2019-07-17 22:25:42 +00:00
|
|
|
package encryption
|
2018-09-24 18:07:34 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/ecdsa"
|
|
|
|
"database/sql"
|
2023-10-12 15:45:23 +00:00
|
|
|
"errors"
|
2018-11-06 08:05:32 +00:00
|
|
|
"strings"
|
2018-09-24 18:07:34 +00:00
|
|
|
|
|
|
|
dr "github.com/status-im/doubleratchet"
|
2020-01-02 09:10:19 +00:00
|
|
|
|
2019-11-23 17:57:05 +00:00
|
|
|
"github.com/status-im/status-go/eth-node/crypto"
|
2019-07-03 19:13:11 +00:00
|
|
|
|
2019-11-21 16:19:22 +00:00
|
|
|
"github.com/status-im/status-go/protocol/encryption/multidevice"
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
// RatchetInfo holds the current ratchet state.
|
|
|
|
type RatchetInfo struct {
|
|
|
|
ID []byte
|
|
|
|
Sk []byte
|
|
|
|
PrivateKey []byte
|
|
|
|
PublicKey []byte
|
|
|
|
Identity []byte
|
|
|
|
BundleID []byte
|
|
|
|
EphemeralKey []byte
|
|
|
|
InstallationID string
|
2018-09-24 18:07:34 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
// A safe max number of rows.
|
|
|
|
const maxNumberOfRows = 100000000
|
2018-11-28 11:34:39 +00:00
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
type sqlitePersistence struct {
|
|
|
|
DB *sql.DB
|
|
|
|
keysStorage dr.KeysStorage
|
|
|
|
sessionStorage dr.SessionStorage
|
2018-09-24 18:07:34 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
func newSQLitePersistence(db *sql.DB) *sqlitePersistence {
|
|
|
|
return &sqlitePersistence{
|
|
|
|
DB: db,
|
|
|
|
keysStorage: newSQLiteKeysStorage(db),
|
|
|
|
sessionStorage: newSQLiteSessionStorage(db),
|
2018-09-24 18:07:34 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetKeysStorage returns the associated double ratchet KeysStorage object
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) KeysStorage() dr.KeysStorage {
|
2018-09-24 18:07:34 +00:00
|
|
|
return s.keysStorage
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetSessionStorage returns the associated double ratchet SessionStorage object
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) SessionStorage() dr.SessionStorage {
|
2018-09-24 18:07:34 +00:00
|
|
|
return s.sessionStorage
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddPrivateBundle adds the specified BundleContainer to the database
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) AddPrivateBundle(bc *BundleContainer) error {
|
2019-06-03 14:29:14 +00:00
|
|
|
tx, err := s.DB.Begin()
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-11-06 08:05:32 +00:00
|
|
|
for installationID, signedPreKey := range bc.GetBundle().GetSignedPreKeys() {
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
var version uint32
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := tx.Prepare(`SELECT version
|
|
|
|
FROM bundles
|
|
|
|
WHERE installation_id = ? AND identity = ?
|
|
|
|
ORDER BY version DESC
|
|
|
|
LIMIT 1`)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
defer stmt.Close()
|
|
|
|
|
2018-11-06 08:05:32 +00:00
|
|
|
err = stmt.QueryRow(installationID, bc.GetBundle().GetIdentity()).Scan(&version)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
if err != nil && err != sql.ErrNoRows {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err = tx.Prepare(`INSERT INTO bundles(identity, private_key, signed_pre_key, installation_id, version, timestamp)
|
|
|
|
VALUES(?, ?, ?, ?, ?, ?)`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(
|
2018-11-06 08:05:32 +00:00
|
|
|
bc.GetBundle().GetIdentity(),
|
|
|
|
bc.GetPrivateSignedPreKey(),
|
2018-09-24 18:07:34 +00:00
|
|
|
signedPreKey.GetSignedPreKey(),
|
|
|
|
installationID,
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
version+1,
|
2018-11-06 08:05:32 +00:00
|
|
|
bc.GetBundle().GetTimestamp(),
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
_ = tx.Rollback()
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := tx.Commit(); err != nil {
|
|
|
|
_ = tx.Rollback()
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddPublicBundle adds the specified Bundle to the database
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) AddPublicBundle(b *Bundle) error {
|
2019-06-03 14:29:14 +00:00
|
|
|
tx, err := s.DB.Begin()
|
2018-09-24 18:07:34 +00:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
for installationID, signedPreKeyContainer := range b.GetSignedPreKeys() {
|
|
|
|
signedPreKey := signedPreKeyContainer.GetSignedPreKey()
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
version := signedPreKeyContainer.GetVersion()
|
2018-11-28 11:34:39 +00:00
|
|
|
insertStmt, err := tx.Prepare(`INSERT INTO bundles(identity, signed_pre_key, installation_id, version, timestamp)
|
|
|
|
VALUES( ?, ?, ?, ?, ?)`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer insertStmt.Close()
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
|
2018-09-24 18:07:34 +00:00
|
|
|
_, err = insertStmt.Exec(
|
|
|
|
b.GetIdentity(),
