Use RemoteConfig for UsePqRatchet.

Co-authored-by: Greyson Parrelli <greyson@signal.org>
2026-04-30 05:31:34 +01:00 · 2025-06-30 11:46:36 -07:00
parent f6b74ad2a0
commit 173983a1ab
9 changed files with 34 additions and 16 deletions
--- a/libsignal-service/src/main/java/org/whispersystems/signalservice/api/SignalServiceMessageSender.java
+++ b/libsignal-service/src/main/java/org/whispersystems/signalservice/api/SignalServiceMessageSender.java
@@ -13,6 +13,7 @@ import org.signal.libsignal.protocol.InvalidRegistrationIdException;
 import org.signal.libsignal.protocol.NoSessionException;
 import org.signal.libsignal.protocol.SessionBuilder;
 import org.signal.libsignal.protocol.SignalProtocolAddress;
+import org.signal.libsignal.protocol.UsePqRatchet;
 import org.signal.libsignal.protocol.groups.GroupSessionBuilder;
 import org.signal.libsignal.protocol.logging.Log;
 import org.signal.libsignal.protocol.message.DecryptionErrorMessage;
@@ -182,6 +183,7 @@ public class SignalServiceMessageSender {
  private final Scheduler       scheduler;
  private final long            maxEnvelopeSize;
  private final BooleanSupplier useRestFallback;
+  private final UsePqRatchet usePqRatchet;

  public SignalServiceMessageSender(PushServiceSocket pushServiceSocket,
                                    SignalServiceDataStore store,
@@ -192,7 +194,8 @@ public class SignalServiceMessageSender {
                                    Optional<EventListener> eventListener,
                                    ExecutorService executor,
                                    long maxEnvelopeSize,
-                                    BooleanSupplier useRestFallback)
+                                    BooleanSupplier useRestFallback,
+                                    UsePqRatchet usePqRatchet)
  {
    CredentialsProvider credentialsProvider = pushServiceSocket.getCredentialsProvider();

@@ -210,6 +213,7 @@ public class SignalServiceMessageSender {
    this.scheduler        = Schedulers.from(executor, false, false);
    this.keysApi          = keysApi;
    this.useRestFallback  = useRestFallback;
+    this.usePqRatchet     = usePqRatchet;
  }

  /**
@@ -2701,7 +2705,7 @@ public class SignalServiceMessageSender {
          try {
            SignalProtocolAddress preKeyAddress  = new SignalProtocolAddress(recipient.getIdentifier(), preKey.getDeviceId());
            SignalSessionBuilder  sessionBuilder = new SignalSessionBuilder(sessionLock, new SessionBuilder(aciStore, preKeyAddress));
-            sessionBuilder.process(preKey);
+            sessionBuilder.process(preKey, usePqRatchet);
          } catch (org.signal.libsignal.protocol.UntrustedIdentityException e) {
            throw new UntrustedIdentityException("Untrusted identity key!", recipient.getIdentifier(), preKey.getIdentityKey());
          }
@@ -2753,7 +2757,7 @@ public class SignalServiceMessageSender {

        try {
          SignalSessionBuilder sessionBuilder = new SignalSessionBuilder(sessionLock, new SessionBuilder(aciStore, new SignalProtocolAddress(recipient.getIdentifier(), missingDeviceId)));
-          sessionBuilder.process(preKey);
+          sessionBuilder.process(preKey, usePqRatchet);
        } catch (org.signal.libsignal.protocol.UntrustedIdentityException e) {
          throw new UntrustedIdentityException("Untrusted identity key!", recipient.getIdentifier(), preKey.getIdentityKey());
        }
--- a/libsignal-service/src/main/java/org/whispersystems/signalservice/api/crypto/SignalServiceCipher.java
+++ b/libsignal-service/src/main/java/org/whispersystems/signalservice/api/crypto/SignalServiceCipher.java
@@ -34,6 +34,7 @@ import org.signal.libsignal.protocol.NoSessionException;
 import org.signal.libsignal.protocol.SessionCipher;
 import org.signal.libsignal.protocol.SignalProtocolAddress;
 import org.signal.libsignal.protocol.UntrustedIdentityException;
+import org.signal.libsignal.protocol.UsePqRatchet;
 import org.signal.libsignal.protocol.groups.GroupCipher;
 import org.signal.libsignal.protocol.logging.Log;
 import org.signal.libsignal.protocol.message.CiphertextMessage;
@@ -131,7 +132,7 @@ public class SignalServiceCipher {
    }
  }

