "m.room.encrypted", encrypted);
+                }
+            }
+        } catch (e) {
+            LogService.error("index", e);
+        }
     });
 
     LogService.info("index", "Starting bot...");
     await client.start();
 })();
-
-async function sendEncryptedNotice(roomId: string, text: string) {
-    const encrypted = await client.crypto.encryptRoomEvent(roomId, "m.room.message", {
-        msgtype: "m.notice",
-        body: text,
-    });
-    await client.sendEvent(roomId, "m.room.encrypted", encrypted);
-}

src/e2ee/CryptoClient.ts

@@ -22,6 +22,8 @@ import { requiresReady } from "./decorators";
 import { RoomTracker } from "./RoomTracker";
 import { DeviceTracker } from "./DeviceTracker";
 import { EncryptionEvent } from "../models/events/EncryptionEvent";
+import { EncryptedRoomEvent } from "../models/events/EncryptedRoomEvent";
+import { RoomEvent } from "../models/events/RoomEvent";
 
 /**
  * Manages encryption for a MatrixClient. Get an instance from a MatrixClient directly
@@ -506,6 +508,57 @@ export class CryptoClient {
         }
     }
 
+    /**
+     * Decrypts a room event. Currently only supports Megolm-encrypted events (default for this SDK).
+     * @param {EncryptedRoomEvent} event The encrypted event.
+     * @param {string} roomId The room ID where the event was sent.
+     * @returns {Promise<RoomEvent<unknown>>} Resolves to a decrypted room event, or rejects/throws with
+     * an error if the event is undecryptable.
+     */
+    public async decryptRoomEvent(event: EncryptedRoomEvent, roomId: string): Promise<RoomEvent<unknown>> {
+        if (event.algorithm !== EncryptionAlgorithm.MegolmV1AesSha2) {
+            throw new Error("Unable to decrypt: Unknown algorithm");
+        }
+
+        const encrypted = event.megolmProperties;
+        const senderDevice = await this.client.cryptoStore.getUserDevice(event.sender, encrypted.device_id);
+        if (!senderDevice) {
+            throw new Error("Unable to decrypt: Unknown device for sender");
+        }
+
+        if (senderDevice.keys[`${DeviceKeyAlgorithm.Curve25519}:${senderDevice.device_id}`] !== encrypted.sender_key) {
+            throw new Error("Unable to decrypt: Device key mismatch");
+        }
+
+        const storedSession = await this.client.cryptoStore.getInboundGroupSession(event.sender, encrypted.device_id, roomId, encrypted.session_id);
+        if (!storedSession) {
+            throw new Error("Unable to decrypt: Unknown inbound session ID");
+        }
+
+        const session = new Olm.InboundGroupSession();
+        try {
+            session.unpickle(this.pickleKey, storedSession.pickled);
+            const cleartext = session.decrypt(encrypted.ciphertext) as { plaintext: string, message_index: number };
+            const eventBody = JSON.parse(cleartext.plaintext);
+            const messageIndex = cleartext.message_index;
+
+            const existingEventId = await this.client.cryptoStore.getEventForMessageIndex(roomId, storedSession.sessionId, messageIndex);
+            if (existingEventId && existingEventId !== event.eventId) {
+                throw new Error("Unable to decrypt: Message replay attack");
+            }
+
+            await this.client.cryptoStore.setMessageIndexForEvent(roomId, event.eventId, storedSession.sessionId, messageIndex);
+
+            return new RoomEvent<unknown>({
+                ...event.raw,
+                type: eventBody.type || "io.t2bot.unknown",
+                content: (typeof(eventBody.content) === 'object') ? eventBody.content : {},
+            });
+        } finally {
+            session.free();
+        }
+    }
+
     /**
      * Handles an inbound to-device message, decrypting it if needed. This will not throw
      * under normal circumstances and should always resolve successfully.
@@ -593,14 +646,14 @@ export class CryptoClient {
                     session.free();
                 }
 