|
|
|
|
signedPreKey,
|
|
|
|
installationID,
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
version,
|
2018-11-06 08:05:32 +00:00
|
|
|
b.GetTimestamp(),
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
_ = tx.Rollback()
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
// Mark old bundles as expired
|
2018-11-28 11:34:39 +00:00
|
|
|
updateStmt, err := tx.Prepare(`UPDATE bundles
|
|
|
|
SET expired = 1
|
|
|
|
WHERE identity = ? AND installation_id = ? AND version < ?`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer updateStmt.Close()
|
|
|
|
|
|
|
|
_, err = updateStmt.Exec(
|
|
|
|
b.GetIdentity(),
|
|
|
|
installationID,
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
version,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
_ = tx.Rollback()
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
return tx.Commit()
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAnyPrivateBundle retrieves any bundle from the database containing a private key
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) GetAnyPrivateBundle(myIdentityKey []byte, installations []*multidevice.Installation) (*BundleContainer, error) {
|
2018-11-06 08:05:32 +00:00
|
|
|
|
2019-05-23 07:54:28 +00:00
|
|
|
versions := make(map[string]uint32)
|
2018-11-06 08:05:32 +00:00
|
|
|
/* #nosec */
|
2018-11-28 11:34:39 +00:00
|
|
|
statement := `SELECT identity, private_key, signed_pre_key, installation_id, timestamp, version
|
|
|
|
FROM bundles
|
2019-05-23 07:54:28 +00:00
|
|
|
WHERE expired = 0 AND identity = ? AND installation_id IN (?` + strings.Repeat(",?", len(installations)-1) + ")"
|
2019-06-03 14:29:14 +00:00
|
|
|
stmt, err := s.DB.Prepare(statement)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
var timestamp int64
|
|
|
|
var identity []byte
|
2018-10-16 10:31:05 +00:00
|
|
|
var privateKey []byte
|
2018-11-28 11:34:39 +00:00
|
|
|
var version uint32
|
2018-09-24 18:07:34 +00:00
|
|
|
|
2019-05-23 07:54:28 +00:00
|
|
|
args := make([]interface{}, len(installations)+1)
|
2018-11-06 08:05:32 +00:00
|
|
|
args[0] = myIdentityKey
|
2019-05-23 07:54:28 +00:00
|
|
|
for i, installation := range installations {
|
|
|
|
// Lookup up map for versions
|
|
|
|
versions[installation.ID] = installation.Version
|
|
|
|
|
|
|
|
args[i+1] = installation.ID
|
2018-11-06 08:05:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
rows, err := stmt.Query(args...)
|
2018-09-24 18:07:34 +00:00
|
|
|
rowCount := 0
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
defer rows.Close()
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
bundle := &Bundle{
|
|
|
|
SignedPreKeys: make(map[string]*SignedPreKey),
|
2018-09-24 18:07:34 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
bundleContainer := &BundleContainer{
|
2018-10-16 10:31:05 +00:00
|
|
|
Bundle: bundle,
|
|
|
|
}
|
|
|
|
|
2018-09-24 18:07:34 +00:00
|
|
|
for rows.Next() {
|
|
|
|
var signedPreKey []byte
|
|
|
|
var installationID string
|
|
|
|
rowCount++
|
|
|
|
err = rows.Scan(
|
|
|
|
&identity,
|
2018-10-16 10:31:05 +00:00
|
|
|
&privateKey,
|
2018-09-24 18:07:34 +00:00
|
|
|
&signedPreKey,
|
|
|
|
&installationID,
|
|
|
|
×tamp,
|
2018-11-28 11:34:39 +00:00
|
|
|
&version,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-10-16 10:31:05 +00:00
|
|
|
// If there is a private key, we set the timestamp of the bundle container
|
|
|
|
if privateKey != nil {
|
2018-11-06 08:05:32 +00:00
|
|
|
bundle.Timestamp = timestamp
|
2018-10-16 10:31:05 +00:00
|
|
|
}
|
2018-09-24 18:07:34 +00:00
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
bundle.SignedPreKeys[installationID] = &SignedPreKey{
|
2019-05-23 07:54:28 +00:00
|
|
|
SignedPreKey: signedPreKey,
|
|
|
|
Version: version,
|
|
|
|
ProtocolVersion: versions[installationID],
|
|
|
|
}
|
2018-09-24 18:07:34 +00:00
|
|
|
bundle.Identity = identity
|
|
|
|
}
|
|
|
|
|
2018-10-16 10:31:05 +00:00
|
|
|
// If no records are found or no record with private key, return nil
|
2018-11-06 08:05:32 +00:00
|
|
|
if rowCount == 0 || bundleContainer.GetBundle().Timestamp == 0 {
|
2018-09-24 18:07:34 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2018-10-16 10:31:05 +00:00
|
|
|
|
|
|
|
return bundleContainer, nil
|
2018-09-24 18:07:34 +00:00
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetPrivateKeyBundle retrieves a private key for a bundle from the database
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) GetPrivateKeyBundle(bundleID []byte) ([]byte, error) {
|
2019-06-03 14:29:14 +00:00
|
|
|
stmt, err := s.DB.Prepare(`SELECT private_key
|
2018-11-28 11:34:39 +00:00
|
|
|
FROM bundles
|
2019-02-28 12:09:43 +00:00
|
|
|
WHERE signed_pre_key = ? LIMIT 1`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
var privateKey []byte
|
|
|
|
|
|
|
|
err = stmt.QueryRow(bundleID).Scan(&privateKey)
|
|
|
|
switch err {
|
|
|
|
