mirror
/
nheko
mirror of https://github.com/Nheko-Reborn/nheko
2
0
Fork 1
Code Issues Releases Wiki Activity

Rotate session keys properly

Browse Source
pull/527/head
Nicolas Werner 4 years ago
parent 61c5dffffd
commit 569ea5b5f4
No known key found for this signature in database
GPG Key ID: C8D75E610773F2D9
6 changed files with 121 additions and 70 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      CMakeLists.txt
  2. 2
      io.github.NhekoReborn.Nheko.json
  3. 32
      src/Cache.cpp
  4. 1
      src/CacheCryptoStructs.h
  5. 2
      src/Cache_p.h
  6. 44
      src/Olm.cpp

2
CMakeLists.txt
Unescape View File

@ -358,7 +358,7 @@ if(USE_BUNDLED_MTXCLIENT)
FetchContent_Declare( FetchContent_Declare(
MatrixClient MatrixClient
GIT_REPOSITORY https://github.com/Nheko-Reborn/mtxclient.git GIT_REPOSITORY https://github.com/Nheko-Reborn/mtxclient.git
GIT_TAG b1b1ef9ad088f9666582f46d81b75a80c6b2b1c0 GIT_TAG 7194b4f058406b1c10d3741d83abcf2d8963d849
) )
set(BUILD_LIB_EXAMPLES OFF CACHE INTERNAL "") set(BUILD_LIB_EXAMPLES OFF CACHE INTERNAL "")
set(BUILD_LIB_TESTS OFF CACHE INTERNAL "") set(BUILD_LIB_TESTS OFF CACHE INTERNAL "")

2
io.github.NhekoReborn.Nheko.json
Unescape View File

@ -220,7 +220,7 @@
"name": "mtxclient", "name": "mtxclient",
"sources": [ "sources": [
{ {
"commit": "b1b1ef9ad088f9666582f46d81b75a80c6b2b1c0", "commit": "7194b4f058406b1c10d3741d83abcf2d8963d849",
"type": "git", "type": "git",
"url": "https://github.com/Nheko-Reborn/mtxclient.git" "url": "https://github.com/Nheko-Reborn/mtxclient.git"
} }

32
src/Cache.cpp
Unescape View File

@ -261,6 +261,36 @@ Cache::isRoomEncrypted(const std::string &room_id)
return res; return res;
} }
std::optional<mtx::events::state::Encryption>
Cache::roomEncryptionSettings(const std::string &room_id)
{
using namespace mtx::events;
using namespace mtx::events::state;
try {
auto txn = lmdb::txn::begin(env_, nullptr, MDB_RDONLY);
auto statesdb = getStatesDb(txn, room_id);
std::string_view event;
bool res =
statesdb.get(txn, to_string(mtx::events::EventType::RoomEncryption), event);
if (res) {
try {
StateEvent<Encryption> msg = json::parse(event);
return msg.content;
} catch (const json::exception &e) {
nhlog::db()->warn("failed to parse m.room.encryption event: {}",
e.what());
return Encryption{};
}
}
} catch (lmdb::error &) {
}
return std::nullopt;
}
mtx::crypto::ExportedSessionKeys mtx::crypto::ExportedSessionKeys
Cache::exportSessionKeys() Cache::exportSessionKeys()
{ {
@ -3893,6 +3923,7 @@ to_json(nlohmann::json &obj, const OutboundGroupSessionData &msg)
obj["session_id"] = msg.session_id; obj["session_id"] = msg.session_id;
obj["session_key"] = msg.session_key; obj["session_key"] = msg.session_key;
obj["message_index"] = msg.message_index; obj["message_index"] = msg.message_index;
obj["ts"] = msg.timestamp;
obj["initially"] = msg.initially; obj["initially"] = msg.initially;
obj["currently"] = msg.currently; obj["currently"] = msg.currently;
@ -3904,6 +3935,7 @@ from_json(const nlohmann::json &obj, OutboundGroupSessionData &msg)
msg.session_id = obj.at("session_id"); msg.session_id = obj.at("session_id");
msg.session_key = obj.at("session_key"); msg.session_key = obj.at("session_key");
msg.message_index = obj.at("message_index"); msg.message_index = obj.at("message_index");
msg.timestamp = obj.value("ts", 0ULL);
msg.initially = obj.value("initially", SharedWithUsers{}); msg.initially = obj.value("initially", SharedWithUsers{});
msg.currently = obj.value("currently", SharedWithUsers{}); msg.currently = obj.value("currently", SharedWithUsers{});

1
src/CacheCryptoStructs.h
Unescape View File

@ -28,6 +28,7 @@ struct OutboundGroupSessionData
std::string session_id; std::string session_id;
std::string session_key; std::string session_key;
uint64_t message_index = 0; uint64_t message_index = 0;
uint64_t timestamp = 0;
// who has access to this session. // who has access to this session.
// Rotate, when a user leaves the room and share, when a user gets added. // Rotate, when a user leaves the room and share, when a user gets added.

