matrixion/src/Olm.cpp
2021-02-09 20:22:02 +01:00

1314 lines
64 KiB
C++

#include "Olm.h"
#include <QObject>
#include <QTimer>
#include <nlohmann/json.hpp>
#include <variant>
#include <mtx/responses/common.hpp>
#include <mtx/secret_storage.hpp>
#include "Cache.h"
#include "Cache_p.h"
#include "ChatPage.h"
#include "DeviceVerificationFlow.h"
#include "Logging.h"
#include "MatrixClient.h"
#include "UserSettingsPage.h"
#include "Utils.h"
namespace {
auto client_ = std::make_unique<mtx::crypto::OlmClient>();
std::map<std::string, std::string> request_id_to_secret_name;
const std::string STORAGE_SECRET_KEY("secret");
constexpr auto MEGOLM_ALGO = "m.megolm.v1.aes-sha2";
}
namespace olm {
void
from_json(const nlohmann::json &obj, OlmMessage &msg)
{
if (obj.at("type") != "m.room.encrypted")
throw std::invalid_argument("invalid type for olm message");
if (obj.at("content").at("algorithm") != OLM_ALGO)
throw std::invalid_argument("invalid algorithm for olm message");
msg.sender = obj.at("sender");
msg.sender_key = obj.at("content").at("sender_key");
msg.ciphertext = obj.at("content")
.at("ciphertext")
.get<std::map<std::string, mtx::events::msg::OlmCipherContent>>();
}
mtx::crypto::OlmClient *
client()
{
return client_.get();
}
static void
handle_secret_request(const mtx::events::DeviceEvent<mtx::events::msg::SecretRequest> *e,
const std::string &sender)
{
using namespace mtx::events;
if (e->content.action != mtx::events::msg::RequestAction::Request)
return;
auto local_user = http::client()->user_id();
if (sender != local_user.to_string())
return;
auto verificationStatus = cache::verificationStatus(local_user.to_string());
if (!verificationStatus)
return;
auto deviceKeys = cache::userKeys(local_user.to_string());
if (!deviceKeys)
return;
if (std::find(verificationStatus->verified_devices.begin(),
verificationStatus->verified_devices.end(),
e->content.requesting_device_id) ==
verificationStatus->verified_devices.end())
return;
// this is a verified device
mtx::events::DeviceEvent<mtx::events::msg::SecretSend> secretSend;
secretSend.type = EventType::SecretSend;
secretSend.content.request_id = e->content.request_id;
auto secret = cache::client()->secret(e->content.name);
if (!secret)
return;
secretSend.content.secret = secret.value();
send_encrypted_to_device_messages(
{{local_user.to_string(), {{e->content.requesting_device_id}}}}, secretSend);
nhlog::net()->info("Sent secret '{}' to ({},{})",
e->content.name,
local_user.to_string(),
e->content.requesting_device_id);
}
void
handle_to_device_messages(const std::vector<mtx::events::collections::DeviceEvents> &msgs)
{
if (msgs.empty())
return;
nhlog::crypto()->info("received {} to_device messages", msgs.size());
nlohmann::json j_msg;
for (const auto &msg : msgs) {
j_msg = std::visit([](auto &e) { return json(e); }, std::move(msg));
if (j_msg.count("type") == 0) {
nhlog::crypto()->warn("received message with no type field: {}",
j_msg.dump(2));
continue;
}
std::string msg_type = j_msg.at("type");
if (msg_type == to_string(mtx::events::EventType::RoomEncrypted)) {
try {
olm::OlmMessage olm_msg = j_msg;
handle_olm_message(std::move(olm_msg));
} catch (const nlohmann::json::exception &e) {
nhlog::crypto()->warn(
"parsing error for olm message: {} {}", e.what(), j_msg.dump(2));
} catch (const std::invalid_argument &e) {
nhlog::crypto()->warn("validation error for olm message: {} {}",
e.what(),
j_msg.dump(2));
}
} else if (msg_type == to_string(mtx::events::EventType::RoomKeyRequest)) {
nhlog::crypto()->warn("handling key request event: {}", j_msg.dump(2));
try {
mtx::events::DeviceEvent<mtx::events::msg::KeyRequest> req = j_msg;
if (req.content.action == mtx::events::msg::RequestAction::Request)
handle_key_request_message(req);
else
nhlog::crypto()->warn(
"ignore key request (unhandled action): {}",
req.content.request_id);
} catch (const nlohmann::json::exception &e) {
nhlog::crypto()->warn(
"parsing error for key_request message: {} {}",
e.what(),
j_msg.dump(2));
}
} else if (msg_type == to_string(mtx::events::EventType::KeyVerificationAccept)) {
auto message = std::get<
mtx::events::DeviceEvent<mtx::events::msg::KeyVerificationAccept>>(msg);
ChatPage::instance()->receivedDeviceVerificationAccept(message.content);
} else if (msg_type == to_string(mtx::events::EventType::KeyVerificationRequest)) {
auto message = std::get<
mtx::events::DeviceEvent<mtx::events::msg::KeyVerificationRequest>>(msg);
ChatPage::instance()->receivedDeviceVerificationRequest(message.content,
message.sender);
} else if (msg_type == to_string(mtx::events::EventType::KeyVerificationCancel)) {
auto message = std::get<
mtx::events::DeviceEvent<mtx::events::msg::KeyVerificationCancel>>(msg);
ChatPage::instance()->receivedDeviceVerificationCancel(message.content);
} else if (msg_type == to_string(mtx::events::EventType::KeyVerificationKey)) {
auto message =
std::get<mtx::events::DeviceEvent<mtx::events::msg::KeyVerificationKey>>(