case sql.ErrNoRows:
|
|
|
|
return nil, nil
|
|
|
|
case nil:
|
|
|
|
return privateKey, nil
|
|
|
|
default:
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-11-06 08:05:32 +00:00
|
|
|
// MarkBundleExpired expires any private bundle for a given identity
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) MarkBundleExpired(identity []byte) error {
|
2019-06-03 14:29:14 +00:00
|
|
|
stmt, err := s.DB.Prepare(`UPDATE bundles
|
2018-11-28 11:34:39 +00:00
|
|
|
SET expired = 1
|
|
|
|
WHERE identity = ? AND private_key IS NOT NULL`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(identity)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetPublicBundle retrieves an existing Bundle for the specified public key from the database
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) GetPublicBundle(publicKey *ecdsa.PublicKey, installations []*multidevice.Installation) (*Bundle, error) {
|
2018-11-06 08:05:32 +00:00
|
|
|
|
2019-05-23 07:54:28 +00:00
|
|
|
if len(installations) == 0 {
|
2018-11-06 08:05:32 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2018-09-24 18:07:34 +00:00
|
|
|
|
2019-05-23 07:54:28 +00:00
|
|
|
versions := make(map[string]uint32)
|
2018-09-24 18:07:34 +00:00
|
|
|
identity := crypto.CompressPubkey(publicKey)
|
2018-11-06 08:05:32 +00:00
|
|
|
|
|
|
|
/* #nosec */
|
2018-11-28 11:34:39 +00:00
|
|
|
statement := `SELECT signed_pre_key,installation_id, version
|
|
|
|
FROM bundles
|
2019-05-23 07:54:28 +00:00
|
|
|
WHERE expired = 0 AND identity = ? AND installation_id IN (?` + strings.Repeat(",?", len(installations)-1) + `)
|
2018-11-28 11:34:39 +00:00
|
|
|
ORDER BY version DESC`
|
2019-06-03 14:29:14 +00:00
|
|
|
stmt, err := s.DB.Prepare(statement)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
2019-05-23 07:54:28 +00:00
|
|
|
args := make([]interface{}, len(installations)+1)
|
2018-11-06 08:05:32 +00:00
|
|
|
args[0] = identity
|
2019-05-23 07:54:28 +00:00
|
|
|
for i, installation := range installations {
|
|
|
|
// Lookup up map for versions
|
|
|
|
versions[installation.ID] = installation.Version
|
|
|
|
args[i+1] = installation.ID
|
2018-11-06 08:05:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
rows, err := stmt.Query(args...)
|
2018-09-24 18:07:34 +00:00
|
|
|
rowCount := 0
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
defer rows.Close()
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
bundle := &Bundle{
|
2018-09-24 18:07:34 +00:00
|
|
|
Identity: identity,
|
2019-07-17 22:25:42 +00:00
|
|
|
SignedPreKeys: make(map[string]*SignedPreKey),
|
2018-09-24 18:07:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for rows.Next() {
|
|
|
|
var signedPreKey []byte
|
|
|
|
var installationID string
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
var version uint32
|
2018-09-24 18:07:34 +00:00
|
|
|
rowCount++
|
|
|
|
err = rows.Scan(
|
|
|
|
&signedPreKey,
|
|
|
|
&installationID,
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
&version,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
bundle.SignedPreKeys[installationID] = &SignedPreKey{
|
2019-05-23 07:54:28 +00:00
|
|
|
SignedPreKey: signedPreKey,
|
|
|
|
Version: version,
|
|
|
|
ProtocolVersion: versions[installationID],
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
}
|
2018-09-24 18:07:34 +00:00
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if rowCount == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return bundle, nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddRatchetInfo persists the specified ratchet info into the database
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) AddRatchetInfo(key []byte, identity []byte, bundleID []byte, ephemeralKey []byte, installationID string) error {
|
2019-06-03 14:29:14 +00:00
|
|
|
stmt, err := s.DB.Prepare(`INSERT INTO ratchet_info_v2(symmetric_key, identity, bundle_id, ephemeral_key, installation_id)
|
2018-11-28 11:34:39 +00:00
|
|
|
VALUES(?, ?, ?, ?, ?)`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(
|
|
|
|
key,
|
|
|
|
identity,
|
|
|
|
bundleID,
|
|
|
|
ephemeralKey,
|
|
|
|
installationID,
|
|
|
|
)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetRatchetInfo retrieves the existing RatchetInfo for a specified bundle ID and interlocutor public key from the database
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) GetRatchetInfo(bundleID []byte, theirIdentity []byte, installationID string) (*RatchetInfo, error) {
|
2019-06-03 14:29:14 +00:00
|
|
|
stmt, err := s.DB.Prepare(`SELECT ratchet_info_v2.identity, ratchet_info_v2.symmetric_key, bundles.private_key, bundles.signed_pre_key, ratchet_info_v2.ephemeral_key, ratchet_info_v2.installation_id
|
2018-11-28 11:34:39 +00:00
|
|
|
FROM ratchet_info_v2 JOIN bundles ON bundle_id = signed_pre_key
|
|
|
|
WHERE ratchet_info_v2.identity = ? AND ratchet_info_v2.installation_id = ? AND bundle_id = ?
