Merge pull request #646 from Nheko-Reborn/historical-key-sharing

Historical key sharing
This commit is contained in:
DeepBlueV7.X 2021-07-18 16:22:45 +00:00 committed by GitHub
commit 1dc20f9164
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 269 additions and 111 deletions

View file

@ -78,6 +78,8 @@ constexpr auto ENCRYPTED_ROOMS_DB("encrypted_rooms");
constexpr auto INBOUND_MEGOLM_SESSIONS_DB("inbound_megolm_sessions");
//! MegolmSessionIndex -> pickled OlmOutboundGroupSession
constexpr auto OUTBOUND_MEGOLM_SESSIONS_DB("outbound_megolm_sessions");
//! MegolmSessionIndex -> session data about which devices have access to this
constexpr auto MEGOLM_SESSIONS_DATA_DB("megolm_sessions_data_db");
using CachedReceipts = std::multimap<uint64_t, std::string, std::greater<uint64_t>>;
using Receipts = std::map<std::string, std::map<std::string, uint64_t>>;
@ -284,6 +286,7 @@ Cache::setup()
// Session management
inboundMegolmSessionDb_ = lmdb::dbi::open(txn, INBOUND_MEGOLM_SESSIONS_DB, MDB_CREATE);
outboundMegolmSessionDb_ = lmdb::dbi::open(txn, OUTBOUND_MEGOLM_SESSIONS_DB, MDB_CREATE);
megolmSessionDataDb_ = lmdb::dbi::open(txn, MEGOLM_SESSIONS_DATA_DB, MDB_CREATE);
txn.commit();
@ -387,9 +390,14 @@ Cache::importSessionKeys(const mtx::crypto::ExportedSessionKeys &keys)
index.session_id = s.session_id;
index.sender_key = s.sender_key;
GroupSessionData data{};
data.forwarding_curve25519_key_chain = s.forwarding_curve25519_key_chain;
if (s.sender_claimed_keys.count("ed25519"))
data.sender_claimed_ed25519_key = s.sender_claimed_keys.at("ed25519");
auto exported_session = mtx::crypto::import_session(s.session_key);
saveInboundMegolmSession(index, std::move(exported_session));
saveInboundMegolmSession(index, std::move(exported_session), data);
ChatPage::instance()->receivedSessionKey(index.room_id, index.session_id);
}
}
@ -400,7 +408,8 @@ Cache::importSessionKeys(const mtx::crypto::ExportedSessionKeys &keys)
void
Cache::saveInboundMegolmSession(const MegolmSessionIndex &index,
mtx::crypto::InboundGroupSessionPtr session)
mtx::crypto::InboundGroupSessionPtr session,
const GroupSessionData &data)
{
using namespace mtx::crypto;
const auto key = json(index).dump();
@ -420,6 +429,7 @@ Cache::saveInboundMegolmSession(const MegolmSessionIndex &index,
}
inboundMegolmSessionDb_.put(txn, key, pickled);
megolmSessionDataDb_.put(txn, key, json(data).dump());
txn.commit();
}
@ -464,7 +474,7 @@ Cache::inboundMegolmSessionExists(const MegolmSessionIndex &index)
void
Cache::updateOutboundMegolmSession(const std::string &room_id,
const OutboundGroupSessionData &data_,
const GroupSessionData &data_,
mtx::crypto::OutboundGroupSessionPtr &ptr)
{
using namespace mtx::crypto;
@ -472,18 +482,20 @@ Cache::updateOutboundMegolmSession(const std::string &room_id,
if (!outboundMegolmSessionExists(room_id))
return;
OutboundGroupSessionData data = data_;
data.message_index = olm_outbound_group_session_message_index(ptr.get());
data.session_id = mtx::crypto::session_id(ptr.get());
data.session_key = mtx::crypto::session_key(ptr.get());
GroupSessionData data = data_;
data.message_index = olm_outbound_group_session_message_index(ptr.get());
MegolmSessionIndex index;
index.room_id = room_id;
index.sender_key = olm::client()->identity_keys().ed25519;
index.session_id = mtx::crypto::session_id(ptr.get());
// Save the updated pickled data for the session.
json j;
j["data"] = data;
j["session"] = pickle<OutboundSessionObject>(ptr.get(), SECRET);
auto txn = lmdb::txn::begin(env_);
outboundMegolmSessionDb_.put(txn, room_id, j.dump());
megolmSessionDataDb_.put(txn, json(index).dump(), json(data).dump());
txn.commit();
}
@ -498,24 +510,32 @@ Cache::dropOutboundMegolmSession(const std::string &room_id)
