(DO NOT MERGE) crypto: allow run goolm side-by-side with libolm

Signed-off-by: Sumner Evans <[email protected]>

Author: sumnerevans

crypto/account.go

@@ -7,64 +7,107 @@
 package crypto
 
 import (
+	"bytes"
 	"encoding/json"
+	"fmt"
 
 	"github.com/tidwall/sjson"
 
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/crypto/canonicaljson"
+	"maunium.net/go/mautrix/crypto/goolm/account"
 	"maunium.net/go/mautrix/crypto/olm"
 	"maunium.net/go/mautrix/crypto/signatures"
 	"maunium.net/go/mautrix/id"
 )
 
 type OlmAccount struct {
-	Internal         olm.Account
+	InternalLibolm   olm.Account
+	InternalGoolm    olm.Account
 	signingKey       id.SigningKey
 	identityKey      id.IdentityKey
 	Shared           bool
 	KeyBackupVersion id.KeyBackupVersion
 }
 
 func NewOlmAccount() *OlmAccount {
-	account, err := olm.NewAccount()
+	libolmAccount, err := olm.NewAccount()
+	if err != nil {
+		panic(err)
+	}
+	pickled, err := libolmAccount.Pickle([]byte("key"))
+	if err != nil {
+		panic(err)
+	}
+	goolmAccount, err := account.AccountFromPickled(pickled, []byte("key"))
 	if err != nil {
 		panic(err)
 	}
 	return &OlmAccount{
-		Internal: account,
+		InternalLibolm: libolmAccount,
+		InternalGoolm:  goolmAccount,
 	}
 }
 
 func (account *OlmAccount) Keys() (id.SigningKey, id.IdentityKey) {
 	if len(account.signingKey) == 0 || len(account.identityKey) == 0 {
 		var err error
-		account.signingKey, account.identityKey, err = account.Internal.IdentityKeys()
+		account.signingKey, account.identityKey, err = account.InternalLibolm.IdentityKeys()
+		if err != nil {
+			panic(err)
+		}
+		goolmSigningKey, goolmIdentityKey, err := account.InternalGoolm.IdentityKeys()
 		if err != nil {
 			panic(err)
 		}
+		if account.signingKey != goolmSigningKey {
+			panic("account signing keys not equal")
+		}
+		if account.identityKey != goolmIdentityKey {
+			panic("account identity keys not equal")
+		}
 	}
 	return account.signingKey, account.identityKey
 }
 
 func (account *OlmAccount) SigningKey() id.SigningKey {
 	if len(account.signingKey) == 0 {
 		var err error
-		account.signingKey, account.identityKey, err = account.Internal.IdentityKeys()
+		account.signingKey, account.identityKey, err = account.InternalLibolm.IdentityKeys()
+		if err != nil {
+			panic(err)
+		}
+		goolmSigningKey, goolmIdentityKey, err := account.InternalGoolm.IdentityKeys()
 		if err != nil {
 			panic(err)
 		}
+		if account.signingKey != goolmSigningKey {
+			panic("account signing keys not equal")
+		}
+		if account.identityKey != goolmIdentityKey {
+			panic("account identity keys not equal")
+		}
 	}
 	return account.signingKey
 }
 
 func (account *OlmAccount) IdentityKey() id.IdentityKey {
 	if len(account.identityKey) == 0 {
 		var err error
-		account.signingKey, account.identityKey, err = account.Internal.IdentityKeys()
+		account.signingKey, account.identityKey, err = account.InternalLibolm.IdentityKeys()
+		if err != nil {
+			panic(err)
+		}
+		goolmSigningKey, goolmIdentityKey, err := account.InternalGoolm.IdentityKeys()
 		if err != nil {
 			panic(err)
 		}
+		if account.signingKey != goolmSigningKey {
+			panic("account signing keys not equal")
+		}
+		if account.identityKey != goolmIdentityKey {
+			panic("account identity keys not equal")
+		}
 	}
 	return account.identityKey
 }
@@ -78,7 +121,15 @@ func (account *OlmAccount) SignJSON(obj any) (string, error) {
 	}
 	objJSON, _ = sjson.DeleteBytes(objJSON, "unsigned")
 	objJSON, _ = sjson.DeleteBytes(objJSON, "signatures")
-	signed, err := account.Internal.Sign(canonicaljson.CanonicalJSONAssumeValid(objJSON))
+	signed, err := account.InternalLibolm.Sign(canonicaljson.CanonicalJSONAssumeValid(objJSON))
+	goolmSigned, goolmErr := account.InternalGoolm.Sign(canonicaljson.CanonicalJSONAssumeValid(objJSON))
+	if err != nil {
+		if goolmErr == nil {
+			panic("libolm errored, but goolm did not on account.SignJSON")
+		}
+	} else if !bytes.Equal(signed, goolmSigned) {
+		panic("libolm and goolm signed are not equal in account.SignJSON")
+	}
 	return string(signed), err
 }
 