|
|
|
|
LIMIT 1`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
ratchetInfo := &RatchetInfo{
|
|
|
|
BundleID: bundleID,
|
|
|
|
}
|
|
|
|
|
2018-10-16 10:31:05 +00:00
|
|
|
err = stmt.QueryRow(theirIdentity, installationID, bundleID).Scan(
|
2018-09-24 18:07:34 +00:00
|
|
|
&ratchetInfo.Identity,
|
|
|
|
&ratchetInfo.Sk,
|
|
|
|
&ratchetInfo.PrivateKey,
|
|
|
|
&ratchetInfo.PublicKey,
|
|
|
|
&ratchetInfo.EphemeralKey,
|
|
|
|
&ratchetInfo.InstallationID,
|
|
|
|
)
|
|
|
|
switch err {
|
|
|
|
case sql.ErrNoRows:
|
|
|
|
return nil, nil
|
|
|
|
case nil:
|
|
|
|
ratchetInfo.ID = append(bundleID, []byte(ratchetInfo.InstallationID)...)
|
|
|
|
return ratchetInfo, nil
|
|
|
|
default:
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAnyRatchetInfo retrieves any existing RatchetInfo for a specified interlocutor public key from the database
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) GetAnyRatchetInfo(identity []byte, installationID string) (*RatchetInfo, error) {
|
2019-06-03 14:29:14 +00:00
|
|
|
stmt, err := s.DB.Prepare(`SELECT symmetric_key, bundles.private_key, signed_pre_key, bundle_id, ephemeral_key
|
2018-11-28 11:34:39 +00:00
|
|
|
FROM ratchet_info_v2 JOIN bundles ON bundle_id = signed_pre_key
|
|
|
|
WHERE expired = 0 AND ratchet_info_v2.identity = ? AND ratchet_info_v2.installation_id = ?
|
|
|
|
LIMIT 1`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
ratchetInfo := &RatchetInfo{
|
|
|
|
Identity: identity,
|
|
|
|
InstallationID: installationID,
|
|
|
|
}
|
|
|
|
|
|
|
|
err = stmt.QueryRow(identity, installationID).Scan(
|
|
|
|
&ratchetInfo.Sk,
|
|
|
|
&ratchetInfo.PrivateKey,
|
|
|
|
&ratchetInfo.PublicKey,
|
|
|
|
&ratchetInfo.BundleID,
|
|
|
|
&ratchetInfo.EphemeralKey,
|
|
|
|
)
|
|
|
|
switch err {
|
|
|
|
case sql.ErrNoRows:
|
|
|
|
return nil, nil
|
|
|
|
case nil:
|
|
|
|
ratchetInfo.ID = append(ratchetInfo.BundleID, []byte(installationID)...)
|
|
|
|
return ratchetInfo, nil
|
|
|
|
default:
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// RatchetInfoConfirmed clears the ephemeral key in the RatchetInfo
|
|
|
|
// associated with the specified bundle ID and interlocutor identity public key
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqlitePersistence) RatchetInfoConfirmed(bundleID []byte, theirIdentity []byte, installationID string) error {
|
2019-06-03 14:29:14 +00:00
|
|
|
stmt, err := s.DB.Prepare(`UPDATE ratchet_info_v2
|
2018-11-28 11:34:39 +00:00
|
|
|
SET ephemeral_key = NULL
|
|
|
|
WHERE identity = ? AND bundle_id = ? AND installation_id = ?`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(
|
|
|
|
theirIdentity,
|
|
|
|
bundleID,
|
2018-10-16 10:31:05 +00:00
|
|
|
installationID,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
type sqliteKeysStorage struct {
|
|
|
|
db *sql.DB
|
|
|
|
}
|
|
|
|
|
|
|
|
func newSQLiteKeysStorage(db *sql.DB) *sqliteKeysStorage {
|
|
|
|
return &sqliteKeysStorage{
|
|
|
|
db: db,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-09-24 18:07:34 +00:00
|
|
|
// Get retrieves the message key for a specified public key and message number
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteKeysStorage) Get(pubKey dr.Key, msgNum uint) (dr.Key, bool, error) {
|
2019-11-04 10:08:22 +00:00
|
|
|
var key []byte
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`SELECT message_key
|
|
|
|
FROM keys
|
|
|
|
WHERE public_key = ? AND msg_num = ?