{
auto txn = lmdb::txn::begin(env_);
outboundMegolmSessionDb_.del(txn, room_id);
// don't delete session data, so that we can still share the session.
txn.commit();
}
}
void
Cache::saveOutboundMegolmSession(const std::string &room_id,
const OutboundGroupSessionData &data,
const GroupSessionData &data_,
mtx::crypto::OutboundGroupSessionPtr &session)
{
using namespace mtx::crypto;
const auto pickled = pickle<OutboundSessionObject>(session.get(), SECRET);
GroupSessionData data = data_;
data.message_index = olm_outbound_group_session_message_index(session.get());
MegolmSessionIndex index;
index.room_id = room_id;
index.sender_key = olm::client()->identity_keys().ed25519;
index.session_id = mtx::crypto::session_id(session.get());
json j;
j["data"] = data;
j["session"] = pickled;
auto txn = lmdb::txn::begin(env_);
outboundMegolmSessionDb_.put(txn, room_id, j.dump());
megolmSessionDataDb_.put(txn, json(index).dump(), json(data).dump());
txn.commit();
}
@ -544,8 +564,17 @@ Cache::getOutboundMegolmSession(const std::string &room_id)
auto obj = json::parse(value);
OutboundGroupSessionDataRef ref{};
ref.data = obj.at("data").get<OutboundGroupSessionData>();
ref.session = unpickle<OutboundSessionObject>(obj.at("session"), SECRET);
MegolmSessionIndex index;
index.room_id = room_id;
index.sender_key = olm::client()->identity_keys().ed25519;
index.session_id = mtx::crypto::session_id(ref.session.get());
if (megolmSessionDataDb_.get(txn, json(index).dump(), value)) {
ref.data = nlohmann::json::parse(value).get<GroupSessionData>();
}
return ref;
} catch (std::exception &e) {
nhlog::db()->error("Failed to retrieve outbound Megolm Session: {}", e.what());
@ -553,6 +582,25 @@ Cache::getOutboundMegolmSession(const std::string &room_id)
}
}
std::optional<GroupSessionData>
Cache::getMegolmSessionData(const MegolmSessionIndex &index)
{
try {
using namespace mtx::crypto;
auto txn = ro_txn(env_);
std::string_view value;
if (megolmSessionDataDb_.get(txn, json(index).dump(), value)) {
return nlohmann::json::parse(value).get<GroupSessionData>();
}
return std::nullopt;
} catch (std::exception &e) {
nhlog::db()->error("Failed to retrieve Megolm Session Data: {}", e.what());
return std::nullopt;
}
}
//
// OLM sessions.
//
@ -829,6 +877,7 @@ Cache::deleteData()
lmdb::dbi_close(env_, inboundMegolmSessionDb_);
lmdb::dbi_close(env_, outboundMegolmSessionDb_);
lmdb::dbi_close(env_, megolmSessionDataDb_);
env_.close();
@ -3525,6 +3574,7 @@ to_json(json &j, const UserKeyCache &info)
{
j["device_keys"] = info.device_keys;
j["seen_device_keys"] = info.seen_device_keys;
j["seen_device_ids"] = info.seen_device_ids;
j["master_keys"] = info.master_keys;
j["master_key_changed"] = info.master_key_changed;
j["user_signing_keys"] = info.user_signing_keys;
@ -3538,6 +3588,7 @@ from_json(const json &j, UserKeyCache &info)
{
info.device_keys = j.value("device_keys", std::map<std::string, mtx::crypto::DeviceKeys>{});
info.seen_device_keys = j.value("seen_device_keys", std::set<std::string>{});
info.seen_device_ids = j.value("seen_device_ids", std::set<std::string>{});
info.master_keys = j.value("master_keys", mtx::crypto::CrossSigningKeys{});
info.master_key_changed = j.value("master_key_changed", false);
info.user_signing_keys = j.value("user_signing_keys", mtx::crypto::CrossSigningKeys{});
@ -3634,6 +3685,15 @@ Cache::updateUserKeys(const std::string &sync_token, const mtx::responses::Query
keyReused = true;
break;
}
if (updateToWrite.seen_device_ids.count(
device_id)) {
nhlog::crypto()->warn(
"device_id '{}' reused by ({})",
device_id,
user);
keyReused = true;
break;
}
}
if (!keyReused && !oldDeviceKeys.count(device_id))