@@ -102,19 +153,36 @@ func (account *OlmAccount) getInitialKeys(userID id.UserID, deviceID id.DeviceID
 	return deviceKeys
 }
 
-func (account *OlmAccount) getOneTimeKeys(userID id.UserID, deviceID id.DeviceID, currentOTKCount int) map[id.KeyID]mautrix.OneTimeKey {
-	newCount := int(account.Internal.MaxNumberOfOneTimeKeys()/2) - currentOTKCount
+func (a *OlmAccount) getOneTimeKeys(userID id.UserID, deviceID id.DeviceID, currentOTKCount int) map[id.KeyID]mautrix.OneTimeKey {
+	newCount := int(a.InternalLibolm.MaxNumberOfOneTimeKeys()/2) - currentOTKCount
 	if newCount > 0 {
-		account.Internal.GenOneTimeKeys(uint(newCount))
+		a.InternalLibolm.GenOneTimeKeys(uint(newCount))
+
+		pickled, err := a.InternalLibolm.Pickle([]byte("key"))
+		if err != nil {
+			panic(err)
+		}
+		a.InternalGoolm, err = account.AccountFromPickled(pickled, []byte("key"))
+		if err != nil {
+			panic(err)
+		}
 	}
 	oneTimeKeys := make(map[id.KeyID]mautrix.OneTimeKey)
-	internalKeys, err := account.Internal.OneTimeKeys()
+	internalKeys, err := a.InternalLibolm.OneTimeKeys()
+	if err != nil {
+		panic(err)
+	}
+	goolmInternalKeys, err := a.InternalGoolm.OneTimeKeys()
 	if err != nil {
 		panic(err)
 	}
 	for keyID, key := range internalKeys {
+		if goolmInternalKeys[keyID] != key {
+			panic(fmt.Sprintf("key %s not found in getOneTimeKeys", keyID))
+		}
+
 		key := mautrix.OneTimeKey{Key: key}
-		signature, _ := account.SignJSON(key)
+		signature, _ := a.SignJSON(key)
 		key.Signatures = signatures.NewSingleSignature(userID, id.KeyAlgorithmEd25519, deviceID.String(), signature)
 		key.IsSigned = true
 		oneTimeKeys[id.NewKeyID(id.KeyAlgorithmSignedCurve25519, keyID)] = key

crypto/encryptolm.go

@@ -116,9 +116,17 @@ func (mach *OlmMachine) createOutboundSessions(ctx context.Context, input map[id
 				log.Error().Err(err).Msg("Failed to verify signature of one-time key")
 			} else if !ok {
 				log.Warn().Msg("One-time key has invalid signature from device")
-			} else if sess, err := mach.account.Internal.NewOutboundSession(identity.IdentityKey, oneTimeKey.Key); err != nil {
+			} else if sess, err := mach.account.InternalLibolm.NewOutboundSession(identity.IdentityKey, oneTimeKey.Key); err != nil {
 				log.Error().Err(err).Msg("Failed to create outbound session with claimed one-time key")
 			} else {
+				goolmSess, err := mach.account.InternalGoolm.NewOutboundSession(identity.IdentityKey, oneTimeKey.Key)
+				if err != nil {
+					panic("goolm NewOutboundSession errored")
+				}
+				if sess.Describe() != goolmSess.Describe() {
+					panic("goolm NewOutboundSession and libolm NewOutboundSession returned different values")
+				}
+
 				wrapped := wrapSession(sess)
 				err = mach.CryptoStore.AddSession(ctx, identity.IdentityKey, wrapped)
 				if err != nil {