|
|
|
|
LIMIT 1`)
|
2018-09-24 18:07:34 +00:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return key, false, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
2019-11-04 10:08:22 +00:00
|
|
|
err = stmt.QueryRow(pubKey, msgNum).Scan(&key)
|
2018-09-24 18:07:34 +00:00
|
|
|
switch err {
|
|
|
|
case sql.ErrNoRows:
|
|
|
|
return key, false, nil
|
|
|
|
case nil:
|
|
|
|
return key, true, nil
|
|
|
|
default:
|
|
|
|
return key, false, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Put stores a key with the specified public key, message number and message key
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteKeysStorage) Put(sessionID []byte, pubKey dr.Key, msgNum uint, mk dr.Key, seqNum uint) error {
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`INSERT INTO keys(session_id, public_key, msg_num, message_key, seq_num)
|
|
|
|
VALUES(?, ?, ?, ?, ?)`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
sessionID,
|
2019-11-04 10:08:22 +00:00
|
|
|
pubKey,
|
2018-09-24 18:07:34 +00:00
|
|
|
msgNum,
|
2019-11-04 10:08:22 +00:00
|
|
|
mk,
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
seqNum,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
// DeleteOldMks caps remove any key < seq_num, included
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteKeysStorage) DeleteOldMks(sessionID []byte, deleteUntil uint) error {
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`DELETE FROM keys
|
|
|
|
WHERE session_id = ? AND seq_num <= ?`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
sessionID,
|
|
|
|
deleteUntil,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
// TruncateMks caps the number of keys to maxKeysPerSession deleting them in FIFO fashion
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteKeysStorage) TruncateMks(sessionID []byte, maxKeysPerSession int) error {
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`DELETE FROM keys
|
|
|
|
WHERE rowid IN (SELECT rowid FROM keys WHERE session_id = ? ORDER BY seq_num DESC LIMIT ? OFFSET ?)`)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(
|
|
|
|
sessionID,
|
|
|
|
// We LIMIT to the max number of rows here, as OFFSET can't be used without a LIMIT
|
|
|
|
maxNumberOfRows,
|
|
|
|
maxKeysPerSession,
|
|
|
|
)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteMk deletes the key with the specified public key and message key
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteKeysStorage) DeleteMk(pubKey dr.Key, msgNum uint) error {
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`DELETE FROM keys
|
|
|
|
WHERE public_key = ? AND msg_num = ?`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(
|
2019-11-04 10:08:22 +00:00
|
|
|
pubKey,
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
msgNum,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Count returns the count of keys with the specified public key
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteKeysStorage) Count(pubKey dr.Key) (uint, error) {
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`SELECT COUNT(1)
|
|
|
|
FROM keys
|
|
|
|
WHERE public_key = ?`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
var count uint
|
2019-11-04 10:08:22 +00:00
|
|
|
err = stmt.QueryRow(pubKey).Scan(&count)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return count, nil
|
|
|
|
}
|
|
|
|
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
// CountAll returns the count of keys with the specified public key
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteKeysStorage) CountAll() (uint, error) {
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`SELECT COUNT(1)
|
|
|
|
FROM keys`)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
var count uint
|
|
|
|
err = stmt.QueryRow().Scan(&count)
|
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return count, nil
|
|
|
|
}
|
|
|
|
|
2018-09-24 18:07:34 +00:00
|
|
|
// All returns nil
|
2019-11-04 10:08:22 +00:00
|
|
|
func (s *sqliteKeysStorage) All() (map[string]map[uint]dr.Key, error) {
|
2018-09-24 18:07:34 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-07-17 22:25:42 +00:00
|
|
|
type sqliteSessionStorage struct {
|
|
|
|
db *sql.DB
|
|
|
|
}
|
|
|
|
|
|
|
|
func newSQLiteSessionStorage(db *sql.DB) *sqliteSessionStorage {
|
|
|
|
return &sqliteSessionStorage{
|
|
|
|
db: db,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-09-24 18:07:34 +00:00
|
|
|
// Save persists the specified double ratchet state
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteSessionStorage) Save(id []byte, state *dr.State) error {
|
2019-11-04 10:08:22 +00:00
