Verify signature of identity keys before sharing the megolm session
Ignore devices that fail the verification.
This commit is contained in:
Konstantinos Sideris
parent
961c880d55
commit
74396e9aba
|
|
@ -1277,19 +1277,22 @@ TimelineView::prepareEncryptedMessage(const PendingMessage &msg)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (const auto &entry : res.device_keys) {
|
for (const auto &user : res.device_keys) {
|
||||||
for (const auto &dev : entry.second) {
|
for (const auto &dev : user.second) {
|
||||||
nhlog::net()->info("received device {}", dev.first);
|
const auto user_id = UserId(dev.second.user_id);
|
||||||
|
const auto device_id = DeviceId(dev.second.device_id);
|
||||||
|
|
||||||
|
nhlog::net()->info("device_id {}", device_id.get());
|
||||||
|
|
||||||
const auto device_keys = dev.second.keys;
|
const auto device_keys = dev.second.keys;
|
||||||
const auto curveKey = "curve25519:" + dev.first;
|
const auto curveKey = "curve25519:" + device_id.get();
|
||||||
const auto edKey = "ed25519:" + dev.first;
|
const auto edKey = "ed25519:" + device_id.get();
|
||||||
|
|
||||||
if ((device_keys.find(curveKey) == device_keys.end()) ||
|
if ((device_keys.find(curveKey) == device_keys.end()) ||
|
||||||
(device_keys.find(edKey) == device_keys.end())) {
|
(device_keys.find(edKey) == device_keys.end())) {
|
||||||
nhlog::net()->info(
|
nhlog::net()->info(
|
||||||
"ignoring malformed keys for device {}",
|
"ignoring malformed keys for device {}",
|
||||||
dev.first);
|
device_id.get());
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1303,23 +1306,36 @@ TimelineView::prepareEncryptedMessage(const PendingMessage &msg)
|
||||||
"dev keys {} {}", algo.first, algo.second);
|
"dev keys {} {}", algo.first, algo.second);
|
||||||
}
|
}
|
||||||
|
|
||||||
auto room_key =
|
try {
|
||||||
olm::client()
|
if (!mtx::crypto::verify_identity_signature(
|
||||||
->create_room_key_event(UserId(dev.second.user_id),
|
json(dev.second), device_id, user_id)) {
|
||||||
pks.ed25519,
|
nhlog::crypto()->warn(
|
||||||
megolm_payload)
|
"failed to verify identity keys: {}",
|
||||||
|
json(dev.second).dump(2));
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
} catch (const json::exception &e) {
|
||||||
|
nhlog::crypto()->warn(
|
||||||
|
"failed to parse device key json: {}",
|
||||||
|
e.what());
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
auto room_key = olm::client()
|
||||||
|
->create_room_key_event(
|
||||||
|
user_id, pks.ed25519, megolm_payload)
|
||||||
.dump();
|
.dump();
|
||||||
|
|
||||||
http::v2::client()->claim_keys(
|
http::v2::client()->claim_keys(
|
||||||
dev.second.user_id,
|
user_id,
|
||||||
{dev.second.device_id},
|
{device_id},
|
||||||
std::bind(&TimelineView::handleClaimedKeys,
|
std::bind(&TimelineView::handleClaimedKeys,
|
||||||
this,
|
this,
|
||||||
keeper,
|
keeper,
|
||||||
room_key,
|
room_key,
|
||||||
pks,
|
pks,
|
||||||
dev.second.user_id,
|
user_id,
|
||||||
dev.second.device_id,
|
device_id,
|
||||||
std::placeholders::_1,
|
std::placeholders::_1,
|
||||||
std::placeholders::_2));
|
std::placeholders::_2));
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue