Show if there are unverified devices in a room

Also fixes some issues where nested transactions will poison the
verification cache.
This commit is contained in:
Nicolas Werner 2021-08-13 23:13:09 +02:00
parent 796e5fcd39
commit 18ea01e198
No known key found for this signature in database
GPG key ID: C8D75E610773F2D9
8 changed files with 221 additions and 73 deletions

View file

@ -35,6 +35,7 @@ Page {
function onCurrentRoomChanged() {
if (Rooms.currentRoom)
roomlist.positionViewAtIndex(Rooms.roomidToIndex(Rooms.currentRoom.roomId), ListView.Contain);
}
target: Rooms

View file

@ -88,6 +88,7 @@ Item {
Loader {
active: room || roomPreview
Layout.fillWidth: true
sourceComponent: MessageView {
implicitHeight: msgView.height - typingIndicator.height
}

View file

@ -15,6 +15,8 @@ Rectangle {
property string roomName: room ? room.roomName : qsTr("No room selected")
property string avatarUrl: room ? room.roomAvatarUrl : ""
property string roomTopic: room ? room.roomTopic : ""
property bool isEncrypted: room ? room.isEncrypted : false
property int trustlevel: room ? room.trustlevel : Crypto.Unverified
Layout.fillWidth: true
implicitHeight: topLayout.height + Nheko.paddingMedium * 2
@ -92,11 +94,33 @@ Rectangle {
text: roomTopic
}
EncryptionIndicator {
Layout.column: 3
Layout.row: 0
Layout.rowSpan: 2
visible: isEncrypted
encrypted: isEncrypted
trust: trustlevel
ToolTip.text: {
if (!encrypted)
return qsTr("This room is not encrypted!");
switch (trust) {
case Crypto.Verified:
return qsTr("This room contains only verified devices.");
case Crypto.TOFU:
return qsTr("This rooms contain verified devices and devices which have never changed their master key.");
default:
return qsTr("This room contains unverified devices!");
}
}
}
ImageButton {
id: roomOptionsButton
visible: !!room
Layout.column: 3
Layout.column: 4
Layout.row: 0
Layout.rowSpan: 2
Layout.alignment: Qt.AlignVCenter

