Delete secrets when cross-signing is reset

2024-12-22 19:14:52 +01:00 · 2023-06-20 17:45:19 +05:30 · 2023-06-20 17:45:19 +05:30 · d00f140309
commit d00f140309
parent 071aa2c2a3
4 changed files with 35 additions and 0 deletions
--- a/src/matrix/Session.js
+++ b/src/matrix/Session.js
@ -772,6 +772,7 @@ export class Session {
            e2eeAccountChanges: null,
            hasNewRoomKeys: false,
            deviceMessageDecryptionResults: null,
+            changedDevices: null,
        };
        const syncToken = syncResponse.next_batch;
        if (syncToken !== this.syncToken) {
@ -789,6 +790,7 @@ export class Session {
        const deviceLists = syncResponse.device_lists;
        if (this._deviceTracker && Array.isArray(deviceLists?.changed) && deviceLists.changed.length) {
            await log.wrap("deviceLists", log => this._deviceTracker.writeDeviceChanges(deviceLists.changed, txn, log));
+            changes.changedDevices = deviceLists.changed;
        }

        if (preparation) {
@ -838,6 +840,9 @@ export class Session {
        if (changes.deviceMessageDecryptionResults) {
            await this._deviceMessageHandler.afterSyncCompleted(changes.deviceMessageDecryptionResults, this._deviceTracker, this._hsApi, log);
        }
+        if (changes.changedDevices?.includes(this.userId)) {
+            this._secretSharing?.checkSecretValidity();
+        }
    }

    _tryReplaceRoomBeingCreated(roomId, log) {
--- a/src/matrix/ssss/SecretSharing.ts
+++ b/src/matrix/ssss/SecretSharing.ts
@ -225,6 +225,17 @@ export class SecretSharing {
        }
    }

+    async checkSecretValidity(log: ILogItem): Promise<void> {
+        const crossSigning = this.crossSigning.get();
+        const needsDeleting = !await crossSigning?.areWeVerified(log);
+        if (needsDeleting) {
+            // User probably reset their cross-signing keys
+            // Can't trust the secrets anymore!
+            const txn = await this.storage.readWriteTxn([this.storage.storeNames.sharedSecrets]);
+            txn.sharedSecrets.deleteAllSecrets();
+        }
+    }
+
    async getLocallyStoredSecret(name: string): Promise<any> {
        const txn = await this.storage.readTxn([
            this.storage.storeNames.sharedSecrets,
--- a/src/matrix/storage/idb/Store.ts
+++ b/src/matrix/storage/idb/Store.ts
@ -118,6 +118,16 @@ export class QueryTargetWrapper<T> {
        }
    }

+    clear(): IDBRequest<undefined> {
+        try {
+            LOG_REQUESTS && logRequest("clear", [], this._qt);
+            return this._qtStore.clear();
+        }
+        catch (err) {
+            throw new IDBRequestAttemptError("delete", this._qt, err, []);
+        }
+    }
+
    count(keyRange?: IDBKeyRange): IDBRequest<number> {
        try {
            return this._qt.count(keyRange);
@ -195,6 +205,11 @@ export class Store<T> extends QueryTarget<T> {
        this._prepareErrorLog(request, log, "delete", keyOrKeyRange, undefined);
    }

+    clear(log?: ILogItem): void {
+        const request = this._idbStore.clear();
+        this._prepareErrorLog(request, log, "delete", undefined, undefined);
+    }
+
    private _prepareErrorLog(request: IDBRequest, log: ILogItem | undefined, operationName: string, key: IDBKey | undefined, value: T | undefined) {
        if (log) {
            log.ensureRefId();
--- a/src/matrix/storage/idb/stores/SharedSecretStore.ts
+++ b/src/matrix/storage/idb/stores/SharedSecretStore.ts
@ -36,4 +36,8 @@ export class SharedSecretStore {
    remove(name: string): void {
        this._store.delete(name);
    }
+
+    deleteAllSecrets(): void {
+        this._store.clear();
+    }
 }