feat(securejoin): ignore invalid *-request-with-auth messages silently

2026-05-20 07:16:31 +03:00 · 2024-08-31 03:44:13 +00:00
parent be73076e9e
commit dd1c2e836b
2 changed files with 28 additions and 48 deletions
--- a/deltachat-rpc-client/tests/test_securejoin.py
+++ b/deltachat-rpc-client/tests/test_securejoin.py
@@ -650,7 +650,8 @@ def test_withdraw_securejoin_qr(acfactory):
    logging.info("Bob scanned withdrawn QR code")
    while True:
        event = alice.wait_for_event()
-        if event.kind == EventType.MSGS_CHANGED and event.chat_id != 0:
+        if (
            event.kind == EventType.WARNING
            and "Ignoring vg-request-with-auth message because of invalid auth code." in event.msg
        ):
            break
    snapshot = alice.get_message_by_id(event.msg_id).get_snapshot()
    assert snapshot.text == "Cannot establish guaranteed end-to-end encryption with {}".format(bob.get_config("addr"))
--- a/src/securejoin.rs
+++ b/src/securejoin.rs
@@ -369,60 +369,42 @@ pub(crate) async fn handle_securejoin_handshake(
            ==========================================================*/
            // verify that Secure-Join-Fingerprint:-header matches the fingerprint of Bob
-            let fingerprint: Fingerprint =
+            let Some(fp) = mime_message.get_header(HeaderDef::SecureJoinFingerprint) else {
-                match mime_message.get_header(HeaderDef::SecureJoinFingerprint) {
+                warn!(
                    Some(fp) => fp.parse()?,
                    None => {
                        could_not_establish_secure_connection(
                            context,
                            contact_id,
                            info_chat_id(context, contact_id).await?,
                            "Fingerprint not provided.",
                        )
                        .await?;
                        return Ok(HandshakeMessage::Ignore);
                    }
                };
            if !encrypted_and_signed(context, mime_message, Some(&fingerprint)) {
                could_not_establish_secure_connection(
                    context,
-                    contact_id,
+                    "Ignoring {step} message because fingerprint is not provided."
-                    info_chat_id(context, contact_id).await?,
+                );
-                    "Auth not encrypted.",
+                return Ok(HandshakeMessage::Ignore);
-                )
+            };
-                .await?;
+            let fingerprint: Fingerprint = fp.parse()?;
            if !encrypted_and_signed(context, mime_message, Some(&fingerprint)) {
                warn!(
                    context,
                    "Ignoring {step} message because the message is not encrypted."
                );
                return Ok(HandshakeMessage::Ignore);
            }
            if !verify_sender_by_fingerprint(context, &fingerprint, contact_id).await? {
-                could_not_establish_secure_connection(
+                warn!(
                    context,
-                    contact_id,
+                    "Ignoring {step} message because of fingerprint mismatch."
-                    info_chat_id(context, contact_id).await?,
+                );
                    "Fingerprint mismatch on inviter-side.",
                )
                .await?;
                return Ok(HandshakeMessage::Ignore);
            }
            info!(context, "Fingerprint verified.",);
            // verify that the `Secure-Join-Auth:`-header matches the secret written to the QR code
            let Some(auth) = mime_message.get_header(HeaderDef::SecureJoinAuth) else {
-                could_not_establish_secure_connection(
+                warn!(
                    context,
-                    contact_id,
+                    "Ignoring {step} message because of missing auth code."
-                    info_chat_id(context, contact_id).await?,
+                );
                    "Auth not provided.",
                )
                .await?;
                return Ok(HandshakeMessage::Ignore);
            };
            let Some(group_chat_id) = token::auth_chat_id(context, auth).await? else {
-                could_not_establish_secure_connection(
+                warn!(
                    context,
-                    contact_id,
+                    "Ignoring {step} message because of invalid auth code."
-                    info_chat_id(context, contact_id).await?,
+                );
                    "Auth invalid.",
                )
                .await?;
                return Ok(HandshakeMessage::Ignore);
            };
@@ -439,13 +421,10 @@ pub(crate) async fn handle_securejoin_handshake(
            )
            .await?;
            if !fingerprint_found {
-                could_not_establish_secure_connection(
+                warn!(
                    context,
-                    contact_id,
+                    "Ignoring {step} message because of the failure to find matching peerstate."
-                    info_chat_id(context, contact_id).await?,
+                );
                    "Fingerprint mismatch on inviter-side.",
                )
                .await?;
                return Ok(HandshakeMessage::Ignore);
            }
            contact_id.regossip_keys(context).await?;