Store secrets in keychain

This commit is contained in:
Nicolas Werner 2020-12-16 22:10:09 +01:00
parent 7f1f747203
commit 7b46aa2a6e
11 changed files with 320 additions and 12 deletions

View file

@ -136,6 +136,7 @@ endif()
find_package(Qt5 COMPONENTS Core Widgets LinguistTools Concurrent Svg Multimedia Qml QuickControls2 QuickWidgets REQUIRED)
find_package(Qt5QuickCompiler)
find_package(Qt5DBus)
find_package(Qt5Keychain REQUIRED)
if (APPLE)
find_package(Qt5MacExtras REQUIRED)
@ -587,6 +588,7 @@ target_link_libraries(nheko PRIVATE
Qt5::Qml
Qt5::QuickControls2
Qt5::QuickWidgets
qt5keychain
nlohmann_json::nlohmann_json
lmdbxx::lmdbxx
liblmdb::lmdb

View file

@ -24,9 +24,10 @@
#include <QFile>
#include <QHash>
#include <QMap>
#include <QSettings>
#include <QStandardPaths>
#include <qt5keychain/keychain.h>
#include <mtx/responses/common.hpp>
#include "Cache.h"
@ -569,6 +570,64 @@ Cache::restoreOlmAccount()
return std::string(pickled.data(), pickled.size());
}
void
Cache::storeSecret(const std::string &name, const std::string &secret)
{
QKeychain::WritePasswordJob job(QCoreApplication::applicationName());
job.setAutoDelete(false);
job.setInsecureFallback(true);
job.setKey(QString::fromStdString(name));
job.setTextData(QString::fromStdString(secret));
QEventLoop loop;
job.connect(&job, &QKeychain::Job::finished, &loop, &QEventLoop::quit);
job.start();
loop.exec();
if (job.error()) {
nhlog::db()->warn(
"Storing secret '{}' failed: {}", name, job.errorString().toStdString());
} else {
emit secretChanged(name);
}
}
void
Cache::deleteSecret(const std::string &name)
{
QKeychain::DeletePasswordJob job(QCoreApplication::applicationName());
job.setAutoDelete(false);
job.setInsecureFallback(true);
job.setKey(QString::fromStdString(name));
QEventLoop loop;
job.connect(&job, &QKeychain::Job::finished, &loop, &QEventLoop::quit);
job.start();
loop.exec();
emit secretChanged(name);
}
std::optional<std::string>
Cache::secret(const std::string &name)
{
QKeychain::ReadPasswordJob job(QCoreApplication::applicationName());
job.setAutoDelete(false);
job.setInsecureFallback(true);
job.setKey(QString::fromStdString(name));
QEventLoop loop;
job.connect(&job, &QKeychain::Job::finished, &loop, &QEventLoop::quit);
job.start();
loop.exec();
const QString secret = job.textData();
if (job.error()) {
nhlog::db()->debug(
"Restoring secret '{}' failed: {}", name, job.errorString().toStdString());
return std::nullopt;
}
return secret.toStdString();
}
//
// Media Management
//
@ -726,10 +785,32 @@ void
Cache::deleteData()
{
// TODO: We need to remove the env_ while not accepting new requests.
lmdb::dbi_close(env_, syncStateDb_);
lmdb::dbi_close(env_, roomsDb_);
lmdb::dbi_close(env_, invitesDb_);
lmdb::dbi_close(env_, mediaDb_);
lmdb::dbi_close(env_, readReceiptsDb_);
lmdb::dbi_close(env_, notificationsDb_);
lmdb::dbi_close(env_, devicesDb_);
lmdb::dbi_close(env_, deviceKeysDb_);
lmdb::dbi_close(env_, inboundMegolmSessionDb_);
lmdb::dbi_close(env_, outboundMegolmSessionDb_);
env_.close();
verification_storage.status.clear();
if (!cacheDirectory_.isEmpty()) {
QDir(cacheDirectory_).removeRecursively();
nhlog::db()->info("deleted cache files from disk");
}
deleteSecret(mtx::secret_storage::secrets::megolm_backup_v1);
deleteSecret(mtx::secret_storage::secrets::cross_signing_master);
deleteSecret(mtx::secret_storage::secrets::cross_signing_user_signing);
deleteSecret(mtx::secret_storage::secrets::cross_signing_self_signing);
}
//! migrates db to the current format
@ -4262,4 +4343,15 @@ restoreOlmAccount()
{
return instance_->restoreOlmAccount();
}
void
storeSecret(const std::string &name, const std::string &secret)
{
instance_->storeSecret(name, secret);
}
std::optional<std::string>
secret(const std::string &name)
{
return instance_->secret(name);
}
} // namespace cache