@ -3644,6 +3704,7 @@ Cache::updateUserKeys(const std::string &sync_token, const mtx::responses::Query
(void)key_id;
updateToWrite.seen_device_keys.insert(key);
}
updateToWrite.seen_device_ids.insert(device_id);
}
}
db.put(txn, user, json(updateToWrite).dump());
@ -4077,17 +4138,15 @@ from_json(const json &j, MemberInfo &info)
}
void
to_json(nlohmann::json &obj, const DeviceAndMasterKeys &msg)
to_json(nlohmann::json &obj, const DeviceKeysToMsgIndex &msg)
{
obj["devices"] = msg.devices;
obj["master_keys"] = msg.master_keys;
obj["deviceids"] = msg.deviceids;
}
void
from_json(const nlohmann::json &obj, DeviceAndMasterKeys &msg)
from_json(const nlohmann::json &obj, DeviceKeysToMsgIndex &msg)
{
msg.devices = obj.at("devices").get<decltype(msg.devices)>();
msg.master_keys = obj.at("master_keys").get<decltype(msg.master_keys)>();
msg.deviceids = obj.at("deviceids").get<decltype(msg.deviceids)>();
}
void
@ -4099,30 +4158,31 @@ to_json(nlohmann::json &obj, const SharedWithUsers &msg)
void
from_json(const nlohmann::json &obj, SharedWithUsers &msg)
{
msg.keys = obj.at("keys").get<std::map<std::string, DeviceAndMasterKeys>>();
msg.keys = obj.at("keys").get<std::map<std::string, DeviceKeysToMsgIndex>>();
}
void
to_json(nlohmann::json &obj, const OutboundGroupSessionData &msg)
to_json(nlohmann::json &obj, const GroupSessionData &msg)
{
obj["session_id"] = msg.session_id;
obj["session_key"] = msg.session_key;
obj["message_index"] = msg.message_index;
obj["ts"] = msg.timestamp;
obj["initially"] = msg.initially;
obj["sender_claimed_ed25519_key"] = msg.sender_claimed_ed25519_key;
obj["forwarding_curve25519_key_chain"] = msg.forwarding_curve25519_key_chain;
obj["currently"] = msg.currently;
}
void
from_json(const nlohmann::json &obj, OutboundGroupSessionData &msg)
from_json(const nlohmann::json &obj, GroupSessionData &msg)
{
msg.session_id = obj.at("session_id");
msg.session_key = obj.at("session_key");
msg.message_index = obj.at("message_index");
msg.timestamp = obj.value("ts", 0ULL);
msg.initially = obj.value("initially", SharedWithUsers{});
msg.sender_claimed_ed25519_key = obj.value("sender_claimed_ed25519_key", "");
msg.forwarding_curve25519_key_chain =
obj.value("forwarding_curve25519_key_chain", std::vector<std::string>{});
msg.currently = obj.value("currently", SharedWithUsers{});
}
@ -4522,7 +4582,7 @@ isRoomMember(const std::string &user_id, const std::string &room_id)
//
void
saveOutboundMegolmSession(const std::string &room_id,
const OutboundGroupSessionData &data,
const GroupSessionData &data,
mtx::crypto::OutboundGroupSessionPtr &session)
{
instance_->saveOutboundMegolmSession(room_id, data, session);
@ -4539,7 +4599,7 @@ outboundMegolmSessionExists(const std::string &room_id) noexcept
}
void
updateOutboundMegolmSession(const std::string &room_id,
const OutboundGroupSessionData &data,
const GroupSessionData &data,
mtx::crypto::OutboundGroupSessionPtr &session)
{
instance_->updateOutboundMegolmSession(room_id, data, session);
@ -4566,9 +4626,10 @@ exportSessionKeys()
//
void
saveInboundMegolmSession(const MegolmSessionIndex &index,
mtx::crypto::InboundGroupSessionPtr session)
mtx::crypto::InboundGroupSessionPtr session,
const GroupSessionData &data)
{
instance_->saveInboundMegolmSession(index, std::move(session));
instance_->saveInboundMegolmSession(index, std::move(session), data);
}
mtx::crypto::InboundGroupSessionPtr
getInboundMegolmSession(const MegolmSessionIndex &index)
@ -4580,6 +4641,11 @@ inboundMegolmSessionExists(const MegolmSessionIndex &index)
{
return instance_->inboundMegolmSessionExists(index);
}
std::optional<GroupSessionData>
getMegolmSessionData(const MegolmSessionIndex &index)
{
return instance_->getMegolmSessionData(index);
}
//
// Olm Sessions

