matrix_lite_rs/crypto/

mod.rs

use crate::{Error, Result};
use vodozemac::olm::Account as OlmAccount;
use vodozemac::megolm::{GroupSession, InboundGroupSession, MegolmMessage};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use zeroize::Zeroizing;
use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64};

// Security constants
const PBKDF2_ITERATIONS: u32 = 600_000; // OWASP 2023 recommendation for PBKDF2-HMAC-SHA256
const SALT_LENGTH: usize = 32; // 256 bits
const MAX_ONE_TIME_KEYS: usize = 100; // Limit key generation
const MAX_GROUP_SESSIONS: usize = 1000; // Prevent unbounded growth
const MIN_PASSPHRASE_LENGTH: usize = 12; // Minimum secure passphrase length

/// Derive a cryptographic key from a passphrase using PBKDF2
fn derive_key_from_passphrase(passphrase: &str, salt: &[u8]) -> Result<[u8; 32]> {
    use pbkdf2::pbkdf2_hmac;
    use sha2::Sha256;

    if passphrase.len() < MIN_PASSPHRASE_LENGTH {
        return Err(Error::Crypto(format!(
            "Passphrase must be at least {} characters",
            MIN_PASSPHRASE_LENGTH
        )));
    }

    let passphrase_bytes = Zeroizing::new(passphrase.as_bytes().to_vec());
    let mut key = Zeroizing::new([0u8; 32]);

    pbkdf2_hmac::<Sha256>(
        &passphrase_bytes,
        salt,
        PBKDF2_ITERATIONS,
        &mut *key,
    );

    Ok(*key)
}

/// Generate a cryptographically secure random salt
fn generate_salt() -> [u8; SALT_LENGTH] {
    use rand::RngCore;
    let mut salt = [0u8; SALT_LENGTH];
    rand::thread_rng().fill_bytes(&mut salt);
    salt
}

/// Validate room ID format (basic Matrix room ID validation)
fn validate_room_id(room_id: &str) -> Result<()> {
    if !room_id.starts_with('!') || !room_id.contains(':') {
        return Err(Error::Crypto(format!("Invalid room ID format: {}", room_id)));
    }
    if room_id.len() > 255 {
        return Err(Error::Crypto("Room ID too long".to_string()));
    }
    Ok(())
}

/// Cryptographic manager for E2EE using Matrix Olm/Megolm protocols
pub struct CryptoManager {
    account: OlmAccount,
    group_sessions: HashMap<String, GroupSession>,
    inbound_group_sessions: HashMap<String, InboundGroupSession>,
}

impl CryptoManager {
    /// Create a new crypto manager with a new Olm account
    pub fn new() -> Self {
        Self {
            account: OlmAccount::new(),
            group_sessions: HashMap::new(),
            inbound_group_sessions: HashMap::new(),
        }
    }

    /// Get the identity keys for this account
    pub fn identity_keys(&self) -> IdentityKeys {
        let keys = self.account.identity_keys();

        IdentityKeys {
            curve25519: keys.curve25519.to_base64(),
            ed25519: keys.ed25519.to_base64(),
        }
    }

    /// Generate one-time keys with rate limiting
    pub fn generate_one_time_keys(&mut self, count: usize) -> Result<()> {
        if count > MAX_ONE_TIME_KEYS {
            return Err(Error::Crypto(format!(
                "Cannot generate more than {} one-time keys at once",
                MAX_ONE_TIME_KEYS
            )));
        }
        self.account.generate_one_time_keys(count);
        Ok(())
    }

    /// Get one-time keys
    pub fn one_time_keys(&self) -> HashMap<String, String> {
        self.account
            .one_time_keys()
            .iter()
            .enumerate()
            .map(|(idx, (_, key))| {
                (format!("key_{}", idx), key.to_base64())
            })
            .collect()
    }

    /// Mark one-time keys as published
    pub fn mark_keys_as_published(&mut self) {
        self.account.mark_keys_as_published();
    }

    /// Create an outbound group session for a room with validation and limits
    pub fn create_group_session(&mut self, room_id: &str) -> Result<String> {
        // Validate room ID format
        validate_room_id(room_id)?;

        // Check session limit
        if self.group_sessions.len() >= MAX_GROUP_SESSIONS {
            return Err(Error::Crypto(format!(
                "Maximum group sessions limit ({}) reached. Consider cleaning up old sessions.",
                MAX_GROUP_SESSIONS
            )));
        }

