feat(e2ee) add ability to verify participants using a SAS mechanism

It implements SAS verification as per the Matrix spec, adapted to our environment.

JitsiConference.js

@@ -3896,6 +3896,40 @@ JitsiConference.prototype.setMediaEncryptionKey = function(keyInfo) {
     this._e2eEncryption.setEncryptionKey(keyInfo);
 };
 
+/**
+ * Starts the participant verification process.
+ *
+ * @param {string} participantId The participant which will be marked as verified.
+ * @returns {void}
+ */
+JitsiConference.prototype.startVerification = function(participantId) {
+    const participant = this.getParticipantById(participantId);
+
+    if (!participant) {
+        return;
+    }
+
+    this._e2eEncryption.startVerification(participant);
+};
+
+/**
+ * Marks the given participant as verified. After this is done, MAC verification will
+ * be performed and an event will be emitted with the result.
+ *
+ * @param {string} participantId The participant which will be marked as verified.
+ * @param {boolean} isVerified - whether the verification was succesfull.
+ * @returns {void}
+ */
+JitsiConference.prototype.markParticipantVerified = function(participantId, isVerified) {
+    const participant = this.getParticipantById(participantId);
+
+    if (!participant) {
+        return;
+    }
+
+    this._e2eEncryption.markParticipantVerified(participant, isVerified);
+};
+
 /**
  * Returns <tt>true</tt> if lobby support is enabled in the backend.
  *

JitsiConferenceEvents.spec.ts

@@ -23,6 +23,9 @@ describe( "/JitsiConferenceEvents members", () => {
         DOMINANT_SPEAKER_CHANGED,
         CONFERENCE_CREATED_TIMESTAMP,
         DTMF_SUPPORT_CHANGED,
+        E2EE_VERIFICATION_AVAILABLE,
+        E2EE_VERIFICATION_READY,
+        E2EE_VERIFICATION_COMPLETED,
         ENDPOINT_MESSAGE_RECEIVED,
         ENDPOINT_STATS_RECEIVED,
         JVB121_STATUS,
@@ -228,6 +231,9 @@ describe( "/JitsiConferenceEvents members", () => {
         expect( JitsiConferenceEvents.BREAKOUT_ROOMS_MOVE_TO_ROOM ).toBe( 'conference.breakout-rooms.move-to-room' );
         expect( JitsiConferenceEvents.BREAKOUT_ROOMS_UPDATED ).toBe( 'conference.breakout-rooms.updated' );
         expect( JitsiConferenceEvents.METADATA_UPDATED ).toBe( 'conference.metadata.updated' );
+        expect( JitsiConferenceEvents.E2EE_VERIFICATION_READY ).toBe( 'conference.e2ee.verification.ready' );
+        expect( JitsiConferenceEvents.E2EE_VERIFICATION_COMPLETED ).toBe( 'conference.e2ee.verification.completed' );
+        expect( JitsiConferenceEvents.E2EE_VERIFICATION_AVAILABLE ).toBe( 'conference.e2ee.verification.available' );
     } );
 
 it( "unknown members", () => {

JitsiConferenceEvents.ts

@@ -453,7 +453,13 @@ export enum JitsiConferenceEvents {
     /**
      * Event fired when the conference metadata is updated.
      */
-    METADATA_UPDATED = 'conference.metadata.updated'
+    METADATA_UPDATED = 'conference.metadata.updated',
+
+    E2EE_VERIFICATION_AVAILABLE = 'conference.e2ee.verification.available',
+
+    E2EE_VERIFICATION_READY = 'conference.e2ee.verification.ready',
+
+    E2EE_VERIFICATION_COMPLETED = 'conference.e2ee.verification.completed'
 };
 
 // exported for backward compatibility
@@ -478,6 +484,9 @@ export const CONFERENCE_CREATED_TIMESTAMP = JitsiConferenceEvents.CONFERENCE_CRE
 export const DTMF_SUPPORT_CHANGED = JitsiConferenceEvents.DTMF_SUPPORT_CHANGED;
 export const ENDPOINT_MESSAGE_RECEIVED = JitsiConferenceEvents.ENDPOINT_MESSAGE_RECEIVED;
 export const ENDPOINT_STATS_RECEIVED = JitsiConferenceEvents.ENDPOINT_STATS_RECEIVED;
+export const E2EE_VERIFICATION_AVAILABLE = JitsiConferenceEvents.E2EE_VERIFICATION_AVAILABLE;
+export const E2EE_VERIFICATION_READY = JitsiConferenceEvents.E2EE_VERIFICATION_READY;
+export const E2EE_VERIFICATION_COMPLETED = JitsiConferenceEvents.E2EE_VERIFICATION_COMPLETED;
 export const JVB121_STATUS = JitsiConferenceEvents.JVB121_STATUS;
 export const KICKED = JitsiConferenceEvents.KICKED;
 export const PARTICIPANT_KICKED = JitsiConferenceEvents.PARTICIPANT_KICKED;