|
|
|
dhr := state.DHr
|
2018-09-24 18:07:34 +00:00
|
|
|
dhs := state.DHs
|
|
|
|
dhsPublic := dhs.PublicKey()
|
|
|
|
dhsPrivate := dhs.PrivateKey()
|
|
|
|
pn := state.PN
|
|
|
|
step := state.Step
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
keysCount := state.KeysCount
|
2018-09-24 18:07:34 +00:00
|
|
|
|
2019-11-04 10:08:22 +00:00
|
|
|
rootChainKey := state.RootCh.CK
|
2018-09-24 18:07:34 +00:00
|
|
|
|
2019-11-04 10:08:22 +00:00
|
|
|
sendChainKey := state.SendCh.CK
|
2018-09-24 18:07:34 +00:00
|
|
|
sendChainN := state.SendCh.N
|
|
|
|
|
2019-11-04 10:08:22 +00:00
|
|
|
recvChainKey := state.RecvCh.CK
|
2018-09-24 18:07:34 +00:00
|
|
|
recvChainN := state.RecvCh.N
|
|
|
|
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`INSERT INTO sessions(id, dhr, dhs_public, dhs_private, root_chain_key, send_chain_key, send_chain_n, recv_chain_key, recv_chain_n, pn, step, keys_count)
|
|
|
|
VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
_, err = stmt.Exec(
|
|
|
|
id,
|
|
|
|
dhr,
|
2019-11-04 10:08:22 +00:00
|
|
|
dhsPublic,
|
|
|
|
dhsPrivate,
|
2018-09-24 18:07:34 +00:00
|
|
|
rootChainKey,
|
|
|
|
sendChainKey,
|
|
|
|
sendChainN,
|
|
|
|
recvChainKey,
|
|
|
|
recvChainN,
|
|
|
|
pn,
|
|
|
|
step,
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
keysCount,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Load retrieves the double ratchet state for a given ID
|
2019-07-17 22:25:42 +00:00
|
|
|
func (s *sqliteSessionStorage) Load(id []byte) (*dr.State, error) {
|
2018-11-28 11:34:39 +00:00
|
|
|
stmt, err := s.db.Prepare(`SELECT dhr, dhs_public, dhs_private, root_chain_key, send_chain_key, send_chain_n, recv_chain_key, recv_chain_n, pn, step, keys_count
|
|
|
|
FROM sessions
|
|
|
|
WHERE id = ?`)
|
2018-09-24 18:07:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
var (
|
|
|
|
dhr []byte
|
|
|
|
dhsPublic []byte
|
|
|
|
dhsPrivate []byte
|
|
|
|
rootChainKey []byte
|
|
|
|
sendChainKey []byte
|
|
|
|
sendChainN uint
|
|
|
|
recvChainKey []byte
|
|
|
|
recvChainN uint
|
|
|
|
pn uint
|
|
|
|
step uint
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
keysCount uint
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
err = stmt.QueryRow(id).Scan(
|
|
|
|
&dhr,
|
|
|
|
&dhsPublic,
|
|
|
|
&dhsPrivate,
|
|
|
|
&rootChainKey,
|
|
|
|
&sendChainKey,
|
|
|
|
&sendChainN,
|
|
|
|
&recvChainKey,
|
|
|
|
&recvChainN,
|
|
|
|
&pn,
|
|
|
|
&step,
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
&keysCount,
|
2018-09-24 18:07:34 +00:00
|
|
|
)
|
|
|
|
switch err {
|
|
|
|
case sql.ErrNoRows:
|
|
|
|
return nil, nil
|
|
|
|
case nil:
|
2019-11-04 10:08:22 +00:00
|
|
|
state := dr.DefaultState(rootChainKey)
|
2018-09-24 18:07:34 +00:00
|
|
|
|
|
|
|
state.PN = uint32(pn)
|
|
|
|
state.Step = step
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 19:00:04 +00:00
|
|
|
state.KeysCount = keysCount
|
2018-09-24 18:07:34 +00:00
|
|
|
|
2019-11-23 17:57:05 +00:00
|
|
|
state.DHs = crypto.DHPair{
|
2019-11-04 10:08:22 +00:00
|
|
|
PrvKey: dhsPrivate,
|
|
|
|
PubKey: dhsPublic,
|
2018-09-24 18:07:34 +00:00
|
|
|
}
|
|
|
|
|
2019-11-04 10:08:22 +00:00
|
|
|
state.DHr = dhr
|
2018-09-24 18:07:34 +00:00
|
|
|
|
2019-11-04 10:08:22 +00:00
|
|
|
state.SendCh.CK = sendChainKey
|
2018-09-24 18:07:34 +00:00
|
|
|
state.SendCh.N = uint32(sendChainN)
|
|
|
|
|
2019-11-04 10:08:22 +00:00
|
|
|
state.RecvCh.CK = recvChainKey
|
2018-09-24 18:07:34 +00:00
|
|
|
state.RecvCh.N = uint32(recvChainN)
|
|
|
|
|
|
|
|
return &state, nil
|
|
|
|
default:
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
2021-09-21 15:47:04 +00:00
|
|
|
|
|
|
|
type HRCache struct {
|
2023-10-12 15:45:23 +00:00
|
|
|
GroupID []byte
|
|
|
|
KeyID []byte
|
|
|
|
DeprecatedKeyID uint32
|
|
|
|
Key []byte
|
|
|
|
Hash []byte
|
|
|
|
SeqNo uint32
|
2021-09-21 15:47:04 +00:00
|
|
|
}
|
|
|
|
|
2023-11-29 17:21:21 +00:00
|
|
|
// GetHashRatchetCache retrieves a hash ratchet key by group ID and seqNo.
|
2021-09-21 15:47:04 +00:00
|
|
|
// If cache data with given seqNo (e.g. 0) is not found,
|
|
|
|
// then the query will return the cache data with the latest seqNo
|
2023-11-29 17:21:21 +00:00
|
|
|
func (s *sqlitePersistence) GetHashRatchetCache(ratchet *HashRatchetKeyCompatibility, seqNo uint32) (*HRCache, error) {
|
2023-10-12 15:45:23 +00:00
|
|
|
stmt, err := s.DB.Prepare(`WITH input AS (
|
|
|
|
select ? AS group_id, ? AS key_id, ? as seq_no, ? AS old_key_id
|
2021-09-21 15:47:04 +00:00
|
|
|
),
|
|
|
|
cec AS (
|
|
|
|
SELECT e.key, c.seq_no, c.hash FROM hash_ratchet_encryption e, input i
|
