Store secrets in keychain

pull/355/head
Nicolas Werner 4 years ago
parent 7f1f747203
commit 7b46aa2a6e
  1. 2
      CMakeLists.txt
  2. 94
      src/Cache.cpp
  3. 5
      src/Cache.h
  4. 5
      src/Cache_p.h
  5. 11
      src/ChatPage.cpp
  6. 5
      src/MainWindow.cpp
  7. 133
      src/Olm.cpp
  8. 6
      src/RoomList.h
  9. 57
      src/UserSettingsPage.cpp
  10. 7
      src/UserSettingsPage.h
  11. 7
      src/timeline/TimelineViewManager.h

@ -136,6 +136,7 @@ endif()
find_package(Qt5 COMPONENTS Core Widgets LinguistTools Concurrent Svg Multimedia Qml QuickControls2 QuickWidgets REQUIRED) find_package(Qt5 COMPONENTS Core Widgets LinguistTools Concurrent Svg Multimedia Qml QuickControls2 QuickWidgets REQUIRED)
find_package(Qt5QuickCompiler) find_package(Qt5QuickCompiler)
find_package(Qt5DBus) find_package(Qt5DBus)
find_package(Qt5Keychain REQUIRED)
if (APPLE) if (APPLE)
find_package(Qt5MacExtras REQUIRED) find_package(Qt5MacExtras REQUIRED)
@ -587,6 +588,7 @@ target_link_libraries(nheko PRIVATE
Qt5::Qml Qt5::Qml
Qt5::QuickControls2 Qt5::QuickControls2
Qt5::QuickWidgets Qt5::QuickWidgets
qt5keychain
nlohmann_json::nlohmann_json nlohmann_json::nlohmann_json
lmdbxx::lmdbxx lmdbxx::lmdbxx
liblmdb::lmdb liblmdb::lmdb

@ -24,9 +24,10 @@
#include <QFile> #include <QFile>
#include <QHash> #include <QHash>
#include <QMap> #include <QMap>
#include <QSettings>
#include <QStandardPaths> #include <QStandardPaths>
#include <qt5keychain/keychain.h>
#include <mtx/responses/common.hpp> #include <mtx/responses/common.hpp>
#include "Cache.h" #include "Cache.h"
@ -569,6 +570,64 @@ Cache::restoreOlmAccount()
return std::string(pickled.data(), pickled.size()); return std::string(pickled.data(), pickled.size());
} }
void
Cache::storeSecret(const std::string &name, const std::string &secret)
{
QKeychain::WritePasswordJob job(QCoreApplication::applicationName());
job.setAutoDelete(false);
job.setInsecureFallback(true);
job.setKey(QString::fromStdString(name));
job.setTextData(QString::fromStdString(secret));
QEventLoop loop;
job.connect(&job, &QKeychain::Job::finished, &loop, &QEventLoop::quit);
job.start();
loop.exec();
if (job.error()) {
nhlog::db()->warn(
"Storing secret '{}' failed: {}", name, job.errorString().toStdString());
} else {
emit secretChanged(name);
}
}
void
Cache::deleteSecret(const std::string &name)
{
QKeychain::DeletePasswordJob job(QCoreApplication::applicationName());
job.setAutoDelete(false);
job.setInsecureFallback(true);
job.setKey(QString::fromStdString(name));
QEventLoop loop;
job.connect(&job, &QKeychain::Job::finished, &loop, &QEventLoop::quit);
job.start();
loop.exec();
emit secretChanged(name);
}
std::optional<std::string>
Cache::secret(const std::string &name)
{
QKeychain::ReadPasswordJob job(QCoreApplication::applicationName());
job.setAutoDelete(false);
job.setInsecureFallback(true);
job.setKey(QString::fromStdString(name));
QEventLoop loop;
job.connect(&job, &QKeychain::Job::finished, &loop, &QEventLoop::quit);
job.start();
loop.exec();
const QString secret = job.textData();
if (job.error()) {
nhlog::db()->debug(
"Restoring secret '{}' failed: {}", name, job.errorString().toStdString());
return std::nullopt;
}
return secret.toStdString();
}
// //
// Media Management // Media Management
// //
@ -726,10 +785,32 @@ void
Cache::deleteData() Cache::deleteData()
{ {
// TODO: We need to remove the env_ while not accepting new requests. // TODO: We need to remove the env_ while not accepting new requests.
lmdb::dbi_close(env_, syncStateDb_);
lmdb::dbi_close(env_, roomsDb_);
lmdb::dbi_close(env_, invitesDb_);
lmdb::dbi_close(env_, mediaDb_);
lmdb::dbi_close(env_, readReceiptsDb_);
lmdb::dbi_close(env_, notificationsDb_);
lmdb::dbi_close(env_, devicesDb_);
lmdb::dbi_close(env_, deviceKeysDb_);
lmdb::dbi_close(env_, inboundMegolmSessionDb_);
lmdb::dbi_close(env_, outboundMegolmSessionDb_);
env_.close();
verification_storage.status.clear();
if (!cacheDirectory_.isEmpty()) { if (!cacheDirectory_.isEmpty()) {
QDir(cacheDirectory_).removeRecursively(); QDir(cacheDirectory_).removeRecursively();
nhlog::db()->info("deleted cache files from disk"); nhlog::db()->info("deleted cache files from disk");
} }
deleteSecret(mtx::secret_storage::secrets::megolm_backup_v1);
deleteSecret(mtx::secret_storage::secrets::cross_signing_master);
deleteSecret(mtx::secret_storage::secrets::cross_signing_user_signing);
deleteSecret(mtx::secret_storage::secrets::cross_signing_self_signing);
} }
//! migrates db to the current format //! migrates db to the current format
@ -4262,4 +4343,15 @@ restoreOlmAccount()
{ {
return instance_->restoreOlmAccount(); return instance_->restoreOlmAccount();
} }
void
storeSecret(const std::string &name, const std::string &secret)
{
instance_->storeSecret(name, secret);
}
std::optional<std::string>
secret(const std::string &name)
{
return instance_->secret(name);
}
} // namespace cache } // namespace cache

