github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/ephemeral/device_ek_storage.go (about) 1 package ephemeral 2 3 import ( 4 "fmt" 5 "log" 6 "sort" 7 "strconv" 8 "strings" 9 "sync" 10 "time" 11 12 "github.com/keybase/client/go/libkb" 13 "github.com/keybase/client/go/logger" 14 keybase1 "github.com/keybase/client/go/protocol/keybase1" 15 ) 16 17 const ( 18 deviceEKSubDir = "device-eks" 19 deviceEKPrefix = "deviceEphemeralKey" 20 deviceEKSuffix = ".ek" 21 ) 22 23 type deviceEKCacheItem struct { 24 DeviceEK keybase1.DeviceEk 25 Err error 26 } 27 28 type deviceEKCache map[keybase1.EkGeneration]deviceEKCacheItem 29 type DeviceEKMap map[keybase1.EkGeneration]keybase1.DeviceEk 30 31 type DeviceEKStorage struct { 32 sync.Mutex 33 storage libkb.ErasableKVStore 34 cache deviceEKCache 35 indexed bool 36 logger *log.Logger 37 } 38 39 func getLogger(mctx libkb.MetaContext) *log.Logger { 40 filename := mctx.G().Env.GetEKLogFile() 41 lfc := mctx.G().Env.GetLogFileConfig(filename) 42 lfc.SkipRedirectStdErr = true 43 lfw := logger.NewLogFileWriter(*lfc) 44 if err := lfw.Open(mctx.G().GetClock().Now()); err != nil { 45 mctx.Debug("Unable to getLogger %v", err) 46 return nil 47 } 48 l := log.New(lfw, getLogPrefix(mctx), log.LstdFlags|log.Lmicroseconds|log.Lshortfile) 49 return l 50 } 51 52 func getLogPrefix(mctx libkb.MetaContext) string { 53 return fmt.Sprintf("[username=%v] ", mctx.G().Env.GetUsername()) 54 } 55 56 func getLocalStorageSecretBoxKey(mctx libkb.MetaContext) (fkey [32]byte, err error) { 57 // Get secret device key 58 encKey, err := mctx.ActiveDevice().EncryptionKey() 59 if err != nil { 60 return fkey, err 61 } 62 kp, ok := encKey.(libkb.NaclDHKeyPair) 63 if !ok || kp.Private == nil { 64 return fkey, libkb.KeyCannotDecryptError{} 65 } 66 67 // Derive symmetric key from device key 68 skey, err := encKey.SecretSymmetricKey(libkb.EncryptionReasonErasableKVLocalStorage) 69 if err != nil { 70 return fkey, err 71 } 72 73 copy(fkey[:], skey[:]) 74 return fkey, nil 75 } 76 77 func deviceEKKeygen(mctx libkb.MetaContext, noiseBytes libkb.NoiseBytes) (fkey [32]byte, err error) { 78 enckey, err := getLocalStorageSecretBoxKey(mctx) 79 if err != nil { 80 return fkey, err 81 } 82 83 xor, err := libkb.NoiseXOR(enckey, noiseBytes) 84 if err != nil { 85 return fkey, err 86 } 87 copy(fkey[:], xor) 88 return fkey, nil 89 } 90 91 func NewDeviceEKStorage(mctx libkb.MetaContext) *DeviceEKStorage { 92 return &DeviceEKStorage{ 93 storage: libkb.NewFileErasableKVStore(mctx, deviceEKSubDir, deviceEKKeygen), 94 cache: make(deviceEKCache), 95 logger: getLogger(mctx), 96 } 97 } 98 99 func (s *DeviceEKStorage) SetLogPrefix(mctx libkb.MetaContext) { 100 s.Lock() 101 defer s.Unlock() 102 if s.logger != nil { 103 s.logger.SetPrefix(getLogPrefix(mctx)) 104 } 105 } 106 107 // Log sensitive deletion actions to a separate log file so we don't lose the 108 // logs during normal rotation. 