        // Warn if overwriting existing session
        if self.group_sessions.contains_key(room_id) {
            tracing::warn!("Overwriting existing group session for room: {}", room_id);
        }

        let session = GroupSession::new(Default::default());
        let session_id = session.session_id();
        let session_id_str = session_id.to_owned();
        self.group_sessions.insert(room_id.to_string(), session);
        Ok(session_id_str)
    }

    /// Encrypt a message for a room using Megolm
    pub fn encrypt_room_message(&mut self, room_id: &str, plaintext: &str) -> Result<EncryptedMessage> {
        let session = self.group_sessions
            .get_mut(room_id)
            .ok_or_else(|| Error::Crypto("No group session for room".to_string()))?;

        let ciphertext = session.encrypt(plaintext.as_bytes());

        Ok(EncryptedMessage {
            algorithm: "m.megolm.v1.aes-sha2".to_string(),
            sender_key: self.account.identity_keys().curve25519.to_base64(),
            ciphertext: ciphertext.to_base64(),
            session_id: session.session_id().to_owned(),
            device_id: String::new(), // Will be filled by caller
        })
    }

    /// Add an inbound group session for decrypting room messages
    pub fn add_inbound_group_session(&mut self, session_key_base64: &str) -> Result<String> {
        use vodozemac::megolm::{SessionKey, SessionConfig};

        // Parse as SessionKey (not ExportedSessionKey)
        let session_key = SessionKey::from_base64(session_key_base64)
            .map_err(|e| Error::Crypto(format!("Invalid session key: {}", e)))?;

        let session = InboundGroupSession::new(&session_key, SessionConfig::default());

        let session_id = session.session_id().to_owned();
        self.inbound_group_sessions.insert(session_id.clone(), session);
        Ok(session_id)
    }

    /// Decrypt a room message using Megolm
    pub fn decrypt_room_message(&mut self, session_id: &str, ciphertext: &str) -> Result<String> {
        let session = self.inbound_group_sessions
            .get_mut(session_id)
            .ok_or_else(|| Error::Crypto("Unknown session".to_string()))?;

        let message = MegolmMessage::from_base64(ciphertext)
            .map_err(|e| Error::Crypto(format!("Invalid ciphertext: {}", e)))?;

        let decrypted = session.decrypt(&message)
            .map_err(|e| Error::Crypto(format!("Decryption failed: {}", e)))?;

        String::from_utf8(decrypted.plaintext)
            .map_err(|e| Error::Crypto(format!("Invalid UTF-8: {}", e)))
    }

    /// Export the account as a pickle (serialized format) with PBKDF2 key derivation
    /// Returns base64-encoded salt + encrypted pickle
    pub fn export_account(&self, passphrase: &str) -> Result<String> {
        // Generate random salt
        let salt = generate_salt();

        // Derive encryption key using PBKDF2
        let key = Zeroizing::new(derive_key_from_passphrase(passphrase, &salt)?);

        // Encrypt the account pickle
        let pickle_str = self.account.pickle().encrypt(&*key);

        // Prepend salt to the encrypted pickle (salt is not secret)
        // Format: base64(salt) + ":" + encrypted_pickle
        let salt_b64 = BASE64.encode(&salt);
        Ok(format!("{}:{}", salt_b64, pickle_str))
    }

    /// Import an account from a pickle with PBKDF2 key derivation
    pub fn import_account(pickle_with_salt: &str, passphrase: &str) -> Result<Self> {
        use vodozemac::olm::AccountPickle;

        // Split salt and encrypted pickle
        let parts: Vec<&str> = pickle_with_salt.splitn(2, ':').collect();
        if parts.len() != 2 {
            return Err(Error::Crypto("Invalid pickle format (missing salt)".to_string()));
        }

        let salt_b64 = parts[0];
        let pickle_str = parts[1];

        // Decode salt
        let salt = BASE64.decode(salt_b64)
            .map_err(|e| Error::Crypto(format!("Invalid salt encoding: {}", e)))?;

        if salt.len() != SALT_LENGTH {
            return Err(Error::Crypto(format!(
                "Invalid salt length: expected {}, got {}",
                SALT_LENGTH,
                salt.len()
            )));
        }

        // Derive decryption key using PBKDF2 with the same salt
        let key = Zeroizing::new(derive_key_from_passphrase(passphrase, &salt)?);

        // Decrypt the pickle
        let pickle = AccountPickle::from_encrypted(pickle_str, &*key)
            .map_err(|e| Error::Crypto(format!("Failed to decrypt pickle: {}", e)))?;

        let account = OlmAccount::from_pickle(pickle);

        Ok(Self {
            account,
            group_sessions: HashMap::new(),
            inbound_group_sessions: HashMap::new(),
        })
    }