msg);
ChatPage::instance()->receivedDeviceVerificationKey(message.content);
} else if (msg_type == to_string(mtx::events::EventType::KeyVerificationMac)) {
auto message =
std::get<mtx::events::DeviceEvent<mtx::events::msg::KeyVerificationMac>>(
msg);
ChatPage::instance()->receivedDeviceVerificationMac(message.content);
} else if (msg_type == to_string(mtx::events::EventType::KeyVerificationStart)) {
auto message = std::get<
mtx::events::DeviceEvent<mtx::events::msg::KeyVerificationStart>>(msg);
ChatPage::instance()->receivedDeviceVerificationStart(message.content,
message.sender);
} else if (msg_type == to_string(mtx::events::EventType::KeyVerificationReady)) {
auto message = std::get<
mtx::events::DeviceEvent<mtx::events::msg::KeyVerificationReady>>(msg);
ChatPage::instance()->receivedDeviceVerificationReady(message.content);
} else if (msg_type == to_string(mtx::events::EventType::KeyVerificationDone)) {
auto message =
std::get<mtx::events::DeviceEvent<mtx::events::msg::KeyVerificationDone>>(
msg);
ChatPage::instance()->receivedDeviceVerificationDone(message.content);
} else if (auto e =
std::get_if<mtx::events::DeviceEvent<mtx::events::msg::SecretRequest>>(
&msg)) {
handle_secret_request(e, e->sender);
} else {
nhlog::crypto()->warn("unhandled event: {}", j_msg.dump(2));
}
}
}
void
handle_olm_message(const OlmMessage &msg)
{
nhlog::crypto()->info("sender : {}", msg.sender);
nhlog::crypto()->info("sender_key: {}", msg.sender_key);
const auto my_key = olm::client()->identity_keys().curve25519;
for (const auto &cipher : msg.ciphertext) {
// We skip messages not meant for the current device.
if (cipher.first != my_key)
continue;
const auto type = cipher.second.type;
nhlog::crypto()->info("type: {}", type == 0 ? "OLM_PRE_KEY" : "OLM_MESSAGE");
auto payload = try_olm_decryption(msg.sender_key, cipher.second);
if (payload.is_null()) {
// Check for PRE_KEY message
if (cipher.second.type == 0) {
payload = handle_pre_key_olm_message(
msg.sender, msg.sender_key, cipher.second);
} else {
nhlog::crypto()->error("Undecryptable olm message!");
continue;
}
}
if (!payload.is_null()) {
mtx::events::collections::DeviceEvents device_event;
{
std::string msg_type = payload["type"];
json event_array = json::array();
event_array.push_back(payload);
std::vector<mtx::events::collections::DeviceEvents> temp_events;
mtx::responses::utils::parse_device_events(event_array,
temp_events);
if (temp_events.empty()) {
nhlog::crypto()->warn("Decrypted unknown event: {}",
payload.dump());
continue;
}
device_event = temp_events.at(0);
}
using namespace mtx::events;
if (auto e1 =
std::get_if<DeviceEvent<msg::KeyVerificationAccept>>(&device_event)) {
ChatPage::instance()->receivedDeviceVerificationAccept(e1->content);
} else if (auto e2 = std::get_if<DeviceEvent<msg::KeyVerificationRequest>>(
&device_event)) {
ChatPage::instance()->receivedDeviceVerificationRequest(e2->content,
e2->sender);
} else if (auto e3 = std::get_if<DeviceEvent<msg::KeyVerificationCancel>>(
&device_event)) {
ChatPage::instance()->receivedDeviceVerificationCancel(e3->content);
} else if (auto e4 = std::get_if<DeviceEvent<msg::KeyVerificationKey>>(
&device_event)) {
ChatPage::instance()->receivedDeviceVerificationKey(e4->content);
} else if (auto e5 = std::get_if<DeviceEvent<msg::KeyVerificationMac>>(
&device_event)) {
ChatPage::instance()->receivedDeviceVerificationMac(e5->content);
} else if (auto e6 = std::get_if<DeviceEvent<msg::KeyVerificationStart>>(
&device_event)) {
ChatPage::instance()->receivedDeviceVerificationStart(e6->content,
e6->sender);
} else if (auto e7 = std::get_if<DeviceEvent<msg::KeyVerificationReady>>(
&device_event)) {
ChatPage::instance()->receivedDeviceVerificationReady(e7->content);
} else if (auto e8 = std::get_if<DeviceEvent<msg::KeyVerificationDone>>(
&device_event)) {
ChatPage::instance()->receivedDeviceVerificationDone(e8->content);
} else if (auto roomKey =
std::get_if<DeviceEvent<msg::RoomKey>>(&device_event)) {
create_inbound_megolm_session(*roomKey, msg.sender_key);
} else if (auto forwardedRoomKey =
std::get_if<DeviceEvent<msg::ForwardedRoomKey>>(
&device_event)) {
import_inbound_megolm_session(*forwardedRoomKey);
} else if (auto e =
std::get_if<DeviceEvent<msg::SecretSend>>(&device_event)) {
auto local_user = http::client()->user_id();
if (msg.sender != local_user.to_string())
continue;
auto secret_name =
request_id_to_secret_name.find(e->content.request_id);
if (secret_name != request_id_to_secret_name.end()) {
nhlog::crypto()->info("Received secret: {}",
secret_name->second);
mtx::events::msg::SecretRequest secretRequest{};
secretRequest.action =
mtx::events::msg::RequestAction::Cancellation;
secretRequest.requesting_device_id =
http::client()->device_id();
secretRequest.request_id = e->content.request_id;
auto verificationStatus =
cache::verificationStatus(local_user.to_string());
if (!verificationStatus)
continue;
