Protect against double device reuse

Fixes #131

Author: turt2live

src/e2ee/CryptoClient.ts

@@ -332,7 +332,7 @@ export class CryptoClient {
                     LogService.warn("CryptoClient", `Server injected unexpected user: ${userId} - not claiming keys`);
                     continue;
                 }
-                const storedDevices = await this.client.cryptoStore.getUserDevices(userId);
+                const storedDevices = await this.client.cryptoStore.getActiveUserDevices(userId);
                 for (const deviceId of Object.keys(claimed.one_time_keys[userId])) {
                     try {
                         if (!otkClaimRequest[userId][deviceId]) {
@@ -579,7 +579,7 @@ export class CryptoClient {
         }
 
         const encrypted = event.megolmProperties;
-        const senderDevice = await this.client.cryptoStore.getUserDevice(event.sender, encrypted.device_id);
+        const senderDevice = await this.client.cryptoStore.getActiveUserDevice(event.sender, encrypted.device_id);
         if (!senderDevice) {
             throw new Error("Unable to decrypt: Unknown device for sender");
         }
@@ -650,7 +650,7 @@ export class CryptoClient {
                     return;
                 }
 
-                const userDevices = await this.client.cryptoStore.getUserDevices(message.sender);
+                const userDevices = await this.client.cryptoStore.getActiveUserDevices(message.sender);
                 const senderDevice = userDevices.find(d => d.keys[`${DeviceKeyAlgorithm.Curve25519}:${d.device_id}`] === message.content.sender_key);
                 if (!senderDevice) {
                     LogService.warn("CryptoClient", "Received encrypted message from unknown identity key (ignoring message):", message.content.sender_key);

src/e2ee/DeviceTracker.ts

@@ -30,7 +30,7 @@ export class DeviceTracker {
 
         const userDeviceMap: Record<string, UserDevice[]> = {};
         for (const userId of userIds) {
-            userDeviceMap[userId] = await this.client.cryptoStore.getUserDevices(userId);
+            userDeviceMap[userId] = await this.client.cryptoStore.getActiveUserDevices(userId);
         }
         return userDeviceMap;
     }
@@ -88,7 +88,7 @@ export class DeviceTracker {
                             continue;
                         }
 
-                        const currentDevices = await this.client.cryptoStore.getUserDevices(userId);
+                        const currentDevices = await this.client.cryptoStore.getAllUserDevices(userId);
                         const existingDevice = currentDevices.find(d => d.device_id === deviceId);
 
                         if (existingDevice) {
@@ -114,7 +114,7 @@ export class DeviceTracker {
                         validated.push(device);
                     }
 
-                    await this.client.cryptoStore.setUserDevices(userId, validated);
+                    await this.client.cryptoStore.setActiveUserDevices(userId, validated);
                 }
             } catch (e) {
                 LogService.error("DeviceTracker", "Error updating device lists:", e);

src/models/Crypto.ts

@@ -99,6 +99,18 @@ export interface UserDevice {
     };
 }
 
+/**
+ * Represents a user's stored device.
+ * @category Models
+ */
+export interface StoredUserDevice extends UserDevice {
+    unsigned: {
+        [k: string]: any;
+        device_display_name?: string;
+        bsdkIsActive: boolean;
+    };
+}
+
 /**
  * Device list response for a multi-user query.
  * @category Models

src/storage/ICryptoStorageProvider.ts

@@ -1,5 +1,11 @@
 import { EncryptionEventContent } from "../models/events/EncryptionEvent";
-import { IInboundGroupSession, IOlmSession, IOutboundGroupSession, UserDevice } from "../models/Crypto";
+import {
+    IInboundGroupSession,
+    IOlmSession,
+    IOutboundGroupSession,
+    StoredUserDevice,
+    UserDevice,
+} from "../models/Crypto";
 
 /**
  * A storage provider capable of only providing crypto-related storage.
@@ -70,23 +76,32 @@ export interface ICryptoStorageProvider {
      * @param {UserDevice[]} devices The devices to set for the user.
      * @returns {Promise<void>} Resolves when complete.
      */
-    setUserDevices(userId: string, devices: UserDevice[]): Promise<void>;
+    setActiveUserDevices(userId: string, devices: UserDevice[]): Promise<void>;
 
     /**
-     * Gets the user's stored devices. If no devices are stored, an empty array is returned.
+     * Gets the user's active stored devices. If no devices are stored, an empty array is returned.
      * @param {string} userId The user ID to get devices for.
      * @returns {Promise<UserDevice[]>} Resolves to the array of devices for the user. If no
      * devices are known, the array will be empty.
      */
-    getUserDevices(userId: string): Promise<UserDevice[]>;
+    getActiveUserDevices(userId: string): Promise<UserDevice[]>;
 
