Session encryption protocol.

Changes from #390 and #101 (service repo)
2025-08-11 20:37:39 +00:00 · 2020-12-18 13:02:33 +11:00
parent 9002606917
commit e33b8a5fa2
11 changed files with 242 additions and 52 deletions
--- a/app/src/main/java/org/thoughtcrime/securesms/ApplicationContext.java
+++ b/app/src/main/java/org/thoughtcrime/securesms/ApplicationContext.java
@@ -562,7 +562,16 @@ public class ApplicationContext extends MultiDexApplication implements Dependenc
    });
  }

-  public void clearData() {
+  //FIXME AC: Using this method to cleanup app data is unsafe due to potential concurrent
+  // activity that still might be using the data that is being deleted here.
+  // The most reliable and safe way to do this is to use official API call:
+  // https://developer.android.com/reference/android/app/ActivityManager.html#clearApplicationUserData()
+  // The downside is it kills the app in the process and there's no any conventional way to start
+  // another activity when the task is done.
+  // Dev community is in demand for such a feature, so check on it some time in the feature
+  // and replace our implementation with the API call when it's safe to do so.
+  // Here's a feature request related https://issuetracker.google.com/issues/174903931
+  public void clearAllData() {
    String token = TextSecurePreferences.getFCMToken(this);
    if (token != null && !token.isEmpty()) {
      LokiPushNotificationManager.unregister(token, this);
--- a/app/src/main/java/org/thoughtcrime/securesms/dependencies/SignalCommunicationModule.java
+++ b/app/src/main/java/org/thoughtcrime/securesms/dependencies/SignalCommunicationModule.java
@@ -31,6 +31,7 @@ import org.thoughtcrime.securesms.jobs.StickerPackDownloadJob;
 import org.thoughtcrime.securesms.jobs.TypingSendJob;
 import org.thoughtcrime.securesms.linkpreview.LinkPreviewRepository;
 import org.thoughtcrime.securesms.logging.Log;
+import org.thoughtcrime.securesms.loki.api.SessionProtocolImpl;
 import org.thoughtcrime.securesms.loki.protocol.SessionResetImplementation;
 import org.thoughtcrime.securesms.preferences.AppProtectionPreferenceFragment;
 import org.thoughtcrime.securesms.push.MessageSenderEventListener;
@@ -100,8 +101,8 @@ public class SignalCommunicationModule {
                                                          DatabaseFactory.getSSKDatabase(context),
                                                          DatabaseFactory.getLokiThreadDatabase(context),
                                                          DatabaseFactory.getLokiMessageDatabase(context),
-//                                                          DatabaseFactory.getLokiPreKeyBundleDatabase(context),
-                                                          null,
+                                                          null, // DatabaseFactory.getLokiPreKeyBundleDatabase(context)
+                                                          new SessionProtocolImpl(context),
                                                          new SessionResetImplementation(context),
                                                          DatabaseFactory.getLokiUserDatabase(context),
                                                          DatabaseFactory.getGroupDatabase(context),
--- a/app/src/main/java/org/thoughtcrime/securesms/jobs/PushDecryptJob.java
+++ b/app/src/main/java/org/thoughtcrime/securesms/jobs/PushDecryptJob.java
@@ -63,6 +63,7 @@ import org.thoughtcrime.securesms.linkpreview.LinkPreview;
 import org.thoughtcrime.securesms.linkpreview.LinkPreviewUtil;
 import org.thoughtcrime.securesms.logging.Log;
 import org.thoughtcrime.securesms.loki.activities.HomeActivity;
+import org.thoughtcrime.securesms.loki.api.SessionProtocolImpl;
 import org.thoughtcrime.securesms.loki.database.LokiMessageDatabase;
 import org.thoughtcrime.securesms.loki.database.LokiThreadDatabase;
 import org.thoughtcrime.securesms.loki.protocol.ClosedGroupsProtocol;
@@ -244,7 +245,7 @@ public class PushDecryptJob extends BaseJob implements InjectableType {
      SignalProtocolStore  axolotlStore         = new SignalProtocolStoreImpl(context);
      SessionResetProtocol sessionResetProtocol = new SessionResetImplementation(context);
      SignalServiceAddress localAddress         = new SignalServiceAddress(TextSecurePreferences.getLocalNumber(context));
-      LokiServiceCipher    cipher               = new LokiServiceCipher(localAddress, axolotlStore, DatabaseFactory.getSSKDatabase(context), sessionResetProtocol, UnidentifiedAccessUtil.getCertificateValidator());
+      LokiServiceCipher    cipher               = new LokiServiceCipher(localAddress, axolotlStore, DatabaseFactory.getSSKDatabase(context), new SessionProtocolImpl(context), sessionResetProtocol, UnidentifiedAccessUtil.getCertificateValidator());

