First message sent in large E2EE room can fail to decrypt with unknown message index #3687

Closed
kegsay opened this issue Jul 11, 2024 · 1 comment
Labels
bug Something isn't working encryption

Comments

Member

kegsay commented Jul 11, 2024

After debugging an Element-Web UTD, it looks like the sender sent a message which almost everyone in a large (1k+ users) E2EE room could not decrypt, returning the error: "The message was encrypted using an unknown message index, first known index 1, index of the message 0." The sender had just joined the large room a few minutes prior.

I don't know yet the reason why the message index was incremented as I'm missing the sender rageshake. However, I have verified that 2 different users in the room failed to decrypt the same message.

This issue is mostly being filed to publicly track this issue, as opposed to there being anything actionable (yet). If I can't confirm there's a bug, I'll close this in a few days.

In this particular case, it seems like only :matrix.org users were affected, which implies some sort of /keys/claim issue.

@kegsay kegsay added bug Something isn't working encryption labels Jul 11, 2024
@kegsay kegsay changed the title Messages can fail to decrypt with unknown message index First message sent in large E2EE room can fail to decrypt with unknown message index Jul 11, 2024
Member Author

kegsay commented Jul 12, 2024

This is element-hq/synapse#17267 and not an issue with the Rust SDK.

The failure mode seems to be:

  • join a large E2EE room, where you are on a small HS and there are many users on another HS, e.g. matrix.org
  • send a message
  • this will try to /keys/claim on matrix.org
  • if this times out, everyone on matrix.org will see a UTD.
  • the next message you send may not be a UTD, so long as the /keys/claim 200 OKs
  • critically, if this happens, the sender will only share the ratcheted key at index=1, causing "The message was encrypted using an unknown message index, first known index 1, index of the message 0."

@kegsay kegsay closed this as completed Jul 12, 2024
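
The failure mode listed in the comment above, as an added example that is not part of the original issue or of the Rust SDK. A simplified single-chain SHA-256 ratchet stands in for Megolm; the class names, `simulate`, the toy XOR cipher and the seed are assumptions constructed for illustration.

```python
import hashlib

def advance(key: bytes) -> bytes:
    """One forward ratchet step; SHA-256 is one-way, so there is no step back."""
    return hashlib.sha256(b"ratchet" + key).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy cipher for illustration only (messages up to 32 bytes); not real Megolm.
    stream = hashlib.sha256(b"msg" + key).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

class OutboundSession:  # hypothetical name: the sender's side of a group session
    def __init__(self, seed: bytes):
        self.key, self.index = seed, 0
    def encrypt(self, plaintext: bytes):
        message = (self.index, xor_stream(self.key, plaintext))
        self.key, self.index = advance(self.key), self.index + 1
        return message
    def export(self):
        # A key share carries the ratchet state at the sender's *current* index.
        return (self.index, self.key)

class InboundSession:  # hypothetical name: what a recipient holds after a share
    def __init__(self, shared):
        self.first_index, self.first_key = shared
    def decrypt(self, message):
        index, ciphertext = message
        if index < self.first_index:  # earlier keys cannot be derived
            raise ValueError(f"unknown message index, first known index "
                             f"{self.first_index}, index of the message {index}")
        key = self.first_key
        for _ in range(index - self.first_index):
            key = advance(key)
        return xor_stream(key, ciphertext)

def simulate(claim_ok):
    """claim_ok[i]: did /keys/claim succeed when message i was sent?"""
    sender, receiver, sent, seen = OutboundSession(b"constructed seed"), None, [], []
    for i, ok in enumerate(claim_ok):
        if ok and receiver is None:  # first successful claim: share the key now
            receiver = InboundSession(sender.export())
        sent.append(sender.encrypt(f"message {i}".encode()))
    if receiver is None:  # every claim failed, so the key was never shared
        return ["UTD: no session"] * len(sent)
    for message in sent:
        try:
            seen.append(receiver.decrypt(message).decode())
        except ValueError as err:
            seen.append(f"UTD: {err}")
    return seen
```

`simulate([False, True])` models a timed-out claim followed by a successful one: the recipient receives the key at index 1, so message 0 stays undecryptable while message 1 decrypts.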