109 func (s *DeviceEKStorage) ekLogf(mctx libkb.MetaContext, format string, args ...interface{}) { 110 mctx.Debug(format, args...) 111 if s.logger != nil { 112 s.logger.Printf(format, args...) 113 } 114 } 115 116 func (s *DeviceEKStorage) ekLogCTrace(mctx libkb.MetaContext, msg string, err *error) func() { 117 if s.logger != nil { 118 s.logger.Print(msg) 119 } 120 return mctx.Trace(msg, err) 121 } 122 123 func (s *DeviceEKStorage) keyPrefixFromUsername(username libkb.NormalizedUsername) string { 124 return fmt.Sprintf("%s-%s-", deviceEKPrefix, username) 125 } 126 127 func (s *DeviceEKStorage) keyPrefix(mctx libkb.MetaContext) (prefix string, err error) { 128 uv, err := mctx.G().GetMeUV(mctx.Ctx()) 129 if err != nil { 130 return prefix, err 131 } 132 username := mctx.ActiveDevice().Username(mctx) 133 return fmt.Sprintf("%s%s-", s.keyPrefixFromUsername(username), uv.EldestSeqno), nil 134 } 135 136 func (s *DeviceEKStorage) key(mctx libkb.MetaContext, generation keybase1.EkGeneration) (key string, err error) { 137 prefix, err := s.keyPrefix(mctx) 138 if err != nil { 139 return key, err 140 } 141 return fmt.Sprintf("%s%d%s", prefix, generation, deviceEKSuffix), nil 142 } 143 144 // keyToEldestSeqno parses out the `eldestSeqno` from a key of the form 145 // deviceEKPrefix-username-eldestSeqno-generation.ek. If we have a key for a 146 // eldestSeqno that is not our current, we purge it since we don't want the 147 // ephemeral key to stick around if we've reset. If we are unable to parse out 148 // the value, the key is not valid, or not for the logged in user we return -1 149 func (s *DeviceEKStorage) keyToEldestSeqno(mctx libkb.MetaContext, key string) keybase1.Seqno { 150 if !strings.HasPrefix(key, deviceEKPrefix) { 151 return -1 152 } 153 parts := strings.Split(key, "-") 154 if len(parts) != 4 { 155 return -1 156 } 157 // Make sure this key is for our current user and not a different one. 158 username := mctx.ActiveDevice().Username(mctx) 159 if parts[1] != username.String() { 160 return -1 161 } 162 e, err := strconv.ParseUint(parts[2], 10, 64) 163 if err != nil { 164 return -1 165 } 166 return keybase1.Seqno(e) 167 } 168 169 // keyToEldestSeqno parses out the `generation` from a key of the form 170 // deviceEKPrefix-username-eldestSeqno-generation.ek. Unparseable keys return a 171 // generation of -1 and should be ignored. 172 func (s *DeviceEKStorage) keyToGeneration(mctx libkb.MetaContext, key string) keybase1.EkGeneration { 173 prefix, err := s.keyPrefix(mctx) 174 if err != nil { 175 mctx.Debug("keyToGeneration: unable to get keyPrefix: %v", err) 176 return -1 177 } 178 if !strings.HasPrefix(key, prefix) || !strings.HasSuffix(key, deviceEKSuffix) { 179 mctx.Debug("keyToGeneration: key missing prefix: %v or suffix: %s", prefix, deviceEKSuffix) 180 return -1 181 } 182 183 key = strings.TrimSuffix(key, deviceEKSuffix) 184 parts := strings.Split(key, prefix) 185 if len(parts) != 2 { 186 mctx.Debug("keyToGeneration: unexpected parts: %v, prefix: %v", parts) 187 return -1 188 } 189 g, err := strconv.ParseUint(parts[1], 10, 64) 190 if err != nil { 191 mctx.Debug("keyToGeneration: unable to parseUint: %v", err) 192 return -1 193 } 194 return keybase1.EkGeneration(g) 195 } 196 197 func (s *DeviceEKStorage) Put(mctx libkb.MetaContext, generation keybase1.EkGeneration, deviceEK keybase1.DeviceEk) (err error) { 198 defer mctx.Trace(fmt.Sprintf("DeviceEKStorage#Put: generation:%v", generation), &err)() 199 200 s.Lock() 201 defer s.Unlock() 202 203 // sanity check that we got the right generation 204 if deviceEK.Metadata.Generation != generation { 205 return newEKCorruptedErr(mctx, DeviceEKKind, generation, deviceEK.Metadata.Generation) 206 } 207 208 key, err := s.key(mctx, generation) 209 if err != nil { 210 return err 211 } 212 // Fill in this puppy. 