auto deviceKeys = cache::userKeys(local_user.to_string());
std::string sender_device_id;
if (deviceKeys) {
for (auto &[dev, key] : deviceKeys->device_keys) {
if (key.keys["curve25519:" + dev] ==
msg.sender_key) {
sender_device_id = dev;
break;
}
}
}
std::map<
mtx::identifiers::User,
std::map<std::string, mtx::events::msg::SecretRequest>>
body;
for (const auto &dev :
verificationStatus->verified_devices) {
if (dev != secretRequest.requesting_device_id &&
dev != sender_device_id)
body[local_user][dev] = secretRequest;
}
http::client()
->send_to_device<mtx::events::msg::SecretRequest>(
http::client()->generate_txn_id(),
body,
[name =
secret_name->second](mtx::http::RequestErr err) {
if (err) {
nhlog::net()->error(
"Failed to send request cancellation "
"for secrect "
"'{}'",
name);
return;
}
});
cache::client()->storeSecret(secret_name->second,
e->content.secret);
request_id_to_secret_name.erase(secret_name);
}
} else if (auto sec_req =
std::get_if<DeviceEvent<msg::SecretRequest>>(&device_event)) {
handle_secret_request(sec_req, msg.sender);
}
return;
}
}
}
nlohmann::json
handle_pre_key_olm_message(const std::string &sender,
const std::string &sender_key,
const mtx::events::msg::OlmCipherContent &content)
{
nhlog::crypto()->info("opening olm session with {}", sender);
mtx::crypto::OlmSessionPtr inbound_session = nullptr;
try {
inbound_session =
olm::client()->create_inbound_session_from(sender_key, content.body);
// We also remove the one time key used to establish that
// session so we'll have to update our copy of the account object.
cache::saveOlmAccount(olm::client()->save("secret"));
} catch (const mtx::crypto::olm_exception &e) {
nhlog::crypto()->critical(
"failed to create inbound session with {}: {}", sender, e.what());
return {};
}
if (!mtx::crypto::matches_inbound_session_from(
inbound_session.get(), sender_key, content.body)) {
nhlog::crypto()->warn("inbound olm session doesn't match sender's key ({})",
sender);
return {};
}
mtx::crypto::BinaryBuf output;
try {
output =
olm::client()->decrypt_message(inbound_session.get(), content.type, content.body);
} catch (const mtx::crypto::olm_exception &e) {
nhlog::crypto()->critical(
"failed to decrypt olm message {}: {}", content.body, e.what());
return {};
}
auto plaintext = json::parse(std::string((char *)output.data(), output.size()));
nhlog::crypto()->debug("decrypted message: \n {}", plaintext.dump(2));
try {
nhlog::crypto()->debug("New olm session: {}",
mtx::crypto::session_id(inbound_session.get()));
cache::saveOlmSession(
sender_key, std::move(inbound_session), QDateTime::currentMSecsSinceEpoch());
} catch (const lmdb::error &e) {
nhlog::db()->warn(
"failed to save inbound olm session from {}: {}", sender, e.what());
}
return plaintext;
}
mtx::events::msg::Encrypted
encrypt_group_message(const std::string &room_id, const std::string &device_id, nlohmann::json body)
{
using namespace mtx::events;
using namespace mtx::identifiers;
auto own_user_id = http::client()->user_id().to_string();
auto members = cache::client()->getMembersWithKeys(room_id);
std::map<std::string, std::vector<std::string>> sendSessionTo;
mtx::crypto::OutboundGroupSessionPtr session = nullptr;
OutboundGroupSessionData group_session_data;
if (cache::outboundMegolmSessionExists(room_id)) {
auto res = cache::getOutboundMegolmSession(room_id);
auto member_it = members.begin();
auto session_member_it = res.data.currently.keys.begin();
auto session_member_it_end = res.data.currently.keys.end();
while (member_it != members.end() || session_member_it != session_member_it_end) {
if (member_it == members.end()) {
// a member left, purge session!
nhlog::crypto()->debug(
"Rotating megolm session because of left member");
break;
}
if (session_member_it == session_member_it_end) {
// share with all remaining members
while (member_it != members.end()) {
sendSessionTo[member_it->first] = {};
if (member_it->second)
for (const auto &dev :
member_it->second->device_keys)
if (member_it->first != own_user_id ||
dev.first != device_id)
sendSessionTo[member_it->first]
.push_back(dev.first);
++member_it;
}
session = std::move(res.session);
break;
}
if (member_it->first > session_member_it->first) {
// a member left, purge session
nhlog::crypto()->debug(
"Rotating megolm session because of left member");
break;
} else if (member_it->first < session_member_it->first) {
// new member, send them the session at this index
sendSessionTo[member_it->first] = {};
if (member_it->second) {
for (const auto &dev : member_it->second->device_keys)
if (member_it->first != own_user_id ||
dev.first != device_id)
sendSessionTo[member_it->first].push_back(
dev.first);
}
++member_it;
} else {
// compare devices
bool device_removed = false;
for (const auto &dev : session_member_it->second.devices) {
if (!member_it->second ||
!member_it->second->device_keys.count(dev.first)) {
device_removed = true;
break;
}
}
if (device_removed) {
// device removed, rotate session!