View file

@ -282,4 +282,9 @@ saveOlmAccount(const std::string &pickled);
std::string
restoreOlmAccount();
void
storeSecret(const std::string &name, const std::string &secret);
std::optional<std::string>
secret(const std::string &name);
}

View file

@ -269,6 +269,10 @@ public:
void saveOlmAccount(const std::string &pickled);
std::string restoreOlmAccount();
void storeSecret(const std::string &name, const std::string &secret);
void deleteSecret(const std::string &name);
std::optional<std::string> secret(const std::string &name);
signals:
void newReadReceipts(const QString &room_id, const std::vector<QString> &event_ids);
void roomReadStatus(const std::map<QString, bool> &status);
@ -276,6 +280,7 @@ signals:
void userKeysUpdate(const std::string &sync_token,
const mtx::responses::QueryKeys &keyQuery);
void verificationStatusChanged(const std::string &userid);
void secretChanged(const std::string name);
private:
//! Save an invited room.

View file

@ -372,9 +372,8 @@ ChatPage::ChatPage(QSharedPointer<UserSettings> userSettings, QWidget *parent)
void
ChatPage::logout()
{
deleteConfigs();
resetUI();
deleteConfigs();
emit closing();
connectivityTimer_.stop();
@ -385,12 +384,12 @@ ChatPage::dropToLoginPage(const QString &msg)
{
nhlog::ui()->info("dropping to the login page: {}", msg.toStdString());
deleteConfigs();
resetUI();
http::client()->shutdown();
connectivityTimer_.stop();
resetUI();
deleteConfigs();
emit showLoginPage(msg);
}
@ -418,8 +417,8 @@ ChatPage::deleteConfigs()
settings.remove("");
settings.endGroup();
http::client()->shutdown();
cache::deleteData();
http::client()->clear();
}
void

View file

@ -26,6 +26,7 @@
#include <mtx/responses/login.hpp>
#include "Cache.h"
#include "Cache_p.h"
#include "ChatPage.h"
#include "Config.h"
#include "Logging.h"
@ -294,6 +295,10 @@ MainWindow::showChatPage()
login_page_->reset();
chat_page_->bootstrap(userid, homeserver, token);
connect(cache::client(),
&Cache::secretChanged,
userSettingsPage_,
&UserSettingsPage::updateSecretStatus);
instance_ = this;
}