@ -282,4 +282,9 @@ saveOlmAccount(const std::string &pickled);
std::string std::string
restoreOlmAccount(); restoreOlmAccount();
void
storeSecret(const std::string &name, const std::string &secret);
std::optional<std::string>
secret(const std::string &name);
} }

@ -269,6 +269,10 @@ public:
void saveOlmAccount(const std::string &pickled); void saveOlmAccount(const std::string &pickled);
std::string restoreOlmAccount(); std::string restoreOlmAccount();
void storeSecret(const std::string &name, const std::string &secret);
void deleteSecret(const std::string &name);
std::optional<std::string> secret(const std::string &name);
signals: signals:
void newReadReceipts(const QString &room_id, const std::vector<QString> &event_ids); void newReadReceipts(const QString &room_id, const std::vector<QString> &event_ids);
void roomReadStatus(const std::map<QString, bool> &status); void roomReadStatus(const std::map<QString, bool> &status);
@ -276,6 +280,7 @@ signals:
void userKeysUpdate(const std::string &sync_token, void userKeysUpdate(const std::string &sync_token,
const mtx::responses::QueryKeys &keyQuery); const mtx::responses::QueryKeys &keyQuery);
void verificationStatusChanged(const std::string &userid); void verificationStatusChanged(const std::string &userid);
void secretChanged(const std::string name);
private: private:
//! Save an invited room. //! Save an invited room.