nhlog::crypto()->debug(
"Rotating megolm session because of removed device of {}",
member_it->first);
break;
}
// check for new devices to share with
if (member_it->second)
for (const auto &dev : member_it->second->device_keys)
if (!session_member_it->second.devices.count(
dev.first) &&
(member_it->first != own_user_id ||
dev.first != device_id))
sendSessionTo[member_it->first].push_back(
dev.first);
++member_it;
++session_member_it;
if (member_it == members.end() &&
session_member_it == session_member_it_end) {
// all devices match or are newly added
session = std::move(res.session);
}
}
}
group_session_data = std::move(res.data);
}
if (!session) {
nhlog::ui()->debug("creating new outbound megolm session");
// Create a new outbound megolm session.
session = olm::client()->init_outbound_group_session();
const auto session_id = mtx::crypto::session_id(session.get());
const auto session_key = mtx::crypto::session_key(session.get());
// Saving the new megolm session.
OutboundGroupSessionData session_data{};
session_data.session_id = mtx::crypto::session_id(session.get());
session_data.session_key = mtx::crypto::session_key(session.get());
session_data.message_index = 0;
sendSessionTo.clear();
for (const auto &[user, devices] : members) {
sendSessionTo[user] = {};
session_data.initially.keys[user] = {};
if (devices) {
for (const auto &[device_id_, key] : devices->device_keys) {
(void)key;
if (device_id != device_id_ || user != own_user_id) {
sendSessionTo[user].push_back(device_id_);
session_data.initially.keys[user]
.devices[device_id_] = 0;
}
}
}
}
cache::saveOutboundMegolmSession(room_id, session_data, session);
group_session_data = std::move(session_data);
{
MegolmSessionIndex index;
index.room_id = room_id;
index.session_id = session_id;
index.sender_key = olm::client()->identity_keys().curve25519;
auto megolm_session =
olm::client()->init_inbound_group_session(session_key);
cache::saveInboundMegolmSession(index, std::move(megolm_session));
}
}
mtx::events::DeviceEvent<mtx::events::msg::RoomKey> megolm_payload{};
megolm_payload.content.algorithm = MEGOLM_ALGO;
megolm_payload.content.room_id = room_id;
megolm_payload.content.session_id = mtx::crypto::session_id(session.get());
megolm_payload.content.session_key = mtx::crypto::session_key(session.get());
megolm_payload.type = mtx::events::EventType::RoomKey;
if (!sendSessionTo.empty())
olm::send_encrypted_to_device_messages(sendSessionTo, megolm_payload);
// relations shouldn't be encrypted...
mtx::common::Relations relations = mtx::common::parse_relations(body["content"]);
auto payload = olm::client()->encrypt_group_message(session.get(), body.dump());
// Prepare the m.room.encrypted event.
msg::Encrypted data;
data.ciphertext = std::string((char *)payload.data(), payload.size());
data.sender_key = olm::client()->identity_keys().curve25519;
data.session_id = mtx::crypto::session_id(session.get());
data.device_id = device_id;
data.algorithm = MEGOLM_ALGO;
data.relations = relations;
group_session_data.message_index = olm_outbound_group_session_message_index(session.get());
nhlog::crypto()->debug("next message_index {}", group_session_data.message_index);
// update current set of members for the session with the new members and that message_index
for (const auto &[user, devices] : sendSessionTo) {
if (!group_session_data.currently.keys.count(user))
group_session_data.currently.keys[user] = {};
for (const auto &device_id_ : devices) {
if (!group_session_data.currently.keys[user].devices.count(device_id_))
group_session_data.currently.keys[user].devices[device_id_] =
group_session_data.message_index;
}
}
// We need to re-pickle the session after we send a message to save the new message_index.
