handle decrypting/encrypting of omemo messages with duplicate device ids

src/main/java/eu/siacs/conversations/crypto/axolotl/XmppAxolotlMessage.java

@@ -9,6 +9,7 @@ import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
+import java.util.ArrayList;
 import java.util.List;
 
 import javax.crypto.BadPaddingException;
@@ -42,7 +43,7 @@ public class XmppAxolotlMessage {
 	private byte[] ciphertext = null;
 	private byte[] authtagPlusInnerKey = null;
 	private byte[] iv = null;
-	private final SparseArray<XmppAxolotlSession.AxolotlKey> keys;
+	private final List<XmppAxolotlSession.AxolotlKey> keys;
 	private final Jid from;
 	private final int sourceDeviceId;
 
@@ -110,7 +111,7 @@ public class XmppAxolotlMessage {
 			throw new IllegalArgumentException("invalid source id");
 		}
 		List<Element> keyElements = header.getChildren();
-		this.keys = new SparseArray<>();
+		this.keys = new ArrayList<>();
 		for (Element keyElement : keyElements) {
 			switch (keyElement.getName()) {
 				case KEYTAG:
@@ -118,7 +119,7 @@ public class XmppAxolotlMessage {
 						Integer recipientId = Integer.parseInt(keyElement.getAttribute(REMOTEID));
 						byte[] key = Base64.decode(keyElement.getContent().trim(), Base64.DEFAULT);
 						boolean isPreKey =keyElement.getAttributeAsBoolean("prekey");
-						this.keys.put(recipientId, new XmppAxolotlSession.AxolotlKey(key,isPreKey));
+						this.keys.add(new XmppAxolotlSession.AxolotlKey(recipientId, key,isPreKey));
 					} catch (NumberFormatException e) {
 						throw new IllegalArgumentException("invalid remote id");
 					}
@@ -143,7 +144,7 @@ public class XmppAxolotlMessage {
 	XmppAxolotlMessage(Jid from, int sourceDeviceId) {
 		this.from = from;
 		this.sourceDeviceId = sourceDeviceId;
-		this.keys = new SparseArray<>();
+		this.keys = new ArrayList<>();
 		this.iv = generateIv();
 		this.innerKey = generateKey();
 	}
@@ -232,7 +233,7 @@ public class XmppAxolotlMessage {
 			key = session.processSending(innerKey, ignoreSessionTrust);
 		}
 		if (key != null) {
-			keys.put(session.getRemoteAddress().getDeviceId(), key);
+			keys.add(key);
 		}
 	}
 
@@ -248,13 +249,13 @@ public class XmppAxolotlMessage {
 		Element encryptionElement = new Element(CONTAINERTAG, AxolotlService.PEP_PREFIX);
 		Element headerElement = encryptionElement.addChild(HEADER);
 		headerElement.setAttribute(SOURCEID, sourceDeviceId);
-		for(int i = 0; i < keys.size(); ++i) {
+		for(XmppAxolotlSession.AxolotlKey key : keys) {
 			Element keyElement = new Element(KEYTAG);
-			keyElement.setAttribute(REMOTEID, keys.keyAt(i));
+			keyElement.setAttribute(REMOTEID, key.deviceId);
-			if (keys.valueAt(i).prekey) {
+			if (key.prekey) {
 				keyElement.setAttribute("prekey","true");
 			}
-			keyElement.setContent(Base64.encodeToString(keys.valueAt(i).key, Base64.NO_WRAP));
+			keyElement.setContent(Base64.encodeToString(key.key, Base64.NO_WRAP));
 			headerElement.addChild(keyElement);
 		}
 		headerElement.addChild(IVTAG).setContent(Base64.encodeToString(iv, Base64.NO_WRAP));
@@ -266,11 +267,16 @@ public class XmppAxolotlMessage {
 	}
 
 	private byte[] unpackKey(XmppAxolotlSession session, Integer sourceDeviceId) throws CryptoFailedException {
-		XmppAxolotlSession.AxolotlKey encryptedKey = keys.get(sourceDeviceId);
+		ArrayList<XmppAxolotlSession.AxolotlKey> possibleKeys = new ArrayList<>();
-		if (encryptedKey == null) {
+		for(XmppAxolotlSession.AxolotlKey key : keys) {
+			if (key.deviceId == sourceDeviceId) {
+				possibleKeys.add(key);
+			}
+		}
+		if (possibleKeys.size() == 0) {
 			throw new NotEncryptedForThisDeviceException();
 		}
-		return session.processReceiving(encryptedKey);
+		return session.processReceiving(possibleKeys);
 	}
 
 	XmppAxolotlKeyTransportMessage getParameters(XmppAxolotlSession session, Integer sourceDeviceId) throws CryptoFailedException {

src/main/java/eu/siacs/conversations/crypto/axolotl/XmppAxolotlSession.java

@@ -2,6 +2,7 @@ package eu.siacs.conversations.crypto.axolotl;
 
 import android.support.annotation.NonNull;
 import android.support.annotation.Nullable;
+import android.util.Log;
 
 import org.whispersystems.libsignal.SignalProtocolAddress;
 import org.whispersystems.libsignal.DuplicateMessageException;
@@ -19,6 +20,10 @@ import org.whispersystems.libsignal.protocol.PreKeySignalMessage;
 import org.whispersystems.libsignal.protocol.SignalMessage;
 import org.whispersystems.libsignal.util.guava.Optional;
 
+import java.util.Iterator;
+import java.util.List;
+
+import eu.siacs.conversations.Config;
 import eu.siacs.conversations.entities.Account;
 import eu.siacs.conversations.utils.CryptoHelper;
 