2
src/Cache_p.h
Unescape View File

@ -221,6 +221,8 @@ public:
//! Mark a room that uses e2e encryption. //! Mark a room that uses e2e encryption.
void setEncryptedRoom(lmdb::txn &txn, const std::string &room_id); void setEncryptedRoom(lmdb::txn &txn, const std::string &room_id);
bool isRoomEncrypted(const std::string &room_id); bool isRoomEncrypted(const std::string &room_id);
std::optional<mtx::events::state::Encryption> roomEncryptionSettings(
const std::string &room_id);
//! Check if a user is a member of the room. //! Check if a user is a member of the room.
bool isRoomMember(const std::string &user_id, const std::string &room_id); bool isRoomMember(const std::string &user_id, const std::string &room_id);

44
src/Olm.cpp
Unescape View File

@ -431,12 +431,20 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
if (cache::outboundMegolmSessionExists(room_id)) { if (cache::outboundMegolmSessionExists(room_id)) {
auto res = cache::getOutboundMegolmSession(room_id); auto res = cache::getOutboundMegolmSession(room_id);
auto encryptionSettings = cache::client()->roomEncryptionSettings(room_id);
mtx::events::state::Encryption defaultSettings;
// rotate if we crossed the limits for this key
if (res.data.message_index <
encryptionSettings.value_or(defaultSettings).rotation_period_msgs &&
(QDateTime::currentMSecsSinceEpoch() - res.data.timestamp) <
encryptionSettings.value_or(defaultSettings).rotation_period_ms) {
auto member_it = members.begin(); auto member_it = members.begin();
auto session_member_it = res.data.currently.keys.begin(); auto session_member_it = res.data.currently.keys.begin();
auto session_member_it_end = res.data.currently.keys.end(); auto session_member_it_end = res.data.currently.keys.end();
while (member_it != members.end() || session_member_it != session_member_it_end) { while (member_it != members.end() ||
session_member_it != session_member_it_end) {
if (member_it == members.end()) { if (member_it == members.end()) {
// a member left, purge session! // a member left, purge session!
nhlog::crypto()->debug( nhlog::crypto()->debug(
@ -452,9 +460,11 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
if (member_it->second) if (member_it->second)
for (const auto &dev : for (const auto &dev :
member_it->second->device_keys) member_it->second->device_keys)
if (member_it->first != own_user_id || if (member_it->first !=
own_user_id ||
dev.first != device_id) dev.first != device_id)
sendSessionTo[member_it->first] sendSessionTo[member_it
->first]
.push_back(dev.first); .push_back(dev.first);
++member_it; ++member_it;
@ -474,11 +484,12 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
sendSessionTo[member_it->first] = {}; sendSessionTo[member_it->first] = {};
if (member_it->second) { if (member_it->second) {
for (const auto &dev : member_it->second->device_keys) for (const auto &dev :
member_it->second->device_keys)
if (member_it->first != own_user_id || if (member_it->first != own_user_id ||
dev.first != device_id) dev.first != device_id)
sendSessionTo[member_it->first].push_back( sendSessionTo[member_it->first]
dev.first); .push_back(dev.first);
} }
++member_it; ++member_it;
@ -487,7 +498,8 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
bool device_removed = false; bool device_removed = false;
for (const auto &dev : session_member_it->second.devices) { for (const auto &dev : session_member_it->second.devices) {
if (!member_it->second || if (!member_it->second ||
!member_it->second->device_keys.count(dev.first)) { !member_it->second->device_keys.count(
dev.first)) {
device_removed = true; device_removed = true;
break; break;
} }
@ -496,20 +508,22 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
if (device_removed) { if (device_removed) {
// device removed, rotate session! // device removed, rotate session!
nhlog::crypto()->debug( nhlog::crypto()->debug(
"Rotating megolm session because of removed device of {}", "Rotating megolm session because of removed "
"device of {}",
member_it->first); member_it->first);
break; break;
} }
// check for new devices to share with // check for new devices to share with
if (member_it->second) if (member_it->second)
for (const auto &dev : member_it->second->device_keys) for (const auto &dev :
if (!session_member_it->second.devices.count( member_it->second->device_keys)
dev.first) && if (!session_member_it->second.devices
.count(dev.first) &&
(member_it->first != own_user_id || (member_it->first != own_user_id ||
dev.first != device_id)) dev.first != device_id))
sendSessionTo[member_it->first].push_back( sendSessionTo[member_it->first]
dev.first); .push_back(dev.first);
++member_it; ++member_it;
++session_member_it; ++session_member_it;
@ -520,6 +534,7 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
} }
} }
} }
}
group_session_data = std::move(res.data); group_session_data = std::move(res.data);
} }
@ -537,6 +552,7 @@ encrypt_group_message(const std::string &room_id, const std::string &device_id,
session_data.session_id = mtx::crypto::session_id(session.get()); session_data.session_id = mtx::crypto::session_id(session.get());
session_data.session_key = mtx::crypto::session_key(session.get()); session_data.session_key = mtx::crypto::session_key(session.get());
session_data.message_index = 0; session_data.message_index = 0;
session_data.timestamp = QDateTime::currentMSecsSinceEpoch();
sendSessionTo.clear(); sendSessionTo.clear();

Write Preview
Loading…
Cancel
Save