View file

@ -114,7 +114,13 @@ ro_txn(lmdb::env &env)
txn = lmdb::txn::begin(env, nullptr, MDB_RDONLY);
reuse_counter = 0;
} else if (reuse_counter > 0) {
try {
txn.renew();
} catch (...) {
txn.abort();
txn = lmdb::txn::begin(env, nullptr, MDB_RDONLY);
reuse_counter = 0;
}
}
reuse_counter++;
@ -290,6 +296,8 @@ Cache::setup()
// What rooms are encrypted
encryptedRooms_ = lmdb::dbi::open(txn, ENCRYPTED_ROOMS_DB, MDB_CREATE);
[[maybe_unused]] auto verificationDb = getVerificationDb(txn);
[[maybe_unused]] auto userKeysDb = getUserKeysDb(txn);
txn.commit();
@ -861,6 +869,9 @@ Cache::setNextBatchToken(lmdb::txn &txn, const QString &token)
bool
Cache::isInitialized()
{
if (!env_.handle())
return false;
auto txn = ro_txn(env_);
std::string_view token;
@ -3570,6 +3581,37 @@ Cache::roomMembers(const std::string &room_id)
return members;
}
crypto::Trust
Cache::roomVerificationStatus(const std::string &room_id)
{
std::string_view keys;
crypto::Trust trust = crypto::Verified;
try {
auto txn = ro_txn(env_);
auto db = getMembersDb(txn, room_id);
auto keysDb = getUserKeysDb(txn);
std::string_view user_id, unused;
auto cursor = lmdb::cursor::open(txn, db);
while (cursor.get(user_id, unused, MDB_NEXT)) {
auto verif = verificationStatus_(std::string(user_id), txn);
if (verif.unverified_device_count)
return crypto::Unverified;
else if (verif.user_verified == crypto::TOFU)
trust = crypto::TOFU;
}
} catch (std::exception &e) {
nhlog::db()->error(
"Failed to calculate verification status for {}: {}", room_id, e.what());
return crypto::Unverified;
}
return trust;
}
std::map<std::string, std::optional<UserKeyCache>>
Cache::getMembersWithKeys(const std::string &room_id, bool verified_only)
{
@ -3751,11 +3793,17 @@ from_json(const json &j, UserKeyCache &info)
std::optional<UserKeyCache>
Cache::userKeys(const std::string &user_id)
{
auto txn = ro_txn(env_);
return userKeys_(user_id, txn);
}
std::optional<UserKeyCache>
Cache::userKeys_(const std::string &user_id, lmdb::txn &txn)
{
std::string_view keys;
try {
auto txn = ro_txn(env_);
auto db = getUserKeysDb(txn);
auto res = db.get(txn, user_id, keys);
@ -3764,7 +3812,8 @@ Cache::userKeys(const std::string &user_id)
} else {
return {};
}
} catch (std::exception &) {
} catch (std::exception &e) {
nhlog::db()->error("Failed to retrieve user keys for {}: {}", user_id, e.what());
return {};
}
}
@ -3799,8 +3848,14 @@ Cache::updateUserKeys(const std::string &sync_token, const mtx::responses::Query
auto last_changed = updateToWrite.last_changed;
// skip if we are tracking this and expect it to be up to date with the last
// sync token
if (!last_changed.empty() && last_changed != sync_token)
if (!last_changed.empty() && last_changed != sync_token) {
nhlog::db()->debug("Not storing update for user {}, because "
"last_changed {}, but we fetched update for {}",
user,
last_changed,
sync_token);
continue;
}
if (!updateToWrite.master_keys.keys.empty() &&
update.master_keys.keys != updateToWrite.master_keys.keys) {
@ -3859,6 +3914,7 @@ Cache::updateUserKeys(const std::string &sync_token, const mtx::responses::Query
updateToWrite.seen_device_ids.insert(device_id);
}
}
updateToWrite.updated_at = sync_token;
db.put(txn, user, json(updateToWrite).dump());
}
@ -3944,35 +4000,46 @@ void
Cache::query_keys(const std::string &user_id,
std::function<void(const UserKeyCache &, mtx::http::RequestErr)> cb)
{
auto cache_ = cache::userKeys(user_id);
mtx::requests::QueryKeys req;
std::string last_changed;
{
auto txn = ro_txn(env_);
auto cache_ = userKeys_(user_id, txn);
if (cache_.has_value()) {
if (!cache_->updated_at.empty() && cache_->updated_at == cache_->last_changed) {
if (cache_->updated_at == cache_->last_changed) {
cb(cache_.value(), {});
return;
}
}
} else
nhlog::db()->info("Keys outdated for {}: {} vs {}",
user_id,
cache_->updated_at,
cache_->last_changed);
} else
nhlog::db()->info("No keys found for {}", user_id);
mtx::requests::QueryKeys req;
req.device_keys[user_id] = {};
std::string last_changed;
if (cache_)
last_changed = cache_->last_changed;
req.token = last_changed;
}
// use context object so that we can disconnect again
QObject *context{new QObject(this)};
QObject::connect(this,
QObject::connect(
this,
&Cache::verificationStatusChanged,
context,
[cb, user_id, context_ = context](std::string updated_user) mutable {
[cb, user_id, context_ = context, this](std::string updated_user) mutable {
if (user_id == updated_user) {
context_->deleteLater();
auto keys = cache::userKeys(user_id);
auto txn = ro_txn(env_);
auto keys = this->userKeys_(user_id, txn);
cb(keys.value_or(UserKeyCache{}), {});
}
});
},
Qt::QueuedConnection);
http::client()->query_keys(
req,
@ -4000,16 +4067,15 @@ to_json(json &j, const VerificationCache &info)
void
from_json(const json &j, VerificationCache &info)
{
info.device_verified = j.at("device_verified").get<std::vector<std::string>>();
info.device_blocked = j.at("device_blocked").get<std::vector<std::string>>();
info.device_verified = j.at("device_verified").get<std::set<std::string>>();
info.device_blocked = j.at("device_blocked").get<std::set<std::string>>();
}
std::optional<VerificationCache>
Cache::verificationCache(const std::string &user_id)
