Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: withhold outgoing messages to unsigned dehydrated devices #4551

Merged
merged 2 commits into from
Jan 29, 2025
Merged

crypto: withhold outgoing messages to unsigned dehydrated devices #4551

merged 2 commits into from
Jan 29, 2025

Conversation

richvdh
Copy link
Member

@richvdh richvdh commented Jan 17, 2025
edited
Loading

Per #4313, we should not send outgoing messages to dehydrated devices that are not signed by the user's identity

Fixes #4313

@richvdh richvdh requested review from a team as code owners January 17, 2025 16:40
@richvdh richvdh requested review from poljar and removed request for a team January 17, 2025 16:40
@richvdh richvdh force-pushed the rav/withheld_to_unverified_dehydrated branch from 001dcf6 to cac1067 Compare January 17, 2025 16:54
richvdh
richvdh commented Jan 17, 2025
View reviewed changes
crates/matrix-sdk-crypto/src/session_manager/group_sessions/share_strategy.rs Outdated
Comment on lines 164 to 216
// We only need the user identity if `only_allow_trusted_devices` or
// `error_on_verified_user_problem` is set.
let device_owner_identity =
if only_allow_trusted_devices || error_on_verified_user_problem {
store.get_user_identity(user_id).await?
} else {
None
};
let device_owner_identity = store.get_user_identity(user_id).await?;
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We now also need the identity if the user has a dehydrated device. Trying to optimise away this call in the cases where we weren't going to need the identity was getting too complicated, so let's just do it every time.

@codecov Codecov
Copy link

codecov bot commented Jan 17, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 90.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 85.40%. Comparing base (408b843) to head (13cc4bc).
Report is 56 commits behind head on main.

Files with missing lines Patch % Lines
crates/matrix-sdk-crypto/src/identities/device.rs 66.66% 1 Missing ⚠️
...c/session_manager/group_sessions/share_strategy.rs 94.11% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4551      +/-   ##
==========================================
+ Coverage   85.39%   85.40%   +0.01%     
==========================================
  Files         286      286              
  Lines       32258    32275      +17     
==========================================
+ Hits        27546    27564      +18     
+ Misses       4712     4711       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@richvdh richvdh mentioned this pull request Jan 20, 2025
Closed
@richvdh
Copy link
Member Author

richvdh commented Jan 20, 2025

I need to update this in view of #4313 (comment)

@richvdh richvdh marked this pull request as draft January 20, 2025 21:22
@richvdh richvdh removed the request for review from poljar January 20, 2025 21:22
@richvdh richvdh force-pushed the rav/withheld_to_unverified_dehydrated branch 2 times, most recently from aa82b96 to 919f073 Compare January 21, 2025 13:32
@richvdh richvdh marked this pull request as ready for review January 21, 2025 13:32
@richvdh
Copy link
Member Author

richvdh commented Jan 22, 2025

I need to update this in view of #4313 (comment)

(Now done)

@richvdh richvdh requested a review from poljar January 22, 2025 09:29
poljar
poljar requested changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@poljar poljar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we refactor the meat of the logic a bit, I find the function to be quite a challenging read.

@richvdh richvdh force-pushed the rav/withheld_to_unverified_dehydrated branch 3 times, most recently from ecab4b1 to c38feeb Compare January 26, 2025 23:05
@richvdh
Copy link
Member Author

richvdh commented Jan 26, 2025

I've now rebased this PR on top of #4581, which I think/hope will make the logic introduced here much clearer.

Unfortunately there is a failing test, due to incorrect data initialisation in test_legacy_dehydrated_device_rehydration. Hopefully @uhoreg is working on a fix for that....

@richvdh richvdh requested a review from poljar January 26, 2025 23:09
@richvdh richvdh marked this pull request as draft January 27, 2025 15:54
@richvdh richvdh force-pushed the rav/withheld_to_unverified_dehydrated branch from c38feeb to 54eda15 Compare January 27, 2025 16:29
@richvdh
Copy link
Member Author

richvdh commented Jan 27, 2025

Now rebased on #4586, which fixes the failing test.

@richvdh
test: test helpers in share_strategy tests
6c43ab6 
Split the existing `set_up_test_machine` into two parts, so we can set up
the test OlmMachine without importing data for other users
@richvdh richvdh force-pushed the rav/withheld_to_unverified_dehydrated branch from 54eda15 to 051f595 Compare January 27, 2025 17:57
@richvdh richvdh marked this pull request as ready for review January 27, 2025 17:57
poljar
poljar approved these changes Jan 29, 2025
View reviewed changes
Copy link
Contributor

@poljar poljar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking the time to refactor this so this becomes more manageable.

I took the time to re-read all of our strategies and I think the code matches to what we described in the docs.

Great work.

crates/matrix-sdk-crypto/src/identities/device.rs Outdated
@@ -966,6 +966,11 @@ impl DeviceData {
pub fn first_time_seen_ts(&self) -> MilliSecondsSinceUnixEpoch {
self.first_time_seen_ts
}

/// True if this device is an MSC3814 dehydrated device.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we mention an MSC it would be nice to link to it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup, done.

@richvdh
crypto: withhold outgoing messages to unsigned dehydrated devices
13cc4bc 
Per #4313, we should not
send outgoing messages to dehydrated devices that are not signed by the current
pinned/verified identity.
@richvdh richvdh force-pushed the rav/withheld_to_unverified_dehydrated branch from 051f595 to 13cc4bc Compare January 29, 2025 17:22
@richvdh richvdh enabled auto-merge (rebase) January 29, 2025 17:22
@richvdh richvdh merged commit 6f42b0a into main Jan 29, 2025
40 checks passed
@richvdh richvdh deleted the rav/withheld_to_unverified_dehydrated branch January 29, 2025 17:37
@richvdh richvdh mentioned this pull request Feb 13, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@poljar poljar poljar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

KeySharing, DevicebasedStrategy | Exclude insecure dehydrated devices when sending messages
2 participants
@richvdh @poljar