View file

@ -200,7 +200,7 @@ isRoomMember(const std::string &user_id, const std::string &room_id);
//
void
saveOutboundMegolmSession(const std::string &room_id,
const OutboundGroupSessionData &data,
const GroupSessionData &data,
mtx::crypto::OutboundGroupSessionPtr &session);
OutboundGroupSessionDataRef
getOutboundMegolmSession(const std::string &room_id);
@ -208,7 +208,7 @@ bool
outboundMegolmSessionExists(const std::string &room_id) noexcept;
void
updateOutboundMegolmSession(const std::string &room_id,
const OutboundGroupSessionData &data,
const GroupSessionData &data,
mtx::crypto::OutboundGroupSessionPtr &session);
void
dropOutboundMegolmSession(const std::string &room_id);
@ -223,11 +223,14 @@ exportSessionKeys();
//
void
saveInboundMegolmSession(const MegolmSessionIndex &index,
mtx::crypto::InboundGroupSessionPtr session);
mtx::crypto::InboundGroupSessionPtr session,
const GroupSessionData &data);
mtx::crypto::InboundGroupSessionPtr
getInboundMegolmSession(const MegolmSessionIndex &index);
bool
inboundMegolmSessionExists(const MegolmSessionIndex &index);
std::optional<GroupSessionData>
getMegolmSessionData(const MegolmSessionIndex &index);
//
// Olm Sessions

View file

@ -27,40 +27,43 @@ enum Trust
Q_ENUM_NS(Trust)
}
struct DeviceAndMasterKeys
struct DeviceKeysToMsgIndex
{
// map from device id or master key id to message_index
std::map<std::string, uint64_t> devices, master_keys;
// map from device key to message_index
// Using the device id is safe because we check for reuse on device list updates
// Using the device id makes our logic much easier to read.
std::map<std::string, uint64_t> deviceids;
};
struct SharedWithUsers
{
// userid to keys
std::map<std::string, DeviceAndMasterKeys> keys;
std::map<std::string, DeviceKeysToMsgIndex> keys;
};
// Extra information associated with an outbound megolm session.
struct OutboundGroupSessionData
struct GroupSessionData
{
std::string session_id;
std::string session_key;
uint64_t message_index = 0;
uint64_t timestamp = 0;
std::string sender_claimed_ed25519_key;
std::vector<std::string> forwarding_curve25519_key_chain;
// who has access to this session.
// Rotate, when a user leaves the room and share, when a user gets added.
SharedWithUsers initially, currently;
SharedWithUsers currently;
};
void
to_json(nlohmann::json &obj, const OutboundGroupSessionData &msg);
to_json(nlohmann::json &obj, const GroupSessionData &msg);
void
from_json(const nlohmann::json &obj, OutboundGroupSessionData &msg);
from_json(const nlohmann::json &obj, GroupSessionData &msg);
struct OutboundGroupSessionDataRef
{
mtx::crypto::OutboundGroupSessionPtr session;
OutboundGroupSessionData data;
GroupSessionData data;
};
struct DevicePublicKeys
@ -134,6 +137,8 @@ struct UserKeyCache
bool master_key_changed = false;
//! Device keys that were already used at least once
std::set<std::string> seen_device_keys;
//! Device ids that were already used at least once
std::set<std::string> seen_device_ids;
};
void

View file

@ -238,12 +238,12 @@ public:
// Outbound Megolm Sessions
//
void saveOutboundMegolmSession(const std::string &room_id,
const OutboundGroupSessionData &data,
const GroupSessionData &data,
mtx::crypto::OutboundGroupSessionPtr &session);
OutboundGroupSessionDataRef getOutboundMegolmSession(const std::string &room_id);
bool outboundMegolmSessionExists(const std::string &room_id) noexcept;
void updateOutboundMegolmSession(const std::string &room_id,
const OutboundGroupSessionData &data,
const GroupSessionData &data,
mtx::crypto::OutboundGroupSessionPtr &session);
void dropOutboundMegolmSession(const std::string &room_id);
@ -254,10 +254,12 @@ public:
// Inbound Megolm Sessions
//
void saveInboundMegolmSession(const MegolmSessionIndex &index,
mtx::crypto::InboundGroupSessionPtr session);
mtx::crypto::InboundGroupSessionPtr session,
const GroupSessionData &data);
mtx::crypto::InboundGroupSessionPtr getInboundMegolmSession(
const MegolmSessionIndex &index);
bool inboundMegolmSessionExists(const MegolmSessionIndex &index);
std::optional<GroupSessionData> getMegolmSessionData(const MegolmSessionIndex &index);
//
// Olm Sessions
@ -676,6 +678,7 @@ private:
lmdb::dbi inboundMegolmSessionDb_;
lmdb::dbi outboundMegolmSessionDb_;
lmdb::dbi megolmSessionDataDb_;
QString localUserId_;
QString cacheDirectory_;