modules/e2ee/E2EEErrors.ts

@@ -0,0 +1,8 @@
+export enum E2EEErrors {
+    E2EE_SAS_KEYS_MAC_MISMATCH = 'e2ee.sas.keys-mac-mismatch',
+    E2EE_SAS_MAC_MISMATCH = 'e2ee.sas.mac-mismatch',
+    E2EE_SAS_MISSING_KEY =  'e2ee.sas.missing-key',
+    E2EE_SAS_COMMITMENT_MISMATCHED =  'e2ee.sas.commitment-mismatched',
+    E2EE_SAS_CHANNEL_VERIFICATION_FAILED = 'e2ee.sas.channel-verification-failed',
+    E2EE_SAS_INVALID_SAS_VERIFICATION =  'e2ee.sas.invalid-sas-verification',
+}

modules/e2ee/E2EEncryption.js

@@ -71,4 +71,25 @@ export class E2EEncryption {
     setEncryptionKey(keyInfo) {
         this._keyHandler.setKey(keyInfo);
     }
+
+    /**
+     * Starts the verification process of the participant
+     *
+     * @param {Participant} - participant to be verified.
+     * @returns {void}
+     */
+    startVerification(participant) {
+        this._keyHandler.sasVerification?.startVerification(participant);
+    }
+
+    /**
+     * Marks the channel as verified
+     *
+     * @param {Participant} - participant to be verified.
+     * @param {boolean} isVerified - whether the verification was succesfull.
+     * @returns {void}
+     */
+    markParticipantVerified(participant, isVerified) {
+        this._keyHandler.sasVerification?.markParticipantVerified(participant, isVerified);
+    }
 }

modules/e2ee/ManagedKeyHandler.js

@@ -36,6 +36,18 @@ export class ManagedKeyHandler extends KeyHandler {
             OlmAdapter.events.PARTICIPANT_KEY_UPDATED,
             this._onParticipantKeyUpdated.bind(this));
 
+        this._olmAdapter.on(
+            OlmAdapter.events.PARTICIPANT_SAS_READY,
+            this._onParticipantSasReady.bind(this));
+
+        this._olmAdapter.on(
+            OlmAdapter.events.PARTICIPANT_SAS_AVAILABLE,
+            this._onParticipantSasAvailable.bind(this));
+
+        this._olmAdapter.on(
+            OlmAdapter.events.PARTICIPANT_VERIFICATION_COMPLETED,
+            this._onParticipantVerificationCompleted.bind(this));
+
         this.conference.on(
             JitsiConferenceEvents.PARTICIPANT_PROPERTY_CHANGED,
             this._onParticipantPropertyChanged.bind(this));
@@ -52,6 +64,15 @@ export class ManagedKeyHandler extends KeyHandler {
                 });
     }
 
+    /**
+     * Returns the sasVerficiation object.
+     *
+     * @returns {Object}
+     */
+    get sasVerification() {
+        return this._olmAdapter;
+    }
+
     /**
      * When E2EE is enabled it initializes sessions and sets the key.
      * Cleans up the sessions when disabled.
@@ -167,6 +188,39 @@ export class ManagedKeyHandler extends KeyHandler {
         this.e2eeCtx.setKey(id, key, index);
     }
 
+    /**
+     * Handles the SAS ready event.
+     *
+     * @param {string} pId - The participant ID.
+     * @param {Uint8Array} sas - The bytes from sas.generate_bytes..
+     * @private
+     */
+    _onParticipantSasReady(pId, sas) {
+        this.conference.eventEmitter.emit(JitsiConferenceEvents.E2EE_VERIFICATION_READY, pId, sas);
+    }
+
+    /**
+     * Handles the sas available event.
+     *
+     * @param {string} pId - The participant ID.
+     * @private
+     */
+    _onParticipantSasAvailable(pId) {
+        this.conference.eventEmitter.emit(JitsiConferenceEvents.E2EE_VERIFICATION_AVAILABLE, pId);
+    }
+
+
+    /**
+     * Handles the SAS completed event.
+     *
+     * @param {string} pId - The participant ID.
+     * @param {boolean} success - Wheter the verification was succesfull.
+     * @private
+     */
+    _onParticipantVerificationCompleted(pId, success, message) {
+        this.conference.eventEmitter.emit(JitsiConferenceEvents.E2EE_VERIFICATION_COMPLETED, pId, success, message);
+    }
+
     /**
      * Generates a new 256 bit random key.
      *