crypto/goolm/account/account.go

@@ -336,8 +336,10 @@ func (a *Account) UnpickleLibOlm(buf []byte) error {
 	} else if pickledVersion != accountPickleVersionLibOLM && pickledVersion != 3 && pickledVersion != 2 {
 		return fmt.Errorf("unpickle account: %w (found version %d)", olm.ErrBadVersion, pickledVersion)
 	} else if err = a.IdKeys.Ed25519.UnpickleLibOlm(decoder); err != nil { // read the ed25519 key pair
+		fmt.Printf("123 %+v\n", err)
 		return err
 	} else if err = a.IdKeys.Curve25519.UnpickleLibOlm(decoder); err != nil { // read curve25519 key pair
+		fmt.Printf("456 %+v\n", err)
 		return err
 	}
 

crypto/goolm/libolmpickle/pickle.go

@@ -28,11 +28,11 @@ func Pickle(key, plaintext []byte) ([]byte, error) {
 
 // Unpickle decodes the input from base64 and decrypts the decoded input with the key and the cipher AESSHA256.
 func Unpickle(key, input []byte) ([]byte, error) {
-	ciphertext, err := goolmbase64.Decode(input)
+	decoded, err := goolmbase64.Decode(input)
 	if err != nil {
 		return nil, err
 	}
-	ciphertext, mac := ciphertext[:len(ciphertext)-pickleMACLength], ciphertext[len(ciphertext)-pickleMACLength:]
+	ciphertext, mac := decoded[:len(decoded)-pickleMACLength], decoded[len(decoded)-pickleMACLength:]
 	if c, err := aessha2.NewAESSHA2(key, kdfPickle); err != nil {
 		return nil, err
 	} else if verified, err := c.VerifyMAC(ciphertext, mac); err != nil {

crypto/machine.go

@@ -279,7 +279,7 @@ func (mach *OlmMachine) HandleOTKCounts(ctx context.Context, otkCount *mautrix.O
 		mach.receivedOTKsForSelf.Store(true)
 	}
 
-	minCount := mach.account.Internal.MaxNumberOfOneTimeKeys() / 2
+	minCount := mach.account.InternalLibolm.MaxNumberOfOneTimeKeys() / 2
 	if otkCount.SignedCurve25519 < int(minCount) {
 		traceID := time.Now().Format("15:04:05.000000")
 		log := mach.Log.With().Str("trace_id", traceID).Logger()
@@ -749,7 +749,8 @@ func (mach *OlmMachine) ShareKeys(ctx context.Context, currentOTKCount int) erro
 		return err
 	}
 	mach.lastOTKUpload = time.Now()
-	mach.account.Internal.MarkKeysAsPublished()
+	mach.account.InternalLibolm.MarkKeysAsPublished()
+	mach.account.InternalGoolm.MarkKeysAsPublished()
 	mach.account.Shared = true
 	return mach.saveAccount(ctx)
 }

crypto/machine_test.go

@@ -78,10 +78,11 @@ func TestOlmMachineOlmMegolmSessions(t *testing.T) {
 		otk = otkTmp
 		break
 	}
-	machineIn.account.Internal.MarkKeysAsPublished()
+	machineIn.account.InternalLibolm.MarkKeysAsPublished()
+	machineIn.account.InternalGoolm.MarkKeysAsPublished()
 
 	// create outbound olm session for sending machine using OTK
-	olmSession, err := machineOut.account.Internal.NewOutboundSession(machineIn.account.IdentityKey(), otk.Key)
+	olmSession, err := machineOut.account.InternalLibolm.NewOutboundSession(machineIn.account.IdentityKey(), otk.Key)
 	if err != nil {
 		t.Errorf("Failed to create outbound olm session: %v", err)
 	}

crypto/sessions.go

@@ -7,12 +7,14 @@
 package crypto
 
 import (
+	"bytes"
 	"errors"
 	"time"
 
+	"go.mau.fi/util/exerrors"
+
 	"maunium.net/go/mautrix/crypto/olm"
 	"maunium.net/go/mautrix/event"
-
 	"maunium.net/go/mautrix/id"
 )
 