    /// Get the session key for a room (for sharing with other devices)
    pub fn export_group_session(&self, room_id: &str) -> Result<String> {
        let session = self.group_sessions
            .get(room_id)
            .ok_or_else(|| Error::Crypto("No group session for room".to_string()))?;

        // Export as ExportedSessionKey which is compatible with import
        Ok(session.session_key().to_base64())
    }

}

impl Default for CryptoManager {
    fn default() -> Self {
        Self::new()
    }
}

/// Identity keys for E2EE
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct IdentityKeys {
    pub curve25519: String,
    pub ed25519: String,
}

/// Encrypted message
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EncryptedMessage {
    pub algorithm: String,
    pub sender_key: String,
    pub ciphertext: String,
    pub session_id: String,
    pub device_id: String,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_crypto_manager_creation() {
        let manager = CryptoManager::new();
        let keys = manager.identity_keys();
        assert!(!keys.curve25519.is_empty());
        assert!(!keys.ed25519.is_empty());
    }

    #[test]
    fn test_one_time_keys() {
        let mut manager = CryptoManager::new();
        manager.generate_one_time_keys(5).unwrap();
        let keys = manager.one_time_keys();
        assert!(keys.len() > 0);
        assert!(keys.len() <= 5);
    }

    #[test]
    fn test_group_session() {
        let mut manager = CryptoManager::new();
        let result = manager.create_group_session("!test:example.com");
        assert!(result.is_ok());
        let session_id = result.unwrap();
        assert!(!session_id.is_empty());
    }

    #[test]
    fn test_encrypt_decrypt() {
        let mut sender = CryptoManager::new();
        let mut receiver = CryptoManager::new();

        // Create group session
        let room_id = "!test:example.com";
        let session_id = sender.create_group_session(room_id).unwrap();

        // Export session key and import to receiver
        let session_key = sender.export_group_session(room_id).unwrap();
        let imported_session_id = receiver.add_inbound_group_session(&session_key).unwrap();
        assert_eq!(session_id, imported_session_id);

        // Encrypt message
        let plaintext = "Hello, encrypted world!";
        let encrypted = sender.encrypt_room_message(room_id, plaintext).unwrap();

        // Decrypt message
        let decrypted = receiver.decrypt_room_message(&session_id, &encrypted.ciphertext).unwrap();
        assert_eq!(plaintext, decrypted);
    }

    #[test]
    fn test_account_export_import() {
        let manager1 = CryptoManager::new();
        let keys1 = manager1.identity_keys();

        let passphrase = "test_password_12345"; // Minimum 12 characters
        let pickle = manager1.export_account(passphrase).unwrap();

        let manager2 = CryptoManager::import_account(&pickle, passphrase).unwrap();
        let keys2 = manager2.identity_keys();

        assert_eq!(keys1.curve25519, keys2.curve25519);
        assert_eq!(keys1.ed25519, keys2.ed25519);
    }

    #[test]
    fn test_multiple_messages() {
        let mut sender = CryptoManager::new();
        let mut receiver = CryptoManager::new();

        let room_id = "!test:example.com";
        let session_id = sender.create_group_session(room_id).unwrap();
        let session_key = sender.export_group_session(room_id).unwrap();
        receiver.add_inbound_group_session(&session_key).unwrap();

        // Send multiple messages
        let messages = vec![
            "First message",
            "Second message",
            "Third message",
        ];

        for msg in &messages {
            let encrypted = sender.encrypt_room_message(room_id, msg).unwrap();
            let decrypted = receiver.decrypt_room_message(&session_id, &encrypted.ciphertext).unwrap();
            assert_eq!(*msg, decrypted);
        }
    }

    #[test]
    fn test_encrypt_without_group_session() {
        let mut manager = CryptoManager::new();
        let result = manager.encrypt_room_message("!test:example.com", "test");
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("No group session for room"));
    }

    #[test]
    fn test_decrypt_with_unknown_session() {
        let mut manager = CryptoManager::new();
        let result = manager.decrypt_room_message("unknown_session_id", "invalid_ciphertext");
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("Unknown session"));
    }

    #[test]
    fn test_decrypt_invalid_ciphertext() {
        let mut sender = CryptoManager::new();
        let mut receiver = CryptoManager::new();

        let room_id = "!test:example.com";
        let session_id = sender.create_group_session(room_id).unwrap();
        let session_key = sender.export_group_session(room_id).unwrap();
        receiver.add_inbound_group_session(&session_key).unwrap();