modules/e2ee/OlmAdapter.js

@@ -10,6 +10,9 @@ import Deferred from '../util/Deferred';
 import Listenable from '../util/Listenable';
 import { FEATURE_E2EE, JITSI_MEET_MUC_TYPE } from '../xmpp/xmpp';
 
+import { E2EEErrors } from './E2EEErrors';
+import { generateSas } from './SAS';
+
 const logger = getLogger(__filename);
 
 const REQ_TIMEOUT = 5 * 1000;
@@ -19,15 +22,25 @@ const OLM_MESSAGE_TYPES = {
     KEY_INFO: 'key-info',
     KEY_INFO_ACK: 'key-info-ack',
     SESSION_ACK: 'session-ack',
-    SESSION_INIT: 'session-init'
+    SESSION_INIT: 'session-init',
+    SAS_START: 'sas-start',
+    SAS_ACCEPT: 'sas-accept',
+    SAS_KEY: 'sas-key',
+    SAS_MAC: 'sas-mac'
 };
 
+const OLM_SAS_NUM_BYTES = 6;
+const OLM_KEY_VERIFICATION_MAC_INFO = 'Jitsi-KEY_VERIFICATION_MAC';
+const OLM_KEY_VERIFICATION_MAC_KEY_IDS = 'Jitsi-KEY_IDS';
+
 const kOlmData = Symbol('OlmData');
 
 const OlmAdapterEvents = {
-    OLM_ID_KEY_READY: 'olm.id_key_ready',
     PARTICIPANT_E2EE_CHANNEL_READY: 'olm.participant_e2ee_channel_ready',
-    PARTICIPANT_KEY_UPDATED: 'olm.partitipant_key_updated'
+    PARTICIPANT_SAS_AVAILABLE: 'olm.participant_sas_available',
+    PARTICIPANT_SAS_READY: 'olm.participant_sas_ready',
+    PARTICIPANT_KEY_UPDATED: 'olm.partitipant_key_updated',
+    PARTICIPANT_VERIFICATION_COMPLETED: 'olm.participant_verification_completed'
 };
 
 /**
@@ -59,8 +72,8 @@ export class OlmAdapter extends Listenable {
 
         this._conf = conference;
         this._init = new Deferred();
-        this._key = undefined;
-        this._keyIndex = -1;
+        this._mediaKey = undefined;
+        this._mediaKeyIndex = -1;
         this._reqs = new Map();
         this._sessionInitialization = undefined;
 
@@ -77,6 +90,15 @@ export class OlmAdapter extends Listenable {
         }
     }
 
+    /**
+     * Returns the current participants conference ID.
+     *
+     * @returns {string}
+     */
+    get myId() {
+        return this._conf.myUserId();
+    }
+
     /**
      * Starts new olm sessions with every other participant that has the participantId "smaller" the localParticipantId.
      */
@@ -124,8 +146,8 @@ export class OlmAdapter extends Listenable {
      */
     async updateKey(key) {
         // Store it locally for new sessions.
-        this._key = key;
-        this._keyIndex++;
+        this._mediaKey = key;
+        this._mediaKeyIndex++;
 
         // Broadcast it.
         const promises = [];
@@ -169,7 +191,7 @@ export class OlmAdapter extends Listenable {
 
         // TODO: retry failed ones?
 
