fix: do not send Secure-Join-Group in vg-request

link2xt · link2xt · commit 62dba658f7ab · 2024-03-04T19:43:37.000Z
Secure-Join-Group is only expected by old core in vg-request-with-auth.
There is no reason to leak group ID in unencrypted vg-request.
Besides that, Secure-Join-Group is deprecated
as Alice knows Group ID corresponding to the auth code,
so the header can be removed completely eventually.
diff --git a/src/param.rs b/src/param.rs
@@ -87,7 +87,7 @@ pub enum Param {
     /// `Secure-Join-Fingerprint` header for `{vc,vg}-request-with-auth` messages.
     Arg3 = b'G',
 
-    /// For Messages
+    /// Deprecated `Secure-Join-Group` header for messages.
     Arg4 = b'H',
 
     /// For Messages
diff --git a/src/securejoin.rs b/src/securejoin.rs
@@ -1125,6 +1125,14 @@ mod tests {
         assert_eq!(msg.get_header(HeaderDef::SecureJoin).unwrap(), "vg-request");
         assert!(msg.get_header(HeaderDef::SecureJoinInvitenumber).is_some());
 
+        // Old Delta Chat core sent `Secure-Join-Group` header in `vg-request`,
+        // but it was only used by Alice in `vg-request-with-auth`.
+        // New Delta Chat versions do not use `Secure-Join-Group` header at all
+        // and it is deprecated.
+        // Now `Secure-Join-Group` header
+        // is only sent in `vg-request-with-auth` for compatibility.
+        assert!(msg.get_header(HeaderDef::SecureJoinGroup).is_none());
+
         // Step 3: Alice receives vg-request, sends vg-auth-required
         alice.recv_msg(&sent).await;
 
diff --git a/src/securejoin/bobstate.rs b/src/securejoin/bobstate.rs
@@ -378,14 +378,21 @@ async fn send_handshake_message(
             // Sends our own fingerprint in the Secure-Join-Fingerprint header.
             let bob_fp = load_self_public_key(context).await?.fingerprint();
             msg.param.set(Param::Arg3, bob_fp.hex());
+
+            // Sends the grpid in the Secure-Join-Group header.
+            //
+            // `Secure-Join-Group` header is deprecated,
+            // but old Delta Chat core requires that Alice receives it.
+            //
+            // Previous Delta Chat core also sent `Secure-Join-Group` header
+            // in `vg-request` messages,
+            // but it was not used on the receiver.
+            if let QrInvite::Group { ref grpid, .. } = invite {
+                msg.param.set(Param::Arg4, grpid);
+            }
         }
     };
 
-    // Sends the grpid in the Secure-Join-Group header.
-    if let QrInvite::Group { ref grpid, .. } = invite {
-        msg.param.set(Param::Arg4, grpid);
-    }
-
     chat::send_msg(context, chat_id, &mut msg).await?;
     Ok(())
 }