2023-10-12 15:45:23 +00:00
|
|
|
LEFT JOIN hash_ratchet_encryption_cache c ON e.group_id=c.group_id AND (e.key_id=c.key_id OR e.deprecated_key_id=c.key_id)
|
|
|
|
WHERE (e.key_id=i.key_id OR e.deprecated_key_id=i.old_key_id) AND e.group_id=i.group_id),
|
2021-09-21 15:47:04 +00:00
|
|
|
seq_nos AS (
|
2023-10-12 15:45:23 +00:00
|
|
|
select CASE
|
|
|
|
WHEN EXISTS (SELECT c.seq_no from cec c, input i where c.seq_no=i.seq_no)
|
|
|
|
THEN i.seq_no
|
|
|
|
ELSE (select max(seq_no) from cec)
|
2021-09-21 15:47:04 +00:00
|
|
|
END as seq_no from input i
|
|
|
|
)
|
|
|
|
SELECT c.key, c.seq_no, c.hash FROM cec c, input i, seq_nos s
|
2023-10-12 15:45:23 +00:00
|
|
|
where case when not exists(select seq_no from seq_nos where seq_no is not null)
|
2021-09-21 15:47:04 +00:00
|
|
|
then 1 else c.seq_no = s.seq_no end`)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
var key, hash []byte
|
|
|
|
var seqNoPtr *uint32
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
oldFormat := ratchet.IsOldFormat()
|
|
|
|
if oldFormat {
|
|
|
|
// Query using the deprecated format
|
2023-10-29 08:04:01 +00:00
|
|
|
err = stmt.QueryRow(ratchet.GroupID, nil, seqNo, ratchet.DeprecatedKeyID()).Scan(&key, &seqNoPtr, &hash) //nolint: ineffassign
|
2023-10-12 15:45:23 +00:00
|
|
|
|
|
|
|
} else {
|
|
|
|
keyID, err := ratchet.GetKeyID()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2023-10-29 08:04:01 +00:00
|
|
|
err = stmt.QueryRow(ratchet.GroupID, keyID, seqNo, ratchet.DeprecatedKeyID()).Scan(&key, &seqNoPtr, &hash) //nolint: ineffassign,staticcheck
|
2023-10-12 15:45:23 +00:00
|
|
|
}
|
2023-10-29 08:04:01 +00:00
|
|
|
if len(hash) == 0 && len(key) == 0 {
|
|
|
|
return nil, nil
|
2021-09-21 15:47:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
switch err {
|
|
|
|
case sql.ErrNoRows:
|
|
|
|
return nil, nil
|
|
|
|
case nil:
|
2023-10-29 08:04:01 +00:00
|
|
|
var seqNoResult uint32
|
|
|
|
if seqNoPtr == nil {
|
|
|
|
seqNoResult = 0
|
|
|
|
} else {
|
|
|
|
seqNoResult = *seqNoPtr
|
|
|
|
}
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
ratchet.Key = key
|
|
|
|
keyID, err := ratchet.GetKeyID()
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
res := &HRCache{
|
|
|
|
KeyID: keyID,
|
|
|
|
Key: key,
|
|
|
|
Hash: hash,
|
|
|
|
SeqNo: seqNoResult,
|
|
|
|
}
|
|
|
|
|
2021-09-21 15:47:04 +00:00
|
|
|
return res, nil
|
|
|
|
default:
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
type HashRatchetKeyCompatibility struct {
|
|
|
|
GroupID []byte
|
|
|
|
keyID []byte
|
|
|
|
Timestamp uint64
|
|
|
|
Key []byte
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *HashRatchetKeyCompatibility) DeprecatedKeyID() uint32 {
|
|
|
|
return uint32(h.Timestamp)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *HashRatchetKeyCompatibility) IsOldFormat() bool {
|
|
|
|
return len(h.keyID) == 0 && len(h.Key) == 0
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *HashRatchetKeyCompatibility) GetKeyID() ([]byte, error) {
|
|
|
|
if len(h.keyID) != 0 {
|
|
|
|
return h.keyID, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(h.GroupID) == 0 || h.Timestamp == 0 || len(h.Key) == 0 {
|
|
|
|
return nil, errors.New("could not create key")
|
|
|
|
}
|
|
|
|
|
|
|
|
return generateHashRatchetKeyID(h.GroupID, h.Timestamp, h.Key), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *HashRatchetKeyCompatibility) GenerateNext() (*HashRatchetKeyCompatibility, error) {
|
|
|
|
|
|
|
|
ratchet := &HashRatchetKeyCompatibility{
|
|
|
|
GroupID: h.GroupID,
|
|
|
|
}
|
|
|
|
|
|
|
|
// Randomly generate a hash ratchet key
|
|
|
|
hrKey, err := crypto.GenerateKey()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
hrKeyBytes := crypto.FromECDSA(hrKey)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
currentTime := GetCurrentTime()
|
|
|
|
if h.Timestamp < currentTime {
|
|
|
|
ratchet.Timestamp = bumpKeyID(currentTime)
|
|
|
|
} else {
|
|
|
|
ratchet.Timestamp = h.Timestamp + 1
|
|
|
|
}
|
|
|
|
|
|
|
|
ratchet.Key = hrKeyBytes
|
|
|
|
|
|
|
|
_, err = ratchet.GetKeyID()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return ratchet, nil
|
|
|
|
}
|
|
|
|
|
2023-05-04 22:17:54 +00:00
|
|
|
// GetCurrentKeyForGroup retrieves a key ID for given group ID
|
2021-09-21 15:47:04 +00:00
|
|
|
// (with an assumption that key ids are shared in the group, and
|
|
|
|
// at any given time there is a single key used)
|
2023-10-12 15:45:23 +00:00
|
|
|
func (s *sqlitePersistence) GetCurrentKeyForGroup(groupID []byte) (*HashRatchetKeyCompatibility, error) {
|
|
|
|
ratchet := &HashRatchetKeyCompatibility{
|
|
|
|