-        return this._keyIndex;
+        return this._mediaKeyIndex;
     }
 
     /**
@@ -177,10 +199,10 @@ export class OlmAdapter extends Listenable {
      * @param {Uint8Array|boolean} key - The new key.
      * @returns {number}
     */
-    updateCurrentKey(key) {
-        this._key = key;
+    updateCurrentMediaKey(key) {
+        this._mediaKey = key;
 
-        return this._keyIndex;
+        return this._mediaKeyIndex;
     }
 
     /**
@@ -196,7 +218,6 @@ export class OlmAdapter extends Listenable {
         }
     }
 
-
     /**
      * Frees the olmData sessions for all participants.
      *
@@ -207,6 +228,48 @@ export class OlmAdapter extends Listenable {
         }
     }
 
+    /**
+     * Sends sacMac if channel verification waas successful.
+     *
+     */
+    markParticipantVerified(participant, isVerified) {
+        const olmData = this._getParticipantOlmData(participant);
+
+        const pId = participant.getId();
+
+        if (!isVerified) {
+            olmData.sasVerification = undefined;
+            logger.warn(`Verification failed for participant ${pId}`);
+            this.eventEmitter.emit(
+                OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                pId,
+                false,
+                E2EEErrors.E2EE_SAS_CHANNEL_VERIFICATION_FAILED);
+
+            return;
+        }
+
+        if (!olmData.sasVerification) {
+            logger.warn(`Participant ${pId} does not have valid sasVerification`);
+            this.eventEmitter.emit(
+                OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                pId,
+                false,
+                E2EEErrors.E2EE_SAS_INVALID_SAS_VERIFICATION);
+
+            return;
+        }
+
+        const { sas, sasMacSent } = olmData.sasVerification;
+
+        if (sas && sas.is_their_key_set() && !sasMacSent) {
+            this._sendSasMac(participant);
+
+            // Mark the MAC as sent so we don't send it multiple times.
+            olmData.sasVerification.sasMacSent = true;
+        }
+    }
+
     /**
      * Internal helper to bootstrap the olm library.
      *
@@ -222,29 +285,99 @@ export class OlmAdapter extends Listenable {
             this._olmAccount = new Olm.Account();
             this._olmAccount.create();
 
-            const idKeys = JSON.parse(this._olmAccount.identity_keys());
-
-            this._idKey = idKeys.curve25519;
+            this._idKeys = JSON.parse(this._olmAccount.identity_keys());
 
             logger.debug(`Olm ${Olm.get_library_version().join('.')} initialized`);
             this._init.resolve();
-            this._onIdKeyReady(this._idKey);
+            this._onIdKeysReady(this._idKeys);
         } catch (e) {
             logger.error('Failed to initialize Olm', e);
             this._init.reject(e);
         }
+    }
+
+    /**
+     * Starts the verification process for the given participant as described here
+     * https://spec.matrix.org/latest/client-server-api/#short-authentication-string-sas-verification
+     *
+     *    |                                 |
+          | m.key.verification.start        |
+          |-------------------------------->|
+          |                                 |
+          |       m.key.verification.accept |
+          |<--------------------------------|
+          |                                 |
+          | m.key.verification.key          |
+          |-------------------------------->|
+          |                                 |
+          |          m.key.verification.key |
+          |<--------------------------------|
+          |                                 |
+          | m.key.verification.mac          |
+          |-------------------------------->|
+          |                                 |
+          |          m.key.verification.mac |
+          |<--------------------------------|
+          |                                 |
+     *
+     * @param {JitsiParticipant} participant - The target participant.
+     * @returns {Promise<void>}
+     * @private
+     */
+    startVerification(participant) {
+        const pId = participant.getId();
+        const olmData = this._getParticipantOlmData(participant);
+
+        if (!olmData.session) {
+            logger.warn(`Tried to start verification with participant ${pId} but we have no session`);
+
+            return;
+        }
+
+        if (olmData.sasVerification) {
+            logger.warn(`There is already a verification in progress with participant ${pId}`);
+
+            return;
+        }
+
+        olmData.sasVerification = {
+            sas: new Olm.SAS(),
+            transactionId: uuidv4()
+        };
 
+        const startContent = {
+            transactionId: olmData.sasVerification.transactionId
+        };
+
+        olmData.sasVerification.startContent = startContent;
+        olmData.sasVerification.isInitiator = true;
+
+        const startMessage = {
+            [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+            olm: {
+                type: OLM_MESSAGE_TYPES.SAS_START,
+                data: startContent
+            }
+        };
+
+        this._sendMessage(startMessage, pId);
     }
 
     /**
      * Publishes our own Olmn id key in presence.
      * @private
      */
-    _onIdKeyReady(idKey) {
-        logger.debug(`Olm id key ready: ${idKey}`);
+    _onIdKeysReady(idKeys) {
+        logger.debug(`Olm id key ready: ${idKeys}`);
 