      SignalServiceContent content = cipher.decrypt(envelope);

--- a/app/src/main/java/org/thoughtcrime/securesms/loki/activities/HomeActivity.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/loki/activities/HomeActivity.kt
@@ -204,7 +204,7 @@ class HomeActivity : PassphraseRequiredActionBarActivity, ConversationClickListe
        // Clear all data if this is a secondary device
        if (TextSecurePreferences.getMasterHexEncodedPublicKey(this) != null) {
            TextSecurePreferences.setWasUnlinked(this, true)
-            ApplicationContext.getInstance(this).clearData()
+            ApplicationContext.getInstance(this).clearAllData()
        }

        // Perform chat sessions reset if requested (usually happens after backup restoration).
@@ -220,36 +220,6 @@ class HomeActivity : PassphraseRequiredActionBarActivity, ConversationClickListe
        if (hasViewedSeed || !isMasterDevice) {
            seedReminderView.visibility = View.GONE
        }
-
-        // Multi device removal sheet
-        if (!TextSecurePreferences.getHasSeenMultiDeviceRemovalSheet(this)) {
-            TextSecurePreferences.setHasSeenMultiDeviceRemovalSheet(this)
-            val userPublicKey = TextSecurePreferences.getLocalNumber(this)
-            val deviceLinks = DatabaseFactory.getLokiAPIDatabase(this).getDeviceLinks(userPublicKey)
-            if (deviceLinks.isNotEmpty()) {
-                val bottomSheet = MultiDeviceRemovalBottomSheet()
-                bottomSheet.onOKTapped = {
-                    bottomSheet.dismiss()
-                }
-                bottomSheet.onLinkTapped = {
-                    bottomSheet.dismiss()
-                    val url = "https://getsession.org/faq"
-                    val intent = Intent(Intent.ACTION_VIEW, Uri.parse(url))
-                    startActivity(intent)
-                }
-                bottomSheet.show(supportFragmentManager, bottomSheet.tag)
-                return
-            }
-        }
-
-        // Light theme introduction sheet
-        if (!TextSecurePreferences.hasSeenLightThemeIntroSheet(this) &&
-                UiModeUtilities.isDayUiMode(this)) {
-            TextSecurePreferences.setHasSeenLightThemeIntroSheet(this)
-            val bottomSheet = LightThemeFeatureIntroBottomSheet()
-            bottomSheet.show(supportFragmentManager, bottomSheet.tag)
-            return
-        }
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
--- a/app/src/main/java/org/thoughtcrime/securesms/loki/api/SessionProtocolImpl.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/loki/api/SessionProtocolImpl.kt
@@ -0,0 +1,99 @@
+package org.thoughtcrime.securesms.loki.api
+
+import android.content.Context
+import android.util.Log
+import com.goterl.lazycode.lazysodium.LazySodiumAndroid
+import com.goterl.lazycode.lazysodium.SodiumAndroid
+import com.goterl.lazycode.lazysodium.interfaces.Box
+import com.goterl.lazycode.lazysodium.interfaces.Sign
+import org.session.libsignal.libsignal.util.Hex
+import org.session.libsignal.service.api.messages.SignalServiceEnvelope
+import org.session.libsignal.service.internal.push.SignalServiceProtos.Envelope.Type.CLOSED_GROUP_CIPHERTEXT_VALUE
+import org.session.libsignal.service.internal.push.SignalServiceProtos.Envelope.Type.UNIDENTIFIED_SENDER_VALUE
+import org.session.libsignal.service.loki.api.crypto.SessionProtocol
+import org.session.libsignal.service.loki.utilities.removing05PrefixIfNeeded
+import org.session.libsignal.service.loki.utilities.toHexString
+import org.thoughtcrime.securesms.crypto.IdentityKeyUtil
+import org.thoughtcrime.securesms.database.DatabaseFactory
+import org.thoughtcrime.securesms.loki.utilities.KeyPairUtilities
+import org.thoughtcrime.securesms.util.TextSecurePreferences
+
+class SessionProtocolImpl(private val context: Context) : SessionProtocol {
+
+    override fun encrypt(plaintext: ByteArray, recipientHexEncodedX25519PublicKey: String): ByteArray {
+        val userED25519KeyPair = KeyPairUtilities.getUserED25519KeyPair(context) ?: throw SessionProtocol.Exception.NoUserED25519KeyPair
+        val recipientX25519PublicKey = Hex.fromStringCondensed(recipientHexEncodedX25519PublicKey.removing05PrefixIfNeeded())
+        val sodium = LazySodiumAndroid(SodiumAndroid())
+
+        val verificationData = plaintext + userED25519KeyPair.publicKey.asBytes + recipientX25519PublicKey
+        val signature = ByteArray(Sign.BYTES)
+        try {
+            sodium.cryptoSignDetached(signature, verificationData, verificationData.size.toLong(), userED25519KeyPair.secretKey.asBytes)