-                const wasForUs = decrypted.recipient !== (await this.client.getUserId());
+                const wasForUs = decrypted.recipient === (await this.client.getUserId());
                 const wasFromThem = decrypted.sender === message.sender;
                 const hasType = typeof(decrypted.type) === 'string';
                 const hasContent = typeof(decrypted.content) === 'object';
                 const ourKeyMatches = decrypted.recipient_keys?.ed25519 === this.deviceEd25519;
                 const theirKeyMatches = decrypted.keys?.ed25519 === senderDevice.keys[`${DeviceKeyAlgorithm.Ed25119}:${senderDevice.device_id}`];
                 if (!wasForUs || !wasFromThem || !hasType || !hasContent || !ourKeyMatches || !theirKeyMatches) {
-                    LogService.warn("CryptoClient", "Successfully decrypted to-device message, but if failed validation. Ignoring message.");
+                    LogService.warn("CryptoClient", "Successfully decrypted to-device message, but it failed validation. Ignoring message.");
                     return;
                 }
 

src/index.ts

@@ -68,6 +68,7 @@ export * from "./models/events/RoomNameEvent";
 export * from "./models/events/RoomTopicEvent";
 export * from "./models/events/SpaceChildEvent";
 export * from "./models/events/EncryptionEvent";
+export * from "./models/events/EncryptedRoomEvent";
 
 // Preprocessors
 export * from "./preprocessors/IPreprocessor";

src/models/events/EncryptedRoomEvent.ts

@@ -0,0 +1,58 @@
+import { RoomEvent } from "./RoomEvent";
+import { EncryptionAlgorithm, IMegolmEncrypted } from "../Crypto";
+
+/**
+ * The content definition for m.room.encrypted events
+ * @category Matrix event contents
+ * @see EncryptedRoomEvent
+ */
+export interface EncryptedRoomEventContent {
+    algorithm: EncryptionAlgorithm;
+
+    /**
+     * For m.megolm.v1.aes-sha2 messages. The sender's Curve25519 key.
+     */
+    sender_key?: string;
+
+    /**
+     * For m.megolm.v1.aes-sha2 messages. The session ID established by the sender.
+     */
+    session_id?: string;
+
+    /**
+     * For m.megolm.v1.aes-sha2 messages. The encrypted payload.
+     */
+    ciphertext?: string;
+
+    /**
+     * For m.megolm.v1.aes-sha2 messages. The sender's device ID.
+     */
+    device_id?: string;
+
+    // Other algorithms not supported at the moment
+}
+
+/**
+ * Represents an m.room.encrypted room event
+ * @category Matrix events
+ */
+export class EncryptedRoomEvent extends RoomEvent<EncryptedRoomEventContent> {
+    constructor(event: any) {
+        super(event);
+    }
+
+    /**
+     * The encryption algorithm used on the event. Should match the m.room.encryption
+     * state config.
+     */
+    public get algorithm(): EncryptionAlgorithm {
+        return this.content.algorithm;
+    }
+
+    /**
+     * The Megolm encrypted payload information.
+     */
+    public get megolmProperties(): IMegolmEncrypted {
+        return this.content as IMegolmEncrypted;
+    }
+}

src/storage/ICryptoStorageProvider.ts

@@ -1,5 +1,10 @@
 import { EncryptionEventContent } from "../models/events/EncryptionEvent";
-import { IInboundGroupSession, IOlmSession, IOutboundGroupSession, UserDevice } from "../models/Crypto";
+import {
+    IInboundGroupSession,
+    IOlmSession,
+    IOutboundGroupSession,
+    UserDevice,
+} from "../models/Crypto";
 
 /**
  * A storage provider capable of only providing crypto-related storage.
@@ -198,4 +203,27 @@ export interface ICryptoStorageProvider {
      * @returns {Promise<IInboundGroupSession>} Resolves to the session, or falsy if not known.
      */
     getInboundGroupSession(senderUserId: string, senderDeviceId: string, roomId: string, sessionId: string): Promise<IInboundGroupSession>;
+
+    /**
+     * Sets the successfully decrypted message index for an event. Useful for tracking replay attacks.
+     * @param {string} roomId The room ID where the event was sent.
+     * @param {string} eventId The event ID.
+     * @param {string} sessionId The inbound group session ID for the event.
+     * @param {number} messageIndex The message index, as reported after decryption.
+     * @returns {Promise<void>} Resolves when complete.
+     */
+    setMessageIndexForEvent(roomId: string, eventId: string, sessionId: string, messageIndex: number): Promise<void>;
+
+    /**
+     * Gets the event ID for a previously successful decryption from a session and message index. If
+     * no event ID is known, this will return falsy. The caller can use this function to determine if
+     * a replay attack is being performed by checking the returned event ID, if present, against the
+     * event ID of the event it is decrypting. If the event IDs do not match but are truthy then the
+     * session may have been inappropriately re-used.
+     * @param {string} roomId The room ID.
+     * @param {string} sessionId The inbound group session ID.
+     * @param {number} messageIndex The message index.
+     * @returns {Promise<string>} Resolves to the event ID of the matching event, or falsy if not known.
+     */
+    getEventForMessageIndex(roomId: string, sessionId: string, messageIndex: number): Promise<string>;
 }

src/storage/SqliteCryptoStorageProvider.ts

@@ -32,6 +32,8 @@ export class SqliteCryptoStorageProvider implements ICryptoStorageProvider {
     private olmSessionSelect: Database.Statement;
     private ibGroupSessionUpsert: Database.Statement;
     private ibGroupSessionSelect: Database.Statement;
+    private deMetadataUpsert: Database.Statement;
+    private deMetadataSelect: Database.Statement;
 