cache::updateOutboundMegolmSession(room_id, group_session_data, session);
return data;
}
nlohmann::json
try_olm_decryption(const std::string &sender_key, const mtx::events::msg::OlmCipherContent &msg)
{
auto session_ids = cache::getOlmSessions(sender_key);
nhlog::crypto()->info("attempt to decrypt message with {} known session_ids",
session_ids.size());
for (const auto &id : session_ids) {
auto session = cache::getOlmSession(sender_key, id);
if (!session)
continue;
mtx::crypto::BinaryBuf text;
try {
text = olm::client()->decrypt_message(session->get(), msg.type, msg.body);
nhlog::crypto()->debug("Updated olm session: {}",
mtx::crypto::session_id(session->get()));
cache::saveOlmSession(
id, std::move(session.value()), QDateTime::currentMSecsSinceEpoch());
} catch (const mtx::crypto::olm_exception &e) {
nhlog::crypto()->debug("failed to decrypt olm message ({}, {}) with {}: {}",
msg.type,
sender_key,
id,
e.what());
continue;
} catch (const lmdb::error &e) {
nhlog::crypto()->critical("failed to save session: {}", e.what());
return {};
}
try {
return json::parse(std::string_view((char *)text.data(), text.size()));
} catch (const json::exception &e) {
nhlog::crypto()->critical(
"failed to parse the decrypted session msg: {} {}",
e.what(),
std::string_view((char *)text.data(), text.size()));
}
}
return {};
}
void
create_inbound_megolm_session(const mtx::events::DeviceEvent<mtx::events::msg::RoomKey> &roomKey,
const std::string &sender_key)
{
MegolmSessionIndex index;
index.room_id = roomKey.content.room_id;
index.session_id = roomKey.content.session_id;
index.sender_key = sender_key;
try {
auto megolm_session =
olm::client()->init_inbound_group_session(roomKey.content.session_key);
cache::saveInboundMegolmSession(index, std::move(megolm_session));
} catch (const lmdb::error &e) {
nhlog::crypto()->critical("failed to save inbound megolm session: {}", e.what());
return;
} catch (const mtx::crypto::olm_exception &e) {
nhlog::crypto()->critical("failed to create inbound megolm session: {}", e.what());
return;
}
nhlog::crypto()->info(
"established inbound megolm session ({}, {})", roomKey.content.room_id, roomKey.sender);
ChatPage::instance()->receivedSessionKey(index.room_id, index.session_id);
}
void
import_inbound_megolm_session(
const mtx::events::DeviceEvent<mtx::events::msg::ForwardedRoomKey> &roomKey)
{
MegolmSessionIndex index;
index.room_id = roomKey.content.room_id;
index.session_id = roomKey.content.session_id;
index.sender_key = roomKey.content.sender_key;
try {
auto megolm_session =
olm::client()->import_inbound_group_session(roomKey.content.session_key);
cache::saveInboundMegolmSession(index, std::move(megolm_session));
} catch (const lmdb::error &e) {
nhlog::crypto()->critical("failed to save inbound megolm session: {}", e.what());
return;
} catch (const mtx::crypto::olm_exception &e) {
nhlog::crypto()->critical("failed to import inbound megolm session: {}", e.what());
return;
}
nhlog::crypto()->info(
"established inbound megolm session ({}, {})", roomKey.content.room_id, roomKey.sender);
ChatPage::instance()->receivedSessionKey(index.room_id, index.session_id);
}
void
mark_keys_as_published()
{
olm::client()->mark_keys_as_published();
cache::saveOlmAccount(olm::client()->save(STORAGE_SECRET_KEY));
}
void
send_key_request_for(mtx::events::EncryptedEvent<mtx::events::msg::Encrypted> e,
const std::string &request_id,
bool cancel)
{
using namespace mtx::events;
nhlog::crypto()->debug("sending key request: sender_key {}, session_id {}",
e.content.sender_key,
e.content.session_id);
mtx::events::msg::KeyRequest request;
request.action = cancel ? mtx::events::msg::RequestAction::Cancellation
: mtx::events::msg::RequestAction::Request;
request.algorithm = MEGOLM_ALGO;
request.room_id = e.room_id;
request.sender_key = e.content.sender_key;
request.session_id = e.content.session_id;
request.request_id = request_id;
request.requesting_device_id = http::client()->device_id();
nhlog::crypto()->debug("m.room_key_request: {}", json(request).dump(2));
std::map<mtx::identifiers::User, std::map<std::string, decltype(request)>> body;
body[mtx::identifiers::parse<mtx::identifiers::User>(e.sender)][e.content.device_id] =
request;
body[http::client()->user_id()]["*"] = request;
http::client()->send_to_device(
http::client()->generate_txn_id(), body, [e](mtx::http::RequestErr err) {
if (err) {
nhlog::net()->warn("failed to send "
"send_to_device "
"message: {}",
err->matrix_error.error);
}
nhlog::net()->info("m.room_key_request sent to {}:{} and your own devices",
e.sender,
e.content.device_id);
});
}
void
handle_key_request_message(const mtx::events::DeviceEvent<mtx::events::msg::KeyRequest> &req)
{
if (req.content.algorithm != MEGOLM_ALGO) {
nhlog::crypto()->debug("ignoring key request {} with invalid algorithm: {}",
req.content.request_id,
req.content.algorithm);
return;
}
// Check if we were the sender of the session being requested.
if (req.content.sender_key != olm::client()->identity_keys().curve25519) {
nhlog::crypto()->debug("ignoring key request {} because we were not the sender: "
"\nrequested({}) ours({})",
req.content.request_id,
req.content.sender_key,
olm::client()->identity_keys().curve25519);
return;
}
// Check if we have the keys for the requested session.
if (!cache::outboundMegolmSessionExists(req.content.room_id)) {
nhlog::crypto()->warn("requested session not found in room: {}",
req.content.room_id);
return;
}
// Check that the requested session_id and the one we have saved match.