         // Publish it in presence.
-        this._conf.setLocalParticipantProperty('e2ee.idKey', idKey);
+        for (const keyType in idKeys) {
+            if (idKeys.hasOwnProperty(keyType)) {
+                const key = idKeys[keyType];
+
+                this._conf.setLocalParticipantProperty(`e2ee.idKey.${keyType}`, key);
+            }
+        }
     }
 
     /**
@@ -265,9 +398,9 @@ export class OlmAdapter extends Listenable {
     _encryptKeyInfo(session) {
         const keyInfo = {};
 
-        if (this._key !== undefined) {
-            keyInfo.key = this._key ? base64js.fromByteArray(this._key) : false;
-            keyInfo.keyIndex = this._keyIndex;
+        if (this._mediaKey !== undefined) {
+            keyInfo.key = this._mediaKey ? base64js.fromByteArray(this._mediaKey) : false;
+            keyInfo.keyIndex = this._mediaKeyIndex;
         }
 
         return session.encrypt(JSON.stringify(keyInfo));
@@ -470,6 +603,266 @@ export class OlmAdapter extends Listenable {
             }
             break;
         }
+        case OLM_MESSAGE_TYPES.SAS_START: {
+            if (!olmData.session) {
+                logger.debug(`Received sas init message from ${pId} but we have no session for them!`);
+
+                this._sendError(participant, 'No session found while processing sas-init');
+
+                return;
+            }
+
+            if (olmData.sasVerification?.sas) {
+                logger.warn(`SAS already created for participant ${pId}`);
+                this.eventEmitter.emit(
+                    OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                    pId,
+                    false,
+                    E2EEErrors.E2EE_SAS_INVALID_SAS_VERIFICATION);
+
+                return;
+            }
+
+            const { transactionId } = msg.data;
+
+            const sas = new Olm.SAS();
+
+            olmData.sasVerification = {
+                sas,
+                transactionId,
+                isInitiator: false
+            };
+
+            const pubKey = olmData.sasVerification.sas.get_pubkey();
+            const commitment = this._computeCommitment(pubKey, msg.data);
+
+            /* The first phase of the verification process, the Key agreement phase
+                https://spec.matrix.org/latest/client-server-api/#short-authentication-string-sas-verification
+            */
+            const acceptMessage = {
+                [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+                olm: {
+                    type: OLM_MESSAGE_TYPES.SAS_ACCEPT,
+                    data: {
+                        transactionId,
+                        commitment
+                    }
+                }
+            };
+
+            this._sendMessage(acceptMessage, pId);
+            break;
+        }
+        case OLM_MESSAGE_TYPES.SAS_ACCEPT: {
+            if (!olmData.session) {
+                logger.debug(`Received sas accept message from ${pId} but we have no session for them!`);
+
+                this._sendError(participant, 'No session found while processing sas-accept');
+
+                return;
+            }
+
+            const { commitment, transactionId } = msg.data;
+
+
+            if (!olmData.sasVerification) {
+                logger.warn(`SAS_ACCEPT Participant ${pId} does not have valid sasVerification`);
+                this.eventEmitter.emit(
+                    OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                    pId,
+                    false,
+                    E2EEErrors.E2EE_SAS_INVALID_SAS_VERIFICATION);
+
+                return;
+            }
+
+            if (olmData.sasVerification.sasCommitment) {
+                logger.debug(`Already received sas commitment message from ${pId}!`);
+
+                this._sendError(participant, 'Already received sas commitment message from ${pId}!');
+
+                return;
+            }
+
+            olmData.sasVerification.sasCommitment = commitment;
+
+            const pubKey = olmData.sasVerification.sas.get_pubkey();
+
+            // Send KEY.
+            const keyMessage = {
+                [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+                olm: {
+                    type: OLM_MESSAGE_TYPES.SAS_KEY,
+                    data: {
+                        key: pubKey,
+                        transactionId
+                    }
+                }
+            };
+
+            this._sendMessage(keyMessage, pId);
+
+            olmData.sasVerification.keySent = true;
+            break;
+        }
+        case OLM_MESSAGE_TYPES.SAS_KEY: {
+            if (!olmData.session) {
+                logger.debug(`Received sas key message from ${pId} but we have no session for them!`);
+
+                this._sendError(participant, 'No session found while processing sas-key');
+
+                return;
+            }
+
+            if (!olmData.sasVerification) {
+                logger.warn(`SAS_KEY Participant ${pId} does not have valid sasVerification`);
+                this.eventEmitter.emit(