Cache::verificationCache(const std::string &user_id, lmdb::txn &txn)
{
std::string_view verifiedVal;
auto txn = lmdb::txn::begin(env_);
auto db = getVerificationDb(txn);
try {
@ -4028,6 +4094,7 @@ Cache::verificationCache(const std::string &user_id)
void
Cache::markDeviceVerified(const std::string &user_id, const std::string &key)
{
{
std::string_view val;
@ -4045,11 +4112,12 @@ Cache::markDeviceVerified(const std::string &user_id, const std::string &key)
if (device == key)
return;
verified_state.device_verified.push_back(key);
verified_state.device_verified.insert(key);
db.put(txn, user_id, json(verified_state).dump());
txn.commit();
} catch (std::exception &) {
}
}
const auto local_user = utils::localUser().toStdString();
std::map<std::string, VerificationStatus> tmp;
@ -4086,11 +4154,7 @@ Cache::markDeviceUnverified(const std::string &user_id, const std::string &key)
verified_state = json::parse(val);
}
verified_state.device_verified.erase(
std::remove(verified_state.device_verified.begin(),
verified_state.device_verified.end(),
key),
verified_state.device_verified.end());
verified_state.device_verified.erase(key);
db.put(txn, user_id, json(verified_state).dump());
txn.commit();
@ -4119,6 +4183,13 @@ Cache::markDeviceUnverified(const std::string &user_id, const std::string &key)
VerificationStatus
Cache::verificationStatus(const std::string &user_id)
{
auto txn = ro_txn(env_);
return verificationStatus_(user_id, txn);
}
VerificationStatus
Cache::verificationStatus_(const std::string &user_id, lmdb::txn &txn)
{
std::unique_lock<std::mutex> lock(verification_storage.verification_storage_mtx);
if (verification_storage.status.count(user_id))
@ -4126,7 +4197,11 @@ Cache::verificationStatus(const std::string &user_id)
VerificationStatus status;
if (auto verifCache = verificationCache(user_id)) {
// assume there is at least one unverified device until we have checked we have the device
// list for that user.
status.unverified_device_count = 1;
if (auto verifCache = verificationCache(user_id, txn)) {
status.verified_devices = verifCache->device_verified;
}
@ -4134,12 +4209,10 @@ Cache::verificationStatus(const std::string &user_id)
crypto::Trust trustlevel = crypto::Trust::Unverified;
if (user_id == local_user) {
status.verified_devices.push_back(http::client()->device_id());
status.verified_devices.insert(http::client()->device_id());
trustlevel = crypto::Trust::Verified;
}
verification_storage.status[user_id] = status;
auto verifyAtLeastOneSig = [](const auto &toVerif,
const std::map<std::string, std::string> &keys,
const std::string &keyOwner) {
@ -4157,6 +4230,16 @@ Cache::verificationStatus(const std::string &user_id)
return false;
};
auto updateUnverifiedDevices = [&status](auto &theirDeviceKeys) {
int currentVerifiedDevices = 0;
for (auto device_id : status.verified_devices) {
if (theirDeviceKeys.count(device_id))
currentVerifiedDevices++;
}
status.unverified_device_count =
static_cast<int>(theirDeviceKeys.size()) - currentVerifiedDevices;
};
try {
// for local user verify this device_key -> our master_key -> our self_signing_key
// -> our device_keys
@ -4166,17 +4249,24 @@ Cache::verificationStatus(const std::string &user_id)
//
// This means verifying the other user adds 2 extra steps,verifying our user_signing
// key and their master key
auto ourKeys = userKeys(local_user);
auto theirKeys = userKeys(user_id);
if (!ourKeys || !theirKeys)
auto ourKeys = userKeys_(local_user, txn);
auto theirKeys = userKeys_(user_id, txn);
if (!ourKeys || !theirKeys) {
verification_storage.status[user_id] = status;
return status;
}
// Update verified devices count to count without cross-signing
updateUnverifiedDevices(theirKeys->device_keys);
if (!mtx::crypto::ed25519_verify_signature(
olm::client()->identity_keys().ed25519,
json(ourKeys->master_keys),
ourKeys->master_keys.signatures.at(local_user)
.at("ed25519:" + http::client()->device_id())))
.at("ed25519:" + http::client()->device_id()))) {
verification_storage.status[user_id] = status;
return status;
}
auto master_keys = ourKeys->master_keys.keys;
@ -4191,14 +4281,17 @@ Cache::verificationStatus(const std::string &user_id)
trustlevel = crypto::Trust::Verified;
else if (!theirKeys->master_key_changed)
trustlevel = crypto::Trust::TOFU;
else
else {
verification_storage.status[user_id] = status;
return status;
}
master_keys = theirKeys->master_keys.keys;
}
status.user_verified = trustlevel;
verification_storage.status[user_id] = status;
if (!verifyAtLeastOneSig(theirKeys->self_signing_keys, master_keys, user_id))
return status;
@ -4209,16 +4302,19 @@ Cache::verificationStatus(const std::string &user_id)
device_key.keys.at("curve25519:" + device_key.device_id);
if (verifyAtLeastOneSig(
device_key, theirKeys->self_signing_keys.keys, user_id)) {
status.verified_devices.push_back(device_key.device_id);
status.verified_devices.insert(device_key.device_id);
status.verified_device_keys[identkey] = trustlevel;
}
} catch (...) {
}
}
updateUnverifiedDevices(theirKeys->device_keys);
verification_storage.status[user_id] = status;
return status;
} catch (std::exception &) {
} catch (std::exception &e) {
nhlog::db()->error(
"Failed to calculate verification status of {}: {}", user_id, e.what());
return status;
}
}