213 if deviceEK.Metadata.DeviceCtime == 0 { 214 deviceEK.Metadata.DeviceCtime = keybase1.ToTime(time.Now()) 215 } 216 if err = s.storage.Put(mctx, key, deviceEK); err != nil { 217 return err 218 } 219 220 // cache the result 221 cache, err := s.getCache(mctx) 222 if err != nil { 223 return err 224 } 225 cache[generation] = deviceEKCacheItem{ 226 DeviceEK: deviceEK, 227 Err: nil, 228 } 229 return nil 230 } 231 232 func (s *DeviceEKStorage) Get(mctx libkb.MetaContext, generation keybase1.EkGeneration) (deviceEK keybase1.DeviceEk, err error) { 233 defer mctx.Trace(fmt.Sprintf("DeviceEKStorage#Get: generation:%v", generation), &err)() 234 s.Lock() 235 defer s.Unlock() 236 237 // Try the cache first 238 cache, err := s.getCache(mctx) 239 if err != nil { 240 return deviceEK, err 241 } 242 cacheItem, ok := cache[generation] 243 if ok { 244 return cacheItem.DeviceEK, cacheItem.Err 245 } 246 // Try persistent storage. 247 deviceEK, err = s.get(mctx, generation) 248 switch err.(type) { 249 case nil, libkb.UnboxError: 250 // cache the result 251 cache[generation] = deviceEKCacheItem{ 252 DeviceEK: deviceEK, 253 Err: err, 254 } 255 return deviceEK, err 256 default: 257 return deviceEK, err 258 } 259 } 260 261 func (s *DeviceEKStorage) get(mctx libkb.MetaContext, generation keybase1.EkGeneration) (deviceEK keybase1.DeviceEk, err error) { 262 defer mctx.Trace(fmt.Sprintf("DeviceEKStorage#get: generation:%v", generation), &err)() 263 264 key, err := s.key(mctx, generation) 265 if err != nil { 266 return deviceEK, err 267 } 268 269 if err = s.storage.Get(mctx, key, &deviceEK); err != nil { 270 if _, ok := err.(libkb.UnboxError); ok { 271 s.ekLogf(mctx, "DeviceEKStorage#get: corrupted generation: %v -> %v: %v", key, generation, err) 272 if ierr := s.storage.Erase(mctx, key); ierr != nil { 273 s.ekLogf(mctx, "DeviceEKStorage#get: unable to delete corrupted generation: %v", ierr) 274 } 275 } 276 return deviceEK, err 277 } 278 // sanity check that we got the right generation 279 if deviceEK.Metadata.Generation != generation { 280 return deviceEK, newEKCorruptedErr(mctx, DeviceEKKind, generation, deviceEK.Metadata.Generation) 281 } 282 return deviceEK, nil 283 } 284 285 func (s *DeviceEKStorage) Delete(mctx libkb.MetaContext, generation keybase1.EkGeneration, 286 reason string, args ...interface{}) (err error) { 287 s.Lock() 288 defer s.Unlock() 289 return s.delete(mctx, generation, reason, args...) 290 } 291 292 func (s *DeviceEKStorage) delete(mctx libkb.MetaContext, generation keybase1.EkGeneration, 293 reason string, args ...interface{}) (err error) { 294 defer s.ekLogCTrace(mctx, fmt.Sprintf("DeviceEKStorage#delete: generation:%v reason: %s", generation, fmt.Sprintf(reason, args...)), &err)() 295 296 // clear the cache 297 cache, err := s.getCache(mctx) 298 if err != nil { 299 return err 300 } 301 key, err := s.key(mctx, generation) 302 if err != nil { 303 return err 304 } 305 if err = s.storage.Erase(mctx, key); err != nil { 306 return err 307 } 308 delete(cache, generation) 309 return nil 310 } 311 312 func (s *DeviceEKStorage) getCache(mctx libkb.MetaContext) (cache deviceEKCache, err error) { 313 if !s.indexed { 314 keys, err := s.storage.AllKeys(mctx, deviceEKSuffix) 315 if err != nil { 316 return nil, err 317 } 318 for _, key := range keys { 319 generation := s.keyToGeneration(mctx, key) 320 if generation < 0 { 321 mctx.Debug("DeviceEKStorage#getCache: unable to get generation from key: %s", key) 322 continue 323 } 324 deviceEK, err := s.get(mctx, generation) 325 switch err.