+                    OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                    pId,
+                    false,
+                    E2EEErrors.E2EE_SAS_INVALID_SAS_VERIFICATION);
+
+                return;
+            }
+
+            const { isInitiator, sas, sasCommitment, startContent, keySent } = olmData.sasVerification;
+
+            if (sas.is_their_key_set()) {
+                logger.warn('SAS already has their key!');
+
+                return;
+            }
+
+            const { key: theirKey, transactionId } = msg.data;
+
+            if (sasCommitment) {
+                const commitment = this._computeCommitment(theirKey, startContent);
+
+                if (sasCommitment !== commitment) {
+                    this._sendError(participant, 'OlmAdapter commitments mismatched');
+                    this.eventEmitter.emit(
+                        OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                        pId,
+                        false,
+                        E2EEErrors.E2EE_SAS_COMMITMENT_MISMATCHED);
+                    olmData.sasVerification.free();
+
+                    return;
+                }
+            }
+
+            sas.set_their_key(theirKey);
+
+            const pubKey = sas.get_pubkey();
+
+            const myInfo = `${this.myId}|${pubKey}`;
+            const theirInfo = `${pId}|${theirKey}`;
+
+            const info = isInitiator ? `${myInfo}|${theirInfo}` : `${theirInfo}|${myInfo}`;
+
+            const sasBytes = sas.generate_bytes(info, OLM_SAS_NUM_BYTES);
+            const generatedSas = generateSas(sasBytes);
+
+            this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_SAS_READY, pId, generatedSas);
+
+            if (keySent) {
+                return;
+            }
+
+            const keyMessage = {
+                [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+                olm: {
+                    type: OLM_MESSAGE_TYPES.SAS_KEY,
+                    data: {
+                        key: pubKey,
+                        transactionId
+                    }
+                }
+            };
+
+            this._sendMessage(keyMessage, pId);
+
+            olmData.sasVerification.keySent = true;
+            break;
+        }
+        case OLM_MESSAGE_TYPES.SAS_MAC: {
+            if (!olmData.session) {
+                logger.debug(`Received sas mac message from ${pId} but we have no session for them!`);
+
+                this._sendError(participant, 'No session found while processing sas-mac');
+
+                return;
+            }
+
+            const { keys, mac, transactionId } = msg.data;
+
+            if (!mac || !keys) {
+                logger.warn('Invalid SAS MAC message');
+
+                return;
+            }
+
+            if (!olmData.sasVerification) {
+                logger.warn(`SAS_MAC Participant ${pId} does not have valid sasVerification`);
+
+                return;
+            }
+
+            const sas = olmData.sasVerification.sas;
+
+            // Verify the received MACs.
+            const baseInfo = `${OLM_KEY_VERIFICATION_MAC_INFO}${pId}${this.myId}${transactionId}`;
+            const keysMac = sas.calculate_mac(
+                Object.keys(mac).sort().join(','), // eslint-disable-line newline-per-chained-call
+                baseInfo + OLM_KEY_VERIFICATION_MAC_KEY_IDS
+            );
+
+            if (keysMac !== keys) {
+                logger.error('SAS verification error: keys MAC mismatch');
+                this.eventEmitter.emit(
+                    OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                    pId,
+                    false,
+                    E2EEErrors.E2EE_SAS_KEYS_MAC_MISMATCH);
+
+                return;
+            }
+
+            if (!olmData.ed25519) {
+                logger.warn('SAS verification error: Missing ed25519 key');
+
+                this.eventEmitter.emit(
+                    OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                    pId,
+                    false,
+                    E2EEErrors.E2EE_SAS_MISSING_KEY);
+
+                return;
+            }
+
+            for (const [ keyInfo, computedMac ] of Object.entries(mac)) {
+                const ourComputedMac = sas.calculate_mac(
+                    olmData.ed25519,
+                    baseInfo + keyInfo
+                );
+
+                if (computedMac !== ourComputedMac) {
+                    logger.error('SAS verification error: MAC mismatch');
+                    this.eventEmitter.emit(
+                        OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED,
+                        pId,
+                        false,
+                        E2EEErrors.E2EE_SAS_MAC_MISMATCH);
+
+                    return;
+                }
+            }
+
+            logger.info(`SAS MAC verified for participant ${pId}`);
+            this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_VERIFICATION_COMPLETED, pId, true);
+
+            break;
+        }
         }
     }
 