@@ -68,11 +70,20 @@ func wrapSession(session olm.Session) *OlmSession {
 }
 
 func (account *OlmAccount) NewInboundSessionFrom(senderKey id.Curve25519, ciphertext string) (*OlmSession, error) {
-	session, err := account.Internal.NewInboundSessionFrom(&senderKey, ciphertext)
+	session, err := account.InternalLibolm.NewInboundSessionFrom(&senderKey, ciphertext)
 	if err != nil {
 		return nil, err
 	}
-	_ = account.Internal.RemoveOneTimeKeys(session)
+	goolmSession, err := account.InternalGoolm.NewInboundSessionFrom(&senderKey, ciphertext)
+	if err != nil {
+		return nil, err
+	}
+	if !bytes.Equal(exerrors.Must(goolmSession.Pickle([]byte("123"))), exerrors.Must(session.Pickle([]byte("123")))) {
+		panic("goolm inbound session and libolm inbound session from ciphertext are different")
+	}
+
+	_ = account.InternalLibolm.RemoveOneTimeKeys(session)
+	_ = account.InternalGoolm.RemoveOneTimeKeys(goolmSession)
 	return wrapSession(session), nil
 }
 

crypto/sql_store.go

@@ -7,6 +7,7 @@
 package crypto
 
 import (
+	"bytes"
 	"context"
 	"database/sql"
 	"database/sql/driver"
@@ -21,6 +22,7 @@ import (
 	"go.mau.fi/util/dbutil"
 
 	"maunium.net/go/mautrix"
+	"maunium.net/go/mautrix/crypto/goolm/account"
 	"maunium.net/go/mautrix/crypto/goolm/libolmpickle"
 	"maunium.net/go/mautrix/crypto/olm"
 	"maunium.net/go/mautrix/crypto/sql_store_upgrade"
@@ -127,35 +129,49 @@ func (store *SQLCryptoStore) FindDeviceID(ctx context.Context) (deviceID id.Devi
 // PutAccount stores an OlmAccount in the database.
 func (store *SQLCryptoStore) PutAccount(ctx context.Context, account *OlmAccount) error {
 	store.Account = account
-	bytes, err := account.Internal.Pickle(store.PickleKey)
+	pickled, err := account.InternalLibolm.Pickle(store.PickleKey)
 	if err != nil {
 		return err
 	}
+	goolmBytes, err := account.InternalGoolm.Pickle(store.PickleKey)
+	if err != nil {
+		panic(fmt.Errorf("pickling goolm account errored %w", err))
+	}
+	if !bytes.Equal(pickled, goolmBytes) {
+		panic("libolm and goolm pickled to different values")
+	}
 	_, err = store.DB.Exec(ctx, `
 		INSERT INTO crypto_account (device_id, shared, sync_token, account, account_id, key_backup_version) VALUES ($1, $2, $3, $4, $5, $6)
 		ON CONFLICT (account_id) DO UPDATE SET shared=excluded.shared, sync_token=excluded.sync_token,
 											   account=excluded.account, account_id=excluded.account_id,
 											   key_backup_version=excluded.key_backup_version
-	`, store.DeviceID, account.Shared, store.SyncToken, bytes, store.AccountID, account.KeyBackupVersion)
+	`, store.DeviceID, account.Shared, store.SyncToken, pickled, store.AccountID, account.KeyBackupVersion)
 	return err
 }
 
 // GetAccount retrieves an OlmAccount from the database.
 func (store *SQLCryptoStore) GetAccount(ctx context.Context) (*OlmAccount, error) {
 	if store.Account == nil {
 		row := store.DB.QueryRow(ctx, "SELECT shared, sync_token, account, key_backup_version FROM crypto_account WHERE account_id=$1", store.AccountID)
-		acc := &OlmAccount{Internal: olm.NewBlankAccount()}
+		acc := &OlmAccount{
+			InternalLibolm: olm.NewBlankAccount(),
+			InternalGoolm:  &account.Account{},
+		}
 		var accountBytes []byte
 		err := row.Scan(&acc.Shared, &store.SyncToken, &accountBytes, &acc.KeyBackupVersion)
 		if err == sql.ErrNoRows {
 			return nil, nil
 		} else if err != nil {
 			return nil, err
 		}
-		err = acc.Internal.Unpickle(accountBytes, store.PickleKey)
+		err = acc.InternalLibolm.Unpickle(bytes.Clone(accountBytes), store.PickleKey)
 		if err != nil {
 			return nil, err
 		}
+		err = acc.InternalGoolm.Unpickle(accountBytes, store.PickleKey)
+		if err != nil {
+			panic(fmt.Sprintf("failed to unpickle account using goolm: %+v", err))
+		}
 		store.Account = acc
 	}
 	return store.Account, nil