update deps; experiment: log security

vendor/maunium.net/go/mautrix/crypto/encryptolm.go

@@ -97,7 +97,7 @@ func (mach *OlmMachine) createOutboundSessions(input map[id.UserID]map[id.Device
 				continue
 			}
 			identity := input[userID][deviceID]
-			if ok, err := olm.VerifySignatureJSON(oneTimeKey, userID, deviceID.String(), identity.SigningKey); err != nil {
+			if ok, err := olm.VerifySignatureJSON(oneTimeKey.RawData, userID, deviceID.String(), identity.SigningKey); err != nil {
 				mach.Log.Error("Failed to verify signature for %s of %s: %v", deviceID, userID, err)
 			} else if !ok {
 				mach.Log.Warn("Invalid signature for %s of %s", deviceID, userID)

vendor/maunium.net/go/mautrix/crypto/machine.go

@@ -445,15 +445,20 @@ func (mach *OlmMachine) WaitForSession(roomID id.RoomID, senderKey id.SenderKey,
 	mach.keyWaitersLock.Lock()
 	ch, ok := mach.keyWaiters[sessionID]
 	if !ok {
-		ch := make(chan struct{})
+		ch = make(chan struct{})
 		mach.keyWaiters[sessionID] = ch
 	}
 	mach.keyWaitersLock.Unlock()
+	// Handle race conditions where a session appears between the failed decryption and WaitForSession call.
+	sess, err := mach.CryptoStore.GetGroupSession(roomID, senderKey, sessionID)
+	if sess != nil || errors.Is(err, ErrGroupSessionWithheld) {
+		return true
+	}
 	select {
 	case <-ch:
 		return true
 	case <-time.After(timeout):
-		sess, err := mach.CryptoStore.GetGroupSession(roomID, senderKey, sessionID)
+		sess, err = mach.CryptoStore.GetGroupSession(roomID, senderKey, sessionID)
 		// Check if the session somehow appeared in the store without telling us
 		// We accept withheld sessions as received, as then the decryption attempt will show the error.
 		return sess != nil || errors.Is(err, ErrGroupSessionWithheld)

vendor/maunium.net/go/mautrix/crypto/olm/utility.go

@@ -107,9 +107,13 @@ func (u *Utility) VerifySignature(message string, key id.Ed25519, signature stri
 // https://matrix.org/speculator/spec/drafts%2Fe2e/appendices.html#signing-json
 // If the _obj is a struct, the `json` tags will be honored.
 func (u *Utility) VerifySignatureJSON(obj interface{}, userID id.UserID, keyName string, key id.Ed25519) (bool, error) {
-	objJSON, err := json.Marshal(obj)
-	if err != nil {
-		return false, err
+	var err error
+	objJSON, ok := obj.(json.RawMessage)
+	if !ok {
+		objJSON, err = json.Marshal(obj)
+		if err != nil {
+			return false, err
+		}
 	}
 	sig := gjson.GetBytes(objJSON, util.GJSONPath("signatures", string(userID), fmt.Sprintf("ed25519:%s", keyName)))
 	if !sig.Exists() || sig.Type != gjson.String {

vendor/maunium.net/go/mautrix/crypto/sql_store.go

@@ -302,7 +302,7 @@ func (store *SQLCryptoStore) GetWithheldGroupSession(roomID id.RoomID, senderKey
 	}, nil
 }
 
-func (store *SQLCryptoStore) scanGroupSessionList(rows *sql.Rows) (result []*InboundGroupSession, err error) {
+func (store *SQLCryptoStore) scanGroupSessionList(rows dbutil.Rows) (result []*InboundGroupSession, err error) {
 	for rows.Next() {
 		var roomID id.RoomID
 		var signingKey, senderKey, forwardingChains sql.NullString
@@ -577,7 +577,7 @@ func (store *SQLCryptoStore) PutDevices(userID id.UserID, devices map[id.DeviceI
 
 // FilterTrackedUsers finds all the user IDs out of the given ones for which the database contains identity information.
 func (store *SQLCryptoStore) FilterTrackedUsers(users []id.UserID) ([]id.UserID, error) {
-	var rows *sql.Rows
+	var rows dbutil.Rows
 	var err error
 	if store.DB.Dialect == dbutil.Postgres && PostgresArrayWrapper != nil {
 		rows, err = store.DB.Query("SELECT user_id FROM crypto_tracked_user WHERE user_id = ANY($1)", PostgresArrayWrapper(users))

vendor/maunium.net/go/mautrix/crypto/sql_store_upgrade/upgrade.go

@@ -22,7 +22,7 @@ const VersionTableName = "crypto_version"
 var fs embed.FS
 
 func init() {
-	Table.Register(-1, 3, "Unsupported version", func(tx dbutil.Transaction, database *dbutil.Database) error {
+	Table.Register(-1, 3, "Unsupported version", false, func(tx dbutil.Execable, database *dbutil.Database) error {
 		return fmt.Errorf("upgrading from versions 1 and 2 of the crypto store is no longer supported in mautrix-go v0.12+")
 	})
 	Table.RegisterFS(fs)