     /**
-     * Gets a user's stored device. If the device is not known or active, falsy is returned.
+     * Gets a user's active stored device. If the device is not known or active, falsy is returned.
      * @param {string} userId The user ID.
      * @param {string} deviceId The device ID.
      * @returns {Promise<UserDevice>} Resolves to the user's device, or falsy if not known.
      */
-    getUserDevice(userId: string, deviceId: string): Promise<UserDevice>;
+    getActiveUserDevice(userId: string, deviceId: string): Promise<UserDevice>;
+
+    /**
+     * Gets all of the user's devices, regardless of whether or not they are active. The active flag
+     * will be stored in the unsigned portion of the returned device.
+     * @param {string} userId The user ID to get devices for.
+     * @returns {Promise<StoredUserDevice[]>} Resolves to the array of devices for the user, or empty
+     * if no devices are known.
+     */
+    getAllUserDevices(userId: string): Promise<StoredUserDevice[]>;
 
     /**
      * Flags multiple user's device lists as outdated.

src/storage/SqliteCryptoStorageProvider.ts

@@ -1,7 +1,13 @@
 import { ICryptoStorageProvider } from "./ICryptoStorageProvider";
 import { EncryptionEventContent } from "../models/events/EncryptionEvent";
 import * as Database from "better-sqlite3";
-import { IInboundGroupSession, IOlmSession, IOutboundGroupSession, UserDevice } from "../models/Crypto";
+import {
+    IInboundGroupSession,
+    IOlmSession,
+    IOutboundGroupSession,
+    StoredUserDevice,
+    UserDevice,
+} from "../models/Crypto";
 
 /**
  * Sqlite crypto storage provider. Requires `better-sqlite3` package to be installed.
@@ -19,7 +25,8 @@ export class SqliteCryptoStorageProvider implements ICryptoStorageProvider {
     private userDeviceUpsert: Database.Statement;
     private userDevicesDelete: Database.Statement;
     private userDevicesSelect: Database.Statement;
-    private userDeviceSelect: Database.Statement;
+    private userActiveDevicesSelect: Database.Statement;
+    private userActiveDeviceSelect: Database.Statement;
     private obGroupSessionUpsert: Database.Statement;
     private obGroupSessionSelect: Database.Statement;
     private obGroupCurrentSessionSelect: Database.Statement;
@@ -45,7 +52,7 @@ export class SqliteCryptoStorageProvider implements ICryptoStorageProvider {
         this.db.exec("CREATE TABLE IF NOT EXISTS kv (name TEXT PRIMARY KEY NOT NULL, value TEXT NOT NULL)");
         this.db.exec("CREATE TABLE IF NOT EXISTS rooms (room_id TEXT PRIMARY KEY NOT NULL, config TEXT NOT NULL)");
         this.db.exec("CREATE TABLE IF NOT EXISTS users (user_id TEXT PRIMARY KEY NOT NULL, outdated TINYINT NOT NULL)");
-        this.db.exec("CREATE TABLE IF NOT EXISTS user_devices (user_id TEXT NOT NULL, device_id TEXT NOT NULL, device TEXT NOT NULL, PRIMARY KEY (user_id, device_id))");
+        this.db.exec("CREATE TABLE IF NOT EXISTS user_devices (user_id TEXT NOT NULL, device_id TEXT NOT NULL, device TEXT NOT NULL, active TINYINT NOT NULL, PRIMARY KEY (user_id, device_id))");
         this.db.exec("CREATE TABLE IF NOT EXISTS outbound_group_sessions (session_id TEXT NOT NULL, room_id TEXT NOT NULL, current TINYINT NOT NULL, pickled TEXT NOT NULL, uses_left NUMBER NOT NULL, expires_ts NUMBER NOT NULL, PRIMARY KEY (session_id, room_id))");
         this.db.exec("CREATE TABLE IF NOT EXISTS sent_outbound_group_sessions (session_id TEXT NOT NULL, room_id TEXT NOT NULL, session_index INT NOT NULL, user_id TEXT NOT NULL, device_id TEXT NOT NULL, PRIMARY KEY (session_id, room_id, user_id, device_id, session_index))");
         this.db.exec("CREATE TABLE IF NOT EXISTS olm_sessions (user_id TEXT NOT NULL, device_id TEXT NOT NULL, session_id TEXT NOT NULL, last_decryption_ts NUMBER NOT NULL, pickled TEXT NOT NULL, PRIMARY KEY (user_id, device_id, session_id))");
@@ -62,10 +69,11 @@ export class SqliteCryptoStorageProvider implements ICryptoStorageProvider {
         this.userUpsert = this.db.prepare("INSERT INTO users (user_id, outdated) VALUES (@userId, @outdated) ON CONFLICT (user_id) DO UPDATE SET outdated = @outdated");
         this.userSelect = this.db.prepare("SELECT user_id, outdated FROM users WHERE user_id = @userId");
 