@@ -494,11 +887,13 @@ export class OlmAdapter extends Listenable {
     * @private
     */
     async _onParticipantPropertyChanged(participant, name, oldValue, newValue) {
+        const participantId = participant.getId();
+        const olmData = this._getParticipantOlmData(participant);
+
         switch (name) {
         case 'e2ee.enabled':
             if (newValue && this._conf.isE2EEEnabled()) {
                 const localParticipantId = this._conf.myUserId();
-                const participantId = participant.getId();
                 const participantFeatures = await participant.getFeatures();
 
                 if (participantFeatures.has(FEATURE_E2EE) && localParticipantId < participantId) {
@@ -507,7 +902,6 @@ export class OlmAdapter extends Listenable {
                     }
                     await this._sendSessionInit(participant);
 
-                    const olmData = this._getParticipantOlmData(participant);
                     const uuid = uuidv4();
 
                     const d = new Deferred();
@@ -534,6 +928,10 @@ export class OlmAdapter extends Listenable {
                 }
             }
             break;
+        case 'e2ee.idKey.ed25519':
+            olmData.ed25519 = newValue;
+            this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_SAS_AVAILABLE, participantId);
+            break;
         }
     }
 
@@ -613,7 +1011,7 @@ export class OlmAdapter extends Listenable {
             olm: {
                 type: OLM_MESSAGE_TYPES.SESSION_INIT,
                 data: {
-                    idKey: this._idKey,
+                    idKey: this._idKeys.curve25519,
                     otKey,
                     uuid
                 }
@@ -636,6 +1034,60 @@ export class OlmAdapter extends Listenable {
 
         return d;
     }
+
+    /**
+     * Builds and sends the SAS MAC message to the given participant.
+     * The second phase of the verification process, the Key verification phase
+        https://spec.matrix.org/latest/client-server-api/#short-authentication-string-sas-verification
+     */
+    _sendSasMac(participant) {
+        const pId = participant.getId();
+        const olmData = this._getParticipantOlmData(participant);
+        const { sas, transactionId } = olmData.sasVerification;
+
+        // Calculate and send MAC with the keys to be verified.
+        const mac = {};
+        const keyList = [];
+        const baseInfo = `${OLM_KEY_VERIFICATION_MAC_INFO}${this.myId}${pId}${transactionId}`;
+
+        const deviceKeyId = `ed25519:${pId}`;
+
+        mac[deviceKeyId] = sas.calculate_mac(
+            this._idKeys.ed25519,
+            baseInfo + deviceKeyId);
+        keyList.push(deviceKeyId);
+
+        const keys = sas.calculate_mac(
+            keyList.sort().join(','),
+            baseInfo + OLM_KEY_VERIFICATION_MAC_KEY_IDS
+        );
+
+        const macMessage = {
+            [JITSI_MEET_MUC_TYPE]: OLM_MESSAGE_TYPE,
+            olm: {
+                type: OLM_MESSAGE_TYPES.SAS_MAC,
+                data: {
+                    keys,
+                    mac,
+                    transactionId
+                }
+            }
+        };
+
+        this._sendMessage(macMessage, pId);
+    }
+
+    /**
+     * Computes the commitment.
+     */
+    _computeCommitment(pubKey, data) {
+        const olmUtil = new Olm.Utility();
+        const commitment = olmUtil.sha256(pubKey + JSON.stringify(data));
+
+        olmUtil.free();
+
+        return commitment;
+    }
 }
 