GroupID: groupID,
|
|
|
|
}
|
2021-09-21 15:47:04 +00:00
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
stmt, err := s.DB.Prepare(`SELECT key_id, key_timestamp, key
|
2021-09-21 15:47:04 +00:00
|
|
|
FROM hash_ratchet_encryption
|
2023-10-12 15:45:23 +00:00
|
|
|
WHERE group_id = ? order by key_timestamp desc limit 1`)
|
2021-09-21 15:47:04 +00:00
|
|
|
if err != nil {
|
2023-10-12 15:45:23 +00:00
|
|
|
return nil, err
|
2021-09-21 15:47:04 +00:00
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
var keyID, key []byte
|
|
|
|
var timestamp uint64
|
|
|
|
err = stmt.QueryRow(groupID).Scan(&keyID, ×tamp, &key)
|
2021-09-21 15:47:04 +00:00
|
|
|
|
|
|
|
switch err {
|
|
|
|
case sql.ErrNoRows:
|
2023-10-12 15:45:23 +00:00
|
|
|
return ratchet, nil
|
2021-09-21 15:47:04 +00:00
|
|
|
case nil:
|
2023-10-12 15:45:23 +00:00
|
|
|
ratchet.Key = key
|
|
|
|
ratchet.Timestamp = timestamp
|
|
|
|
_, err = ratchet.GetKeyID()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return ratchet, nil
|
2021-09-21 15:47:04 +00:00
|
|
|
default:
|
2023-10-12 15:45:23 +00:00
|
|
|
return nil, err
|
2021-09-21 15:47:04 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
// GetKeysForGroup retrieves all key IDs for given group ID
|
|
|
|
func (s *sqlitePersistence) GetKeysForGroup(groupID []byte) ([]*HashRatchetKeyCompatibility, error) {
|
2022-09-21 16:05:29 +00:00
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
var ratchets []*HashRatchetKeyCompatibility
|
|
|
|
stmt, err := s.DB.Prepare(`SELECT key_id, key_timestamp, key
|
2022-09-21 16:05:29 +00:00
|
|
|
FROM hash_ratchet_encryption
|
2023-10-12 15:45:23 +00:00
|
|
|
WHERE group_id = ? order by key_timestamp desc`)
|
2022-09-21 16:05:29 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
|
|
|
rows, err := stmt.Query(groupID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
for rows.Next() {
|
2023-10-12 15:45:23 +00:00
|
|
|
ratchet := &HashRatchetKeyCompatibility{GroupID: groupID}
|
|
|
|
err := rows.Scan(&ratchet.keyID, &ratchet.Timestamp, &ratchet.Key)
|
2022-09-21 16:05:29 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2023-10-12 15:45:23 +00:00
|
|
|
ratchets = append(ratchets, ratchet)
|
2022-09-21 16:05:29 +00:00
|
|
|
}
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
return ratchets, nil
|
2022-09-21 16:05:29 +00:00
|
|
|
}
|
|
|
|
|
2023-05-04 22:17:54 +00:00
|
|
|
// SaveHashRatchetKeyHash saves a hash ratchet key cache data
|
2021-09-21 15:47:04 +00:00
|
|
|
func (s *sqlitePersistence) SaveHashRatchetKeyHash(
|
2023-10-12 15:45:23 +00:00
|
|
|
ratchet *HashRatchetKeyCompatibility,
|
2021-09-21 15:47:04 +00:00
|
|
|
hash []byte,
|
|
|
|
seqNo uint32,
|
|
|
|
) error {
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
stmt, err := s.DB.Prepare(`INSERT INTO hash_ratchet_encryption_cache(group_id, key_id, hash, seq_no)
|
2021-09-21 15:47:04 +00:00
|
|
|
VALUES(?, ?, ?, ?)`)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
keyID, err := ratchet.GetKeyID()
|
2022-11-07 17:30:00 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
_, err = stmt.Exec(ratchet.GroupID, keyID, hash, seqNo)
|
2022-11-07 17:30:00 +00:00
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// SaveHashRatchetKey saves a hash ratchet key
|
|
|
|
func (s *sqlitePersistence) SaveHashRatchetKey(ratchet *HashRatchetKeyCompatibility) error {
|
|
|
|
stmt, err := s.DB.Prepare(`INSERT INTO hash_ratchet_encryption(group_id, key_id, key_timestamp, deprecated_key_id, key)
|
|
|
|
VALUES(?,?,?,?,?)`)
|
2022-11-07 17:30:00 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer stmt.Close()
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
keyID, err := ratchet.GetKeyID()
|
2021-09-21 15:47:04 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-10-12 15:45:23 +00:00
|
|
|
_, err = stmt.Exec(ratchet.GroupID, keyID, ratchet.Timestamp, ratchet.DeprecatedKeyID(), ratchet.Key)
|
2021-09-21 15:47:04 +00:00
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
2023-11-29 17:21:21 +00:00
|
|
|
|
|
|
|
func (s *sqlitePersistence) GetHashRatchetKeyByID(keyID []byte) (*HashRatchetKeyCompatibility, error) {
|
|
|
|
ratchet := &HashRatchetKeyCompatibility{
|
|
|
|
keyID: keyID,
|
|
|
|
}
|
|
|
|
|
|
|
|
err := s.DB.QueryRow(`
|
|
|
|
SELECT group_id, key_timestamp, key
|
|
|
|
FROM hash_ratchet_encryption
|
|
|
|
WHERE key_id = ?`, keyID).Scan(&ratchet.GroupID, &ratchet.Timestamp, &ratchet.Key)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
if err == sql.ErrNoRows {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return ratchet, nil
|
|
|
|
}
|