@@ -79,35 +84,56 @@ public class XmppAxolotlSession implements Comparable<XmppAxolotlSession> {
 	}
 
 	@Nullable
-	byte[] processReceiving(AxolotlKey encryptedKey) throws CryptoFailedException {
+	byte[] processReceiving(List<AxolotlKey> possibleKeys) throws CryptoFailedException {
-		byte[] plaintext;
+		byte[] plaintext = null;
 		FingerprintStatus status = getTrust();
 		if (!status.isCompromised()) {
-			try {
+			Iterator<AxolotlKey> iterator = possibleKeys.iterator();
-                if (encryptedKey.prekey) {
+			while (iterator.hasNext()) {
-                    PreKeySignalMessage preKeySignalMessage = new PreKeySignalMessage(encryptedKey.key);
+				AxolotlKey encryptedKey = iterator.next();
-                    Optional<Integer> optionalPreKeyId = preKeySignalMessage.getPreKeyId();
+				try {
-                    IdentityKey identityKey = preKeySignalMessage.getIdentityKey();
+					if (encryptedKey.prekey) {
-                    if (!optionalPreKeyId.isPresent()) {
+						PreKeySignalMessage preKeySignalMessage = new PreKeySignalMessage(encryptedKey.key);
-                        throw new CryptoFailedException("PreKeyWhisperMessage did not contain a PreKeyId");
+						Optional<Integer> optionalPreKeyId = preKeySignalMessage.getPreKeyId();
-                    }
+						IdentityKey identityKey = preKeySignalMessage.getIdentityKey();
-                    preKeyId = optionalPreKeyId.get();
+						if (!optionalPreKeyId.isPresent()) {
-                    if (this.identityKey != null && !this.identityKey.equals(identityKey)) {
+							if (iterator.hasNext()) {
-                        throw new CryptoFailedException("Received PreKeyWhisperMessage but preexisting identity key changed.");
+								continue;
-                    }
+							}
-                    this.identityKey = identityKey;
+							throw new CryptoFailedException("PreKeyWhisperMessage did not contain a PreKeyId");
-                    plaintext = cipher.decrypt(preKeySignalMessage);
+						}
-                } else {
+						preKeyId = optionalPreKeyId.get();
-                    SignalMessage signalMessage = new SignalMessage(encryptedKey.key);
+						if (this.identityKey != null && !this.identityKey.equals(identityKey)) {
-                    try {
+							if (iterator.hasNext()) {
-                        plaintext = cipher.decrypt(signalMessage);
+								continue;
-                    } catch (InvalidMessageException | NoSessionException e) {
+							}
-                        throw new BrokenSessionException(this.remoteAddress, e);
+							throw new CryptoFailedException("Received PreKeyWhisperMessage but preexisting identity key changed.");
-                    }
+						}
-                    preKeyId = null; //better safe than sorry because we use that to do special after prekey handling
+						this.identityKey = identityKey;
-                }
+						plaintext = cipher.decrypt(preKeySignalMessage);
-			} catch (InvalidVersionException | InvalidKeyException | LegacyMessageException | InvalidMessageException | DuplicateMessageException | InvalidKeyIdException | UntrustedIdentityException e) {
+					} else {
-				throw new CryptoFailedException("Error decrypting SignalMessage", e);
+						SignalMessage signalMessage = new SignalMessage(encryptedKey.key);
+						try {
+							plaintext = cipher.decrypt(signalMessage);
+						} catch (InvalidMessageException | NoSessionException e) {
+							if (iterator.hasNext()) {
+								Log.w(Config.LOGTAG,account.getJid().asBareJid()+": ignoring crypto exception because possible keys left to try",e);
+								continue;
+							}
+							throw new BrokenSessionException(this.remoteAddress, e);
+						}
+						preKeyId = null; //better safe than sorry because we use that to do special after prekey handling
+					}
+				} catch (InvalidVersionException | InvalidKeyException | LegacyMessageException | InvalidMessageException | DuplicateMessageException | InvalidKeyIdException | UntrustedIdentityException e) {
+					if (iterator.hasNext()) {
+						Log.w(Config.LOGTAG,account.getJid().asBareJid()+": ignoring crypto exception because possible keys left to try",e);
+						continue;
+					}
+					throw new CryptoFailedException("Error decrypting SignalMessage", e);
+				}
+				if (iterator.hasNext()) {
+					break;
+				}
 			}
 			if (!status.isActive()) {
 				setTrust(status.toActive());
@@ -125,7 +151,7 @@ public class XmppAxolotlSession implements Comparable<XmppAxolotlSession> {
 		if (ignoreSessionTrust || status.isTrustedAndActive()) {
 			try {
 				CiphertextMessage ciphertextMessage = cipher.encrypt(outgoingMessage);
-				return new AxolotlKey(ciphertextMessage.serialize(),ciphertextMessage.getType() == CiphertextMessage.PREKEY_TYPE);
+				return new AxolotlKey(getRemoteAddress().getDeviceId(), ciphertextMessage.serialize(),ciphertextMessage.getType() == CiphertextMessage.PREKEY_TYPE);
 			} catch (UntrustedIdentityException e) {
 				return null;
 			}
@@ -148,8 +174,10 @@ public class XmppAxolotlSession implements Comparable<XmppAxolotlSession> {
 
 		public final byte[] key;
 		public final boolean prekey;
+		public final int deviceId;
 
-		public AxolotlKey(byte[] key, boolean prekey) {
+		public AxolotlKey(int deviceId, byte[] key, boolean prekey) {
+			this.deviceId = deviceId;
 			this.key = key;
 			this.prekey = prekey;
 		}