From dd9c9ddf9e8d1a1b45a116eb3e48f1dc03e009cc Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 17 May 2024 14:16:47 +0200 Subject: [PATCH 1/9] Don't store encryption key separately This is unnecessary and was missed in #1565. --- openmls/src/key_packages/mod.rs | 5 ----- openmls/src/messages/tests/test_welcome.rs | 7 ++++--- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/openmls/src/key_packages/mod.rs b/openmls/src/key_packages/mod.rs index 558b73efa..17b8621de 100644 --- a/openmls/src/key_packages/mod.rs +++ b/openmls/src/key_packages/mod.rs @@ -532,11 +532,6 @@ impl KeyPackageBuilder { .write_key_package(&full_kp.key_package.hash_ref(provider.crypto())?, &full_kp) .map_err(|_| KeyPackageNewError::StorageError)?; - // Store the encryption key pair in the key store. - encryption_keypair - .write(provider.storage()) - .map_err(|_| KeyPackageNewError::StorageError)?; - Ok(full_kp) } } diff --git a/openmls/src/messages/tests/test_welcome.rs b/openmls/src/messages/tests/test_welcome.rs index f817bbb07..76b73f939 100644 --- a/openmls/src/messages/tests/test_welcome.rs +++ b/openmls/src/messages/tests/test_welcome.rs @@ -148,9 +148,10 @@ fn test_welcome_context_mismatch( welcome.encrypted_group_info = encrypted_verifiable_group_info.into(); // Create backup of encryption keypair, s.t. we can process the welcome a second time after failing. - let encryption_keypair = - EncryptionKeyPair::read(provider, bob_kpb.key_package().leaf_node().encryption_key()) - .unwrap(); + let encryption_keypair = EncryptionKeyPair::from(( + bob_kpb.key_package().leaf_node().encryption_key().clone(), + bob_kpb.private_encryption_key.clone(), + )); // Bob tries to join the group let err = StagedWelcome::new_from_welcome( From 7fbfd83ac6f595866538135178aa5fbfffe93989 Mon Sep 17 00:00:00 2001 
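Review bot: With the separate `encryption_keypair.write(provider.storage())` removed from `KeyPackageBuilder::build`, the private encryption key is presumably reachable only through the bundle written by `write_key_package` (the test_welcome.rs hunk of this same patch reads it as `bob_kpb.private_encryption_key`), so any caller that still loads it with `EncryptionKeyPair::read(provider, leaf_node.encryption_key())` for a key-package leaf would now miss, and the failure would only surface at join time. The test hunk fixes one such site; it is worth confirming no others remain. A one-line comment at the removed spot would make the invariant explicit: `// The private encryption key travels inside the KeyPackageBundle written above; it is not stored under its own key.` The enclosing `build` method starts outside the hunk.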
From: Franziskus Kiefer Date: Fri, 17 May 2024 14:20:56 +0200 Subject: [PATCH 2/9] docs: not storing some values causes failures when loading the group --- traits/src/storage.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/traits/src/storage.rs b/traits/src/storage.rs index f0b138fe6..e5aad83e7 100644 --- a/traits/src/storage.rs +++ b/traits/src/storage.rs @@ -21,6 +21,10 @@ pub const V_TEST: u16 = u16::MAX; /// Many getters for lists return a `Result, E>`. In this case, if there was no error but /// the value doesn't exist, an empty vector should be returned. /// +/// Any value that uses the group id as key is required by the group. +/// Returning `None` or an error for any of them will cause a failure when +/// loading a group. +/// /// More details can be taken from the comments on the respective method. pub trait StorageProvider { /// An opaque error returned by all methods on this trait. @@ -349,6 +353,9 @@ pub trait StorageProvider { ) -> Result, Self::Error>; /// Returns the ResumptionPskStore for the group with the given id. + /// + /// Returning `None` here is considered an error because the store is needed + /// by OpenMLS when loading a group. fn resumption_psk_store< GroupId: traits::GroupId, ResumptionPskStore: traits::ResumptionPskStore, From d5905aafced47e9ea5439959fbe48bb5057c3c23 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 17 May 2024 14:52:38 +0200 Subject: [PATCH 3/9] benchmarks for ml-kem --- openmls/benches/benchmark.rs | 242 ++++++++++++++++++++++++++++++++++- 1 file changed, 238 insertions(+), 4 deletions(-) diff --git a/openmls/benches/benchmark.rs b/openmls/benches/benchmark.rs index 0d11c40bd..1516f846f 100644 --- a/openmls/benches/benchmark.rs +++ b/openmls/benches/benchmark.rs 
@@ -6,11 +6,10 @@ extern crate rand; use criterion::Criterion; use openmls::prelude::*; use openmls_basic_credential::SignatureKeyPair; +use openmls_rust_crypto::OpenMlsRustCrypto; use openmls_traits::{crypto::OpenMlsCrypto, OpenMlsProvider}; -pub type OpenMlsRustCrypto = openmls_rust_crypto::OpenMlsRustCrypto; - -fn criterion_kp_bundle(c: &mut Criterion, provider: &impl OpenMlsProvider) { +fn criterion_key_package(c: &mut Criterion, provider: &impl OpenMlsProvider) { for &ciphersuite in provider.crypto().supported_ciphersuites().iter() { c.bench_function( &format!("KeyPackage create bundle with ciphersuite: {ciphersuite:?}"), 
@@ -38,14 +37,249 @@ fn criterion_kp_bundle(c: &mut Criterion, provider: &impl OpenMlsProvider) { } } +fn create_welcome(c: &mut Criterion, provider: &impl OpenMlsProvider) { + for &ciphersuite in provider.crypto().supported_ciphersuites().iter() { + c.bench_function( + &format!("Create a welcome message with ciphersuite: {ciphersuite:?}"), + move |b| { + b.iter_with_setup( + || { + let alice_credential = BasicCredential::new("Alice".into()); + let alice_signer = + SignatureKeyPair::new(ciphersuite.signature_algorithm()).unwrap(); + let alice_credential_with_key = CredentialWithKey { + credential: alice_credential.into(), + signature_key: alice_signer.to_public_vec().into(), + }; + + let bob_credential = BasicCredential::new("Bob".into()); + let bob_signer = + SignatureKeyPair::new(ciphersuite.signature_algorithm()).unwrap(); + let bob_credential_with_key = CredentialWithKey { + credential: bob_credential.into(), + signature_key: bob_signer.to_public_vec().into(), + }; + let bob_key_package = KeyPackage::builder() + .build( + ciphersuite, + provider, + &bob_signer, + bob_credential_with_key.clone(), + ) + .expect("An unexpected error occurred."); + + let mls_group_create_config = MlsGroupCreateConfig::builder() + .wire_format_policy(PURE_PLAINTEXT_WIRE_FORMAT_POLICY) + .ciphersuite(ciphersuite) + .build(); + + // === Alice creates a group === + let alice_group = MlsGroup::new( + provider, + &alice_signer, + &mls_group_create_config, + alice_credential_with_key.clone(), + ) + .expect("An unexpected error occurred."); + + (alice_signer, alice_group, bob_key_package) + }, + |(alice_signer, mut alice_group, bob_key_package)| { + let _welcome = match alice_group.add_members( + provider, + &alice_signer, + &[bob_key_package.key_package().clone()], + ) { + Ok((_, welcome, _)) => welcome, + Err(e) => panic!("Could not add member to group: {e:?}"), + }; + }, + ); + }, + ); + } +} + +fn join_group(c: &mut Criterion, provider: &impl OpenMlsProvider) { + for &ciphersuite in 
provider.crypto().supported_ciphersuites().iter() { + c.bench_function( + &format!("Join a group with ciphersuite: {ciphersuite:?}"), + move |b| { + b.iter_with_setup( + || { + let alice_credential = BasicCredential::new("Alice".into()); + let alice_signer = + SignatureKeyPair::new(ciphersuite.signature_algorithm()).unwrap(); + let alice_credential_with_key = CredentialWithKey { + credential: alice_credential.into(), + signature_key: alice_signer.to_public_vec().into(), + }; + + let bob_credential = BasicCredential::new("Bob".into()); + let bob_signer = + SignatureKeyPair::new(ciphersuite.signature_algorithm()).unwrap(); + let bob_credential_with_key = CredentialWithKey { + credential: bob_credential.into(), + signature_key: bob_signer.to_public_vec().into(), + }; + let bob_key_package = KeyPackage::builder() + .build( + ciphersuite, + provider, + &bob_signer, + bob_credential_with_key.clone(), + ) + .expect("An unexpected error occurred."); + + let mls_group_create_config = MlsGroupCreateConfig::builder() + .wire_format_policy(PURE_PLAINTEXT_WIRE_FORMAT_POLICY) + .ciphersuite(ciphersuite) + .build(); + + // === Alice creates a group === + let mut alice_group = MlsGroup::new( + provider, + &alice_signer, + &mls_group_create_config, + alice_credential_with_key.clone(), + ) + .expect("An unexpected error occurred."); + + let welcome = match alice_group.add_members( + provider, + &alice_signer, + &[bob_key_package.key_package().clone()], + ) { + Ok((_, welcome, _)) => welcome, + Err(e) => panic!("Could not add member to group: {e:?}"), + }; + + alice_group + .merge_pending_commit(provider) + .expect("error merging pending commit"); + + (alice_group, mls_group_create_config, welcome) + }, + |(alice_group, mls_group_create_config, welcome)| { + let welcome: MlsMessageIn = welcome.into(); + let welcome = welcome + .into_welcome() + .expect("expected the message to be a welcome message"); + let _bob_group = StagedWelcome::new_from_welcome( + provider, + 
mls_group_create_config.join_config(), + welcome, + Some(alice_group.export_ratchet_tree().into()), + ) + .unwrap() + .into_group(provider); + }, + ); + }, + ); + } +} + +fn create_commit(c: &mut Criterion, provider: &impl OpenMlsProvider) { + for &ciphersuite in provider.crypto().supported_ciphersuites().iter() { + c.bench_function( + &format!("Create a commit with ciphersuite: {ciphersuite:?}"), + move |b| { + b.iter_with_setup( + || { + let alice_credential = BasicCredential::new("Alice".into()); + let alice_signer = + SignatureKeyPair::new(ciphersuite.signature_algorithm()).unwrap(); + let alice_credential_with_key = CredentialWithKey { + credential: alice_credential.into(), + signature_key: alice_signer.to_public_vec().into(), + }; + + let bob_credential = BasicCredential::new("Bob".into()); + let bob_signer = + SignatureKeyPair::new(ciphersuite.signature_algorithm()).unwrap(); + let bob_credential_with_key = CredentialWithKey { + credential: bob_credential.into(), + signature_key: bob_signer.to_public_vec().into(), + }; + let bob_key_package = KeyPackage::builder() + .build( + ciphersuite, + provider, + &bob_signer, + bob_credential_with_key.clone(), + ) + .expect("An unexpected error occurred."); + + let mls_group_create_config = MlsGroupCreateConfig::builder() + .wire_format_policy(PURE_PLAINTEXT_WIRE_FORMAT_POLICY) + .ciphersuite(ciphersuite) + .build(); + + // === Alice creates a group === + let mut alice_group = MlsGroup::new( + provider, + &alice_signer, + &mls_group_create_config, + alice_credential_with_key.clone(), + ) + .expect("An unexpected error occurred."); + + let welcome = match alice_group.add_members( + provider, + &alice_signer, + &[bob_key_package.key_package().clone()], + ) { + Ok((_, welcome, _)) => welcome, + Err(e) => panic!("Could not add member to group: {e:?}"), + }; + + alice_group + .merge_pending_commit(provider) + .expect("error merging pending commit"); + + let welcome: MlsMessageIn = welcome.into(); + let welcome = welcome + 
.into_welcome() + .expect("expected the message to be a welcome message"); + let bob_group = StagedWelcome::new_from_welcome( + provider, + mls_group_create_config.join_config(), + welcome, + Some(alice_group.export_ratchet_tree().into()), + ) + .unwrap() + .into_group(provider) + .unwrap(); + + (bob_group, bob_signer) + }, + |(mut bob_group, bob_signer)| { + let (queued_message, welcome_option, _group_info) = + bob_group.self_update(provider, &bob_signer).unwrap(); + + bob_group + .merge_pending_commit(provider) + .expect("error merging pending commit"); + }, + ); + }, + ); + } +} + fn kp_bundle_rust_crypto(c: &mut Criterion) { let provider = &OpenMlsRustCrypto::default(); println!("provider: RustCrypto"); - criterion_kp_bundle(c, provider); + criterion_key_package(c, provider); } fn criterion_benchmark(c: &mut Criterion) { kp_bundle_rust_crypto(c); + criterion_key_package(c, &openmls_libcrux_crypto::Provider::default()); + create_welcome(c, &openmls_libcrux_crypto::Provider::default()); + join_group(c, &openmls_libcrux_crypto::Provider::default()); + create_commit(c, &openmls_libcrux_crypto::Provider::default()); } criterion_group!(benches, criterion_benchmark); From 5523a063e66ee2ee2245b5f210af88a8ac96fcd6 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 22 May 2024 08:50:23 +0200 Subject: [PATCH 4/9] check that staged commit has gce proposal applied --- openmls/tests/test_mls_group.rs | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/openmls/tests/test_mls_group.rs b/openmls/tests/test_mls_group.rs index f86cc90db..3f83faff7 100644 --- a/openmls/tests/test_mls_group.rs +++ b/openmls/tests/test_mls_group.rs 
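Review bot: In `join_group`'s measured closure the `Result` from `.into_group(provider)` is bound to `_bob_group` and never checked, so a failing join (ratchet-tree or confirmation-tag error) would be timed as a success; `create_commit` unwraps the same call and `join_group` should match it, `.into_group(provider).unwrap();`. In `create_commit`'s measured closure `queued_message` and `welcome_option` are bound but unused and will warn; `let (_queued_message, _welcome_option, _group_info) = bob_group.self_update(provider, &bob_signer).unwrap();`. The three setup closures repeat the Alice/Bob credential, key-package and group construction almost verbatim, so a small helper returning the signers, Alice's group, Bob's key package and the create config would keep the benches from drifting apart; `criterion_benchmark` also builds `openmls_libcrux_crypto::Provider::default()` four times where one instance would do.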
@@ -1229,6 +1229,10 @@ fn group_context_extensions_proposal( // No required capabilities, so no specifically required extensions. assert!(alice_group.extensions().required_capabilities().is_none()); + // The old group context + let group_context_before = alice_group.export_group_context().clone(); + assert_eq!(group_context_before.extensions(), &Extensions::empty()); + let new_extensions = Extensions::single(Extension::RequiredCapabilities( RequiredCapabilitiesExtension::new(&[ExtensionType::RequiredCapabilities], &[], &[]), )); @@ -1247,6 +1251,14 @@ fn group_context_extensions_proposal( .commit_to_pending_proposals(provider, &alice_signer) .expect("failed to commit to pending proposals"); + // The staged commit has the new group context extensions. + let group_context_staged = alice_group + .pending_commit() + .unwrap() + .group_context() + .clone(); + assert_eq!(group_context_staged.extensions(), &new_extensions); + alice_group .merge_pending_commit(provider) .expect("error merging pending commit"); From 9ae58bc022cadbe65c836fa66e69d6ea17c6f465 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 22 May 2024 08:50:35 +0200 Subject: [PATCH 5/9] add logging to all tests --- openmls_test/src/lib.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openmls_test/src/lib.rs b/openmls_test/src/lib.rs index 8908ec750..8ae2cd39a 100644 --- a/openmls_test/src/lib.rs +++ b/openmls_test/src/lib.rs @@ -32,6 +32,7 @@ pub fn openmls_test(_attr: TokenStream, item: TokenStream) -> TokenStream { use openmls_traits::{types::Ciphersuite, crypto::OpenMlsCrypto}; type Provider = OpenMlsRustCrypto; + let _ = pretty_env_logger::try_init(); let ciphersuite = Ciphersuite::try_from(#val).unwrap(); let provider = OpenMlsRustCrypto::default(); 
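Review bot: Both new assertions clone a group context only to compare one field, `alice_group.export_group_context().clone()` and `.pending_commit().unwrap().group_context().clone()`; if those accessors return references, as the clones suggest, the borrows end at the following `assert_eq!` and the clones can go: `let group_context_before = alice_group.export_group_context();` and likewise for the staged one. The second check only pins the staged commit; unless the rest of `group_context_extensions_proposal` (outside the hunk) already does so, asserting `alice_group.export_group_context().extensions() == &new_extensions` after `merge_pending_commit` would also pin that the merge carries the extensions over.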
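Review bot: The generated test body now calls `pretty_env_logger::try_init()` in the crate that uses `#[openmls_test]`, not in `openmls_test` itself, so every consuming crate needs `pretty_env_logger` as a dev-dependency; the diffstat touches only `openmls_test/src/lib.rs`, so unless the consumers already declare it, the emitted path will not resolve at the use site. The same applies to the second hunk (the `OpenMlsLibcrux` branch). A comment on the added line would help readers of the macro: `// Logging is opt-in via RUST_LOG; try_init() fails harmlessly if a logger is already set.` The enclosing `openmls_test` function continues outside both hunks.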
@@ -67,6 +68,7 @@ pub fn openmls_test(_attr: TokenStream, item: TokenStream) -> TokenStream { use openmls_traits::{types::Ciphersuite, prelude::*}; type Provider = OpenMlsLibcrux; + let _ = pretty_env_logger::try_init(); let ciphersuite = Ciphersuite::try_from(#val).unwrap(); let provider = OpenMlsLibcrux::default(); From 4952fcb24a2e9067eddbb8670d08ccbc5ce79a2c Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 22 May 2024 12:04:56 +0200 Subject: [PATCH 6/9] add changelog for new storage API --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c68edd5b..f939c6bd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [#1506](https://github.com/openmls/openmls/pull/1506): Add `StagedWelcome` and `StagedCoreWelcome` to make joining a group staged in order to inspect the `Welcome` message. This was followed up with PR [#1533](https://github.com/openmls/openmls/pull/1533) to adjust the API. - [#1516](https://github.com/openmls/openmls/pull/1516): Add `MlsGroup::clear_pending_proposals` to the public API; this allows users to clear a group's internal `ProposalStore` +- [#1565](https://github.com/openmls/openmls/pull/1565): Add new `StorageProvider` trait to the `openmls_traits` crate. ### Changed 
@@ -27,6 +28,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [#1548](https://github.com/openmls/openmls/pull/1548): CryptoConfig is now replaced by just Ciphersuite. - [#1542](https://github.com/openmls/openmls/pull/1542): Add support for custom proposals. ProposalType::Unknown is now called ProposalType::Other. Proposal::Unknown is now called Proposal::Other. - [#1559](https://github.com/openmls/openmls/pull/1559): Remove the `PartialEq` type constraint on the error type of both the `OpenMlsRand` and `OpenMlsKeyStore` traits. Additionally, remove the `Clone` type constraint on the error type of the `OpenMlsRand` trait. +- [#1565](https://github.com/openmls/openmls/pull/1565): Removed `OpenMlsKeyStore` and replace it with a new `StorageProvider` trait in the `openmls_traits` crate. ### Fixed From 9d2f01870ac198422d542019b12021cd6e9c7cf4 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Tue, 4 Jun 2024 10:52:14 +0200 Subject: [PATCH 7/9] API for processed welcome Fixes #1585 --- openmls/src/group/core_group/mod.rs | 2 +- .../src/group/core_group/new_from_welcome.rs | 421 ++++++++++-------- openmls/src/group/mls_group/creation.rs | 131 ++++-- openmls/src/group/mls_group/mod.rs | 22 +- openmls/src/messages/group_info.rs | 4 +- openmls/src/messages/tests/test_welcome.rs | 80 +++- 6 files changed, 432 insertions(+), 228 deletions(-) diff --git a/openmls/src/group/core_group/mod.rs b/openmls/src/group/core_group/mod.rs index a78fff0fc..4004ba822 100644 --- a/openmls/src/group/core_group/mod.rs +++ b/openmls/src/group/core_group/mod.rs @@ -6,7 +6,7 @@ //! error, will still return a `Result` since they may throw a `LibraryError`. // Private -mod new_from_welcome; +pub(super) mod new_from_welcome; // Crate pub(crate) mod create_commit_params; diff --git a/openmls/src/group/core_group/new_from_welcome.rs b/openmls/src/group/core_group/new_from_welcome.rs index 0bb4a7c12..345faa00b 100644 
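Review bot: The `// Private` heading directly above `pub(super) mod new_from_welcome;` no longer describes the module now that it is visible to the parent; either move the line under the `// Crate` group (it is reached as `crate::group::core_group::new_from_welcome::process_welcome` from `mls_group/creation.rs` in this same patch) or change the heading to say why the wider visibility is needed, e.g. `// Visible to the parent so MlsGroup can drive the two-step welcome processing`.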
--- a/openmls/src/group/core_group/new_from_welcome.rs +++ b/openmls/src/group/core_group/new_from_welcome.rs 
@@ -19,207 +19,26 @@ impl StagedCoreWelcome { ratchet_tree: Option, key_package_bundle: KeyPackageBundle, provider: &Provider, - mut resumption_psk_store: ResumptionPskStore, + resumption_psk_store: ResumptionPskStore, ) -> Result> { log::debug!("CoreGroup::new_from_welcome_internal"); - let ciphersuite = welcome.ciphersuite(); - - // Find key_package in welcome secrets - let egs = if let Some(egs) = CoreGroup::find_key_package_from_welcome_secrets( - key_package_bundle - .key_package() - .hash_ref(provider.crypto())?, - welcome.secrets(), - ) { - egs - } else { - return Err(WelcomeError::JoinerSecretNotFound); - }; - if ciphersuite != key_package_bundle.key_package().ciphersuite() { - let e = WelcomeError::CiphersuiteMismatch; - debug!("new_from_welcome {:?}", e); - return Err(e); - } - - let group_secrets = GroupSecrets::try_from_ciphertext( - key_package_bundle.init_private_key(), - egs.encrypted_group_secrets(), - welcome.encrypted_group_info(), - ciphersuite, - provider.crypto(), - )?; - - // Prepare the PskSecret - let psk_secret = { - let psks = load_psks( - provider.storage(), - &resumption_psk_store, - &group_secrets.psks, - )?; - - PskSecret::new(provider.crypto(), ciphersuite, psks)? - }; - - // Create key schedule - let mut key_schedule = KeySchedule::init( - ciphersuite, - provider.crypto(), - &group_secrets.joiner_secret, - psk_secret, - )?; - - // Derive welcome key & nonce from the key schedule - let (welcome_key, welcome_nonce) = key_schedule - .welcome(provider.crypto(), ciphersuite) - .map_err(|_| LibraryError::custom("Using the key schedule in the wrong state"))? - .derive_welcome_key_nonce(provider.crypto(), ciphersuite) - .map_err(LibraryError::unexpected_crypto_error)?; - - let verifiable_group_info = VerifiableGroupInfo::try_from_ciphertext( - &welcome_key, - &welcome_nonce, - welcome.encrypted_group_info(), - &[], - provider.crypto(), - )?; - - // Make sure that we can support the required capabilities in the group info. 
- if let Some(required_capabilities) = - verifiable_group_info.extensions().required_capabilities() - { - // Also check that our key package actually supports the extensions. - // Per spec the sender must have checked this. But you never know. - key_package_bundle - .key_package() - .leaf_node() - .capabilities() - .supports_required_capabilities(required_capabilities)?; - } - - // Build the ratchet tree - - // Set nodes either from the extension or from the `nodes_option`. - // If we got a ratchet tree extension in the welcome, we enable it for - // this group. Note that this is not strictly necessary. But there's - // currently no other mechanism to enable the extension. - let (ratchet_tree, enable_ratchet_tree_extension) = - match verifiable_group_info.extensions().ratchet_tree() { - Some(extension) => (extension.ratchet_tree().clone(), true), - None => match ratchet_tree { - Some(ratchet_tree) => (ratchet_tree, false), - None => return Err(WelcomeError::MissingRatchetTree), - }, - }; - - // Since there is currently only the external pub extension, there is no - // group info extension of interest here. - let (public_group, _group_info_extensions) = PublicGroup::from_external( + let (ciphersuite, group_secrets, key_schedule, verifiable_group_info) = process_welcome( + welcome, + &key_package_bundle, provider, - ratchet_tree, - verifiable_group_info.clone(), - ProposalStore::new(), + &resumption_psk_store, )?; - // Find our own leaf in the tree. 
- let own_leaf_index = public_group - .members() - .find_map(|m| { - if m.signature_key - == key_package_bundle - .key_package() - .leaf_node() - .signature_key() - .as_slice() - { - Some(m.index) - } else { - None - } - }) - .ok_or(WelcomeError::PublicTreeError( - PublicTreeError::MalformedTree, - ))?; - - let (group_epoch_secrets, message_secrets) = { - let serialized_group_context = public_group - .group_context() - .tls_serialize_detached() - .map_err(LibraryError::missing_bound_check)?; - - // TODO #751: Implement PSK - key_schedule - .add_context(provider.crypto(), &serialized_group_context) - .map_err(|_| LibraryError::custom("Using the key schedule in the wrong state"))?; - - let epoch_secrets = key_schedule - .epoch_secrets(provider.crypto(), ciphersuite) - .map_err(|_| LibraryError::custom("Using the key schedule in the wrong state"))?; - - epoch_secrets.split_secrets( - serialized_group_context, - public_group.tree_size(), - own_leaf_index, - ) - }; - - let confirmation_tag = message_secrets - .confirmation_key() - .tag( - provider.crypto(), - ciphersuite, - public_group.group_context().confirmed_transcript_hash(), - ) - .map_err(LibraryError::unexpected_crypto_error)?; - - // Verify confirmation tag - if &confirmation_tag != public_group.confirmation_tag() { - log::error!("Confirmation tag mismatch"); - log_crypto!(trace, " Got: {:x?}", confirmation_tag); - log_crypto!(trace, " Expected: {:x?}", public_group.confirmation_tag()); - debug_assert!(false, "Confirmation tag mismatch"); - return Err(WelcomeError::ConfirmationTagMismatch); - } - - let message_secrets_store = MessageSecretsStore::new_with_secret(0, message_secrets); - - // Extract and store the resumption PSK for the current epoch. 
- let resumption_psk = group_epoch_secrets.resumption_psk(); - resumption_psk_store.add(public_group.group_context().epoch(), resumption_psk.clone()); - - let welcome_sender_index = verifiable_group_info.signer(); - let path_keypairs = if let Some(path_secret) = group_secrets.path_secret { - let (path_keypairs, _commit_secret) = public_group - .derive_path_secrets( - provider.crypto(), - ciphersuite, - path_secret, - welcome_sender_index, - own_leaf_index, - ) - .map_err(|e| match e { - DerivePathError::LibraryError(e) => e.into(), - DerivePathError::PublicKeyMismatch => { - WelcomeError::PublicTreeError(PublicTreeError::PublicKeyMismatch) - } - })?; - Some(path_keypairs) - } else { - None - }; - - let group = StagedCoreWelcome { - public_group, - group_epoch_secrets, - own_leaf_index, - use_ratchet_tree_extension: enable_ratchet_tree_extension, - message_secrets_store, - resumption_psk_store, + build_staged_welcome( verifiable_group_info, + ratchet_tree, + provider, key_package_bundle, - path_keypairs, - }; - - Ok(group) + key_schedule, + ciphersuite, + resumption_psk_store, + group_secrets, + ) } /// Returns the [`LeafNodeIndex`] of the group member that authored the [`Welcome`] message. 
@@ -272,6 +91,220 @@ impl StagedCoreWelcome { } } +pub(in crate::group) fn build_staged_welcome( + verifiable_group_info: VerifiableGroupInfo, + ratchet_tree: Option, + provider: &Provider, + key_package_bundle: KeyPackageBundle, + mut key_schedule: KeySchedule, + ciphersuite: Ciphersuite, + mut resumption_psk_store: ResumptionPskStore, + group_secrets: GroupSecrets, +) -> Result> { + // Build the ratchet tree and group + + // Set nodes either from the extension or from the `nodes_option`. + // If we got a ratchet tree extension in the welcome, we enable it for + // this group. Note that this is not strictly necessary. But there's + // currently no other mechanism to enable the extension. + let (ratchet_tree, enable_ratchet_tree_extension) = + match verifiable_group_info.extensions().ratchet_tree() { + Some(extension) => (extension.ratchet_tree().clone(), true), + None => match ratchet_tree { + Some(ratchet_tree) => (ratchet_tree, false), + None => return Err(WelcomeError::MissingRatchetTree), + }, + }; + + // Since there is currently only the external pub extension, there is no + // group info extension of interest here. + let (public_group, _group_info_extensions) = PublicGroup::from_external( + provider, + ratchet_tree, + verifiable_group_info.clone(), + ProposalStore::new(), + )?; + + // Find our own leaf in the tree. 
+ let own_leaf_index = public_group + .members() + .find_map(|m| { + if m.signature_key + == key_package_bundle + .key_package() + .leaf_node() + .signature_key() + .as_slice() + { + Some(m.index) + } else { + None + } + }) + .ok_or(WelcomeError::PublicTreeError( + PublicTreeError::MalformedTree, + ))?; + + let (group_epoch_secrets, message_secrets) = { + let serialized_group_context = public_group + .group_context() + .tls_serialize_detached() + .map_err(LibraryError::missing_bound_check)?; + + // TODO #751: Implement PSK + key_schedule + .add_context(provider.crypto(), &serialized_group_context) + .map_err(|_| LibraryError::custom("Using the key schedule in the wrong state"))?; + + let epoch_secrets = key_schedule + .epoch_secrets(provider.crypto(), ciphersuite) + .map_err(|_| LibraryError::custom("Using the key schedule in the wrong state"))?; + + epoch_secrets.split_secrets( + serialized_group_context, + public_group.tree_size(), + own_leaf_index, + ) + }; + + let confirmation_tag = message_secrets + .confirmation_key() + .tag( + provider.crypto(), + ciphersuite, + public_group.group_context().confirmed_transcript_hash(), + ) + .map_err(LibraryError::unexpected_crypto_error)?; + + // Verify confirmation tag + if &confirmation_tag != public_group.confirmation_tag() { + log::error!("Confirmation tag mismatch"); + log_crypto!(trace, " Got: {:x?}", confirmation_tag); + log_crypto!(trace, " Expected: {:x?}", public_group.confirmation_tag()); + debug_assert!(false, "Confirmation tag mismatch"); + return Err(WelcomeError::ConfirmationTagMismatch); + } + + let message_secrets_store = MessageSecretsStore::new_with_secret(0, message_secrets); + + // Extract and store the resumption PSK for the current epoch. 
+ let resumption_psk = group_epoch_secrets.resumption_psk(); + resumption_psk_store.add(public_group.group_context().epoch(), resumption_psk.clone()); + + let welcome_sender_index = verifiable_group_info.signer(); + let path_keypairs = if let Some(path_secret) = group_secrets.path_secret { + let (path_keypairs, _commit_secret) = public_group + .derive_path_secrets( + provider.crypto(), + ciphersuite, + path_secret, + welcome_sender_index, + own_leaf_index, + ) + .map_err(|e| match e { + DerivePathError::LibraryError(e) => e.into(), + DerivePathError::PublicKeyMismatch => { + WelcomeError::PublicTreeError(PublicTreeError::PublicKeyMismatch) + } + })?; + Some(path_keypairs) + } else { + None + }; + + let group = StagedCoreWelcome { + public_group, + group_epoch_secrets, + own_leaf_index, + use_ratchet_tree_extension: enable_ratchet_tree_extension, + message_secrets_store, + resumption_psk_store, + verifiable_group_info, + key_package_bundle, + path_keypairs, + }; + + Ok(group) +} + +/// Process a Welcome message up to the point where the ratchet tree is is required. 
+pub(in crate::group) fn process_welcome( + welcome: Welcome, + key_package_bundle: &KeyPackageBundle, + provider: &Provider, + resumption_psk_store: &ResumptionPskStore, +) -> Result< + (Ciphersuite, GroupSecrets, KeySchedule, VerifiableGroupInfo), + WelcomeError, +> { + let ciphersuite = welcome.ciphersuite(); + let egs = if let Some(egs) = CoreGroup::find_key_package_from_welcome_secrets( + key_package_bundle + .key_package() + .hash_ref(provider.crypto())?, + welcome.secrets(), + ) { + egs + } else { + return Err(WelcomeError::JoinerSecretNotFound); + }; + if ciphersuite != key_package_bundle.key_package().ciphersuite() { + let e = WelcomeError::CiphersuiteMismatch; + debug!("new_from_welcome {:?}", e); + return Err(e); + } + let group_secrets = GroupSecrets::try_from_ciphertext( + key_package_bundle.init_private_key(), + egs.encrypted_group_secrets(), + welcome.encrypted_group_info(), + ciphersuite, + provider.crypto(), + )?; + let psk_secret = { + let psks = load_psks( + provider.storage(), + resumption_psk_store, + &group_secrets.psks, + )?; + + PskSecret::new(provider.crypto(), ciphersuite, psks)? + }; + let key_schedule = KeySchedule::init( + ciphersuite, + provider.crypto(), + &group_secrets.joiner_secret, + psk_secret, + )?; + let (welcome_key, welcome_nonce) = key_schedule + .welcome(provider.crypto(), ciphersuite) + .map_err(|_| LibraryError::custom("Using the key schedule in the wrong state"))? + .derive_welcome_key_nonce(provider.crypto(), ciphersuite) + .map_err(LibraryError::unexpected_crypto_error)?; + let verifiable_group_info = VerifiableGroupInfo::try_from_ciphertext( + &welcome_key, + &welcome_nonce, + welcome.encrypted_group_info(), + &[], + provider.crypto(), + )?; + if let Some(required_capabilities) = verifiable_group_info.extensions().required_capabilities() + { + // Also check that our key package actually supports the extensions. + // Per spec the sender must have checked this. But you never know. 
+ key_package_bundle + .key_package() + .leaf_node() + .capabilities() + .supports_required_capabilities(required_capabilities)?; + } + Ok(( + ciphersuite, + group_secrets, + key_schedule, + verifiable_group_info, + )) +} + impl CoreGroup { // Helper functions diff --git a/openmls/src/group/mls_group/creation.rs b/openmls/src/group/mls_group/creation.rs index ff0522bb8..d15caae04 100644 --- a/openmls/src/group/mls_group/creation.rs +++ b/openmls/src/group/mls_group/creation.rs 
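Review bot: `build_staged_welcome` is now reachable from `crate::group` but has no doc comment, and `process_welcome`'s comment has a doubled word (`where the ratchet tree is is required`); a header on `build_staged_welcome` stating that it resolves the ratchet tree, checks the confirmation tag against `public_group.confirmation_tag()`, and adds the new epoch's resumption PSK to `resumption_psk_store` would make the split readable from `creation.rs`. The `debug!("new_from_welcome {:?}", e)` line in `process_welcome` still names the old function; `debug!("process_welcome {:?}", e)` keeps the log traceable. Eight positional parameters, four of which (`ciphersuite`, `group_secrets`, `key_schedule`, `verifiable_group_info`) are exactly what `process_welcome` returns, invite argument-order mistakes; passing that tuple or a small struct through as one value would be safer. Until `build_staged_welcome` runs, the returned `GroupSecrets` and `KeySchedule` hold the joiner and path secrets in the caller's hands, so it is worth confirming those types zeroize on drop now that a `ProcessedWelcome` may be discarded without ever joining.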
@@ -147,6 +147,74 @@ fn transpose_err_opt(v: Result, E>) -> Option> { } } +impl ProcessedWelcome { + /// Creates a new processed [`Welcome`] message that can be used to parse + /// it before creating a [`StagedWelcome`]. + /// + /// This does not require a ratchet tree yet. + /// + /// [`Welcome`]: crate::messages::Welcome + pub fn new_from_welcome( + provider: &Provider, + mls_group_config: &MlsGroupJoinConfig, + welcome: Welcome, + ) -> Result> { + let (resumption_psk_store, key_package_bundle) = + keys_for_welcome(mls_group_config, &welcome, provider)?; + + let (ciphersuite, group_secrets, key_schedule, verifiable_group_info) = + crate::group::core_group::new_from_welcome::process_welcome( + welcome, + &key_package_bundle, + provider, + &resumption_psk_store, + )?; + + Ok(Self { + mls_group_config: mls_group_config.clone(), + ciphersuite, + group_secrets, + key_schedule, + verifiable_group_info, + resumption_psk_store, + key_package_bundle, + }) + } + + /// Get a reference to the GroupInfo in this Welcome message. + /// + /// **NOTE:** The group info contains **unverified** values. Use with caution. + pub fn unverified_group_info(&self) -> &VerifiableGroupInfo { + &self.verifiable_group_info + } + + /// Consume the `ProcessedWelcome` and combine it witht he ratchet tree into + /// a `StagedWelcome`. + pub fn into_staged_welcome( + self, + provider: &Provider, + ratchet_tree: Option, + ) -> Result> { + let group = crate::group::core_group::new_from_welcome::build_staged_welcome( + self.verifiable_group_info, + ratchet_tree, + provider, + self.key_package_bundle, + self.key_schedule, + self.ciphersuite, + self.resumption_psk_store, + self.group_secrets, + )?; + + let staged_welcome = StagedWelcome { + mls_group_config: self.mls_group_config, + group, + }; + + Ok(staged_welcome) + } +} + impl StagedWelcome { /// Creates a new staged welcome from a [`Welcome`] message. Returns an error /// ([`WelcomeError::NoMatchingKeyPackage`]) if no [`KeyPackage`] 
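Review bot: `ProcessedWelcome::new_from_welcome` calls `keys_for_welcome` first, which deletes the matching non-last-resort `KeyPackage` from storage before `process_welcome` has looked at the Welcome at all, so a caller who inspects `unverified_group_info()` and then drops the `ProcessedWelcome` has already lost that key package; the same ordering exists for `StagedWelcome`, but the two-step API makes the gap visible and it belongs on the doc comment: `/// The matching key package is deleted from storage (unless it is a last-resort key package) even if this value is later discarded.` The `into_staged_welcome` doc has a typo (`witht he` → `with the`). `unverified_group_info` rightly flags the values as unverified; saying where verification happens (the confirmation tag is checked in `build_staged_welcome`, reached via `into_staged_welcome`) would stop callers acting on the extensions or signer too early.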
@@ -161,33 +229,8 @@ impl StagedWelcome { welcome: Welcome, ratchet_tree: Option, ) -> Result> { - let resumption_psk_store = - ResumptionPskStore::new(mls_group_config.number_of_resumption_psks); - let key_package_bundle: KeyPackageBundle = welcome - .secrets() - .iter() - .find_map(|egs| { - let hash_ref = egs.new_member(); - - transpose_err_opt( - provider - .storage() - .key_package(&hash_ref) - .map_err(WelcomeError::StorageError), - ) - }) - .ok_or(WelcomeError::NoMatchingKeyPackage)??; - - // Delete the [`KeyPackage`] and the corresponding private key from the - // key store, but only if it doesn't have a last resort extension. - if !key_package_bundle.key_package().last_resort() { - provider - .storage() - .delete_key_package(&key_package_bundle.key_package.hash_ref(provider.crypto())?) - .map_err(WelcomeError::StorageError)?; - } else { - log::debug!("Key package has last resort extension, not deleting"); - } + let (resumption_psk_store, key_package_bundle) = + keys_for_welcome(mls_group_config, &welcome, provider)?; let group = StagedCoreWelcome::new_from_welcome( welcome, 
@@ -248,3 +291,37 @@ impl StagedWelcome {
 Ok(mls_group)
 }
 }
+
+fn keys_for_welcome(
+ mls_group_config: &MlsGroupJoinConfig,
+ welcome: &Welcome,
+ provider: &Provider,
+) -> Result<
+ (ResumptionPskStore, KeyPackageBundle),
+ WelcomeError<::StorageError>,
+> {
+ let resumption_psk_store = ResumptionPskStore::new(mls_group_config.number_of_resumption_psks);
+ let key_package_bundle: KeyPackageBundle = welcome
+ .secrets()
+ .iter()
+ .find_map(|egs| {
+ let hash_ref = egs.new_member();
+
+ transpose_err_opt(
+ provider
+ .storage()
+ .key_package(&hash_ref)
+ .map_err(WelcomeError::StorageError),
+ )
+ })
+ .ok_or(WelcomeError::NoMatchingKeyPackage)??;
+ if !key_package_bundle.key_package().last_resort() {
+ provider
+ .storage()
+ .delete_key_package(&key_package_bundle.key_package.hash_ref(provider.crypto())?)
+ .map_err(WelcomeError::StorageError)?;
+ } else {
+ log::debug!("Key package has last resort extension, not deleting");
+ }
+ Ok((resumption_psk_store, key_package_bundle))
+}
diff --git a/openmls/src/group/mls_group/mod.rs b/openmls/src/group/mls_group/mod.rs
index 501dc9c0d..b32b229bf 100644
--- a/openmls/src/group/mls_group/mod.rs
+++ b/openmls/src/group/mls_group/mod.rs
@@ -11,7 +11,7 @@ use crate::{
 framing::{mls_auth_content::AuthenticatedContent, *},
 group::*,
 key_packages::{KeyPackage, KeyPackageBundle},
- messages::proposals::*,
+ messages::{proposals::*, GroupSecrets},
 schedule::ResumptionPskSecret,
 storage::{OpenMlsProvider, StorageProvider},
 treesync::{node::leaf_node::LeafNode, RatchetTree},
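Review bot: `keys_for_welcome` lost the comment explaining its destructive step when the code was moved out of `StagedWelcome::new_from_welcome` — the `delete_key_package` call removes the key package and its private key from storage, and at both callers this runs before the Welcome itself is processed — and the new helper has no doc comment at all. Proposed header: `/// Looks up the key package referenced by one of the Welcome's secrets and removes it from storage (unless it is a last-resort key package); returns a fresh resumption PSK store and the bundle.` It is also worth a word that `find_map` stops at the first secret whose key package is found in storage, since the order of `welcome.secrets()` decides which bundle is used.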
@@ -494,3 +494,23 @@ pub struct StagedWelcome { // information. group: StagedCoreWelcome, } + +/// A parsed, but not fully processed `Welcome` message. +/// +/// This may be used in order to retrieve information from the `Welcome` about +/// the ratchet tree. +/// +/// Use `into_staged_welcome` to get the [`StagedWelcome`] on this. +pub struct ProcessedWelcome { + // The group configuration. See [`MlsGroupJoinConfig`] for more information. + mls_group_config: MlsGroupJoinConfig, + + // The following is the state after parsing the Welcome message, before actually + // building the group. + ciphersuite: Ciphersuite, + group_secrets: GroupSecrets, + key_schedule: crate::schedule::KeySchedule, + verifiable_group_info: crate::messages::group_info::VerifiableGroupInfo, + resumption_psk_store: crate::schedule::psk::store::ResumptionPskStore, + key_package_bundle: KeyPackageBundle, +} diff --git a/openmls/src/messages/group_info.rs b/openmls/src/messages/group_info.rs index 39871c9fd..f5d9a7d75 100644 --- a/openmls/src/messages/group_info.rs +++ b/openmls/src/messages/group_info.rs @@ -103,7 +103,7 @@ impl VerifiableGroupInfo { /// Get (unverified) extensions of the verifiable group info. /// /// Note: This method should only be used when necessary to verify the group info signature. - pub(crate) fn extensions(&self) -> &Extensions { + pub fn extensions(&self) -> &Extensions { &self.payload.extensions } @@ -111,7 +111,7 @@ impl VerifiableGroupInfo { /// /// Note: This method should only be used when necessary to verify the group /// info signature. - pub(crate) fn group_id(&self) -> &GroupId { + pub fn group_id(&self) -> &GroupId { self.payload.group_context.group_id() } } diff --git a/openmls/src/messages/tests/test_welcome.rs b/openmls/src/messages/tests/test_welcome.rs index 76b73f939..888f94fd8 100644 --- a/openmls/src/messages/tests/test_welcome.rs +++ b/openmls/src/messages/tests/test_welcome.rs 
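Review bot: `ProcessedWelcome` carries `group_secrets` and `key_schedule`, the secret state produced while processing the Welcome, but its docs only describe it as a parsed message; a field comment such as `// Secret state from processing the Welcome: do not add Debug/Serialize derives to this type without redacting these fields.` would keep a later contributor from deriving them. The type-level line `Use into_staged_welcome to get the StagedWelcome on this.` reads awkwardly — `Call into_staged_welcome to turn it into a StagedWelcome once the ratchet tree is available.` says the same thing more clearly. The sentence about retrieving information "about the ratchet tree" should name what is actually exposed (the unverified group info), since the struct has no ratchet-tree field.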
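Review bot: The `Note: This method should only be used when necessary to verify the group info signature.` kept on `extensions` in group_info.rs is now stale — the method is widened to `pub` precisely so callers can read the unverified extensions before any verification, and the same note sits on `group_id` in the following hunk. Replace both with a warning that matches the new use, e.g. `/// Note: the returned value is unverified; use it only to locate resources such as the ratchet tree, never as an authenticated property of the group.` Keeping the old wording invites a caller to treat a method "only for signature verification" as returning verified data.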
@@ -9,7 +9,8 @@ use crate::{ }, extensions::Extensions, group::{ - errors::WelcomeError, GroupContext, GroupId, MlsGroup, MlsGroupCreateConfig, StagedWelcome, + errors::WelcomeError, GroupContext, GroupId, MlsGroup, MlsGroupCreateConfig, + ProcessedWelcome, StagedWelcome, }, messages::{ group_info::{GroupInfoTBS, VerifiableGroupInfo}, @@ -31,8 +32,6 @@ fn test_welcome_context_mismatch( ciphersuite: Ciphersuite, provider: &impl crate::storage::OpenMlsProvider, ) { - let _ = pretty_env_logger::try_init(); - // We need a ciphersuite that is different from the current one to create // the mismatch let mismatched_ciphersuite = match ciphersuite { 
@@ -297,6 +296,81 @@ fn test_welcome_message(ciphersuite: Ciphersuite, provider: &impl crate::storage ); } +/// Test the parsed welcome flow where the Welcome is first processed to give +/// the caller the GroupInfo. +/// This allows transporting information in the Welcome for retrieving the ratchet +/// tree. +#[openmls_test::openmls_test] +fn test_welcome_processing() { + let group_id = GroupId::random(provider.rand()); + let mls_group_create_config = MlsGroupCreateConfig::builder() + .ciphersuite(ciphersuite) + .build(); + + let (alice_credential_with_key, _alice_kpb, alice_signer, _alice_signature_key) = + crate::group::test_core_group::setup_client("Alice", ciphersuite, provider); + let (_bob_credential, bob_kpb, _bob_signer, _bob_signature_key) = + crate::group::test_core_group::setup_client("Bob", ciphersuite, provider); + + let bob_kp = bob_kpb.key_package(); + + // === Alice creates a group and adds Bob === + let mut alice_group = MlsGroup::new_with_group_id( + provider, + &alice_signer, + &mls_group_create_config, + group_id, + alice_credential_with_key, + ) + .expect("An unexpected error occurred."); + + let (_queued_message, welcome, _group_info) = alice_group + .add_members(provider, &alice_signer, &[bob_kp.clone()]) + .expect("Could not add member to group."); + + alice_group + .merge_pending_commit(provider) + .expect("error merging pending commit"); + + let welcome = welcome.into_welcome().expect("Unexpected message type."); + + provider + .storage() + .write_key_package(&bob_kp.hash_ref(provider.crypto()).unwrap(), &bob_kpb) + .unwrap(); + + // Process the welcome + let processed_welcome = ProcessedWelcome::new_from_welcome( + provider, + mls_group_create_config.join_config(), + welcome, + ) + .unwrap(); + + // Check values in processed welcome + let unverified_group_info = processed_welcome.unverified_group_info(); + let group_id = unverified_group_info.group_id(); + assert_eq!(group_id, alice_group.group_id()); + let alice_group_info = 
alice_group + .export_group_info(provider, &alice_signer, false) + .unwrap() + .into_verifiable_group_info() + .unwrap(); + assert_eq!( + unverified_group_info.extensions(), + alice_group_info.extensions() + ); + // Use the group id or extensions to get the ratchet tree. + + // Stage the welcome + let staged_welcome = processed_welcome + .into_staged_welcome(provider, Some(alice_group.export_ratchet_tree().into())) + .unwrap(); + let _group = staged_welcome + .into_group(provider) + .expect("Error creating group from a valid staged join."); +} + #[test] fn invalid_welcomes() { // An almost good welcome message. From 0eae551105daf01e20ca998077c377faf414f02a Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 5 Jun 2024 10:43:04 +0200 Subject: [PATCH 8/9] silence clippy --- openmls/src/group/core_group/new_from_welcome.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openmls/src/group/core_group/new_from_welcome.rs b/openmls/src/group/core_group/new_from_welcome.rs index 345faa00b..eb8e46c66 100644 --- a/openmls/src/group/core_group/new_from_welcome.rs +++ b/openmls/src/group/core_group/new_from_welcome.rs @@ -91,6 +91,7 @@ impl StagedCoreWelcome { } } +#[allow(clippy::too_many_arguments)] pub(in crate::group) fn build_staged_welcome( verifiable_group_info: VerifiableGroupInfo, ratchet_tree: Option, From 703fb763a2eef40d401c9ecfcbc9bab188663b6a Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 6 Jun 2024 14:06:53 +0200 Subject: [PATCH 9/9] also expose PSKs from welcome --- openmls/src/group/mls_group/creation.rs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/openmls/src/group/mls_group/creation.rs b/openmls/src/group/mls_group/creation.rs index d15caae04..7aafcbc83 100644 --- a/openmls/src/group/mls_group/creation.rs +++ b/openmls/src/group/mls_group/creation.rs 
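Review bot: The comment `// Use the group id or extensions to get the ratchet tree.` in `test_welcome_processing` describes an action the test does not perform — the tree is exported straight from `alice_group` on the following lines — so it reads like a leftover TODO; rephrase it as `// An application would use the group id or extensions to fetch the ratchet tree; here it is exported directly from Alice.` The test only checks `group_id` and `extensions` on the unverified group info, and the `psks()` accessor added in the last patch of the series (whose diffstat touches creation.rs only) is not exercised anywhere. The function starts on the previous line of the hunk.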
@@ -11,7 +11,7 @@ use crate::{ group_info::{GroupInfo, VerifiableGroupInfo}, Welcome, }, - schedule::psk::store::ResumptionPskStore, + schedule::psk::{store::ResumptionPskStore, PreSharedKeyId}, storage::OpenMlsProvider, treesync::RatchetTreeIn, }; @@ -188,6 +188,13 @@ impl ProcessedWelcome { &self.verifiable_group_info } + /// Get a reference to the PSKs in this Welcome message. + /// + /// **NOTE:** The group info contains **unverified** values. Use with caution. + pub fn psks(&self) -> &[PreSharedKeyId] { + &self.group_secrets.psks + } + /// Consume the `ProcessedWelcome` and combine it witht he ratchet tree into /// a `StagedWelcome`. pub fn into_staged_welcome(
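Review bot: The `**NOTE:**` on `psks` was copied from `unverified_group_info` and talks about the group info, but the method returns `self.group_secrets.psks`; it should say what the caller actually gets, e.g. `/// **NOTE:** These PSK ids are returned as-is from the Welcome's group secrets; treat them as untrusted input when looking them up in the application's PSK store. Use with caution.` Whether `process_welcome` already validates them is not visible in this hunk, so the wording should be checked against that function. `into_staged_welcome` continues past the end of the hunk.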