D15546.1765004428.diff
No OneTemporary
Actions

Size

6 KB

Referenced Files

None

Subscribers

None

D15546.1765004428.diff
View Options

	diff --git a/keyserver/src/creators/account-creator.js b/keyserver/src/creators/account-creator.js
	--- a/keyserver/src/creators/account-creator.js
	+++ b/keyserver/src/creators/account-creator.js
	@@ -13,10 +13,12 @@
	import type {
	UserDetail,
	ReservedUsernameMessage,
	+ IdentityKeysBlob,
	} from 'lib/types/crypto-types.js';
	import { messageTypes } from 'lib/types/message-types-enum.js';
	import type { RawMessageInfo } from 'lib/types/message-types.js';
	import { threadTypes } from 'lib/types/thread-types-enum.js';
	+import { identityKeysBlobValidator } from 'lib/utils/crypto-utils.js';
	import { ServerError } from 'lib/utils/errors.js';
	import { values } from 'lib/utils/objects.js';
	import { ignorePromiseRejections } from 'lib/utils/promises.js';
	@@ -91,10 +93,18 @@
	// Olm sessions have to be created before createNewUserCookie is called,
	// to avoid propagating a user cookie in case session creation fails
	const olmNotifSession = await (async () => {
	- if (initialNotificationsEncryptedMessage) {
	+ if (initialNotificationsEncryptedMessage && signedIdentityKeysBlob) {
	+ const identityKeys: IdentityKeysBlob = JSON.parse(
	+ signedIdentityKeysBlob.payload,
	+ );
	+ if (!identityKeysBlobValidator.is(identityKeys)) {
	+ throw new ServerError('invalid_identity_keys_blob');
	+ }
	+
	return await createOlmSession(
	initialNotificationsEncryptedMessage,
	'notifications',
	+ identityKeys.notificationIdentityPublicKeys.curve25519,
	);
	}
	return null;
	diff --git a/keyserver/src/creators/olm-session-creator.js b/keyserver/src/creators/olm-session-creator.js
	--- a/keyserver/src/creators/olm-session-creator.js
	+++ b/keyserver/src/creators/olm-session-creator.js
	@@ -11,7 +11,7 @@
	async function createOlmSession(
	initialEncryptedMessage: string,
	olmSessionType: 'content' \| 'notifications',
	- theirCurve25519Key?: string,
	+ theirCurve25519Key: string,
	): Promise<string> {
	const callback = (account: OlmAccount, picklingKey: string) =>
	createPickledOlmSession(
	@@ -52,7 +52,7 @@
	initialEncryptedMessage: string,
	olmSessionType: 'content' \| 'notifications',
	cookieID: string,
	- theirCurve25519Key?: string,
	+ theirCurve25519Key: string,
	): Promise<void> {
	const pickledOlmSession = await createOlmSession(
	initialEncryptedMessage,
	diff --git a/keyserver/src/responders/user-responders.js b/keyserver/src/responders/user-responders.js
	--- a/keyserver/src/responders/user-responders.js
	+++ b/keyserver/src/responders/user-responders.js
	@@ -292,9 +292,16 @@
	// to avoid propagating a user cookie in case session creation fails
	const olmNotifSession = await (async () => {
	if (initialNotificationsEncryptedMessage && signedIdentityKeysBlob) {
	+ const identityKeys: IdentityKeysBlob = JSON.parse(
	+ signedIdentityKeysBlob.payload,
	+ );
	+ if (!identityKeysBlobValidator.is(identityKeys)) {
	+ throw new ServerError('invalid_identity_keys_blob');
	+ }
	return await createOlmSession(
	initialNotificationsEncryptedMessage,
	'notifications',
	+ identityKeys.notificationIdentityPublicKeys.curve25519,
	);
	}
	return null;
	diff --git a/keyserver/src/session/cookies.js b/keyserver/src/session/cookies.js
	--- a/keyserver/src/session/cookies.js
	+++ b/keyserver/src/session/cookies.js
	@@ -741,6 +741,18 @@
	);
	}