        // Try to decrypt invalid base64
        let result = receiver.decrypt_room_message(&session_id, "not_valid_base64!!!");
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("Invalid ciphertext"));
    }

    #[test]
    fn test_import_invalid_session_key() {
        let mut manager = CryptoManager::new();
        let result = manager.add_inbound_group_session("invalid_base64_key!!!");
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("Invalid session key"));
    }

    #[test]
    fn test_export_nonexistent_group_session() {
        let manager = CryptoManager::new();
        let result = manager.export_group_session("!nonexistent:example.com");
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("No group session for room"));
    }

    #[test]
    fn test_multiple_rooms() {
        let mut sender = CryptoManager::new();

        // Create sessions for multiple rooms
        let room1 = "!room1:example.com";
        let room2 = "!room2:example.com";

        let session1_id = sender.create_group_session(room1).unwrap();
        let session2_id = sender.create_group_session(room2).unwrap();

        // Sessions should be different
        assert_ne!(session1_id, session2_id);

        // Should be able to encrypt for both rooms
        let encrypted1 = sender.encrypt_room_message(room1, "message for room 1").unwrap();
        let encrypted2 = sender.encrypt_room_message(room2, "message for room 2").unwrap();

        assert_eq!(encrypted1.session_id, session1_id);
        assert_eq!(encrypted2.session_id, session2_id);
    }

    #[test]
    fn test_account_import_wrong_passphrase() {
        let manager = CryptoManager::new();
        let correct_passphrase = "correct_password_123";
        let wrong_passphrase = "wrong_password_456";

        let pickle = manager.export_account(correct_passphrase).unwrap();

        let result = CryptoManager::import_account(&pickle, wrong_passphrase);
        assert!(result.is_err());
        if let Err(e) = result {
            assert!(e.to_string().contains("Failed to decrypt pickle"));
        }
    }

    #[test]
    fn test_account_import_invalid_pickle() {
        let result = CryptoManager::import_account("invalid_pickle_data", "any_password_123");
        assert!(result.is_err());
    }

    #[test]
    fn test_unicode_messages() {
        let mut sender = CryptoManager::new();
        let mut receiver = CryptoManager::new();

        let room_id = "!test:example.com";
        let session_id = sender.create_group_session(room_id).unwrap();
        let session_key = sender.export_group_session(room_id).unwrap();
        receiver.add_inbound_group_session(&session_key).unwrap();

        // Test various Unicode characters
        let unicode_messages = vec![
            "Hello 世界",
            "Здравствуй мир",
            "مرحبا بالعالم",
            "🔐🌍🚀",
            "Emoji test: 😀😎🎉",
        ];

        for msg in &unicode_messages {
            let encrypted = sender.encrypt_room_message(room_id, msg).unwrap();
            let decrypted = receiver.decrypt_room_message(&session_id, &encrypted.ciphertext).unwrap();
            assert_eq!(*msg, decrypted);
        }
    }

    #[test]
    fn test_large_message() {
        let mut sender = CryptoManager::new();
        let mut receiver = CryptoManager::new();

        let room_id = "!test:example.com";
        let session_id = sender.create_group_session(room_id).unwrap();
        let session_key = sender.export_group_session(room_id).unwrap();
        receiver.add_inbound_group_session(&session_key).unwrap();

        // Test a large message (10KB)
        let large_message = "A".repeat(10_000);
        let encrypted = sender.encrypt_room_message(room_id, &large_message).unwrap();
        let decrypted = receiver.decrypt_room_message(&session_id, &encrypted.ciphertext).unwrap();
        assert_eq!(large_message, decrypted);
    }

    #[test]
    fn test_empty_message() {
        let mut sender = CryptoManager::new();
        let mut receiver = CryptoManager::new();

        let room_id = "!test:example.com";
        let session_id = sender.create_group_session(room_id).unwrap();
        let session_key = sender.export_group_session(room_id).unwrap();
        receiver.add_inbound_group_session(&session_key).unwrap();

        let empty_message = "";
        let encrypted = sender.encrypt_room_message(room_id, empty_message).unwrap();
        let decrypted = receiver.decrypt_room_message(&session_id, &encrypted.ciphertext).unwrap();
        assert_eq!(empty_message, decrypted);
    }

    #[test]
    fn test_multi_device_scenario() {
        // Simulate a scenario with one sender and multiple receivers (devices)
        let mut sender = CryptoManager::new();
        let mut device1 = CryptoManager::new();
        let mut device2 = CryptoManager::new();
        let mut device3 = CryptoManager::new();

        let room_id = "!test:example.com";
        let session_id = sender.create_group_session(room_id).unwrap();
        let session_key = sender.export_group_session(room_id).unwrap();