+        } catch (exception: Exception) {
+            Log.d("Loki", "Couldn't sign message due to error: $exception.")
+            throw SessionProtocol.Exception.SigningFailed
+        }
+        val plaintextWithMetadata = plaintext + userED25519KeyPair.publicKey.asBytes + signature
+        val ciphertext = ByteArray(plaintextWithMetadata.size + Box.SEALBYTES)
+        try {
+            sodium.cryptoBoxSeal(ciphertext, plaintextWithMetadata, plaintextWithMetadata.size.toLong(), recipientX25519PublicKey)
+        } catch (exception: Exception) {
+            Log.d("Loki", "Couldn't encrypt message due to error: $exception.")
+            throw SessionProtocol.Exception.EncryptionFailed
+        }
+
+        return ciphertext
+    }
+
+    override fun decrypt(envelope: SignalServiceEnvelope): Pair<ByteArray, String> {
+        val ciphertext = envelope.content ?: throw SessionProtocol.Exception.NoData
+        val recipientX25519PrivateKey: ByteArray
+        val recipientX25519PublicKey: ByteArray
+        when (envelope.type) {
+            UNIDENTIFIED_SENDER_VALUE -> {
+                recipientX25519PrivateKey = IdentityKeyUtil.getIdentityKeyPair(context).privateKey.serialize()
+                recipientX25519PublicKey = Hex.fromStringCondensed(TextSecurePreferences.getLocalNumber(context).removing05PrefixIfNeeded())
+            }
+            CLOSED_GROUP_CIPHERTEXT_VALUE -> {
+                val hexEncodedGroupPublicKey = envelope.source
+                val sskDB = DatabaseFactory.getSSKDatabase(context)
+                if (!sskDB.isSSKBasedClosedGroup(hexEncodedGroupPublicKey)) { throw SessionProtocol.Exception.InvalidGroupPublicKey }
+                val hexEncodedGroupPrivateKey = sskDB.getClosedGroupPrivateKey(hexEncodedGroupPublicKey) ?: throw SessionProtocol.Exception.NoGroupPrivateKey
+                recipientX25519PrivateKey = Hex.fromStringCondensed(hexEncodedGroupPrivateKey)
+                recipientX25519PublicKey = Hex.fromStringCondensed(hexEncodedGroupPublicKey.removing05PrefixIfNeeded())
+            }
+            else -> throw AssertionError()
+        }
+        val sodium = LazySodiumAndroid(SodiumAndroid())
+        val signatureSize = Sign.BYTES
+        val ed25519PublicKeySize = Sign.PUBLICKEYBYTES
+
+        // 1. ) Decrypt the message
+        val plaintextWithMetadata = ByteArray(ciphertext.size - Box.SEALBYTES)
+        try {
+            sodium.cryptoBoxSealOpen(plaintextWithMetadata, ciphertext, ciphertext.size.toLong(), recipientX25519PublicKey, recipientX25519PrivateKey)
+        } catch (exception: Exception) {
+            Log.d("Loki", "Couldn't decrypt message due to error: $exception.")
+            throw SessionProtocol.Exception.DecryptionFailed
+        }
+        if (plaintextWithMetadata.size <= (signatureSize + ed25519PublicKeySize)) { throw SessionProtocol.Exception.DecryptionFailed }
+        // 2. ) Get the message parts
+        val signature = plaintextWithMetadata.sliceArray(plaintextWithMetadata.size - signatureSize until plaintextWithMetadata.size)
+        val senderED25519PublicKey = plaintextWithMetadata.sliceArray(plaintextWithMetadata.size - (signatureSize + ed25519PublicKeySize) until plaintextWithMetadata.size - signatureSize)
+        val plaintext = plaintextWithMetadata.sliceArray(0 until plaintextWithMetadata.size - (signatureSize + ed25519PublicKeySize))
+        // 3. ) Verify the signature
+        val verificationData = (plaintext + senderED25519PublicKey + recipientX25519PublicKey)
+        try {
+            val isValid = sodium.cryptoSignVerifyDetached(signature, verificationData, verificationData.size, senderED25519PublicKey)
+            if (!isValid) { throw SessionProtocol.Exception.InvalidSignature }
+        } catch (exception: Exception) {
+            Log.d("Loki", "Couldn't verify message signature due to error: $exception.")
+            throw SessionProtocol.Exception.InvalidSignature
+        }
+        // 4. ) Get the sender's X25519 public key
+        val senderX25519PublicKey = ByteArray(Sign.CURVE25519_PUBLICKEYBYTES)
+        sodium.convertPublicKeyEd25519ToCurve25519(senderX25519PublicKey, senderED25519PublicKey)
+
+        return Pair(plaintext, "05" + senderX25519PublicKey.toHexString())
+    }
+}
--- a/app/src/main/java/org/thoughtcrime/securesms/loki/dialogs/ClearAllDataDialog.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/loki/dialogs/ClearAllDataDialog.kt
@@ -27,13 +27,13 @@ class ClearAllDataDialog : DialogFragment() {