View file

@ -18,13 +18,13 @@
#include "UserSettingsPage.h"
#include "Utils.h"
static const std::string STORAGE_SECRET_KEY("secret");
constexpr auto MEGOLM_ALGO = "m.megolm.v1.aes-sha2";
namespace {
auto client_ = std::make_unique<mtx::crypto::OlmClient>();
std::map<std::string, std::string> request_id_to_secret_name;
const std::string STORAGE_SECRET_KEY("secret");
constexpr auto MEGOLM_ALGO = "m.megolm.v1.aes-sha2";
}
namespace olm {
@ -221,6 +221,133 @@ handle_olm_message(const OlmMessage &msg)
} else if (auto roomKey = std::get_if<DeviceEvent<msg::ForwardedRoomKey>>(
&device_event)) {
import_inbound_megolm_session(*roomKey);
} else if (auto e =
std::get_if<DeviceEvent<msg::SecretSend>>(&device_event)) {
auto local_user = http::client()->user_id();
if (msg.sender != local_user.to_string())
continue;
auto secret_name =
request_id_to_secret_name.find(e->content.request_id);
if (secret_name != request_id_to_secret_name.end()) {
nhlog::crypto()->info("Received secret: {}",
secret_name->second);
mtx::events::msg::SecretRequest secretRequest{};
secretRequest.action =
mtx::events::msg::RequestAction::Cancellation;
secretRequest.requesting_device_id =
http::client()->device_id();
secretRequest.request_id = e->content.request_id;
auto verificationStatus =
cache::verificationStatus(local_user.to_string());
if (!verificationStatus)
continue;
auto deviceKeys = cache::userKeys(local_user.to_string());
std::string sender_device_id;
if (deviceKeys) {
for (auto &[dev, key] : deviceKeys->device_keys) {
if (key.keys["curve25519:" + dev] ==
msg.sender_key) {
sender_device_id = dev;
break;
}
}
}
std::map<
mtx::identifiers::User,
std::map<std::string, mtx::events::msg::SecretRequest>>
body;
for (const auto &dev :
verificationStatus->verified_devices) {
if (dev != secretRequest.requesting_device_id &&
dev != sender_device_id)
body[local_user][dev] = secretRequest;
}
http::client()
->send_to_device<mtx::events::msg::SecretRequest>(
http::client()->generate_txn_id(),
body,
[name =
secret_name->second](mtx::http::RequestErr err) {
if (err) {
nhlog::net()->error(
"Failed to send request cancellation "
"for secrect "
"'{}'",
name);
return;
}
});
cache::client()->storeSecret(secret_name->second,
e->content.secret);
request_id_to_secret_name.erase(secret_name);
}
} else if (auto e =
std::get_if<DeviceEvent<msg::SecretRequest>>(&device_event)) {
if (e->content.action != mtx::events::msg::RequestAction::Request)
continue;
auto local_user = http::client()->user_id();
if (msg.sender != local_user.to_string())
continue;
auto verificationStatus =
cache::verificationStatus(local_user.to_string());
if (!verificationStatus)
continue;
auto deviceKeys = cache::userKeys(local_user.to_string());
if (!deviceKeys)
continue;
for (auto &[dev, key] : deviceKeys->device_keys) {
if (key.keys["curve25519:" + dev] == msg.sender_key) {
if (std::find(
verificationStatus->verified_devices.begin(),
verificationStatus->verified_devices.end(),
dev) ==
verificationStatus->verified_devices.end())
break;
// this is a verified device
mtx::events::DeviceEvent<
mtx::events::msg::SecretSend>
secretSend;
secretSend.type = EventType::SecretSend;
secretSend.content.request_id =
e->content.request_id;
auto secret =
cache::client()->secret(e->content.name);
if (!secret)
break;
secretSend.content.secret = secret.value();
send_encrypted_to_device_messages(
{{local_user.to_string(), {{dev}}}}, secretSend);
nhlog::net()->info("Sent secret to ({},{})",
local_user.to_string(),
dev);
break;
}
}
}
return;

View file

@ -43,7 +43,11 @@ public:
void initialize(const QMap<QString, RoomInfo> &info);
void sync(const std::map<QString, RoomInfo> &info);
void clear() { rooms_.clear(); };
void clear()
{
rooms_.clear();
rooms_sort_cache_.clear();
};
void updateAvatar(const QString &room_id, const QString &url);
void addRoom(const QString &room_id, const RoomInfo &info);