-        this.userDeviceUpsert = this.db.prepare("INSERT INTO user_devices (user_id, device_id, device) VALUES (@userId, @deviceId, @device) ON CONFLICT (user_id, device_id) DO UPDATE SET device = @device");
-        this.userDevicesDelete = this.db.prepare("DELETE FROM user_devices WHERE user_id = @userId");
-        this.userDevicesSelect = this.db.prepare("SELECT user_id, device_id, device FROM user_devices WHERE user_id = @userId");
-        this.userDeviceSelect = this.db.prepare("SELECT user_id, device_id, device FROM user_devices WHERE user_id = @userId AND device_id = @deviceId");
+        this.userDeviceUpsert = this.db.prepare("INSERT INTO user_devices (user_id, device_id, device, active) VALUES (@userId, @deviceId, @device, @active) ON CONFLICT (user_id, device_id) DO UPDATE SET device = @device, active = @active");
+        this.userDevicesDelete = this.db.prepare("UPDATE user_devices SET active = 0 WHERE user_id = @userId");
+        this.userDevicesSelect = this.db.prepare("SELECT user_id, device_id, device, active FROM user_devices WHERE user_id = @userId");
+        this.userActiveDevicesSelect = this.db.prepare("SELECT user_id, device_id, device, active FROM user_devices WHERE user_id = @userId AND active = 1");
+        this.userActiveDeviceSelect = this.db.prepare("SELECT user_id, device_id, device, active FROM user_devices WHERE user_id = @userId AND device_id = @deviceId AND active = 1");
 
         this.obGroupSessionUpsert = this.db.prepare("INSERT INTO outbound_group_sessions (session_id, room_id, current, pickled, uses_left, expires_ts) VALUES (@sessionId, @roomId, @current, @pickled, @usesLeft, @expiresTs) ON CONFLICT (session_id, room_id) DO UPDATE SET pickled = @pickled, current = @current, uses_left = @usesLeft, expires_ts = @expiresTs");
         this.obGroupSessionSelect = this.db.prepare("SELECT session_id, room_id, current, pickled, uses_left, expires_ts FROM outbound_group_sessions WHERE session_id = @sessionId AND room_id = @roomId");
@@ -135,28 +143,34 @@ export class SqliteCryptoStorageProvider implements ICryptoStorageProvider {
         return val ? JSON.parse(val) : null;
     }
 
-    public async setUserDevices(userId: string, devices: UserDevice[]): Promise<void> {
+    public async setActiveUserDevices(userId: string, devices: UserDevice[]): Promise<void> {
         this.db.transaction(() => {
             this.userUpsert.run({userId: userId, outdated: 0});
             this.userDevicesDelete.run({userId: userId});
             for (const device of devices) {
-                this.userDeviceUpsert.run({userId: userId, deviceId: device.device_id, device: JSON.stringify(device)});
+                this.userDeviceUpsert.run({userId: userId, deviceId: device.device_id, device: JSON.stringify(device), active: 1});
             }
         })();
     }
 
-    public async getUserDevices(userId: string): Promise<UserDevice[]> {
-        const results = this.userDevicesSelect.all({userId: userId})
+    public async getActiveUserDevices(userId: string): Promise<UserDevice[]> {
+        const results = this.userActiveDevicesSelect.all({userId: userId})
         if (!results) return [];
         return results.map(d => JSON.parse(d.device));
     }
 
-    public async getUserDevice(userId: string, deviceId: string): Promise<UserDevice> {
-        const result = this.userDeviceSelect.get({userId: userId, deviceId: deviceId});
+    public async getActiveUserDevice(userId: string, deviceId: string): Promise<UserDevice> {
+        const result = this.userActiveDeviceSelect.get({userId: userId, deviceId: deviceId});
         if (!result) return null;
         return JSON.parse(result.device);
     }
 
+    public async getAllUserDevices(userId: string): Promise<StoredUserDevice[]> {
+        const results = this.userDevicesSelect.all({userId: userId})
+        if (!results) return [];
+        return results.map(d => Object.assign({}, JSON.parse(d.device), {unsigned: {bsdkIsActive: d.active === 1}}));
+    }
+
     public async flagUsersOutdated(userIds: string[]): Promise<void> {
         this.db.transaction(() => {
             for (const userId of userIds) {

test/encryption/CryptoClientTest.ts

@@ -712,7 +712,7 @@ describe('CryptoClient', () => {
                 throw new Error("Not called appropriately");
             };
 
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(targetUserId);
                 return [{
                     user_id: targetUserId,
@@ -800,7 +800,7 @@ describe('CryptoClient', () => {
                 return session;
             };
 
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(claimUserId);
                 return [{
                     user_id: claimUserId,
@@ -892,7 +892,7 @@ describe('CryptoClient', () => {
                 return null;
             };
 