@ -372,9 +372,8 @@ ChatPage::ChatPage(QSharedPointer<UserSettings> userSettings, QWidget *parent)
void void
ChatPage::logout() ChatPage::logout()
{ {
deleteConfigs();
resetUI(); resetUI();
deleteConfigs();
emit closing(); emit closing();
connectivityTimer_.stop(); connectivityTimer_.stop();
@ -385,12 +384,12 @@ ChatPage::dropToLoginPage(const QString &msg)
{ {
nhlog::ui()->info("dropping to the login page: {}", msg.toStdString()); nhlog::ui()->info("dropping to the login page: {}", msg.toStdString());
deleteConfigs();
resetUI();
http::client()->shutdown(); http::client()->shutdown();
connectivityTimer_.stop(); connectivityTimer_.stop();
resetUI();
deleteConfigs();
emit showLoginPage(msg); emit showLoginPage(msg);
} }
@ -418,8 +417,8 @@ ChatPage::deleteConfigs()
settings.remove(""); settings.remove("");
settings.endGroup(); settings.endGroup();
http::client()->shutdown();
cache::deleteData(); cache::deleteData();
http::client()->clear();
} }
void void

@ -26,6 +26,7 @@
#include <mtx/responses/login.hpp> #include <mtx/responses/login.hpp>
#include "Cache.h" #include "Cache.h"
#include "Cache_p.h"
#include "ChatPage.h" #include "ChatPage.h"
#include "Config.h" #include "Config.h"
#include "Logging.h" #include "Logging.h"
@ -294,6 +295,10 @@ MainWindow::showChatPage()
login_page_->reset(); login_page_->reset();
chat_page_->bootstrap(userid, homeserver, token); chat_page_->bootstrap(userid, homeserver, token);
connect(cache::client(),
&Cache::secretChanged,
userSettingsPage_,
&UserSettingsPage::updateSecretStatus);
instance_ = this; instance_ = this;
} }

@ -18,13 +18,13 @@
#include "UserSettingsPage.h" #include "UserSettingsPage.h"
#include "Utils.h" #include "Utils.h"
static const std::string STORAGE_SECRET_KEY("secret");
constexpr auto MEGOLM_ALGO = "m.megolm.v1.aes-sha2";
namespace { namespace {
auto client_ = std::make_unique<mtx::crypto::OlmClient>(); auto client_ = std::make_unique<mtx::crypto::OlmClient>();
std::map<std::string, std::string> request_id_to_secret_name; std::map<std::string, std::string> request_id_to_secret_name;
const std::string STORAGE_SECRET_KEY("secret");
constexpr auto MEGOLM_ALGO = "m.megolm.v1.aes-sha2";
} }
namespace olm { namespace olm {
@ -221,6 +221,133 @@ handle_olm_message(const OlmMessage &msg)
} else if (auto roomKey = std::get_if<DeviceEvent<msg::ForwardedRoomKey>>( } else if (auto roomKey = std::get_if<DeviceEvent<msg::ForwardedRoomKey>>(
&device_event)) { &device_event)) {
import_inbound_megolm_session(*roomKey); import_inbound_megolm_session(*roomKey);
} else if (auto e =
std::get_if<DeviceEvent<msg::SecretSend>>(&device_event)) {
auto local_user = http::client()->user_id();
if (msg.sender != local_user.to_string())