MegolmSessionIndex index{};
index.room_id = req.content.room_id;
index.session_id = req.content.session_id;
index.sender_key = olm::client()->identity_keys().curve25519;
const auto session = cache::getInboundMegolmSession(index);
if (!session) {
nhlog::crypto()->warn("No session with id {} in db", req.content.session_id);
return;
}
if (!cache::isRoomMember(req.sender, req.content.room_id)) {
nhlog::crypto()->warn(
"user {} that requested the session key is not member of the room {}",
req.sender,
req.content.room_id);
return;
}
// check if device is verified
auto verificationStatus = cache::verificationStatus(req.sender);
bool verifiedDevice = false;
if (verificationStatus &&
ChatPage::instance()->userSettings()->shareKeysWithTrustedUsers()) {
for (const auto &dev : verificationStatus->verified_devices) {
if (dev == req.content.requesting_device_id) {
verifiedDevice = true;
nhlog::crypto()->debug("Verified device: {}", dev);
break;
}
}
}
if (!utils::respondsToKeyRequests(req.content.room_id) && !verifiedDevice) {
nhlog::crypto()->debug("ignoring all key requests for room {}",
req.content.room_id);
return;
}
auto session_key = mtx::crypto::export_session(session.get());
//
// Prepare the m.room_key event.
//
mtx::events::msg::ForwardedRoomKey forward_key{};
forward_key.algorithm = MEGOLM_ALGO;
forward_key.room_id = index.room_id;
forward_key.session_id = index.session_id;
forward_key.session_key = session_key;
forward_key.sender_key = index.sender_key;
// TODO(Nico): Figure out if this is correct
forward_key.sender_claimed_ed25519_key = olm::client()->identity_keys().ed25519;
forward_key.forwarding_curve25519_key_chain = {};
send_megolm_key_to_device(req.sender, req.content.requesting_device_id, forward_key);
}
void
send_megolm_key_to_device(const std::string &user_id,
const std::string &device_id,
const mtx::events::msg::ForwardedRoomKey &payload)
{
mtx::events::DeviceEvent<mtx::events::msg::ForwardedRoomKey> room_key;
room_key.content = payload;
room_key.type = mtx::events::EventType::ForwardedRoomKey;
std::map<std::string, std::vector<std::string>> targets;
targets[user_id] = {device_id};
send_encrypted_to_device_messages(targets, room_key);
}
DecryptionResult
decryptEvent(const MegolmSessionIndex &index,
const mtx::events::EncryptedEvent<mtx::events::msg::Encrypted> &event)
{
try {
if (!cache::client()->inboundMegolmSessionExists(index)) {
return {DecryptionErrorCode::MissingSession, std::nullopt, std::nullopt};
}
} catch (const lmdb::error &e) {
return {DecryptionErrorCode::DbError, e.what(), std::nullopt};
}
// TODO: Lookup index,event_id,origin_server_ts tuple for replay attack errors
// TODO: Verify sender_key
std::string msg_str;
try {
auto session = cache::client()->getInboundMegolmSession(index);
auto res =
olm::client()->decrypt_group_message(session.get(), event.content.ciphertext);
msg_str = std::string((char *)res.data.data(), res.data.size());
} catch (const lmdb::error &e) {
return {DecryptionErrorCode::DbError, e.what(), std::nullopt};
} catch (const mtx::crypto::olm_exception &e) {
if (e.error_code() == mtx::crypto::OlmErrorCode::UNKNOWN_MESSAGE_INDEX)
return {DecryptionErrorCode::MissingSessionIndex, e.what(), std::nullopt};
return {DecryptionErrorCode::DecryptionFailed, e.what(), std::nullopt};
}
// Add missing fields for the event.
json body = json::parse(msg_str);
body["event_id"] = event.event_id;
body["sender"] = event.sender;
body["origin_server_ts"] = event.origin_server_ts;
body["unsigned"] = event.unsigned_data;
// relations are unencrypted in content...
mtx::common::add_relations(body["content"], event.content.relations);
mtx::events::collections::TimelineEvent te;
try {
mtx::events::collections::from_json(body, te);
} catch (std::exception &e) {
return {DecryptionErrorCode::ParsingFailed, e.what(), std::nullopt};
}
return {std::nullopt, std::nullopt, std::move(te.data)};
}
//! Send encrypted to device messages, targets is a map from userid to device ids or {} for all
//! devices
void
send_encrypted_to_device_messages(const std::map<std::string, std::vector<std::string>> targets,
const mtx::events::collections::DeviceEvents &event,
bool force_new_session)
{
nlohmann::json ev_json = std::visit([](const auto &e) { return json(e); }, event);
std::map<std::string, std::vector<std::string>> keysToQuery;
mtx::requests::ClaimKeys claims;
std::map<mtx::identifiers::User, std::map<std::string, mtx::events::msg::OlmEncrypted>>
messages;
std::map<std::string, std::map<std::string, DevicePublicKeys>> pks;
for (const auto &[user, devices] : targets) {
auto deviceKeys = cache::client()->userKeys(user);
// no keys for user, query them
if (!deviceKeys) {
keysToQuery[user] = devices;
continue;
}
auto deviceTargets = devices;
if (devices.empty()) {
deviceTargets.clear();
for (const auto &[device, keys] : deviceKeys->device_keys) {
(void)keys;
deviceTargets.push_back(device);
