omemo / gajim-omemo

Gajim plugin for OMEMO Multi-End Message and Object Encryption

MUC: Omemo Support #47

Closed PolynomialDivision closed 8 years ago

PolynomialDivision commented 8 years ago

Hi, Conversations is going to support OMEMO in Multi-User Chats:

OMEMO encryption works only in private (members only) conferences that are non-anonymous. You need to have presence subscription with every member of the conference. You can verify that by going into the conference details, long press every member and start a conversation with them. (Or select 'contact details' if they are already in your contact list)
The owner of a conference can make a public conference private by going into the conference details and hit the settings button (the one with the gears) and select both private and members only.

It would be awesome if gajim could support omemo in muc too.

petmos commented 8 years ago

I'm not sure if this is the right place but I would recommend this request. Encrypted MUC (with multi device and multi platform support) would be great.

nerdy-sam commented 8 years ago

Encrypted MUC on Conversations is working now. Would be really nice to be able to participate from a non-Android device with Gajim! :)

kalkin commented 8 years ago

This is on a TODO list, but the fastest way to get it is a PR! :grin:

lovetox commented 8 years ago

I'm working on it

petmos commented 8 years ago

@lovetox

I'm working on it

I'm not experienced in Python but perhaps I can support you by testing. Let me know.

nicoechaniz commented 8 years ago

@lovetox how's your work going? We'd love to test your implementation and maybe help out a bit.

lovetox commented 8 years ago

there is an event needed in Gajim so that it works; that's only implemented in the gtk3/python3 branch until now, not the gtk2 version

and everyone who can commit to the main repo is on holiday

jocelynthode commented 8 years ago

@lovetox Hey, is there a way to test your MUC implementation right now?

lovetox commented 8 years ago

you can try with gajim nightly and https://github.com/lovetox/gajim-omemo/tree/groupchat

Only with contacts you have in your roster; the chat channel has to be non-anonymous.

jocelynthode commented 8 years ago

thanks!

slizzered commented 8 years ago

@lovetox, I get the following error when trying to send a message to a group chat where all members are in my contact list, but I don't yet have the OMEMO key of one member:

Traceback (most recent call last):
  File "/usr/share/gajim/src/chat_control.py", line 797, in _on_message_textview_mykeypress_event
    self.send_message(message, xhtml=xhtml) # send the message
  File "/usr/share/gajim/plugins/omemo/ui.py", line 188, in omemo_send_gc_message
    process_commands)
  File "/usr/share/gajim/plugins/omemo/ui.py", line 188, in omemo_send_gc_message
    process_commands)
  File "/usr/share/gajim/plugins/omemo/ui.py", line 188, in omemo_send_gc_message
    process_commands)
  File "/usr/share/gajim/plugins/omemo/ui.py", line 188, in omemo_send_gc_message
    process_commands)
  File "/usr/share/gajim/plugins/omemo/ui.py", line 188, in omemo_send_gc_message
    process_commands)

// SNIP

  File "/usr/share/gajim/plugins/omemo/ui.py", line 179, in omemo_send_gc_message
    real_jid):
  File "/usr/share/gajim/plugins/omemo/__init__.py", line 720, in are_keys_missing
    state = self.get_omemo_state(account)
  File "/usr/share/gajim/src/plugins/helpers.py", line 106, in wrapper
    'funcname': self.full_func_name})
  File "/usr/lib/python2.7/logging/__init__.py", line 1154, in debug
    if self.isEnabledFor(DEBUG):
  File "/usr/lib/python2.7/logging/__init__.py", line 1366, in isEnabledFor
    return level >= self.getEffectiveLevel()
RuntimeError: maximum recursion depth exceeded

lovetox commented 8 years ago

yeah, this was really only a try to implement this, I will update the code end of the week hopefully

lovetox commented 8 years ago

Only works with Gajim 0.16.6 or Nightly

So I merged GroupChat, but it's rather incomplete because I need people who are testing.

OMEMO encryption works only in private (members only) conferences that are non-anonymous. You need to have presence subscription with every member of the conference.

  • Right now we don't query the member list of the room, we go only with presence we receive from people in the room. So if you join an ongoing conversation, and someone who was earlier in the room is offline right now, your messages will not reach him. -> I will work on this next.
  • Gajim doesn't support MAM for MUC right now, so you will miss stuff if you go offline.
  • Set muc_restore_lines in the advanced config editor to 50 or something, so we request the MUC to send us the last 50 messages. Whether we really get them depends on the server; it's the next best thing to MAM.

BEWARE: if you run this now from GIT, you can't go back to an older version easily, because the DB name is migrated to JID instead of Account. So if you test this, stay on GIT till the next release.
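The room requirements restated above (members-only, non-anonymous, presence subscription with every member) can be checked mechanically before a client offers OMEMO in a room. The following is an added example written for this thread, not code from the gajim-omemo plugin: it reads the room's XEP-0045 feature vars out of a disco#info reply and then walks the occupant list against the roster. The disco#info reply, the occupant map and the roster are constructed sample data; requiring a subscription of exactly "both" is this example's reading of "presence subscription with every member".

```python
import xml.etree.ElementTree as ET

NS_DISCO_INFO = "http://jabber.org/protocol/disco#info"

# XEP-0045 feature vars a room advertises in its disco#info reply.
MUC_MEMBERS_ONLY = "muc_membersonly"
MUC_NON_ANONYMOUS = "muc_nonanonymous"

# Constructed disco#info reply for a room configured as the thread requires
# (not captured from a real server).
SAMPLE_DISCO_INFO = """
<iq type="result" from="room@conference.example.org" to="me@example.org/Gajim" id="disco1">
  <query xmlns="http://jabber.org/protocol/disco#info">
    <identity category="conference" type="text" name="Test room"/>
    <feature var="http://jabber.org/protocol/muc"/>
    <feature var="muc_persistent"/>
    <feature var="muc_membersonly"/>
    <feature var="muc_nonanonymous"/>
    <feature var="muc_unmoderated"/>
  </query>
</iq>
"""


def features_from_disco_info(xml_text):
    """Return the set of feature vars in a disco#info result (empty if none)."""
    iq = ET.fromstring(xml_text)
    query = iq.find("{%s}query" % NS_DISCO_INFO)
    if query is None:
        return set()
    return {f.get("var") for f in query.findall("{%s}feature" % NS_DISCO_INFO)}


def omemo_muc_blockers(room_features, occupants, roster, own_jid):
    """List the reasons OMEMO must stay disabled for this room; [] means go.

    room_features: feature vars from the room's disco#info reply.
    occupants:     {nick: real_jid or None} as learned from room presence;
                   None means the room did not reveal the real JID.
    roster:        {bare_jid: subscription} with 'both', 'to', 'from' or 'none'.
    own_jid:       our own bare JID, skipped in the occupant check.
    """
    blockers = []
    if MUC_MEMBERS_ONLY not in room_features:
        blockers.append("room is open, not members-only")
    if MUC_NON_ANONYMOUS not in room_features:
        blockers.append("room is (semi-)anonymous, real JIDs are hidden")
    for nick, jid in occupants.items():
        if jid is None:
            blockers.append("no real JID visible for occupant %r" % nick)
            continue
        bare = jid.split("/", 1)[0]
        if bare == own_jid:
            continue
        # Assumption of this example: mutual subscription is what "presence
        # subscription with every member" means in practice.
        if roster.get(bare) != "both":
            blockers.append("no mutual presence subscription with %s" % bare)
    return blockers


if __name__ == "__main__":
    feats = features_from_disco_info(SAMPLE_DISCO_INFO)
    occupants = {"alice": "alice@example.org/phone", "me": "me@example.org/Gajim"}
    roster = {"alice@example.org": "both"}
    print(omemo_muc_blockers(feats, occupants, roster, "me@example.org"))
```

A client would run this once on join and again whenever presence changes, since a member dropping to a one-way subscription or the owner reopening the room silently breaks the assumptions the encryption relies on.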

pippcat commented 8 years ago

Hey there,

thanks for working on this!

We tried it with a conference with 2 Gajim 0.16.6 clients and weren't able to activate OMEMO. What do we do wrong? Honestly I don't understand what you mean by "You need to have presence subscription with every member of the conference.". Does it mean we have to trust our OMEMO fingerprints? If so, then that's not the problem since we're chatting OMEMO-encrypted in our private conversations.

The settings of our conference rooms are:

  • [x] make room persistent
  • [x] make room publicly searchable
  • [ ] allow occupants to change subject
  • anyone may discover real JIDs
  • no password
  • not moderated
  • [x] members only

The two JIDs of interest are admins as well as members in the room.

Any hints?

lovetox commented 8 years ago

it means you have to have each other in your contact list, you can't chat with strangers.

when you are saying you couldn't activate omemo, does that mean the omemo symbol stayed grey?

I would try to let the Conversations client open the chat room, and invite everybody

pippcat commented 8 years ago

There is no OMEMO symbol.

If I set up the room with Gajim and invite a Conversations client I can activate OMEMO in Conversations. But if I then send an encrypted message, Gajim only receives the "I sent you an OMEMO encrypted message but your client doesn't seem to support that. Find more information on https://conversations.im/omemo" message.

If I create the room with Conversations and invite the Gajim user, the latter can't join the room because Gajim seems to think that the room is a contact although it's listed as a conference in the buddy list. If I try to join I get an error message stating that whatever@conference.server.tld isn't the name of a chat room. In the console I can read "10.10.2016 17:48:05 (W) gajim.plugin_system.omemo AID => No devices for 22zuoy5dej6nz@conference.jabber.systemli.org"

If I double click the entry of the room in the buddy list, Gajim tries to make a personal conversation window with the conference room "user" and I get a "service-unavailable" error once I try to write something. I tried it with jabber.systemli.org and jabber.ccc.de.

nerdy-sam commented 8 years ago

I'm testing in MUCs with conversations.im as the other clients... fingerprint trusting is a little sticky and on some MUCs it has two OMEMO icons and I can enable OMEMO independently on each one, not sure what that means. I will create issues as I get more information. However, I am successfully chatting in multiple OMEMO MUCs for the first time from the non-mobile device!! Thank you!

lovetox commented 8 years ago

@pippcat when there is no omemo symbol that means there are other bigger issues. omemo capable chat or not, there should always be the omemo symbol in MUC (it's different for private chats)

if the groupchat is in your roster, delete it and try to join on your own without invitation. After Conversations invited you, you are in the member list and should be able to join.

do you really have no omemo icon in ANY groupchat? please check if you are really on 0.16.6

lovetox commented 8 years ago

@mitzip what's sticky about fingerprint trusting? it should be the same process as in normal chats. but you shouldn't really have to trust that much because the contact should already be in your roster, so probably you chatted with him before anyway.

the thing with the 2 icons could happen if you deactivate the plugin itself in the plugin manager, and reactivate it without restart. so the icon was added 2 times. thanks for reporting, I will fix this.

lovetox commented 8 years ago

I updated my previous post with instructions

  • set muc_restore_lines in the advanced config editor to 0, or you will get on every join old messages which cannot be decrypted a second time and probably fail with an "I sent you an OMEMO encrypted message but your client doesn't seem to support that. Find more information on https://conversations.im/omemo" message.

nerdy-sam commented 8 years ago

@lovetox "what's sticky about fingerprint trusting?" Trusting the fingerprints from the chat window icon didn't seem to do anything... doing it through the plugin config didn't seem to either, since they were already marked as trusted... though if I do that and then come back to the MUC, there is no more prompting for trusting fingerprints and my messages go through

lovetox commented 8 years ago

  1. The fingerprint window from chat and the config fingerprint window have the same fingerprints; the only difference is that the config fingerprint window has fingerprints of all contacts in your account.
  2. If a fingerprint is trusted it's trusted, it will not do anything to trust again. For groupchat the same fingerprints are used as for single chat; there are normally no new fingerprints to be trusted if you already single chatted with the contact regularly.

If you have a fingerprint of a contact in the fingerprint window of the groupchat that is trusted, but still can't send messages, that is certainly a bug.

lovetox commented 8 years ago

I updated the way the member list is pulled from the chat with the newest commit, so it should now work to write messages to people in the member list who are not online when we join the chat

YoukaiCat commented 8 years ago

Sending a message that contains non-ASCII characters causes a database error. However, the message will still be sent.

screenshot_20161011_181628

Tested on:

  • GNU/Linux, Gajim nightly, OMEMO master
  • Windows 7, Gajim 0.16.6, OMEMO master

lovetox commented 8 years ago

@YoukaiCat

hm scrap that, I can reproduce it :/

trying to repair

YoukaiCat commented 8 years ago

@lovetox This error appears only in an OMEMO-enabled MUC. Everything else works: 1-to-1 chat with or without OMEMO, MUCs without OMEMO. I'll do more tests in a virtual machine with another distro and another XMPP server.

lovetox commented 8 years ago

@YoukaiCat you don't need to, I already found the problem, fix will be online soon

lovetox commented 8 years ago

@YoukaiCat thanks for reporting the bug, I fixed it and added various other improvements.

petmos commented 8 years ago

@lovetox First I want to say thank you very much for your great work. At the moment I only work with a small MUC (only 2 participants), but it works very well. The only problem I have is that all my own clients must be online or I lose some messages. But I think it is not a problem with gajim-omemo but with my MUC, XMPP service provider, ..., because I see the same behaviour on my Conversations clients, too. Or is it a requirement to be online with all clients in an encrypted MUC?

lovetox commented 8 years ago

it's not a requirement, but you need MAM support for MUC; the server where the MUC is hosted has to have that, and then, I believe, the room has to be created with the option to save history (activated MAM for the MUC).

but Gajim doesn't support MAM for MUC right now, so even if your server provides it you will not get all messages.

what MUCs also provide is to send the last X messages to someone who joins.

you can activate this in the Gajim advanced options, "muc_restore_lines", and set it to 100 or something. though how much we get is also limited by the server.

petmos commented 8 years ago

@lovetox Thank you for your explanation. Now it's clear for me.

you can activate this in the Gajim advanced options, "muc_restore_lines", and set it to 100 or something. though how much we get is also limited by the server.

But this is the opposite of what you wrote in your HowTo some posts earlier:

set muc_restore_lines in the advanced config editor to 0, or you will get on every join old messages which cannot be decrypted a second time and probably fail with an "I sent you an OMEMO encrypted message but your client doesn't seem to support that."

I set muc_restore_lines to 0, but now I'm not sure. Should I increase muc_restore_lines again?

lovetox commented 8 years ago

yes try it, cannot hurt :)

I wrote this because I didn't want to have error reports because of that, but now I think it's wrong anyway: there will be no error messages, or at least there shouldn't be. please report what you found out, if it's working or not

YoukaiCat commented 8 years ago

@lovetox For me, muc_restore_lines doesn't work for encrypted messages. When I join the room, I see only the old plain text messages marked as **Unencrypted**. I didn't receive any encrypted messages that had been sent by members of the conference while I was away.

Settings:

  • Maximum Number of History Messages Returned by Room = 350
  • muc_restore_lines = -1 (all available messages)

lovetox commented 8 years ago

yes that's intended, you can only decrypt a message once with omemo; after that the keys are deleted. so in that way you would get only messages that are new to you, which you missed when you were offline.

what you want to have is Gajim displaying already received messages as history in the chat window.

but Gajim has a history window where it does that. so it displays only new messages in the chat window, never history.

to also see history in the chat window (like it usually is on smartphones) is a much requested feature, and it will be integrated in the future

YoukaiCat commented 8 years ago

@lovetox

in that way you would get only messages that are new to you, which you missed when you were offline.

That's what I was trying to test and it does not work.

3 participants in the conference, encryption is enabled.

  1. I asked one of the participants to send a message when I leave the conference
  2. Quit Gajim
  3. Reconnect after some time
  4. No new messages (which actually were sent)

lovetox commented 8 years ago

hm damn, it seems like the server doesn't save messages without a body.

if you have your own server you could look whether it saves the stanzas without body, to confirm my theory. I didn't find it in any XEP that it would be forbidden to save such messages

if this is true and server implementations don't save these messages, we can only hope that Gajim adopts the MAM query for MUC

YoukaiCat commented 8 years ago

@lovetox

I have found that if a message is sent from the mobile client Conversations when I'm offline, then when I connect and enter the conference I can see this message.

My outdated mobile client Talkonaut for Symbian that doesn't support OMEMO displays it as "I sent you an OMEMO encrypted message but your client doesn't seem to support that. Find more information on https://conversations.im/omemo".

Gajim also receives it and decrypts it normally.

If a message is sent from Gajim, it looks like it isn't stored on the server.

MUC offline messages test:

Sender         Receiver       Result
Conversations  Gajim          OK, there is an offline message
Conversations  Talkonaut      OK, there is a message
Gajim          Conversations  No offline messages
Gajim          Gajim          No offline messages
Gajim          Talkonaut      No offline messages

Does this mean that MAM for MUC is currently supported in Gajim but only for receiving messages and not for sending? Or did the Conversations team find a way to work around that server limit on saving messages "without a body"?

lovetox commented 8 years ago

they found, I think accidentally, a way around

they add the

I sent you an OMEMO encrypted message but your client doesn't seem to support that. Find more information on https://conversations.im/omemo

message in groupchats, to every message; it doesn't matter if all clients in a groupchat support it or not.

I thought that I am smart, and ask the clients first if they support it, and only add the message if someone doesn't support it.

so if all clients in a chat support omemo, I don't add a body with that message, hence the server doesn't archive the message.

but as it looks, I should add this message to all messages, so the server stores the messages.

good catch, thanks for testing!!

lovetox commented 8 years ago

you can try HEAD, I added the body to the message, so the server should now save every message

btw I was incorrect before, I didn't even add the message if someone doesn't support omemo, it was in no case added in groupchat

YoukaiCat commented 8 years ago

Now offline messages work! (at least Gajim -> Gajim, Gajim -> Talkonaut).

But there are some bugs (not critical).

After restarting Gajim and entering the conference:

1) For each OMEMO message that is received for the second time there is an error and a stacktrace:

10/18/2016 00:05:52 (E) gajim.c.ged Error while running an even handler: <bound method OmemoPlugin.message_received of <omemo.OmemoPlugin object at 0x7f4b41008090>>
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/gajim/common/ged.py", line 93, in raise_event
    if handler(*args, **kwargs):
  File "/usr/lib64/python2.7/site-packages/gajim/plugins/helpers.py", line 107, in wrapper
    result = f(*args, **kwargs)
  File "/usr/share/gajim/plugins/omemo/__init__.py", line 377, in message_received
    from_jid = self.groupchat[msg.jid][msg.resource]
KeyError: u'username'

2) For each OMEMO message that is received for the second time the chat window displays the line "You received a message encrypted with OMEMO but your client doesnt support OMEMO.". This is expected, but it would be nice to hide messages that were already decrypted once.

Chat window screenshot_20161018_003208

3) For each OMEMO message that is received for the second time a string "You received a message encrypted with OMEMO but your client doesnt support OMEMO." is added to the history next to the original message.

History window: screenshot_20161018_001101

History database: screenshot_20161018_010650

lovetox commented 8 years ago

it displays because of the stacktrace,

the stacktrace is because we get messages from sources that are not currently in the channel, maybe?

could you show me what such a history stanza looks like? is there a full JID in there? or only a nickname

YoukaiCat commented 8 years ago

@lovetox Yes, the sender was not in the conference when I got the message for the second time. There is only a nickname.

<message id="1784a4ea-5e91-4e97-9862-eb6c99c6394b" type="groupchat" to="youkaicat@tchncs.de/Gajim" from="ec9c339d-a77f-4865-bf65-a336b8cb7f02@muc.tchncs.de/wertyui">
    <encrypted xmlns="eu.siacs.conversations.axolotl">
        <header sid="1716442343">
            <key rid="266892735">MwohBagOEUTQqR3ORio8HksFFnJPvEjw5nNG7tL/0LUxUDZDEAIYACIgMg0x3KCdQQNU6Z2tBbzONw/G6kmFQfIOfJmz1C8qTfHLV0QgRKqjew==</key>
            <iv>PjFwuf9TDmYs+d4/KPpONA==</iv>
        </header>
        <payload>ZMTl/veeqJ/U3YU/EtUTotGcNmcjk9tdwbnjCrPy</payload>
    </encrypted>
    <encrypted namespace="eu.siacs.conversations.axolotl" name="OMEMO" xmlns="urn:xmpp:eme:0" />
    <body>You received a message encrypted with OMEMO but your client doesnt support OMEMO.</body>
    <store xmlns="urn:xmpp:hints" />
    <delay stamp="2016-10-17T20:43:17Z" xmlns="urn:xmpp:delay" />
    <x stamp="20161017T20:43:17" xmlns="jabber:x:delay" />
</message>
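To make the two findings of this thread concrete, the body fallback that gets a groupchat stanza archived and the nick-only sender in history stanzas that triggered the KeyError above, here is an added example written for this thread, not code from the gajim-omemo plugin. It parses the stanza posted above with the standard library, reports the OMEMO header fields plus whether the `<body>` fallback, store hint and delay element are present, and resolves the occupant nick to a real JID without raising when the occupant has left. The second, body-less stanza is constructed, and the duplicate-id and store-hint checks are this example's additions beyond what the thread tested.

```python
import xml.etree.ElementTree as ET

NS_OMEMO = "eu.siacs.conversations.axolotl"
NS_EME = "urn:xmpp:eme:0"
NS_HINTS = "urn:xmpp:hints"
NS_DELAY = "urn:xmpp:delay"

# The history stanza posted in this thread, verbatim.
HISTORY_STANZA = """<message id="1784a4ea-5e91-4e97-9862-eb6c99c6394b" type="groupchat" to="youkaicat@tchncs.de/Gajim" from="ec9c339d-a77f-4865-bf65-a336b8cb7f02@muc.tchncs.de/wertyui">
    <encrypted xmlns="eu.siacs.conversations.axolotl">
        <header sid="1716442343">
            <key rid="266892735">MwohBagOEUTQqR3ORio8HksFFnJPvEjw5nNG7tL/0LUxUDZDEAIYACIgMg0x3KCdQQNU6Z2tBbzONw/G6kmFQfIOfJmz1C8qTfHLV0QgRKqjew==</key>
            <iv>PjFwuf9TDmYs+d4/KPpONA==</iv>
        </header>
        <payload>ZMTl/veeqJ/U3YU/EtUTotGcNmcjk9tdwbnjCrPy</payload>
    </encrypted>
    <encrypted namespace="eu.siacs.conversations.axolotl" name="OMEMO" xmlns="urn:xmpp:eme:0" />
    <body>You received a message encrypted with OMEMO but your client doesnt support OMEMO.</body>
    <store xmlns="urn:xmpp:hints" />
    <delay stamp="2016-10-17T20:43:17Z" xmlns="urn:xmpp:delay" />
    <x stamp="20161017T20:43:17" xmlns="jabber:x:delay" />
</message>"""

# Constructed: a live stanza shaped like the plugin sent it before the fix in
# this thread, with no <body> fallback and no store hint. Key material is dummy.
LIVE_STANZA_NO_BODY = """<message id="c1" type="groupchat" to="youkaicat@tchncs.de/Gajim" from="room@muc.example.org/wertyui">
    <encrypted xmlns="eu.siacs.conversations.axolotl">
        <header sid="1716442343"><key rid="266892735">AAAA</key><iv>AAAA</iv></header>
        <payload>AAAA</payload>
    </encrypted>
</message>"""


def parse_groupchat_stanza(xml_text):
    """Extract what a receiving client must look at before it tries to decrypt."""
    msg = ET.fromstring(xml_text)
    room, _, nick = msg.get("from", "").partition("/")
    enc = msg.find("{%s}encrypted" % NS_OMEMO)
    info = {
        "id": msg.get("id"),
        "room": room,
        "nick": nick,
        "omemo": enc is not None,
        "eme_advertised": msg.find("{%s}encrypted" % NS_EME) is not None,
        "sid": None,   # sender device id
        "rids": [],    # recipient device ids that received a wrapped key
        "has_body_fallback": msg.find("body") is not None,
        "has_store_hint": msg.find("{%s}store" % NS_HINTS) is not None,
        "is_history": msg.find("{%s}delay" % NS_DELAY) is not None,
    }
    if enc is not None:
        header = enc.find("{%s}header" % NS_OMEMO)
        if header is not None:
            info["sid"] = header.get("sid")
            info["rids"] = [k.get("rid") for k in header.findall("{%s}key" % NS_OMEMO)]
    return info


def archive_issues(info):
    """Reasons an offline member would never see this message (per the thread,
    the tested servers skipped archiving when <body> was absent)."""
    issues = []
    if not info["has_body_fallback"]:
        issues.append("no-body")
    if not info["has_store_hint"]:
        issues.append("no-store-hint")
    return issues


def resolve_sender(info, occupants):
    """Map the occupant nick to a real JID using {nick: real_jid} from presence.
    Returns None instead of raising KeyError when the nick is unknown, which is
    exactly the history case above: the sender had already left the room."""
    return occupants.get(info["nick"])


def triage(info, occupants, seen_ids):
    """Decide what to do with one incoming groupchat stanza. A redelivery (for
    example via muc_restore_lines) is dropped: its ratchet keys are already gone."""
    if not info["omemo"]:
        return "plain"
    if info["id"] in seen_ids:
        return "skip-duplicate"
    if resolve_sender(info, occupants) is None:
        return "skip-unknown-sender"
    seen_ids.add(info["id"])
    return "decrypt"


if __name__ == "__main__":
    history = parse_groupchat_stanza(HISTORY_STANZA)
    print(history["room"], history["nick"], history["sid"], history["rids"])
    print(archive_issues(history), archive_issues(parse_groupchat_stanza(LIVE_STANZA_NO_BODY)))
```

The `triage` outcome "skip-unknown-sender" is the safe replacement for the traceback: a history message from a nick that is no longer present cannot be attributed to a device, so dropping it quietly beats crashing the event handler and showing the fallback body as if it were a decryption failure.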

lovetox commented 8 years ago

hm ok, seems some servers send the full JID in the history messages, some not. but I have an idea how to fix this :) stay tuned

lovetox commented 8 years ago

could you please clone from my repo here https://github.com/lovetox/gajim-omemo/commits/master

I made an experimental commit, I can't test this myself as I don't have a server that acts like yours. please check the debug log again if something doesn't work

lovetox commented 8 years ago

ok I made an account on your server, in my test this worked now.

YoukaiCat commented 8 years ago

Works for me too. Tested on Gentoo (Gajim 0.16.6), Kali Linux (Gajim 0.16.6-1), Android x86 (Conversations 1.14.6). Everything works well. In the log, I found only warnings:

  1. No handlers could be found for logger "axolotl.sessionbuilder"
  2. /home/natsuo/.local/share/gajim/plugins/gajim-omemo/omemo/state.py:202: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6 log.warning('No Session found ' + e.message)

But I can't reproduce them.

lovetox commented 8 years ago
  1. is normal, that's just saying that the axolotl lib can't write debug output. not really an issue.
  2. guess that only means we can't use e.message in python3, also not an issue as the plugin is already ported to python3 and works well there.

lovetox commented 8 years ago

New version is in the Gajim plugin repo; if there are problems with groupchat please open a separate new issue

thanks to everyone helping debug this

l29ah commented 7 years ago

Is there some paper describing the protocol? The OMEMO XEP has nothing to do with the MUC encryption.

lovetox commented 7 years ago

there is no difference between MUC and single chat.

OMEMO doesn't encrypt to users, it encrypts to devices. One user can have 100 devices or 100 users can each have one device, it doesn't matter, the whole encryption process is the same.

you can read an analysis of omemo groupchat here https://conversations.im/omemo/audit.pdf