(type) { 326 case nil, libkb.UnboxError: 327 s.cache[generation] = deviceEKCacheItem{ 328 DeviceEK: deviceEK, 329 Err: err, 330 } 331 default: 332 return nil, err 333 } 334 } 335 s.indexed = true 336 } 337 return s.cache, nil 338 } 339 340 func (s *DeviceEKStorage) ClearCache() { 341 s.Lock() 342 defer s.Unlock() 343 s.clearCache() 344 } 345 346 func (s *DeviceEKStorage) clearCache() { 347 s.cache = make(deviceEKCache) 348 s.indexed = false 349 } 350 351 func (s *DeviceEKStorage) GetAll(mctx libkb.MetaContext) (deviceEKs DeviceEKMap, err error) { 352 defer mctx.Trace("DeviceEKStorage#GetAll", &err)() 353 354 s.Lock() 355 defer s.Unlock() 356 357 cache, err := s.getCache(mctx) 358 if err != nil { 359 return nil, err 360 } 361 deviceEKs = make(DeviceEKMap) 362 for gen, cacheItem := range cache { 363 if cacheItem.Err != nil { 364 continue 365 } 366 deviceEKs[gen] = cacheItem.DeviceEK 367 } 368 return deviceEKs, nil 369 } 370 371 func (s *DeviceEKStorage) GetAllActive(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot) (metadatas []keybase1.DeviceEkMetadata, err error) { 372 defer mctx.Trace("GetAllActive", &err)() 373 374 s.Lock() 375 defer s.Unlock() 376 377 cache, err := s.getCache(mctx) 378 if err != nil { 379 return nil, err 380 } 381 382 activeKeysInOrder := []keybase1.DeviceEkMetadata{} 383 for _, cacheItem := range cache { 384 if cacheItem.Err != nil { 385 continue 386 } 387 deviceEK := cacheItem.DeviceEK 388 // Skip expired keys. Expired keys are spared from deletion past for a 389 // window past their expiry date, in case they're needed for 390 // decryption, but they're never signed over or used for encryption. 391 if ctimeIsStale(deviceEK.Metadata.Ctime.Time(), merkleRoot) { 392 continue 393 } 394 // Collect out of order, then sort below. 395 activeKeysInOrder = append(activeKeysInOrder, deviceEK.Metadata) 396 } 397 sort.Slice(activeKeysInOrder, func(a, b int) bool { return activeKeysInOrder[a].Generation < activeKeysInOrder[b].Generation }) 398 399 return activeKeysInOrder, nil 400 } 401 402 // ListAllForUser lists the internal storage name of deviceEKs of the logged in 403 // user. This is used for logsend purposes to debug ek state. 404 func (s *DeviceEKStorage) ListAllForUser(mctx libkb.MetaContext) (all []string, err error) { 405 defer mctx.Trace("DeviceEKStorage#ListAllForUser", &err)() 406 407 s.Lock() 408 defer s.Unlock() 409 410 return s.listAllForUser(mctx, mctx.ActiveDevice().Username(mctx)) 411 } 412 413 func (s *DeviceEKStorage) listAllForUser(mctx libkb.MetaContext, username libkb.NormalizedUsername) (all []string, err error) { 414 // key in the sense of a key-value pair, not a crypto key! 415 keys, err := s.storage.AllKeys(mctx, deviceEKSuffix) 416 if err != nil { 417 return nil, err 418 } 419 prefix := s.keyPrefixFromUsername(username) 420 for _, key := range keys { 421 if strings.HasPrefix(key, prefix) { 422 all = append(all, key) 423 } 424 } 425 return all, nil 426 } 427 428 func (s *DeviceEKStorage) MaxGeneration(mctx libkb.MetaContext, includeErrs bool) (maxGeneration keybase1.EkGeneration, err error) { 429 defer