continue;
auto secret_name =
request_id_to_secret_name.find(e->content.request_id);
if (secret_name != request_id_to_secret_name.end()) {
nhlog::crypto()->info("Received secret: {}",
secret_name->second);
mtx::events::msg::SecretRequest secretRequest{};
secretRequest.action =
mtx::events::msg::RequestAction::Cancellation;
secretRequest.requesting_device_id =
http::client()->device_id();
secretRequest.request_id = e->content.request_id;
auto verificationStatus =
cache::verificationStatus(local_user.to_string());
if (!verificationStatus)
continue;
auto deviceKeys = cache::userKeys(local_user.to_string());
std::string sender_device_id;
if (deviceKeys) {
for (auto &[dev, key] : deviceKeys->device_keys) {
if (key.keys["curve25519:" + dev] ==
msg.sender_key) {
sender_device_id = dev;
break;
}
}
}
std::map<
mtx::identifiers::User,
std::map<std::string, mtx::events::msg::SecretRequest>>
body;
for (const auto &dev :
verificationStatus->verified_devices) {
if (dev != secretRequest.requesting_device_id &&
dev != sender_device_id)
body[local_user][dev] = secretRequest;
}
http::client()
->send_to_device<mtx::events::msg::SecretRequest>(
http::client()->generate_txn_id(),
body,
[name =
secret_name->second](mtx::http::RequestErr err) {
if (err) {
nhlog::net()->error(
"Failed to send request cancellation "
"for secrect "
"'{}'",
name);
return;
}
});
cache::client()->storeSecret(secret_name->second,
e->content.secret);
request_id_to_secret_name.erase(secret_name);
}
} else if (auto e =
std::get_if<DeviceEvent<msg::SecretRequest>>(&device_event)) {
if (e->content.action != mtx::events::msg::RequestAction::Request)
continue;
auto local_user = http::client()->user_id();
if (msg.sender != local_user.to_string())
continue;
auto verificationStatus =
cache::verificationStatus(local_user.to_string());
if (!verificationStatus)
continue;
auto deviceKeys = cache::userKeys(local_user.to_string());
if (!deviceKeys)
continue;
for (auto &[dev, key] : deviceKeys->device_keys) {
if (key.keys["curve25519:" + dev] == msg.sender_key) {
if (std::find(
verificationStatus->verified_devices.begin(),
verificationStatus->verified_devices.end(),
dev) ==
verificationStatus->verified_devices.end())
break;
// this is a verified device
mtx::events::DeviceEvent<
mtx::events::msg::SecretSend>
secretSend;
secretSend.type = EventType::SecretSend;
secretSend.content.request_id =
e->content.request_id;
auto secret =
cache::client()->secret(e->content.name);
if (!secret)
break;
secretSend.content.secret = secret.value();
send_encrypted_to_device_messages(
{{local_user.to_string(), {{dev}}}}, secretSend);
nhlog::net()->info("Sent secret to ({},{})",
local_user.to_string(),
dev);
break;
}
}
} }
return; return;

