Configurable sender trust checking on decrypting

[uhoreg]

• Public API changes documented in changelogs (optional)

Signed-off-by:

[uhoreg]

I'm not sure how to handle the higher levels. It seems like we should be storing the setting in some struct so that, e.g. messages that come down /sync get decrypted with the right setting, but I'm not sure where it should go. I don't see a relevant struct that has settings, so there isn't a clear place to put the setting.

[jmartinesp]

Sorry, I don't have much experience with the SDK and much less with the crypto part of it. Maybe someone else from the team can answer your questions? @poljar , @andybalaam?

[uhoreg]

I added this so that session_data_finder can find this information, so that the trust level can be calculated. But I think that it would be better to combine this with the master_key_verified field, and make them into a new master_key_status field that is an enum with Unverified, NeedsApproval, and Verified options. Maybe we should even add another option for the case where the user's previous identity was verified, but they rotated their identity. Maybe something like PreviousIdentityVerified.

What do you think?

(If you think it's better to keep it as-is, then I'll write documentation for this field, but I didn't want to write it if I was going to remove it right away.)

[richvdh]

You've asked me for my opinion on this question, but this change doesn't seem to appear anywhere in the PR, so I don't think I have enough context on the change to form a sensible opinion.

[uhoreg]

I believe the tests fail because get_encryption_info now updates the sender_data, so I'll need to poke more things into the database so that it updates to the right thing. Aside from that, I think that this is ready for re-review.

[richvdh]

Discussion: should we throw an error when an identity has been rotated?

• For a TOFU user, we should definitely just decrypt as normal (for symmetry with encryption)
• For a verified user, we will throw an error on decryption if the identity is replaced (an expected UTD). The application can try to re-decrypt after the user re-verifies/reverts to unverified.

[richvdh]

@uhoreg will update this PR a bit and then get @richvdh to review

[codecov]

Codecov Report

Attention: Patch coverage is 91.30435% with 4 lines in your changes missing coverage. Please review.

Project coverage is 84.09%. Comparing base (6becbf6) to head (0e9b581).
Report is 106 commits behind head on main.

Files	Patch %	Lines
crates/matrix-sdk-crypto/src/machine/mod.rs	87.50%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3701      +/-   ##
==========================================
- Coverage   84.11%   84.09%   -0.02%     
==========================================
  Files         262      262              
  Lines       27599    27628      +29     
==========================================
+ Hits        23214    23235      +21     
- Misses       4385     4393       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[uhoreg]

@richvdh I think this is ready for review. I do have one question that I'd like an opinion on.

The commit history is a big mess, partially due to being based on a branch that got force-pushed at some point, so this PR should probably get squash-merged.

[richvdh]

Some initial thoughts.

I'm really struggling to follow this as one big diff. +600 lines isn't huge, but there is actually quite a lot changing here, and following the logic though everywhere is hard.

I think it might be better to start again on the commit history, and break it into smaller changes. For example - let's separate the changes to SenderData from the changes to decryption. Then add the DecryptionSettings parameter without actually implementing it, so that we can see the real changes without all the noise from that.

[richvdh]

Suggested change

	- `OlmMachine::decrypt_room_event` now takes an `EncryptionSettings` argument.
	- `OlmMachine::decrypt_room_event` now takes a `DecryptionSettings` argument.

[richvdh]

we should probably also document some of the changes to publicly-visible types (MegolmError, VerificationLevel, etc)

[richvdh]

what does "quarantined" mean here? Is it stored somewhere within the store?

[richvdh]

SenderIdentity feels like it doesn't quite describe the problem here.

Suggested change

	SenderIdentity(#[from] VerificationLevel),
	SenderIdentityNotTrusted(#[from] VerificationLevel),

[richvdh]

Suggested change

	/// The sender's cross-signing identity isn't trusted
	/// An encrypted message wasn't decrypted, because the sender's cross-signing identity isn't trusted.

(This should maybe also link to DecryptionSettings and say that it only happens under some conditions)

[richvdh]

Actually, isn't it more "because the message could not be linked to a verified device" than specific to the sender's identity?

[richvdh]

Suggested change

	/// Only decrypt events from cross-signed or legacy sessions (Megolm
	/// Only decrypt events from cross-signed devices or legacy sessions (Megolm

[richvdh]

Short answer: yes, this really feels like it ought to be a tri-state.

(#3846 added an OwnUserIdentityVerifiedState enum for a similar reason; not sure we should reuse that, but I think it's a pattern we should follow)

A downside is that it breaks backwards-compatibility for the crypto store :/

[richvdh]

per a discussion today in #matrix-rust-sdk-dev, helper functions should probably come after the functions they help.

[richvdh]

helpers after the functions they help, please

[richvdh]

if this is the actual behaviour (and I'm not sure that it is), it needs a name that reflects it.

[richvdh]

You've asked me for my opinion on this question, but this change doesn't seem to appear anywhere in the PR, so I don't think I have enough context on the change to form a sensible opinion.

[uhoreg]

replaced by #3899