mctx.Trace("DeviceEKStorage#MaxGeneration", &err)() 430 431 s.Lock() 432 defer s.Unlock() 433 434 maxGeneration = -1 435 cache, err := s.getCache(mctx) 436 if err != nil { 437 return maxGeneration, err 438 } 439 for generation, cacheItem := range cache { 440 if cacheItem.Err != nil && !includeErrs { 441 continue 442 } 443 if generation > maxGeneration { 444 maxGeneration = generation 445 } 446 } 447 return maxGeneration, nil 448 } 449 450 func (s *DeviceEKStorage) DeleteExpired(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot) (expired []keybase1.EkGeneration, err error) { 451 defer mctx.Trace("DeviceEKStorage#DeleteExpired", &err)() 452 453 s.Lock() 454 defer s.Unlock() 455 456 cache, err := s.getCache(mctx) 457 if err != nil { 458 return nil, err 459 } 460 461 // Fall back to the device's local time if we don't have a merkle root so 462 // we can complete deletions offline. 463 var now time.Time 464 if merkleRoot.IsNil() { 465 now = time.Now() 466 } else { 467 now = keybase1.TimeFromSeconds(merkleRoot.Ctime()).Time() 468 } 469 470 keyMap := make(keyExpiryMap) 471 // We delete expired and invalid cache entries but only return the expired. 472 for generation, cacheItem := range cache { 473 if cacheItem.Err != nil { 474 continue 475 } else { 476 deviceEK := cacheItem.DeviceEK 477 var ctime keybase1.Time 478 // If we have a nil root _and_ a valid DeviceCtime, use that. If we're 479 // missing a DeviceCtime it's better to use the slightly off 480 // merkleCtime than a 0 481 if merkleRoot.IsNil() && deviceEK.Metadata.DeviceCtime > 0 { 482 ctime = deviceEK.Metadata.DeviceCtime 483 } else { 484 ctime = deviceEK.Metadata.Ctime 485 } 486 keyMap[generation] = ctime 487 } 488 } 489 490 expired = s.getExpiredGenerations(mctx, keyMap, now) 491 epick := libkb.FirstErrorPicker{} 492 for _, generation := range expired { 493 epick.Push(s.delete(mctx, generation, "generation expired")) 494 } 495 496 epick.Push(s.deletedWrongEldestSeqno(mctx)) 497 return expired, epick.Error() 498 } 499 500 // getExpiredGenerations calculates which keys have expired and are safe to 501 // delete. Keys normally expire after `libkb.MaxEphemeralContentLifetime` 502 // unless there has been a gap in their generation. If there has been a gap of 503 // more than a day (the normal generation time), a key can be re-used for up to 504 // `libkb.MaxEphemeralKeyStaleness` until it is considered expired. To 505 // determine expiration, we look at all of the current keys and account for any 506 // gaps since we don't want to expire a key if it is still used to encrypt a 507 // different key or ephemeral content. With deviceEKs we also have to account 508 // for a deviceEK being created out of lock step with a userEK. Consider the 509 // following scenario: 510 // 511 // At t=0, deviceA creates deviceEK_A_1 and userEK_1. At t=0.5, deviceB creates 512 // devicekEK_B_1. At t=1, deviceEK_A_2 and userEK_2 are created and at t=1.5 513 // deviceEK_B_2 is created. deviceEK_B_1 cannot be deleted until userEK_2 is 514 // expired, or deviceB will delete it's deviceEK early. Since userEK_3 has not 515 // yet been created, we may have to keep deviceEK_B_1 around until userEK_2 is 516 // stale, at which time no more teamEKs will be encrypted by it. To account for 517 // this (without having to interact with the userEK level via server 518 // assistance) we extend the lifetime of deviceEK_B_1 to expire 519 // `libkb.MaxEphemeralContentLifetime` after the creation of deviceEK_B_3, with 520 // a maximum window of `libkb.MaxEphemeralKeyStaleness`. This is correct 521 // because userEK_3 *must* be created at or before deviceEK_B_3's creation. 