Change Details

This differential implements solution for a bug described in https://linear.app/comm/issue/ENG-5911/olmbad-message-mac-on-web. The solution works as follows: 1. Web client creates olm session and corresponding encryption key and persists it under key that is suffixed with its cookieID. 2. When notifications arrives all keys in IndexedDB are retrieved and filtered against those that keep olm sessions and their encryption keys. 3. Keys are sorted lexicographically and last ones are used to actually perform decryption. This means that for decryption we will use olm session that was created by lexicographically largest cookie ID. We have strong reasons to believe that keyserver uses olm session associated with the largest cookie ID for encryption. 4. Other sessions are deleted It is important to review this code closely since it implements quite complex solution for rather infrequent bug.

Edit in web uiThis differential implements solution for a bug described in https://linear.app/comm/issue/ENG-5911/olmbad-message-mac-on-web. The solution works as follows: 1. Web client creates olm session and corresponding encryption key and persists it under key that is suffixed with its cookieID. 2. When notifications arrives all keys in IndexedDB are retrieved and filtered against those that keep olm sessions and their encryption keys. 3. Keys are sorted lexicographically and last ones are used to actually perform decryption. This means that for decryption we will use olm session that was created by lexicographically largest cookie ID. We have strong reasons to believe that keyserver uses olm session associated with the largest cookie ID for encryption. 4. Other sessions are deleted It is important to review this code closely since it implements quite complex solution for rather infrequent bug.