}
}
for (const auto &device : deviceTargets) {
if (!deviceKeys->device_keys.count(device)) {
keysToQuery[user] = {};
break;
}
auto d = deviceKeys->device_keys.at(device);
if (!d.keys.count("curve25519:" + device) ||
!d.keys.count("ed25519:" + device)) {
nhlog::crypto()->warn("Skipping device {} since it has no keys!",
device);
continue;
}
auto session =
cache::getLatestOlmSession(d.keys.at("curve25519:" + device));
if (!session || force_new_session) {
claims.one_time_keys[user][device] = mtx::crypto::SIGNED_CURVE25519;
pks[user][device].ed25519 = d.keys.at("ed25519:" + device);
pks[user][device].curve25519 = d.keys.at("curve25519:" + device);
continue;
}
messages[mtx::identifiers::parse<mtx::identifiers::User>(user)][device] =
olm::client()
->create_olm_encrypted_content(session->get(),
ev_json,
UserId(user),
d.keys.at("ed25519:" + device),
d.keys.at("curve25519:" + device))
.get<mtx::events::msg::OlmEncrypted>();
try {
nhlog::crypto()->debug("Updated olm session: {}",
mtx::crypto::session_id(session->get()));
cache::saveOlmSession(d.keys.at("curve25519:" + device),
std::move(*session),
QDateTime::currentMSecsSinceEpoch());
} catch (const lmdb::error &e) {
nhlog::db()->critical("failed to save outbound olm session: {}",
e.what());
} catch (const mtx::crypto::olm_exception &e) {
nhlog::crypto()->critical(
"failed to pickle outbound olm session: {}", e.what());
}
}
}
if (!messages.empty())
http::client()->send_to_device<mtx::events::msg::OlmEncrypted>(
http::client()->generate_txn_id(), messages, [](mtx::http::RequestErr err) {
if (err) {
nhlog::net()->warn("failed to send "
"send_to_device "
"message: {}",
err->matrix_error.error);
}
});
auto BindPks = [ev_json](decltype(pks) pks_temp) {
return [pks = pks_temp, ev_json](const mtx::responses::ClaimKeys &res,
mtx::http::RequestErr) {
std::map<mtx::identifiers::User,
std::map<std::string, mtx::events::msg::OlmEncrypted>>
messages;
for (const auto &[user_id, retrieved_devices] : res.one_time_keys) {
nhlog::net()->debug("claimed keys for {}", user_id);
if (retrieved_devices.size() == 0) {
nhlog::net()->debug(
"no one-time keys found for user_id: {}", user_id);
continue;
}
for (const auto &rd : retrieved_devices) {
const auto device_id = rd.first;
nhlog::net()->debug(
"{} : \n {}", device_id, rd.second.dump(2));
if (rd.second.empty() ||
!rd.second.begin()->contains("key")) {
nhlog::net()->warn(
"Skipping device {} as it has no key.",
device_id);
continue;
}
// TODO: Verify signatures
auto otk = rd.second.begin()->at("key");
auto id_key = pks.at(user_id).at(device_id).curve25519;
auto session =
olm::client()->create_outbound_session(id_key, otk);
messages[mtx::identifiers::parse<mtx::identifiers::User>(
user_id)][device_id] =
olm::client()
->create_olm_encrypted_content(
session.get(),
ev_json,
UserId(user_id),
pks.at(user_id).at(device_id).ed25519,
id_key)
.get<mtx::events::msg::OlmEncrypted>();
try {
nhlog::crypto()->debug(
"Updated olm session: {}",
mtx::crypto::session_id(session.get()));
cache::saveOlmSession(
id_key,
std::move(session),
QDateTime::currentMSecsSinceEpoch());
} catch (const lmdb::error &e) {
nhlog::db()->critical(
"failed to save outbound olm session: {}",
e.what());
} catch (const mtx::crypto::olm_exception &e) {
nhlog::crypto()->critical(
"failed to pickle outbound olm session: {}",
e.what());
}
}
nhlog::net()->info("send_to_device: {}", user_id);
}
if (!messages.empty())
http::client()->send_to_device<mtx::events::msg::OlmEncrypted>(
http::client()->generate_txn_id(),
messages,
[](mtx::http::RequestErr err) {
if (err) {
nhlog::net()->warn("failed to send "
"send_to_device "
"message: {}",
err->matrix_error.error);
}
});
};
};
http::client()->claim_keys(claims, BindPks(pks));
if (!keysToQuery.empty()) {
mtx::requests::QueryKeys req;
req.device_keys = keysToQuery;
http::client()->query_keys(
req,
[ev_json, BindPks](const mtx::responses::QueryKeys &res,
mtx::http::RequestErr err) {
if (err) {
nhlog::net()->warn("failed to query device keys: {} {}",
err->matrix_error.error,
static_cast<int>(err->status_code));
return;
}
nhlog::net()->info("queried keys");
cache::client()->updateUserKeys(cache::nextBatchToken(), res);
mtx::requests::ClaimKeys claim_keys;
std::map<std::string, std::map<std::string, DevicePublicKeys>> deviceKeys;
for (const auto &user : res.device_keys) {
for (const auto &dev : user.second) {
const auto user_id = ::UserId(dev.second.user_id);
const auto device_id = DeviceId(dev.second.device_id);
if (user_id.get() ==
http::client()->user_id().to_string() &&
device_id.get() == http::client()->device_id())
continue;
const auto device_keys = dev.second.keys;
const auto curveKey = "curve25519:" + device_id.get();
const auto edKey = "ed25519:" + device_id.get();
if ((device_keys.find(curveKey) == device_keys.end()) ||
(device_keys.find(edKey) == device_keys.end())) {
nhlog::net()->debug(