View file

@ -112,9 +112,11 @@ struct VerificationStatus
//! True, if the users master key is verified
crypto::Trust user_verified = crypto::Trust::Unverified;
//! List of all devices marked as verified
std::vector<std::string> verified_devices;
std::set<std::string> verified_devices;
//! Map from sender key/curve25519 to trust status
std::map<std::string, crypto::Trust> verified_device_keys;
//! Count of unverified devices
int unverified_device_count = 0;
};
//! In memory cache of verification status
@ -154,9 +156,9 @@ from_json(const nlohmann::json &j, UserKeyCache &info);
struct VerificationCache
{
//! list of verified device_ids with device-verification
std::vector<std::string> device_verified;
std::set<std::string> device_verified;
//! list of devices the user blocks
std::vector<std::string> device_blocked;
std::set<std::string> device_blocked;
};
void

View file

@ -46,7 +46,6 @@ public:
std::string statusMessage(const std::string &user_id);
// user cache stores user keys
std::optional<UserKeyCache> userKeys(const std::string &user_id);
std::map<std::string, std::optional<UserKeyCache>> getMembersWithKeys(
const std::string &room_id,
bool verified_only);
@ -63,9 +62,11 @@ public:
std::function<void(const UserKeyCache &, mtx::http::RequestErr)> cb);
// device & user verification cache
std::optional<UserKeyCache> userKeys(const std::string &user_id);
VerificationStatus verificationStatus(const std::string &user_id);
void markDeviceVerified(const std::string &user_id, const std::string &device);
void markDeviceUnverified(const std::string &user_id, const std::string &device);
crypto::Trust roomVerificationStatus(const std::string &room_id);
std::vector<std::string> joinedRooms();
@ -681,7 +682,10 @@ private:
return QString::fromStdString(event.state_key);
}
std::optional<VerificationCache> verificationCache(const std::string &user_id);
std::optional<VerificationCache> verificationCache(const std::string &user_id,
lmdb::txn &txn);
VerificationStatus verificationStatus_(const std::string &user_id, lmdb::txn &txn);
std::optional<UserKeyCache> userKeys_(const std::string &user_id, lmdb::txn &txn);
void setNextBatchToken(lmdb::txn &txn, const std::string &token);
void setNextBatchToken(lmdb::txn &txn, const QString &token);

View file

@ -418,6 +418,14 @@ TimelineModel::TimelineModel(TimelineViewManager *manager, QString room_id, QObj
&events,
&EventStore::enableKeyRequests);
connect(this, &TimelineModel::encryptionChanged, this, &TimelineModel::trustlevelChanged);
connect(
this, &TimelineModel::roomMemberCountChanged, this, &TimelineModel::trustlevelChanged);
connect(cache::client(),
&Cache::verificationStatusChanged,
this,
&TimelineModel::trustlevelChanged);
showEventTimer.callOnTimeout(this, &TimelineModel::scrollTimerEvent);
}
@ -1993,6 +2001,15 @@ TimelineModel::roomTopic() const
QString::fromStdString(info[room_id_].topic).toHtmlEscaped()));
}
crypto::Trust
TimelineModel::trustlevel() const
{
if (!isEncrypted_)
return crypto::Trust::Unverified;
return cache::client()->roomVerificationStatus(room_id_.toStdString());
}
int
TimelineModel::roomMemberCount() const
{

View file

@ -175,6 +175,7 @@ class TimelineModel : public QAbstractListModel
Q_PROPERTY(int roomMemberCount READ roomMemberCount NOTIFY roomMemberCountChanged)
Q_PROPERTY(bool isEncrypted READ isEncrypted NOTIFY encryptionChanged)
Q_PROPERTY(bool isSpace READ isSpace CONSTANT)
Q_PROPERTY(int trustlevel READ trustlevel NOTIFY trustlevelChanged)
Q_PROPERTY(InputBar *input READ input CONSTANT)
Q_PROPERTY(Permissions *permissions READ permissions NOTIFY permissionsChanged)
@ -287,6 +288,7 @@ public:
DescInfo lastMessage() const { return lastMessage_; }
bool isSpace() const { return isSpace_; }
bool isEncrypted() const { return isEncrypted_; }
crypto::Trust trustlevel() const;
int roomMemberCount() const;
public slots:
@ -372,6 +374,7 @@ signals:
void updateFlowEventId(std::string event_id);
void encryptionChanged();
void trustlevelChanged();
void roomNameChanged();
void plainRoomNameChanged();
void roomTopicChanged();