	+async function getSignedIdentityKeysBlobFromCookiesTable(
	+ cookieID: string,
	+): Promise<?string> {
	+ const query = SQL`
	+ SELECT signed_identity_keys
	+ FROM cookies
	+ WHERE id = ${cookieID}
	+ `;
	+ const [queryResult] = await dbQuery(query);
	+ return queryResult[0]?.signed_identity_keys;
	+}
	+
	async function isCookieMissingOlmNotificationsSession(
	viewer: Viewer,
	): Promise<boolean> {
	@@ -823,4 +835,5 @@
	setCookiePlatform,
	setCookiePlatformDetails,
	isCookieMissingOlmNotificationsSession,
	+ getSignedIdentityKeysBlobFromCookiesTable,
	};
	diff --git a/keyserver/src/socket/session-utils.js b/keyserver/src/socket/session-utils.js
	--- a/keyserver/src/socket/session-utils.js
	+++ b/keyserver/src/socket/session-utils.js
	@@ -28,6 +28,8 @@
	type ServerCheckStateServerRequest,
	} from 'lib/types/request-types.js';
	import { sessionCheckFrequency } from 'lib/types/session-types.js';
	+import { identityKeysBlobValidator } from 'lib/utils/crypto-utils.js';
	+import { ServerError } from 'lib/utils/errors.js';
	import { hash, values } from 'lib/utils/objects.js';
	import { getOlmUtility } from 'lib/utils/olm-utility.js';
	import { promiseAll, ignorePromiseRejections } from 'lib/utils/promises.js';
	@@ -40,6 +42,7 @@
	setCookiePlatform,
	setCookiePlatformDetails,
	setCookieSignedIdentityKeysBlob,
	+ getSignedIdentityKeysBlobFromCookiesTable,
	} from '../session/cookies.js';
	import type { Viewer } from '../session/viewer.js';
	import { serverStateSyncSpecs } from '../shared/state-sync/state-sync-specs.js';
	@@ -151,10 +154,23 @@
	);
	const { initialNotificationsEncryptedMessage } = clientResponse;
	try {
	+ const signedIdentityKeysBlob =
	+ await getSignedIdentityKeysBlobFromCookiesTable(viewer.cookieID);
	+ if (!signedIdentityKeysBlob) {
	+ continue;
	+ }
	+ const identityKeys: IdentityKeysBlob = JSON.parse(
	+ signedIdentityKeysBlob,
	+ );
	+ if (!identityKeysBlobValidator.is(identityKeys)) {
	+ throw new ServerError('invalid_identity_keys_blob');
	+ }
	+
	await createAndPersistOlmSession(
	initialNotificationsEncryptedMessage,
	'notifications',
	viewer.cookieID,
	+ identityKeys.notificationIdentityPublicKeys.curve25519,
	);
	} catch (e) {
	continue;
	diff --git a/keyserver/src/utils/olm-objects.js b/keyserver/src/utils/olm-objects.js
	--- a/keyserver/src/utils/olm-objects.js
	+++ b/keyserver/src/utils/olm-objects.js
	@@ -97,20 +97,16 @@
	account: OlmAccount,
	accountPicklingKey: string,
	initialEncryptedMessage: string,
	- theirCurve25519Key?: string,
	+ theirCurve25519Key: string,
	): Promise<string> {
	await olm.init();
	const session = new olm.Session();

	- if (theirCurve25519Key) {
	- session.create_inbound_from(
	- account,
	- theirCurve25519Key,
	- initialEncryptedMessage,
	- );
	- } else {
	- session.create_inbound(account, initialEncryptedMessage);
	- }
	+ session.create_inbound_from(
	+ account,
	+ theirCurve25519Key,
	+ initialEncryptedMessage,
	+ );

	account.remove_one_time_keys(session);
	session.decrypt(olmEncryptedMessageTypes.PREKEY, initialEncryptedMessage);

File Metadata

Mime Type: text/plain
Expires: Sat, Dec 6, 7:00 AM (21 h, 12 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 5828852
Default Alt Text: D15546.1765004428.diff (6 KB)

D15546.1765004428.diffNo OneTemporaryActions

D15546.1765004428.diffView Options

File Metadata

Event Timeline

D15546.1765004428.diff
No OneTemporary
Actions

D15546.1765004428.diff
View Options