"ignoring malformed keys for device {}",
device_id.get());
continue;
}
DevicePublicKeys pks;
pks.ed25519 = device_keys.at(edKey);
pks.curve25519 = device_keys.at(curveKey);
try {
if (!mtx::crypto::verify_identity_signature(
dev.second, device_id, user_id)) {
nhlog::crypto()->warn(
"failed to verify identity keys: {}",
json(dev.second).dump(2));
continue;
}
} catch (const json::exception &e) {
nhlog::crypto()->warn(
"failed to parse device key json: {}",
e.what());
continue;
} catch (const mtx::crypto::olm_exception &e) {
nhlog::crypto()->warn(
"failed to verify device key json: {}",
e.what());
continue;
}
deviceKeys[user_id].emplace(device_id, pks);
claim_keys.one_time_keys[user.first][device_id] =
mtx::crypto::SIGNED_CURVE25519;
nhlog::net()->info("{}", device_id.get());
nhlog::net()->info(" curve25519 {}", pks.curve25519);
nhlog::net()->info(" ed25519 {}", pks.ed25519);
}
}
http::client()->claim_keys(claim_keys, BindPks(deviceKeys));
});
}
}
void
request_cross_signing_keys()
{
mtx::events::msg::SecretRequest secretRequest{};
secretRequest.action = mtx::events::msg::RequestAction::Request;
secretRequest.requesting_device_id = http::client()->device_id();
auto local_user = http::client()->user_id();
auto verificationStatus = cache::verificationStatus(local_user.to_string());
if (!verificationStatus)
return;
auto request = [&](std::string secretName) {
secretRequest.name = secretName;
secretRequest.request_id = "ss." + http::client()->generate_txn_id();
request_id_to_secret_name[secretRequest.request_id] = secretRequest.name;
std::map<mtx::identifiers::User,
std::map<std::string, mtx::events::msg::SecretRequest>>
body;
for (const auto &dev : verificationStatus->verified_devices) {
if (dev != secretRequest.requesting_device_id)
body[local_user][dev] = secretRequest;
}
http::client()->send_to_device<mtx::events::msg::SecretRequest>(
http::client()->generate_txn_id(),
body,
[request_id = secretRequest.request_id, secretName](mtx::http::RequestErr err) {
if (err) {
request_id_to_secret_name.erase(request_id);
nhlog::net()->error("Failed to send request for secrect '{}'",
secretName);
return;
}
});
for (const auto &dev : verificationStatus->verified_devices) {
if (dev != secretRequest.requesting_device_id)
body[local_user][dev].action =
mtx::events::msg::RequestAction::Cancellation;
}
// timeout after 15 min
QTimer::singleShot(15 * 60 * 1000, [secretRequest, body]() {
if (request_id_to_secret_name.count(secretRequest.request_id)) {
request_id_to_secret_name.erase(secretRequest.request_id);
http::client()->send_to_device<mtx::events::msg::SecretRequest>(
http::client()->generate_txn_id(),
body,
[secretRequest](mtx::http::RequestErr err) {
if (err) {
nhlog::net()->error(
"Failed to cancel request for secrect '{}'",
secretRequest.name);
return;
}
});
}
});
};
request(mtx::secret_storage::secrets::cross_signing_self_signing);
request(mtx::secret_storage::secrets::cross_signing_user_signing);
request(mtx::secret_storage::secrets::megolm_backup_v1);
}
namespace {
void
unlock_secrets(const std::string &key,
const std::map<std::string, mtx::secret_storage::AesHmacSha2EncryptedData> &secrets)
{
http::client()->secret_storage_key(
key,
[secrets](mtx::secret_storage::AesHmacSha2KeyDescription keyDesc,
mtx::http::RequestErr err) {
if (err) {
nhlog::net()->error("Failed to download secret storage key");
return;
}
emit ChatPage::instance()->downloadedSecrets(keyDesc, secrets);
});
}
}
void
download_cross_signing_keys()
{
using namespace mtx::secret_storage;
http::client()->secret_storage_secret(
secrets::megolm_backup_v1, [](Secret secret, mtx::http::RequestErr err) {
std::optional<Secret> backup_key;
if (!err)
backup_key = secret;
http::client()->secret_storage_secret(
secrets::cross_signing_self_signing,
[backup_key](Secret secret, mtx::http::RequestErr err) {
std::optional<Secret> self_signing_key;
if (!err)
self_signing_key = secret;
http::client()->secret_storage_secret(
secrets::cross_signing_user_signing,
[backup_key, self_signing_key](Secret secret,
mtx::http::RequestErr err) {
std::optional<Secret> user_signing_key;
if (!err)
user_signing_key = secret;
std::map<std::string,
std::map<std::string, AesHmacSha2EncryptedData>>
secrets;
if (backup_key && !backup_key->encrypted.empty())
secrets[backup_key->encrypted.begin()->first]
[secrets::megolm_backup_v1] =
backup_key->encrypted.begin()->second;
if (self_signing_key && !self_signing_key->encrypted.empty())
secrets[self_signing_key->encrypted.begin()->first]
[secrets::cross_signing_self_signing] =
self_signing_key->encrypted.begin()->second;
if (user_signing_key && !user_signing_key->encrypted.empty())
secrets[user_signing_key->encrypted.begin()->first]
[secrets::cross_signing_user_signing] =
user_signing_key->encrypted.begin()->second;
for (const auto &[key, secrets] : secrets)
unlock_secrets(key, secrets);
});
});
});
}
} // namespace olm