Check recipient and sender in Olm messages

Embed the sender, recipient, and recipient keys in the plaintext of Olm messages, and check those fields on receipt. Fixes https://github.com/vector-im/vector-web/issues/2483
2025-08-15 07:22:16 +03:00 · 2016-10-19 11:24:59 +01:00
parent c5d738d25c
commit b5c7c700d5
7 changed files with 241 additions and 65 deletions
--- a/lib/crypto/algorithms/megolm.js
+++ b/lib/crypto/algorithms/megolm.js
@@ -244,17 +244,27 @@ MegolmEncryption.prototype._shareKeyWithDevices = function(session_id, shareMap)

                var deviceInfo = sessionResult.device;

+                var encryptedContent = {
+                    algorithm: olmlib.OLM_ALGORITHM,
+                    sender_key: self._olmDevice.deviceCurve25519Key,
+                    ciphertext: {},
+                };
+
+                olmlib.encryptMessageForDevice(
+                    encryptedContent.ciphertext,
+                    self._userId,
+                    self._deviceId,
+                    self._olmDevice,
+                    userId,
+                    deviceInfo,
+                    payload
+                );
+
                if (!contentMap[userId]) {
                    contentMap[userId] = {};
                }

-                contentMap[userId][deviceId] =
-                    olmlib.encryptMessageForDevices(
-                        self._deviceId,
-                        self._olmDevice,
-                        [deviceInfo.getIdentityKey()],
-                        payload
-                    );
+                contentMap[userId][deviceId] = encryptedContent;
                haveTargets = true;
            }
        }
@@ -413,21 +423,35 @@ MegolmDecryption.prototype.decryptEvent = function(event) {
        throw new base.DecryptionError("Missing fields in input");
    }

+    var res;
    try {
-        var res = this._olmDevice.decryptGroupMessage(
+        res = this._olmDevice.decryptGroupMessage(
            event.room_id, content.sender_key, content.session_id, content.ciphertext
        );
-        if (res === null) {
-            return null;
-        }
-        return {
-            payload: JSON.parse(res.result),
-            keysClaimed: res.keysClaimed,
-            keysProved: res.keysProved,
-        };
    } catch (e) {
        throw new base.DecryptionError(e);
    }
+
+    if (res === null) {
+        return null;
+    }
+
+    var payload = JSON.parse(res.result);
+
+    // belt-and-braces check that the room id matches that indicated by the HS
+    // (this is somewhat redundant, since the megolm session is scoped to the
+    // room, so neither the sender nor a MITM can lie about the room_id).
+    if (payload.room_id !== event.room_id) {
+        throw new base.DecryptionError(
+            "Message intended for room " + payload.room_id
+        );
+    }
+
+    return {
+        payload: payload,
+        keysClaimed: res.keysClaimed,
+        keysProved: res.keysProved,
+    };
 };

 /**