View file

@ -939,12 +939,16 @@ ChatPage::ensureOneTimeKeyCount(const std::map<std::string, uint16_t> &counts)
[](const mtx::responses::UploadKeys &, mtx::http::RequestErr err) {
if (err) {
nhlog::crypto()->warn(
"failed to update one-time keys: {} {}",
"failed to update one-time keys: {} {} {}",
err->matrix_error.error,
static_cast<int>(err->status_code));
return;
static_cast<int>(err->status_code),
static_cast<int>(err->error_code));
if (err->status_code < 400 || err->status_code >= 500)
return;
}
// mark as published anyway, otherwise we may end up in a loop.
olm::mark_keys_as_published();
});
}

View file

@ -123,7 +123,17 @@ handle_to_device_messages(const std::vector<mtx::events::collections::DeviceEven
if (msg_type == to_string(mtx::events::EventType::RoomEncrypted)) {
try {
olm::OlmMessage olm_msg = j_msg;
handle_olm_message(std::move(olm_msg));
cache::client()->query_keys(
olm_msg.sender,
[olm_msg](const UserKeyCache &userKeys, mtx::http::RequestErr e) {
if (e) {
nhlog::crypto()->error(
"Failed to query user keys, dropping olm "
"message");
return;
}
handle_olm_message(std::move(olm_msg), userKeys);
});
} catch (const nlohmann::json::exception &e) {
nhlog::crypto()->warn(
"parsing error for olm message: {} {}", e.what(), j_msg.dump(2));
@ -197,7 +207,7 @@ handle_to_device_messages(const std::vector<mtx::events::collections::DeviceEven
}
void
handle_olm_message(const OlmMessage &msg)
handle_olm_message(const OlmMessage &msg, const UserKeyCache &otherUserDeviceKeys)
{
nhlog::crypto()->info("sender : {}", msg.sender);
nhlog::crypto()->info("sender_key: {}", msg.sender_key);
@ -209,7 +219,7 @@ handle_olm_message(const OlmMessage &msg)
if (cipher.first != my_key) {
nhlog::crypto()->debug(
"Skipping message for {} since we are {}.", cipher.first, my_key);
continue;
return;
}
const auto type = cipher.second.type;
@ -231,6 +241,57 @@ handle_olm_message(const OlmMessage &msg)
if (!payload.is_null()) {
mtx::events::collections::DeviceEvents device_event;
// Other properties are included in order to prevent an attacker from
// publishing someone else's curve25519 keys as their own and subsequently
// claiming to have sent messages which they didn't. sender must correspond
// to the user who sent the event, recipient to the local user, and
// recipient_keys to the local ed25519 key.
std::string receiver_ed25519 = payload["recipient_keys"]["ed25519"];
if (receiver_ed25519.empty() ||
receiver_ed25519 != olm::client()->identity_keys().ed25519) {
nhlog::crypto()->warn(
"Decrypted event doesn't include our ed25519: {}",
payload.dump());
return;
}
std::string receiver = payload["recipient"];
if (receiver.empty() || receiver != http::client()->user_id().to_string()) {
nhlog::crypto()->warn(
"Decrypted event doesn't include our user_id: {}",
payload.dump());
return;
}
// Clients must confirm that the sender_key and the ed25519 field value
// under the keys property match the keys returned by /keys/query for the
// given user, and must also verify the signature of the payload. Without
// this check, a client cannot be sure that the sender device owns the
// private part of the ed25519 key it claims to have in the Olm payload.
// This is crucial when the ed25519 key corresponds to a verified device.
std::string sender_ed25519 = payload["keys"]["ed25519"];
if (sender_ed25519.empty()) {
nhlog::crypto()->warn(
"Decrypted event doesn't include sender ed25519: {}",
payload.dump());
return;
}
bool from_their_device = false;
for (auto [device_id, key] : otherUserDeviceKeys.device_keys) {
if (key.keys.at("curve25519:" + device_id) == msg.sender_key) {
if (key.keys.at("ed25519:" + device_id) == sender_ed25519) {
from_their_device = true;
break;
}
}
}
if (!from_their_device) {
nhlog::crypto()->warn("Decrypted event isn't sent from a device "
"listed by that user! {}",
payload.dump());
return;
}
{
std::string msg_type = payload["type"];
json event_array = json::array();
@ -242,7 +303,7 @@ handle_olm_message(const OlmMessage &msg)
if (temp_events.empty()) {
nhlog::crypto()->warn("Decrypted unknown event: {}",
payload.dump());
continue;
return;
}
device_event = temp_events.at(0);
}
@ -276,17 +337,20 @@ handle_olm_message(const OlmMessage &msg)
ChatPage::instance()->receivedDeviceVerificationDone(e8->content);
} else if (auto roomKey =
std::get_if<DeviceEvent<msg::RoomKey>>(&device_event)) {
create_inbound_megolm_session(*roomKey, msg.sender_key);
create_inbound_megolm_session(
*roomKey, msg.sender_key, sender_ed25519);
} else if (auto forwardedRoomKey =
std::get_if<DeviceEvent<msg::ForwardedRoomKey>>(
&device_event)) {
forwardedRoomKey->content.forwarding_curve25519_key_chain.push_back(
msg.sender_key);
import_inbound_megolm_session(*forwardedRoomKey);
