author | Tobias Fella <fella@posteo.de> | 2022-04-04 17:28:52 +0200 |
---|---|---|
committer | Tobias Fella <fella@posteo.de> | 2022-04-09 15:52:11 +0200 |
commit | 42abb01516ee4d3d0fe11ffddd47c7e76d786385 (patch) | |
tree | 54279dbabd142239cd23c0d35f3c8c33ab7086c1 | |
parent | fc3ad90a054e3c674127a0cdd385ddbb98cf2010 (diff) | |
Check edKey when receiving an olm message
-rw-r--r-- | lib/connection.cpp | 14 | ||||
-rw-r--r-- | lib/database.cpp | 1 |
2 files changed, 12 insertions, 3 deletions
diff --git a/lib/connection.cpp b/lib/connection.cpp
index 45888bcb..1250eddf 100644
--- a/lib/connection.cpp
+++ b/lib/connection.cpp
@@ -322,9 +322,17 @@ public:
 << "in Olm plaintext";
 return {};
 }
- //TODO make this do the check mentioned in the E2EE Implementation guide instead
- if (decryptedEvent->fullJson()["keys"]["ed25519"].toString().isEmpty()) {
- qCDebug(E2EE) << "Event does not contain an ed25519 key";
+
+ auto query = database->prepareQuery(QStringLiteral("SELECT edKey FROM tracked_devices WHERE curveKey=:curveKey;"));
+ query.bindValue(":curveKey", encryptedEvent.contentJson()["sender_key"].toString());
+ database->execute(query);
+ if (!query.next()) {
+ qCWarning(E2EE) << "Received olm message from unknown device" << encryptedEvent.contentJson()["sender_key"].toString();
+ return {};
+ }
+ auto edKey = decryptedEvent->fullJson()["keys"]["ed25519"].toString();
+ if (edKey.isEmpty() || query.value(QStringLiteral("edKey")).toString() != edKey) {
+ qCDebug(E2EE) << "Received olm message with invalid ed key";
 return {};
 }
diff --git a/lib/database.cpp b/lib/database.cpp
index 70dc1b9b..d719d027 100644
--- a/lib/database.cpp
+++ b/lib/database.cpp
@@ -99,6 +99,7 @@ void Database::migrateTo2()
 {
 qCDebug(DATABASE) << "Migrating database to version 2";
 transaction();
+ //TODO remove this column again - we don't need it after all
 execute(QStringLiteral("ALTER TABLE inbound_megolm_sessions ADD ed25519Key TEXT"));
 execute(QStringLiteral("ALTER TABLE olm_sessions ADD lastReceived TEXT"));
|
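Review bot: In the lib/connection.cpp hunk the device lookup matches on `curveKey` alone, so the ed25519 key from the plaintext is compared against whichever tracked device happens to carry that Curve25519 key rather than against a device belonging to the event's sender, and only the first row returned by `query.next()` is consulted. If `tracked_devices` records the owning user (its schema is not visible here), the query should also bind the sender, e.g. `WHERE curveKey=:curveKey AND <user-id column>=:sender`, so that a key pair tracked for one user cannot vouch for a message attributed to another. The key-mismatch branch logs at `qCDebug` while the unknown-device branch uses `qCWarning`; a failed identity-key check is the more security-relevant event and should be logged at warning level with the sender key as well. The enclosing function starts and ends outside the hunk, so checks made earlier in it are not visible here.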