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(claimUserId);
                 return [{
                     user_id: claimUserId,
@@ -978,7 +978,7 @@ describe('CryptoClient', () => {
                 return null;
             };
 
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(claimUserId);
                 return [{
                     user_id: claimUserId,
@@ -1063,7 +1063,7 @@ describe('CryptoClient', () => {
                 return null;
             };
 
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(claimUserId);
                 return [{
                     user_id: claimUserId,
@@ -1135,7 +1135,7 @@ describe('CryptoClient', () => {
                 return null;
             };
 
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(claimUserId);
                 return [{
                     user_id: claimUserId,
@@ -1199,7 +1199,7 @@ describe('CryptoClient', () => {
                 return null;
             };
 
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(claimUserId);
                 return [{
                     user_id: claimUserId,
@@ -1279,7 +1279,7 @@ describe('CryptoClient', () => {
             });
             client.claimOneTimeKeys = claimSpy;
 
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(claimUserId);
                 return [{
                     user_id: claimUserId,
@@ -2147,7 +2147,7 @@ describe('CryptoClient', () => {
             LogService.setLogger({ warn: logSpy } as any as ILogger);
 
             const sender = "@bob:example.org";
-            client.cryptoStore.getUserDevices = async (uid) => {
+            client.cryptoStore.getActiveUserDevices = async (uid) => {
                 expect(uid).toEqual(sender);
                 return [STATIC_TEST_DEVICES["NTTFKSVBSI"]];
             };
@@ -2256,7 +2256,7 @@ describe('CryptoClient', () => {
 
             beforeEach(async () => {
                 await client.crypto.prepare([]);
-                client.cryptoStore.getUserDevices = async (uid) => {
+                client.cryptoStore.getActiveUserDevices = async (uid) => {
                     expect(uid).toEqual(senderDevice.user_id);
                     return [senderDevice];
                 };
@@ -2873,7 +2873,7 @@ describe('CryptoClient', () => {
                 expect(did).toEqual(event.content.device_id);
                 return null;
             });
-            client.cryptoStore.getUserDevice = getSpy;
+            client.cryptoStore.getActiveUserDevice = getSpy;
 
             try {
                 await client.crypto.decryptRoomEvent(event, roomId);
@@ -2907,7 +2907,7 @@ describe('CryptoClient', () => {
                 expect(did).toEqual(event.content.device_id);
                 return RECEIVER_DEVICE;
             });
-            client.cryptoStore.getUserDevice = getSpy;
+            client.cryptoStore.getActiveUserDevice = getSpy;
 
             try {
                 await client.crypto.decryptRoomEvent(event, roomId);
@@ -2941,7 +2941,7 @@ describe('CryptoClient', () => {
                 expect(did).toEqual(event.content.device_id);
                 return RECEIVER_DEVICE;
             });
-            client.cryptoStore.getUserDevice = getDeviceSpy;
+            client.cryptoStore.getActiveUserDevice = getDeviceSpy;
 
             const getSessionSpy = simple.stub().callFn(async (uid, did, rid, sid) => {
                 expect(uid).toEqual(userId);
@@ -2968,7 +2968,7 @@ describe('CryptoClient', () => {
         it('should fail the decryption looks like a replay attack', async () => {
             await client.crypto.prepare([]);
 
-            await client.cryptoStore.setUserDevices(RECEIVER_DEVICE.user_id, [RECEIVER_DEVICE]);
+            await client.cryptoStore.setActiveUserDevices(RECEIVER_DEVICE.user_id, [RECEIVER_DEVICE]);
 
             // Make an encrypted event, and store the outbound keys as inbound
             const plainType = "org.example.plain";
@@ -3030,7 +3030,7 @@ describe('CryptoClient', () => {
         it('should succeed at re-decryption (valid replay)', async () => {
             await client.crypto.prepare([]);
 
-            await client.cryptoStore.setUserDevices(RECEIVER_DEVICE.user_id, [RECEIVER_DEVICE]);
+            await client.cryptoStore.setActiveUserDevices(RECEIVER_DEVICE.user_id, [RECEIVER_DEVICE]);
 
             // Make an encrypted event, and store the outbound keys as inbound
             const plainType = "org.example.plain";
@@ -3097,7 +3097,7 @@ describe('CryptoClient', () => {
         it('should succeed at decryption', async () => {
             await client.crypto.prepare([]);
 
-            await client.cryptoStore.setUserDevices(RECEIVER_DEVICE.user_id, [RECEIVER_DEVICE]);
+            await client.cryptoStore.setActiveUserDevices(RECEIVER_DEVICE.user_id, [RECEIVER_DEVICE]);
 
             // Make an encrypted event, and store the outbound keys as inbound
             const plainType = "org.example.plain";