    private fun clearAllData() {
        if (KeyPairUtilities.hasV2KeyPair(requireContext())) {
-            ApplicationContext.getInstance(context).clearData()
+            ApplicationContext.getInstance(context).clearAllData()
        } else {
            val dialog = AlertDialog.Builder(requireContext())
            val message = "We’ve upgraded the way Session IDs are generated, so you will be unable to restore your current Session ID."
            dialog.setMessage(message)
            dialog.setPositiveButton("Yes") { _, _ ->
-                ApplicationContext.getInstance(context).clearData()
+                ApplicationContext.getInstance(context).clearAllData()
            }
            dialog.setNegativeButton("Cancel") { _, _ ->
                // Do nothing
--- a/app/src/main/java/org/thoughtcrime/securesms/loki/utilities/KeyPairUtilities.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/loki/utilities/KeyPairUtilities.kt
@@ -3,6 +3,7 @@ package org.thoughtcrime.securesms.loki.utilities
 import android.content.Context
 import com.goterl.lazycode.lazysodium.LazySodiumAndroid
 import com.goterl.lazycode.lazysodium.SodiumAndroid
+import com.goterl.lazycode.lazysodium.utils.Key
 import com.goterl.lazycode.lazysodium.utils.KeyPair
 import org.thoughtcrime.securesms.crypto.IdentityKeyUtil
 import org.thoughtcrime.securesms.util.Base64
@@ -44,6 +45,13 @@ object KeyPairUtilities {
        return (IdentityKeyUtil.retrieve(context, IdentityKeyUtil.ED25519_SECRET_KEY) != null)
    }

+    fun getUserED25519KeyPair(context: Context): KeyPair? {
+        val hexEncodedED25519PublicKey = IdentityKeyUtil.retrieve(context, IdentityKeyUtil.ED25519_PUBLIC_KEY) ?: return null
+        val hexEncodedED25519SecretKey = IdentityKeyUtil.retrieve(context, IdentityKeyUtil.ED25519_SECRET_KEY) ?: return null
+        val ed25519PublicKey = Key.fromBase64String(hexEncodedED25519PublicKey)
+        val ed25519SecretKey = Key.fromBase64String(hexEncodedED25519SecretKey)
+        return KeyPair(ed25519PublicKey, ed25519SecretKey)
+    }

    data class KeyPairGenerationResult(
            val seed: ByteArray,