} else if (auto e =
std::get_if<DeviceEvent<msg::SecretSend>>(&device_event)) {
auto local_user = http::client()->user_id();
if (msg.sender != local_user.to_string())
continue;
return;
auto secret_name =
request_id_to_secret_name.find(e->content.request_id);
@ -306,7 +370,7 @@ handle_olm_message(const OlmMessage &msg)
cache::verificationStatus(local_user.to_string());
if (!verificationStatus)
continue;
return;
auto deviceKeys = cache::userKeys(local_user.to_string());
std::string sender_device_id;
@ -344,7 +408,6 @@ handle_olm_message(const OlmMessage &msg)
"for secrect "
"'{}'",
name);
return;
}
});
@ -364,13 +427,8 @@ handle_olm_message(const OlmMessage &msg)
}
try {
auto otherUserDeviceKeys = cache::userKeys(msg.sender);
if (!otherUserDeviceKeys)
return;
std::map<std::string, std::vector<std::string>> targets;
for (auto [device_id, key] : otherUserDeviceKeys->device_keys) {
for (auto [device_id, key] : otherUserDeviceKeys.device_keys) {
if (key.keys.at("curve25519:" + device_id) == msg.sender_key)
targets[msg.sender].push_back(device_id);
}
@ -450,7 +508,7 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
std::map<std::string, std::vector<std::string>> sendSessionTo;
mtx::crypto::OutboundGroupSessionPtr session = nullptr;
OutboundGroupSessionData group_session_data;
GroupSessionData group_session_data;
if (cache::outboundMegolmSessionExists(room_id)) {
auto res = cache::getOutboundMegolmSession(room_id);
@ -519,7 +577,8 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
} else {
// compare devices
bool device_removed = false;
for (const auto &dev : session_member_it->second.devices) {
for (const auto &dev :
session_member_it->second.deviceids) {
if (!member_it->second ||
!member_it->second->device_keys.count(
dev.first)) {
@ -541,7 +600,7 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
if (member_it->second)
for (const auto &dev :
member_it->second->device_keys)
if (!session_member_it->second.devices
if (!session_member_it->second.deviceids
.count(dev.first) &&
(member_it->first != own_user_id ||
dev.first != device_id))
@ -571,32 +630,28 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
const auto session_key = mtx::crypto::session_key(session.get());
// Saving the new megolm session.
OutboundGroupSessionData session_data{};
session_data.session_id = mtx::crypto::session_id(session.get());
session_data.session_key = mtx::crypto::session_key(session.get());
session_data.message_index = 0;
session_data.timestamp = QDateTime::currentMSecsSinceEpoch();
GroupSessionData session_data{};
session_data.message_index = 0;
session_data.timestamp = QDateTime::currentMSecsSinceEpoch();
session_data.sender_claimed_ed25519_key = olm::client()->identity_keys().ed25519;
sendSessionTo.clear();
for (const auto &[user, devices] : members) {
sendSessionTo[user] = {};
session_data.initially.keys[user] = {};
session_data.currently.keys[user] = {};
if (devices) {
for (const auto &[device_id_, key] : devices->device_keys) {
(void)key;
if (device_id != device_id_ || user != own_user_id) {
sendSessionTo[user].push_back(device_id_);
session_data.initially.keys[user]
.devices[device_id_] = 0;
session_data.currently.keys[user]
.deviceids[device_id_] = 0;
}
}
}
}
cache::saveOutboundMegolmSession(room_id, session_data, session);
group_session_data = std::move(session_data);
{
MegolmSessionIndex index;
index.room_id = room_id;
@ -604,8 +659,12 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
index.sender_key = olm::client()->identity_keys().curve25519;
auto megolm_session =
olm::client()->init_inbound_group_session(session_key);
cache::saveInboundMegolmSession(index, std::move(megolm_session));
cache::saveInboundMegolmSession(
index, std::move(megolm_session), session_data);
}
cache::saveOutboundMegolmSession(room_id, session_data, session);
group_session_data = std::move(session_data);
}
mtx::events::DeviceEvent<mtx::events::msg::RoomKey> megolm_payload{};
@ -641,8 +700,8 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
group_session_data.currently.keys[user] = {};
for (const auto &device_id_ : devices) {
if (!group_session_data.currently.keys[user].devices.count(device_id_))
group_session_data.currently.keys[user].devices[device_id_] =
if (!group_session_data.currently.keys[user].deviceids.count(device_id_))
group_session_data.currently.keys[user].deviceids[device_id_] =
group_session_data.message_index;
}
}
@ -704,7 +763,8 @@ try_olm_decryption(const std::string &sender_key, const mtx::events::msg::OlmCip
void
create_inbound_megolm_session(const mtx::events::DeviceEvent<mtx::events::msg::RoomKey> &roomKey,
const std::string &sender_key)
const std::string &sender_key,
const std::string &sender_ed25519)
{