 /**

modules/e2ee/SAS.js

@@ -0,0 +1,137 @@
+/* eslint-disable no-bitwise */
+/* eslint-disable no-mixed-operators */
+
+/**
+ * Generates a SAS composed of decimal numbers.
+ * Borrowed from the Matrix JS SDK.
+ *
+ * @param {Uint8Array} sasBytes - The bytes from sas.generate_bytes.
+ * @returns Array<number>
+ */
+function generateDecimalSas(sasBytes) {
+    /**
+     *      +--------+--------+--------+--------+--------+
+     *      | Byte 0 | Byte 1 | Byte 2 | Byte 3 | Byte 4 |
+     *      +--------+--------+--------+--------+--------+
+     * bits: 87654321 87654321 87654321 87654321 87654321
+     *       \____________/\_____________/\____________/
+     *         1st number    2nd number     3rd number
+     */
+    return [
+        (sasBytes[0] << 5 | sasBytes[1] >> 3) + 1000,
+        ((sasBytes[1] & 0x7) << 10 | sasBytes[2] << 2 | sasBytes[3] >> 6) + 1000,
+        ((sasBytes[3] & 0x3f) << 7 | sasBytes[4] >> 1) + 1000
+    ];
+}
+
+const emojiMapping = [
+    [ '🐶', 'dog' ],
+    [ '🐱', 'cat' ],
+    [ '🦁', 'lion' ],
+    [ '🐎', 'horse' ],
+    [ '🦄', 'unicorn' ],
+    [ '🐷', 'pig' ],
+    [ '🐘', 'elephant' ],
+    [ '🐰', 'rabbit' ],
+    [ '🐼', 'panda' ],
+    [ '🐓', 'rooster' ],
+    [ '🐧', 'penguin' ],
+    [ '🐢', 'turtle' ],
+    [ '🐟', 'fish' ],
+    [ '🐙', 'octopus' ],
+    [ '🦋', 'butterfly' ],
+    [ '🌷', 'flower' ],
+    [ '🌳', 'tree' ],
+    [ '🌵', 'cactus' ],
+    [ '🍄', 'mushroom' ],
+    [ '🌏', 'globe' ],
+    [ '🌙', 'moon' ],
+    [ '☁️', 'cloud' ],
+    [ '🔥', 'fire' ],
+    [ '🍌', 'banana' ],
+    [ '🍎', 'apple' ],
+    [ '🍓', 'strawberry' ],
+    [ '🌽', 'corn' ],
+    [ '🍕', 'pizza' ],
+    [ '🎂', 'cake' ],
+    [ '❤️', 'heart' ],
+    [ '🙂', 'smiley' ],
+    [ '🤖', 'robot' ],
+    [ '🎩', 'hat' ],
+    [ '👓', 'glasses' ],
+    [ '🔧', 'spanner' ],
+    [ '🎅', 'santa' ],
+    [ '👍', 'thumbs up' ],
+    [ '☂️', 'umbrella' ],
+    [ '⌛', 'hourglass' ],
+    [ '⏰', 'clock' ],
+    [ '🎁', 'gift' ],
+    [ '💡', 'light bulb' ],
+    [ '📕', 'book' ],
+    [ '✏️', 'pencil' ],
+    [ '📎', 'paperclip' ],
+    [ '✂️', 'scissors' ],
+    [ '🔒', 'lock' ],
+    [ '🔑', 'key' ],
+    [ '🔨', 'hammer' ],
+    [ '☎️', 'telephone' ],
+    [ '🏁', 'flag' ],
+    [ '🚂', 'train' ],
+    [ '🚲', 'bicycle' ],
+    [ '✈️', 'aeroplane' ],
+    [ '🚀', 'rocket' ],
+    [ '🏆', 'trophy' ],
+    [ '⚽', 'ball' ],
+    [ '🎸', 'guitar' ],
+    [ '🎺', 'trumpet' ],
+    [ '🔔', 'bell' ],
+    [ '⚓️', 'anchor' ],
+    [ '🎧', 'headphones' ],
+    [ '📁', 'folder' ],
+    [ '📌', 'pin' ]
+];
+
+/**
+ * Generates a SAS composed of defimal numbers.
+ * Borrowed from the Matrix JS SDK.
+ *
+ * @param {Uint8Array} sasBytes - The bytes from sas.generate_bytes.
+ * @returns Array<number>
+ */
+function generateEmojiSas(sasBytes) {
+    // Just like base64.
+    const emojis = [
+        sasBytes[0] >> 2,
+        (sasBytes[0] & 0x3) << 4 | sasBytes[1] >> 4,
+        (sasBytes[1] & 0xf) << 2 | sasBytes[2] >> 6,
+        sasBytes[2] & 0x3f,
+        sasBytes[3] >> 2,
+        (sasBytes[3] & 0x3) << 4 | sasBytes[4] >> 4,
+        (sasBytes[4] & 0xf) << 2 | sasBytes[5] >> 6
+    ];
+
+    return emojis.map(num => emojiMapping[num]);
+}
+
+const sasGenerators = {
+    decimal: generateDecimalSas,
+    emoji: generateEmojiSas
+};
+
+/**
+ * Generates multiple SAS for the given bytes.
+ *
+ * @param {Uint8Array} sasBytes - The bytes from sas.generate_bytes.
+ * @returns {object}
+ */
+export function generateSas(sasBytes) {
+    const sas = {};
+
+    for (const method in sasGenerators) {
+        if (sasGenerators.hasOwnProperty(method)) {
+            sas[method] = sasGenerators[method](sasBytes);
+        }
+    }
+
+    return sas;
+}