        // Share session key with all devices
        device1.add_inbound_group_session(&session_key).unwrap();
        device2.add_inbound_group_session(&session_key).unwrap();
        device3.add_inbound_group_session(&session_key).unwrap();

        // Send a message
        let message = "Broadcast to all devices";
        let encrypted = sender.encrypt_room_message(room_id, message).unwrap();

        // All devices should be able to decrypt
        let decrypted1 = device1.decrypt_room_message(&session_id, &encrypted.ciphertext).unwrap();
        let decrypted2 = device2.decrypt_room_message(&session_id, &encrypted.ciphertext).unwrap();
        let decrypted3 = device3.decrypt_room_message(&session_id, &encrypted.ciphertext).unwrap();

        assert_eq!(message, decrypted1);
        assert_eq!(message, decrypted2);
        assert_eq!(message, decrypted3);
    }

    #[test]
    fn test_one_time_keys_generation() {
        let mut manager = CryptoManager::new();

        // Generate 10 one-time keys
        manager.generate_one_time_keys(10).unwrap();
        let keys = manager.one_time_keys();

        assert!(keys.len() > 0);
        assert!(keys.len() <= 10);

        // All keys should be non-empty strings
        for (key_id, key_value) in keys {
            assert!(!key_id.is_empty());
            assert!(!key_value.is_empty());
            // Keys should be base64-encoded (check they contain valid chars)
            assert!(key_value.chars().all(|c| c.is_alphanumeric() || c == '+' || c == '/' || c == '='));
        }
    }

    #[test]
    fn test_mark_keys_as_published() {
        let mut manager = CryptoManager::new();

        manager.generate_one_time_keys(5).unwrap();
        let keys_before = manager.one_time_keys();
        assert!(keys_before.len() > 0);

        manager.mark_keys_as_published();
        let keys_after = manager.one_time_keys();

        // After marking as published, should have fewer or no unpublished keys
        assert!(keys_after.len() <= keys_before.len());
    }

    #[test]
    fn test_encrypted_message_structure() {
        let mut sender = CryptoManager::new();
        let room_id = "!test:example.com";

        sender.create_group_session(room_id).unwrap();
        let encrypted = sender.encrypt_room_message(room_id, "test").unwrap();

        // Verify structure
        assert_eq!(encrypted.algorithm, "m.megolm.v1.aes-sha2");
        assert!(!encrypted.sender_key.is_empty());
        assert!(!encrypted.ciphertext.is_empty());
        assert!(!encrypted.session_id.is_empty());

        // Verify keys contain base64-valid characters
        assert!(encrypted.sender_key.chars().all(|c| c.is_alphanumeric() || c == '+' || c == '/' || c == '='));
        assert!(encrypted.ciphertext.chars().all(|c| c.is_alphanumeric() || c == '+' || c == '/' || c == '='));
    }

    // Security-focused tests
    #[test]
    fn test_rate_limit_one_time_keys() {
        let mut manager = CryptoManager::new();
        // Try to generate too many keys
        let result = manager.generate_one_time_keys(MAX_ONE_TIME_KEYS + 1);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("Cannot generate more than"));
    }

    #[test]
    fn test_passphrase_too_short() {
        let manager = CryptoManager::new();
        let weak_passphrase = "short"; // Less than MIN_PASSPHRASE_LENGTH
        let result = manager.export_account(weak_passphrase);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("at least 12 characters"));
    }

    #[test]
    fn test_invalid_room_id_format() {
        let mut manager = CryptoManager::new();

        // Missing '!' prefix
        let result1 = manager.create_group_session("test:example.com");
        assert!(result1.is_err());

        // Missing ':' separator
        let result2 = manager.create_group_session("!testexample.com");
        assert!(result2.is_err());

        // Too long
        let long_room_id = format!("!{}:example.com", "a".repeat(300));
        let result3 = manager.create_group_session(&long_room_id);
        assert!(result3.is_err());
    }

    #[test]
    fn test_pickle_format_with_salt() {
        let manager = CryptoManager::new();
        let passphrase = "secure_password_123";
        let pickle = manager.export_account(passphrase).unwrap();

        // Verify pickle contains salt (format: salt:pickle)
        assert!(pickle.contains(':'));
        let parts: Vec<&str> = pickle.splitn(2, ':').collect();
        assert_eq!(parts.len(), 2);

        // Verify salt is base64 encoded and correct length
        let salt_bytes = base64::decode(parts[0]).unwrap();
        assert_eq!(salt_bytes.len(), SALT_LENGTH);
    }
}