     /**
      * Creates a new Sqlite storage provider.
@@ -49,6 +51,8 @@ export class SqliteCryptoStorageProvider implements ICryptoStorageProvider {
         this.db.exec("CREATE TABLE IF NOT EXISTS sent_outbound_group_sessions (session_id TEXT NOT NULL, room_id TEXT NOT NULL, session_index INT NOT NULL, user_id TEXT NOT NULL, device_id TEXT NOT NULL, PRIMARY KEY (session_id, room_id, user_id, device_id, session_index))");
         this.db.exec("CREATE TABLE IF NOT EXISTS olm_sessions (user_id TEXT NOT NULL, device_id TEXT NOT NULL, session_id TEXT NOT NULL, last_decryption_ts NUMBER NOT NULL, pickled TEXT NOT NULL, PRIMARY KEY (user_id, device_id, session_id))");
         this.db.exec("CREATE TABLE IF NOT EXISTS inbound_group_sessions (session_id TEXT NOT NULL, room_id TEXT NOT NULL, user_id TEXT NOT NULL, device_id TEXT NOT NULL, pickled TEXT NOT NULL, PRIMARY KEY (session_id, room_id, user_id, device_id))");
+        this.db.exec("CREATE TABLE IF NOT EXISTS decrypted_event_metadata (room_id TEXT NOT NULL, event_id TEXT NOT NULL, session_id TEXT NOT NULL, message_index INT NOT NULL, PRIMARY KEY (room_id, event_id))");
+        this.db.exec("CREATE INDEX IF NOT EXISTS idx_decrypted_event_metadata_by_message_index ON decrypted_event_metadata (room_id, session_id, message_index)");
 
         this.kvUpsert = this.db.prepare("INSERT INTO kv (name, value) VALUES (@name, @value) ON CONFLICT (name) DO UPDATE SET value = @value");
         this.kvSelect = this.db.prepare("SELECT name, value FROM kv WHERE name = @name");
@@ -79,6 +83,9 @@ export class SqliteCryptoStorageProvider implements ICryptoStorageProvider {
 
         this.ibGroupSessionUpsert = this.db.prepare("INSERT INTO inbound_group_sessions (session_id, room_id, user_id, device_id, pickled) VALUES (@sessionId, @roomId, @userId, @deviceId, @pickled) ON CONFLICT (session_id, room_id, user_id, device_id) DO UPDATE SET pickled = @pickled");
         this.ibGroupSessionSelect = this.db.prepare("SELECT session_id, room_id, user_id, device_id, pickled FROM inbound_group_sessions WHERE session_id = @sessionId AND room_id = @roomId AND user_id = @userId AND device_id = @deviceId");
+
+        this.deMetadataUpsert = this.db.prepare("INSERT INTO decrypted_event_metadata (room_id, event_id, session_id, message_index) VALUES (@roomId, @eventId, @sessionId, @messageIndex) ON CONFLICT (room_id, event_id) DO UPDATE SET message_index = @messageIndex, session_id = @sessionId");
+        this.deMetadataSelect = this.db.prepare("SELECT room_id, event_id, session_id, message_index FROM decrypted_event_metadata WHERE room_id = @roomId AND session_id = @sessionId AND message_index = @messageIndex LIMIT 1");
     }
 
     public async setDeviceId(deviceId: string): Promise<void> {
@@ -296,6 +303,20 @@ export class SqliteCryptoStorageProvider implements ICryptoStorageProvider {
         return null;
     }
 
+    public async setMessageIndexForEvent(roomId: string, eventId: string, sessionId: string, messageIndex: number): Promise<void> {
+        this.deMetadataUpsert.run({
+            roomId: roomId,
+            eventId: eventId,
+            sessionId: sessionId,
+            messageIndex: messageIndex,
+        });
+    }
+
+    public async getEventForMessageIndex(roomId: string, sessionId: string, messageIndex: number): Promise<string> {
+        const result = this.deMetadataSelect.get({roomId: roomId, sessionId: sessionId, messageIndex: messageIndex});
+        return result?.event_id;
+    }
+
     /**
      * Closes the crypto store. Primarily for testing purposes.
      */