MegolmSessionIndex index;
index.room_id = roomKey.content.room_id;
@ -712,9 +772,13 @@ create_inbound_megolm_session(const mtx::events::DeviceEvent<mtx::events::msg::R
index.sender_key = sender_key;
try {
GroupSessionData data{};
data.forwarding_curve25519_key_chain = {sender_key};
data.sender_claimed_ed25519_key = sender_ed25519;
auto megolm_session =
olm::client()->init_inbound_group_session(roomKey.content.session_key);
cache::saveInboundMegolmSession(index, std::move(megolm_session));
cache::saveInboundMegolmSession(index, std::move(megolm_session), data);
} catch (const lmdb::error &e) {
nhlog::crypto()->critical("failed to save inbound megolm session: {}", e.what());
return;
@ -741,7 +805,13 @@ import_inbound_megolm_session(
try {
auto megolm_session =
olm::client()->import_inbound_group_session(roomKey.content.session_key);
cache::saveInboundMegolmSession(index, std::move(megolm_session));
GroupSessionData data{};
data.forwarding_curve25519_key_chain =
roomKey.content.forwarding_curve25519_key_chain;
data.sender_claimed_ed25519_key = roomKey.content.sender_claimed_ed25519_key;
cache::saveInboundMegolmSession(index, std::move(megolm_session), data);
} catch (const lmdb::error &e) {
nhlog::crypto()->critical("failed to save inbound megolm session: {}", e.what());
return;
@ -817,21 +887,16 @@ handle_key_request_message(const mtx::events::DeviceEvent<mtx::events::msg::KeyR
return;
}
// Check if we were the sender of the session being requested.
if (req.content.sender_key != olm::client()->identity_keys().curve25519) {
nhlog::crypto()->debug("ignoring key request {} because we were not the sender: "
"\nrequested({}) ours({})",
req.content.request_id,
req.content.sender_key,
olm::client()->identity_keys().curve25519);
return;
}
// Check if we have the keys for the requested session.
auto outboundSession = cache::getOutboundMegolmSession(req.content.room_id);
if (!outboundSession.session) {
nhlog::crypto()->warn("requested session not found in room: {}",
req.content.room_id);
// Check if we were the sender of the session being requested (unless it is actually us
// requesting the session).
if (req.sender != http::client()->user_id().to_string() &&
req.content.sender_key != olm::client()->identity_keys().curve25519) {
nhlog::crypto()->debug(
"ignoring key request {} because we did not create the requested session: "
"\nrequested({}) ours({})",
req.content.request_id,
req.content.sender_key,
olm::client()->identity_keys().curve25519);
return;
}
@ -839,7 +904,15 @@ handle_key_request_message(const mtx::events::DeviceEvent<mtx::events::msg::KeyR
MegolmSessionIndex index{};
index.room_id = req.content.room_id;
index.session_id = req.content.session_id;
index.sender_key = olm::client()->identity_keys().curve25519;
index.sender_key = req.content.sender_key;
// Check if we have the keys for the requested session.
auto sessionData = cache::getMegolmSessionData(index);
if (!sessionData) {
nhlog::crypto()->warn("requested session not found in room: {}",
req.content.room_id);
return;
}
const auto session = cache::getInboundMegolmSession(index);
if (!session) {
@ -873,12 +946,12 @@ handle_key_request_message(const mtx::events::DeviceEvent<mtx::events::msg::KeyR
bool shouldSeeKeys = false;
uint64_t minimumIndex = -1;
if (outboundSession.data.currently.keys.count(req.sender)) {
if (outboundSession.data.currently.keys.at(req.sender)
.devices.count(req.content.requesting_device_id)) {
if (sessionData->currently.keys.count(req.sender)) {
if (sessionData->currently.keys.at(req.sender)
.deviceids.count(req.content.requesting_device_id)) {
shouldSeeKeys = true;
minimumIndex = outboundSession.data.currently.keys.at(req.sender)
.devices.at(req.content.requesting_device_id);
minimumIndex = sessionData->currently.keys.at(req.sender)
.deviceids.at(req.content.requesting_device_id);
}
}
@ -907,8 +980,9 @@ handle_key_request_message(const mtx::events::DeviceEvent<mtx::events::msg::KeyR
forward_key.sender_key = index.sender_key;
// TODO(Nico): Figure out if this is correct
forward_key.sender_claimed_ed25519_key = olm::client()->identity_keys().ed25519;
forward_key.forwarding_curve25519_key_chain = {};
forward_key.sender_claimed_ed25519_key = sessionData->sender_claimed_ed25519_key;
forward_key.forwarding_curve25519_key_chain =
sessionData->forwarding_curve25519_key_chain;
send_megolm_key_to_device(
req.sender, req.content.requesting_device_id, forward_key);
@ -929,6 +1003,7 @@ send_megolm_key_to_device(const std::string &user_id,
std::map<std::string, std::vector<std::string>> targets;
targets[user_id] = {device_id};
send_encrypted_to_device_messages(targets, room_key);
nhlog::crypto()->debug("Forwarded key to {}:{}", user_id, device_id);
}
DecryptionResult

