feat: Securejoin v3, encrypt all securejoin messages #7754
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Hocuri
changed the title
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
2 times, most recently
from
59957ed to
ef97a7e
Compare
Hocuri
commented
Jan 22, 2026
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
from
807b8c4 to
afb7e2a
Compare
Hocuri
commented
Jan 26, 2026
src/mimeparser.rs
Outdated
| Ok(secret) | ||
| }) | ||
| .await?; | ||
| secrets.extend(token::lookup_all(context, token::Namespace::Auth).await?); |
Collaborator
Author
There was a problem hiding this comment.
There was the idea to use a new table rather than reusing the AUTH token.
I don't think this would be worth it:
- It would increase complexity, because in
decode_openpgp()and in "step 5+6" inhandle_securejoin_handshake(), we would need to lookup tokens from both the old and new table, in order to keep backwards compatibility, in case someone scans a QR code that was generated before the upgrade, because in that case, the AUTH token would only be in thetokenstable and not in the new table. - It would be another table to deprecate eventually. As it stands, we can just one day remove all the invitenumbers from
tokens, and ignore thenamespccolumn - All in all, we would need to juggle two tables rather than one.
...but it wouldn't be too much effort to switch to a new table, either.
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
from
afb7e2a to
81f79a9
Compare
…rt() and set_content_type_to_encrypted() functions
Previously, AUTH tokens were only synchronized if an INVITE token was generated at the same time. This led to several user-visible bugs. Now, we always send a sync message after generating a new AUTH token. Since the INVITE token may have stayed the same, I added a UNIQUE bound to the `tokens` table, in order to prevent saving the same INVITE token many times.
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
from
81f79a9 to
6b658a0
Compare
I don't need them anymore, it seems unlikely they will be needed soon, and they made it hard to implement a performance improvement I'm planning
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
from
db0d9d9 to
dbd6360
Compare
Collaborator
Author
|
Benchmarking results: Details
Loading 5000 auth tokens (a reeeally high number) slows down receiving a pk-encrypted message by ~7% We don't need to load the secrets for messages that are asymmetrically encrypted see dbd6360. Replacing |
This improves performance, though not a lot - 8% performance improvement
if there is a huge number of shared secrets. Anyways, I think it's worth
it.
```
NUM_BROADCAST_SECRETS=500
NUM_AUTH_TOKENS=5000
Decrypt/Decrypt and parse a symmetrically encrypted message
time: [12.354 ms 12.364 ms 12.376 ms]
change: [−0.5375% −0.3815% −0.2345%] (p = 0.00 < 0.05)
Change within noise threshold.
Found 7 outliers among 100 measurements (7.00%)
3 (3.00%) high mild
4 (4.00%) high severe
Decrypt/Decrypt and parse a public-key encrypted message
time: [12.269 ms 12.273 ms 12.278 ms]
change: [−7.9163% −7.8439% −7.7724%] (p = 0.00 < 0.05)
Performance has improved.
Found 13 outliers among 100 measurements (13.00%)
8 (8.00%) high mild
5 (5.00%) high severe
```
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
from
dbd6360 to
61ae743
Compare
…n v3 When we finally get rid of legacy Securejoin, we can just leave them out, then.
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
from
1832269 to
b5ae93c
Compare
…succeeds with 1:1 chats and broadcasts
…her we know this QR code
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
from
be7c5da to
55d6919
Compare
Hocuri
force-pushed
the
hoc/securejoin-v3
branch
from
55d6919 to
fd61423
Compare
Hocuri
commented
Feb 10, 2026
| //! ``` | ||
| //! | ||
| //! or, if you want to only run e.g. the 'Decrypt a symmetrically encrypted message' benchmark: | ||
| //! or, if you want to only run e.g. the 'Decrypt and parse a symmetrically encrypted message' benchmark: |
Collaborator
Author
There was a problem hiding this comment.
I removed the "Decrypt a symmetrically/public-key encrypted message" benchmarks, because I don't need them anymore, it seems unlikely they will be needed soon, and they made it hard to implement the performance improvement in 61ae743
|
|
||
| let request = charlie.pop_sent_msg().await; | ||
| assert_eq!(request.recipients, "alice@example.org charlie@example.net"); | ||
| assert_eq!(request.recipients, "alice@example.org"); |
Collaborator
Author
There was a problem hiding this comment.
The first two messages of the protocol aren't sent to self anymore, because in many cases, one's own other devices wouldn't be able to decrypt them, anyways.
| .into(), | ||
| )); | ||
| } | ||
|
|
Collaborator
Author
There was a problem hiding this comment.
I moved this code up, in order to be able to extract the group_headers_by_confidentiality() function.
| /// to prevent downloading the same message in the future. | ||
| /// | ||
| /// Returns tombstone database row ID. | ||
| pub(crate) async fn insert_tombstone(context: &Context, rfc724_mid: &str) -> Result<MsgId> { |
Collaborator
Author
There was a problem hiding this comment.
I moved this function from receive_imf.rs to here, so that it can be used from the securejoin code
Comment on lines
+156
to
+159
| context | ||
| .sync_qr_code_tokens(Some(chat.grpid.as_str())) | ||
| .await?; | ||
| context.scheduler.interrupt_smtp().await; |
Collaborator
Author
There was a problem hiding this comment.
This actually fixes an existing bug:
We now generate a new AUTH token every time a QR code is shown. Therefore, we always need to sync it.
Hocuri
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Close #7396. Before reviewing, you should read the issue description of #7396.
I recommend to review with hidden whitespace changes.
TODO:
auth_tokenstable with a proper UNIQUE bound, or put a UNIQUE bound on thetokenstableMaybe use a new table rather than reusing AUTH token.See feat: Securejoin v3, encrypt all securejoin messages #7754 (comment)request-pubkeyrather thanrequestandpubkeyrather thanauth-required; I'll do that in a follow-up PRBackwards compatibility:
Everything works seamlessly in my tests. If both devices are updated, then the new protocol is used; otherwise, the old protocol is used. If there is a not-yet-updated second device, it will correctly observe the protocol, and mark the chat partner as verified.
Note that I removed the
Auto-Submitted: auto-repliedheader from securejoin messages. We don't need it ourselves, it's a cleartext header that leaks too much information, and I can't see any reason to have it.