522 func (s *DeviceEKStorage) getExpiredGenerations(mctx libkb.MetaContext, keyMap keyExpiryMap, now time.Time) (expired []keybase1.EkGeneration) { 523 // Sort the generations we have so we can walk through them in order. 524 var keys []keybase1.EkGeneration 525 for k := range keyMap { 526 keys = append(keys, k) 527 } 528 sort.Slice(keys, func(i, j int) bool { return keys[i] < keys[j] }) 529 530 for i, generation := range keys { 531 keyCtime := keyMap[generation].Time() 532 533 // Offset between the current key and the generation after it. Allowed 534 // to be at most libkb.MaxEphemeralKeyStaleness 535 expiryOffset1 := libkb.MaxEphemeralKeyStaleness 536 if i < len(keys)-1 { 537 expiryOffset1 = keyMap[keys[i+1]].Time().Sub(keyCtime) 538 // Offset can be max libkb.MaxEphemeralKeyStaleness 539 if expiryOffset1 > libkb.MaxEphemeralKeyStaleness { 540 expiryOffset1 = libkb.MaxEphemeralKeyStaleness 541 } 542 } 543 544 // Offset between the key one generation older and two generations 545 // older than the current key. Allowed to be at most 546 // libkb.MaxEphemeralKeyStaleness 547 expiryOffset2 := libkb.MaxEphemeralKeyStaleness 548 if i < len(keys)-2 { 549 expiryOffset2 = keyMap[keys[i+2]].Time().Sub(keyMap[keys[i+1]].Time()) 550 if expiryOffset2 > libkb.MaxEphemeralKeyStaleness { 551 expiryOffset2 = libkb.MaxEphemeralKeyStaleness 552 } 553 } 554 555 expiryOffset := expiryOffset1 + expiryOffset2 556 if now.Sub(keyCtime) >= (libkb.MinEphemeralKeyLifetime + expiryOffset) { 557 s.ekLogf(mctx, "getExpiredGenerations: expired generation:%v, now: %v, keyCtime:%v, expiryOffset:%v, keyMap: %v, i:%v", 558 generation, now, keyCtime, expiryOffset, keyMap, i) 559 expired = append(expired, generation) 560 } 561 } 562 return expired 563 } 564 565 func (s *DeviceEKStorage) deletedWrongEldestSeqno(mctx libkb.MetaContext) (err error) { 566 keys, err := s.storage.AllKeys(mctx, deviceEKSuffix) 567 if err != nil { 568 return err 569 } 570 uv, err := mctx.G().GetMeUV(mctx.Ctx()) 571 if err != nil { 572 return err 573 } 574 epick := libkb.FirstErrorPicker{} 575 for _, key := range keys { 576 eldestSeqno := s.keyToEldestSeqno(mctx, key) 577 if eldestSeqno < 0 { 578 continue 579 } 580 if eldestSeqno != uv.EldestSeqno { 581 s.ekLogf(mctx, "DeviceEKStorage#deletedWrongEldestSeqno: key: %v, uv: %v", key, uv) 582 epick.Push(s.storage.Erase(mctx, key)) 583 } 584 } 585 return epick.Error() 586 } 587 588 func (s *DeviceEKStorage) ForceDeleteAll(mctx libkb.MetaContext, username libkb.NormalizedUsername) (err error) { 589 defer s.ekLogCTrace(mctx, "DeviceEKStorage#ForceDeleteAll", &err)() 590 591 s.Lock() 592 defer s.Unlock() 593 594 // only delete if the key is owned by the current user 595 keys, err := s.listAllForUser(mctx, username) 596 if err != nil { 597 return err 598 } 599 epick := libkb.FirstErrorPicker{} 600 for _, key := range keys { 601 s.ekLogf(mctx, "DeviceEKStorage#ForceDeleteAll: key: %v", key) 602 epick.Push(s.storage.Erase(mctx, key)) 603 } 604 605 s.clearCache() 606 return epick.Error() 607 }