View file

@ -637,6 +637,15 @@ UserSettingsPage::UserSettingsPage(QSharedPointer<UserSettings> settings, QWidge
deviceFingerprintValue_->setText(utils::humanReadableFingerprint(QString(44, 'X')));
backupSecretCached = new QLabel{this};
masterSecretCached = new QLabel{this};
selfSigningSecretCached = new QLabel{this};
userSigningSecretCached = new QLabel{this};
backupSecretCached->setFont(monospaceFont);
masterSecretCached->setFont(monospaceFont);
selfSigningSecretCached->setFont(monospaceFont);
userSigningSecretCached->setFont(monospaceFont);
auto sessionKeysLabel = new QLabel{tr("Session Keys"), this};
sessionKeysLabel->setFont(font);
sessionKeysLabel->setMargin(OptionMargin);
@ -801,6 +810,27 @@ UserSettingsPage::UserSettingsPage(QSharedPointer<UserSettings> settings, QWidge
formLayout_->addRow(sessionKeysLabel, sessionKeysLayout);
formLayout_->addRow(crossSigningKeysLabel, crossSigningKeysLayout);
boxWrap(tr("Master signing key"),
masterSecretCached,
tr("Your most important key. You don't need to have it cached, since not caching "
"it makes it less likely it can be stolen and it is only needed to rotate your "
"other signing keys."));
boxWrap(tr("User signing key"),
userSigningSecretCached,
tr("The key to verify other users. If it is cached, verifying a user will verify "
"all their devices."));
boxWrap(
tr("Self signing key"),
selfSigningSecretCached,
tr("The key to verify your own devices. If it is cached, verifying one of your devices "
"will mark it verified for all your other devices and for users, that have verified "
"you."));
boxWrap(tr("Backup key"),
backupSecretCached,
tr("The key to decrypt online key backups. If it is cached, you can enable online "
"key backup to store encryption keys securely encrypted on the server."));
updateSecretStatus();
auto scrollArea_ = new QScrollArea{this};
scrollArea_->setFrameShape(QFrame::NoFrame);
scrollArea_->setHorizontalScrollBarPolicy(Qt::ScrollBarAlwaysOff);
@ -1154,3 +1184,30 @@ UserSettingsPage::exportSessionKeys()
QMessageBox::warning(this, tr("Error"), e.what());
}
}
void
UserSettingsPage::updateSecretStatus()
{
QString ok = "QLabel { color : #00cc66; }";
QString notSoOk = "QLabel { color : #ff9933; }";
auto updateLabel = [&, this](QLabel *label, const std::string &secretName) {
if (cache::secret(secretName)) {
label->setStyleSheet(ok);
label->setText(tr("CACHED"));
} else {
if (secretName == mtx::secret_storage::secrets::cross_signing_master)
label->setStyleSheet(ok);
else
label->setStyleSheet(notSoOk);
label->setText(tr("NOT CACHED"));
}
};
updateLabel(masterSecretCached, mtx::secret_storage::secrets::cross_signing_master);
updateLabel(userSigningSecretCached,
mtx::secret_storage::secrets::cross_signing_user_signing);
updateLabel(selfSigningSecretCached,
mtx::secret_storage::secrets::cross_signing_self_signing);
updateLabel(backupSecretCached, mtx::secret_storage::secrets::megolm_backup_v1);
}

View file

@ -253,6 +253,9 @@ signals:
void themeChanged();
void decryptSidebarChanged();
public slots:
void updateSecretStatus();
private slots:
void importSessionKeys();
void exportSessionKeys();
@ -285,6 +288,10 @@ private:
Toggle *mobileMode_;
QLabel *deviceFingerprintValue_;
QLabel *deviceIdValue_;
QLabel *backupSecretCached;
QLabel *masterSecretCached;
QLabel *selfSigningSecretCached;
QLabel *userSigningSecretCached;
QComboBox *themeCombo_;
QComboBox *scaleFactorCombo_;

View file

@ -51,7 +51,12 @@ public:
void sync(const mtx::responses::Rooms &rooms);
void addRoom(const QString &room_id);
void clearAll() { models.clear(); }
void clearAll()
{
timeline_ = nullptr;
emit activeTimelineChanged(nullptr);
models.clear();
}
Q_INVOKABLE TimelineModel *activeTimeline() const { return timeline_; }
Q_INVOKABLE bool isInitialSync() const { return isInitialSync_; }