View file

@ -59,12 +59,13 @@ try_olm_decryption(const std::string &sender_key,
const mtx::events::msg::OlmCipherContent &content);
void
handle_olm_message(const OlmMessage &msg);
handle_olm_message(const OlmMessage &msg, const UserKeyCache &otherUserDeviceKeys);
//! Establish a new inbound megolm session with the decrypted payload from olm.
void
create_inbound_megolm_session(const mtx::events::DeviceEvent<mtx::events::msg::RoomKey> &roomKey,
const std::string &sender_key);
const std::string &sender_key,
const std::string &sender_ed25519);
void
import_inbound_megolm_session(
const mtx::events::DeviceEvent<mtx::events::msg::ForwardedRoomKey> &roomKey);

View file

@ -91,7 +91,7 @@ UserSettings::load(std::optional<QString> profile)
privacyScreen_ = settings.value("user/privacy_screen", false).toBool();
privacyScreenTimeout_ = settings.value("user/privacy_screen_timeout", 0).toInt();
shareKeysWithTrustedUsers_ =
settings.value("user/share_keys_with_trusted_users", true).toBool();
settings.value("user/automatically_share_keys_with_trusted_users", false).toBool();
mobileMode_ = settings.value("user/mobile_mode", false).toBool();
emojiFont_ = settings.value("user/emoji_font_family", "default").toString();
baseFontSize_ = settings.value("user/font_size", QFont().pointSizeF()).toDouble();
@ -610,7 +610,8 @@ UserSettings::save()
settings.setValue("decrypt_sidebar", decryptSidebar_);
settings.setValue("privacy_screen", privacyScreen_);
settings.setValue("privacy_screen_timeout", privacyScreenTimeout_);
settings.setValue("share_keys_with_trusted_users", shareKeysWithTrustedUsers_);
settings.setValue("automatically_share_keys_with_trusted_users",
shareKeysWithTrustedUsers_);
settings.setValue("mobile_mode", mobileMode_);
settings.setValue("font_size", baseFontSize_);
settings.setValue("typing_notifications", typingNotifications_);