@ -43,7 +43,11 @@ public:
void initialize(const QMap<QString, RoomInfo> &info); void initialize(const QMap<QString, RoomInfo> &info);
void sync(const std::map<QString, RoomInfo> &info); void sync(const std::map<QString, RoomInfo> &info);
void clear() { rooms_.clear(); }; void clear()
{
rooms_.clear();
rooms_sort_cache_.clear();
};
void updateAvatar(const QString &room_id, const QString &url); void updateAvatar(const QString &room_id, const QString &url);
void addRoom(const QString &room_id, const RoomInfo &info); void addRoom(const QString &room_id, const RoomInfo &info);

@ -637,6 +637,15 @@ UserSettingsPage::UserSettingsPage(QSharedPointer<UserSettings> settings, QWidge
deviceFingerprintValue_->setText(utils::humanReadableFingerprint(QString(44, 'X'))); deviceFingerprintValue_->setText(utils::humanReadableFingerprint(QString(44, 'X')));
backupSecretCached = new QLabel{this};
masterSecretCached = new QLabel{this};
selfSigningSecretCached = new QLabel{this};
userSigningSecretCached = new QLabel{this};
backupSecretCached->setFont(monospaceFont);
masterSecretCached->setFont(monospaceFont);
selfSigningSecretCached->setFont(monospaceFont);
userSigningSecretCached->setFont(monospaceFont);
auto sessionKeysLabel = new QLabel{tr("Session Keys"), this}; auto sessionKeysLabel = new QLabel{tr("Session Keys"), this};
sessionKeysLabel->setFont(font); sessionKeysLabel->setFont(font);
sessionKeysLabel->setMargin(OptionMargin); sessionKeysLabel->setMargin(OptionMargin);
@ -801,6 +810,27 @@ UserSettingsPage::UserSettingsPage(QSharedPointer<UserSettings> settings, QWidge
formLayout_->addRow(sessionKeysLabel, sessionKeysLayout); formLayout_->addRow(sessionKeysLabel, sessionKeysLayout);
formLayout_->addRow(crossSigningKeysLabel, crossSigningKeysLayout); formLayout_->addRow(crossSigningKeysLabel, crossSigningKeysLayout);
boxWrap(tr("Master signing key"),
masterSecretCached,
tr("Your most important key. You don't need to have it cached, since not caching "
"it makes it less likely it can be stolen and it is only needed to rotate your "
"other signing keys."));
boxWrap(tr("User signing key"),
userSigningSecretCached,
tr("The key to verify other users. If it is cached, verifying a user will verify "
"all their devices."));
boxWrap(
tr("Self signing key"),
selfSigningSecretCached,
tr("The key to verify your own devices. If it is cached, verifying one of your devices "
"will mark it verified for all your other devices and for users, that have verified "
"you."));
boxWrap(tr("Backup key"),
backupSecretCached,
tr("The key to decrypt online key backups. If it is cached, you can enable online "
"key backup to store encryption keys securely encrypted on the server."));
updateSecretStatus();
auto scrollArea_ = new QScrollArea{this}; auto scrollArea_ = new QScrollArea{this};
scrollArea_->setFrameShape(QFrame::NoFrame); scrollArea_->setFrameShape(QFrame::NoFrame);
scrollArea_->setHorizontalScrollBarPolicy(Qt::ScrollBarAlwaysOff); scrollArea_->setHorizontalScrollBarPolicy(Qt::ScrollBarAlwaysOff);
@ -1154,3 +1184,30 @@ UserSettingsPage::exportSessionKeys()
QMessageBox::warning(this, tr("Error"), e.what()); QMessageBox::warning(this, tr("Error"), e.what());
} }
} }
void
UserSettingsPage::updateSecretStatus()
{
QString ok = "QLabel { color : #00cc66; }";
QString notSoOk = "QLabel { color : #ff9933; }";
auto updateLabel = [&, this](QLabel *label, const std::string &secretName) {
if (cache::secret(secretName)) {
label->setStyleSheet(ok);
label->setText(tr("CACHED"));
} else {
if (secretName == mtx::secret_storage::secrets::cross_signing_master)
label->setStyleSheet(ok);
else
label->setStyleSheet(notSoOk);
label->setText(tr("NOT CACHED"));
}
};
updateLabel(masterSecretCached, mtx::secret_storage::secrets::cross_signing_master);
updateLabel(userSigningSecretCached,
mtx::secret_storage::secrets::cross_signing_user_signing);
updateLabel(selfSigningSecretCached,
mtx::secret_storage::secrets::cross_signing_self_signing);
updateLabel(backupSecretCached, mtx::secret_storage::secrets::megolm_backup_v1);
}

@ -253,6 +253,9 @@ signals:
void themeChanged(); void themeChanged();
void decryptSidebarChanged(); void decryptSidebarChanged();
public slots:
void updateSecretStatus();
private slots: private slots:
void importSessionKeys(); void importSessionKeys();
void exportSessionKeys(); void exportSessionKeys();
@ -285,6 +288,10 @@ private:
Toggle *mobileMode_; Toggle *mobileMode_;
QLabel *deviceFingerprintValue_; QLabel *deviceFingerprintValue_;
QLabel *deviceIdValue_; QLabel *deviceIdValue_;
QLabel *backupSecretCached;
QLabel *masterSecretCached;
QLabel *selfSigningSecretCached;
QLabel *userSigningSecretCached;
QComboBox *themeCombo_; QComboBox *themeCombo_;
QComboBox *scaleFactorCombo_; QComboBox *scaleFactorCombo_;

@ -51,7 +51,12 @@ public:
void sync(const mtx::responses::Rooms &rooms); void sync(const mtx::responses::Rooms &rooms);
void addRoom(const QString &room_id); void addRoom(const QString &room_id);
void clearAll() { models.clear(); } void clearAll()
{
timeline_ = nullptr;
emit activeTimelineChanged(nullptr);
models.clear();
}
Q_INVOKABLE TimelineModel *activeTimeline() const { return timeline_; } Q_INVOKABLE TimelineModel *activeTimeline() const { return timeline_; }
Q_INVOKABLE bool isInitialSync() const { return isInitialSync_; } Q_INVOKABLE bool isInitialSync() const { return isInitialSync_; }

Loading…
Cancel
Save