From 7f633a02981c9c593b0c6218b95b3b2e9d9531d2 Mon Sep 17 00:00:00 2001
From: Nicolas Werner <nicolas.werner@hotmail.de>
Date: Mon, 9 Aug 2021 20:52:54 +0200
Subject: [PATCH] Add rate limiting to unknown device list path

---
 src/Olm.cpp | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/src/Olm.cpp b/src/Olm.cpp
index 40c87f9f..2c9ac5a3 100644
--- a/src/Olm.cpp
+++ b/src/Olm.cpp
@@ -1112,6 +1112,8 @@ send_encrypted_to_device_messages(const std::map<std::string, std::vector<std::s
                                   const mtx::events::collections::DeviceEvents &event,
                                   bool force_new_session)
 {
+        static QMap<QPair<std::string, std::string>, qint64> rateLimit;
+
         nlohmann::json ev_json = std::visit([](const auto &e) { return json(e); }, event);
 
         std::map<std::string, std::vector<std::string>> keysToQuery;
@@ -1164,7 +1166,6 @@ send_encrypted_to_device_messages(const std::map<std::string, std::vector<std::s
 
                         auto session = cache::getLatestOlmSession(device_curve);
                         if (!session || force_new_session) {
-                                static QMap<QPair<std::string, std::string>, qint64> rateLimit;
                                 auto currentTime = QDateTime::currentSecsSinceEpoch();
                                 if (rateLimit.value(QPair(user, device)) + 60 * 60 * 10 <
                                     currentTime) {
@@ -1320,7 +1321,8 @@ send_encrypted_to_device_messages(const std::map<std::string, std::vector<std::s
                 };
         };
 
-        http::client()->claim_keys(claims, BindPks(pks));
+        if (!claims.one_time_keys.empty())
+                http::client()->claim_keys(claims, BindPks(pks));
 
         if (!keysToQuery.empty()) {
                 mtx::requests::QueryKeys req;
@@ -1397,9 +1399,25 @@ send_encrypted_to_device_messages(const std::map<std::string, std::vector<std::s
                                                   continue;
                                           }
 
-                                          deviceKeys[user_id].emplace(device_id, pks);
-                                          claim_keys.one_time_keys[user.first][device_id] =
-                                            mtx::crypto::SIGNED_CURVE25519;
+                                          auto currentTime = QDateTime::currentSecsSinceEpoch();
+                                          if (rateLimit.value(QPair(user.first, device_id.get())) +
+                                                60 * 60 * 10 <
+                                              currentTime) {
+                                                  deviceKeys[user_id].emplace(device_id, pks);
+                                                  claim_keys.one_time_keys[user.first][device_id] =
+                                                    mtx::crypto::SIGNED_CURVE25519;
+
+                                                  rateLimit.insert(
+                                                    QPair(user.first, device_id.get()),
+                                                    currentTime);
+                                          } else {
+                                                  nhlog::crypto()->warn(
+                                                    "Not creating new session with {}:{} "
+                                                    "because of rate limit",
+                                                    user.first,
+                                                    device_id.get());
+                                                  continue;
+                                          }
 
                                           nhlog::net()->info("{}", device_id.get());
                                           nhlog::net()->info("  curve25519 {}", pks.curve25519);
@@ -1407,7 +1425,8 @@ send_encrypted_to_device_messages(const std::map<std::string, std::vector<std::s
                                   }
                           }
 
-                          http::client()->claim_keys(claim_keys, BindPks(deviceKeys));
+                          if (!claim_keys.one_time_keys.empty())
+                                  http::client()->claim_keys(claim_keys, BindPks(deviceKeys));
                   });
         }
 }