element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
Apache License 2.0

Broken Secret Storage Setup #27382

Open MichaelErjemenko opened 3 weeks ago

MichaelErjemenko commented 3 weeks ago

Steps to reproduce

  1. Create new SSO Account and sign in for the first time with the web client
  2. Create a private room
  3. Set up secret storage using a recovery key / without passphrase
  4. Send a message => The message has a red shield. The security page in the settings shows that the session is connected with the secret storage and the cross signing is set up. The session page shows that this session is not trusted.
  5. Sign out
  6. and sign in again. The dialog for entering the recovery key appears several times but it doesn't help to decrypt the message. 7 . Endless many POST matrix/client/v3/keys/query requests with 200 Response. It stops when clicking on the "Upgrade" button in the Encryption upgrade available modal / dialog. (See https://github.com/element-hq/element-web/issues/27165)
  7. In the security settings it is shown that the session "is not backing up your keys" in the secret storage.
  8. Connecting to the secret storage leads to an error dialog Unable to restore backup when having entered the correct recovery key. The console prints (v1.11.64): Error: the signing key is missing from the object that signed the message

Outcome

What did you expect?

After step 4: The session should be trusted after setting up the secret storage. After step 5: Entering the recovery key a single time and being directed to the chat with decrypted messages.

What happened instead?

After step 4: The session is not trusted. After step 5: I had to enter the recovery key several times and the messages were not decrypted afterwards.

Operating system

Windows

Browser information

Google Chrome 123.0.6312.124

URL for webapp

No response

Application version

Element Web v1.11.64

Homeserver

Synapse v1.101.0

Will you send logs?

No

MichaelErjemenko commented 3 weeks ago

Some additional information:

There are no db entries at the server for the tables e2e_cross_signing_keys, e2e_cross_signing_signatures for this user. The following tables seem to have "normal" entries:

Setting 1

| Repository name | commit hash | version |
| --- | --- | --- |
| element-web | ba2336ac5c952a2dea36f70fc8e727cf9fe1d6a4 | v1.11.61 |
| matrix-react-sdk | f96606acebaeea99e98c3a827575c76a68f37a5c | v3.95.0 |
| matrix-js-sdk | 78d05942a35a764ca2ae0de153ae38adf1d7c934 | v31.5.0 |

Setting 2

| Repository name | commit hash | version |
| --- | --- | --- |
| element-web | 180a1a243bbcd22f5fd9b17ea49f4d63ec960cc5 | v1.11.64 |
| matrix-react-sdk | adc805828da3a5cc1f2a9dccc05ce83430166ff8 | v3.97.0 |
| matrix-js-sdk | e4937e62226a90428a66194cb2eb389c94fd848b | v32.0.0 |

richvdh commented 3 weeks ago

Please can you send a bug report from within your client after step 3?

MichaelErjemenko commented 3 weeks ago

Sorry, but this is not possible. The URLs and other information must not be published and I cannot guarantee to replace all information in the debug logs with a placeholder.

richvdh commented 3 weeks ago

Hrm, tricky. I've not been able to reproduce this at all, so without logs it's going to be hard to proceed.

richvdh commented 3 weeks ago

Some of the later stages of this sound much like https://github.com/element-hq/element-web/issues/27252

flesueur commented 2 weeks ago

Hi,

I encounter this precise case; I can reproduce all the steps. Element 1.11.65 using SSO.

It appears starting from 1.11.58 when the Rust crypto is activated; 1.11.57 is ok.

I uploaded debug logs after step 3. I can also provide test accounts in my environment if you want to reproduce.

As proposed in #27252, resetting cross-signing keys after this initial step solves this problem.

Cheers, François
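
A way to check from the client side whether the homeserver holds cross-signing keys for an account, as the empty `e2e_cross_signing_keys` table reported in the thread suggests it does not, is to inspect the JSON returned by `POST /_matrix/client/v3/keys/query` for one's own user ID. This is an added example, not code from the issue or from Element; the function names are hypothetical, and the user ID, device ID, key and signature strings are constructed placeholders.

```python
# Added example; all sample values below are constructed placeholders.
KEY_TYPES = {"master_keys": "master", "self_signing_keys": "self_signing",
             "user_signing_keys": "user_signing"}


def public_key(key_obj):
    """Return the one public key held in a cross-signing key object."""
    return next(iter(key_obj["keys"].values()))


def cross_signing_status(response, user_id, device_id):
    """Summarise a /keys/query response for the requester's own user_id."""
    # user_signing_keys is only returned for the requesting user's own account.
    missing = [t for t in KEY_TYPES if user_id not in response.get(t, {})]
    device = response.get("device_keys", {}).get(user_id, {}).get(device_id)
    ssk = response.get("self_signing_keys", {}).get(user_id)
    signed = False
    if device is not None and ssk is not None:
        sigs = device.get("signatures", {}).get(user_id, {})
        # Presence check only: the signature is not cryptographically verified.
        signed = f"ed25519:{public_key(ssk)}" in sigs
    return {"missing_key_types": missing,
            "device_known": device is not None,
            "device_cross_signed": signed}


def sample_response(with_cross_signing):
    """Build a constructed response for @alice:example.org / DEVICEID01."""
    user, dev = "@alice:example.org", "DEVICEID01"
    device = {"user_id": user, "device_id": dev,
              "keys": {f"ed25519:{dev}": "DEVICE_PUB"},
              "signatures": {user: {f"ed25519:{dev}": "SIG_BY_DEVICE"}}}
    resp = {"device_keys": {user: {dev: device}}}
    if with_cross_signing:
        for key_type, usage in KEY_TYPES.items():
            pub = usage.upper() + "_PUB"
            resp[key_type] = {user: {"user_id": user, "usage": [usage],
                                     "keys": {f"ed25519:{pub}": pub}}}
        device["signatures"][user]["ed25519:SELF_SIGNING_PUB"] = "SIG_BY_SSK"
    return resp


if __name__ == "__main__":
    for label, flag in (("keys absent", False), ("keys present", True)):
        print(label, cross_signing_status(sample_response(flag),
                                          "@alice:example.org", "DEVICEID01"))
```

A result with all three key types missing while the device itself is known matches the server state described in the thread: device keys were uploaded, but no cross-signing identity was published.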