-  public SignalServiceCipherResult decrypt(Envelope envelope, long serverDeliveredTimestamp)
+  public SignalServiceCipherResult decrypt(Envelope envelope, long serverDeliveredTimestamp, UsePqRatchet usePqRatchet)
      throws InvalidMetadataMessageException, InvalidMetadataVersionException,
             ProtocolInvalidKeyIdException, ProtocolLegacyMessageException,
             ProtocolUntrustedIdentityException, ProtocolNoSessionException,
@@ -141,7 +142,7 @@ public class SignalServiceCipher {
  {
    try {
      if (envelope.content != null) {
-        Plaintext plaintext = decryptInternal(envelope, serverDeliveredTimestamp);
+        Plaintext plaintext = decryptInternal(envelope, serverDeliveredTimestamp, usePqRatchet);
        Content   content   = Content.ADAPTER.decode(plaintext.getData());

        return new SignalServiceCipherResult(
@@ -163,7 +164,7 @@ public class SignalServiceCipher {
    }
  }

-  private Plaintext decryptInternal(Envelope envelope, long serverDeliveredTimestamp)
+  private Plaintext decryptInternal(Envelope envelope, long serverDeliveredTimestamp, UsePqRatchet usePqRatchet)
      throws InvalidMetadataMessageException, InvalidMetadataVersionException,
      ProtocolDuplicateMessageException, ProtocolUntrustedIdentityException,
      ProtocolLegacyMessageException, ProtocolInvalidKeyException,
@@ -184,7 +185,7 @@ public class SignalServiceCipher {
        SignalProtocolAddress sourceAddress = new SignalProtocolAddress(envelope.sourceServiceId, envelope.sourceDevice);
        SignalSessionCipher   sessionCipher = new SignalSessionCipher(sessionLock, new SessionCipher(signalProtocolStore, sourceAddress));

-        paddedMessage = sessionCipher.decrypt(new PreKeySignalMessage(envelope.content.toByteArray()));
+        paddedMessage = sessionCipher.decrypt(new PreKeySignalMessage(envelope.content.toByteArray()), usePqRatchet);
        metadata      = new SignalServiceMetadata(getSourceAddress(envelope), envelope.sourceDevice, envelope.timestamp, envelope.serverTimestamp, serverDeliveredTimestamp, false, envelope.serverGuid, Optional.empty(), envelope.destinationServiceId);

        signalProtocolStore.clearSenderKeySharedWith(Collections.singleton(sourceAddress));
--- a/libsignal-service/src/main/java/org/whispersystems/signalservice/api/crypto/SignalSessionBuilder.java
+++ b/libsignal-service/src/main/java/org/whispersystems/signalservice/api/crypto/SignalSessionBuilder.java
@@ -20,9 +20,9 @@ public class SignalSessionBuilder {
    this.builder = builder;
  }

-  public void process(PreKeyBundle preKey) throws InvalidKeyException, UntrustedIdentityException {
+  public void process(PreKeyBundle preKey, UsePqRatchet usePqRatchet) throws InvalidKeyException, UntrustedIdentityException {
    try (SignalSessionLock.Lock unused = lock.acquire()) {
-      builder.process(preKey, UsePqRatchet.NO);
+      builder.process(preKey, usePqRatchet);
    }
  }
 }
--- a/libsignal-service/src/main/java/org/whispersystems/signalservice/api/crypto/SignalSessionCipher.java
+++ b/libsignal-service/src/main/java/org/whispersystems/signalservice/api/crypto/SignalSessionCipher.java
@@ -34,9 +34,9 @@ public class SignalSessionCipher {
    }
  }

-  public byte[] decrypt(PreKeySignalMessage ciphertext) throws DuplicateMessageException, LegacyMessageException, InvalidMessageException, InvalidKeyIdException, InvalidKeyException, org.signal.libsignal.protocol.UntrustedIdentityException {
+  public byte[] decrypt(PreKeySignalMessage ciphertext, UsePqRatchet usePqRatchet) throws DuplicateMessageException, LegacyMessageException, InvalidMessageException, InvalidKeyIdException, InvalidKeyException, org.signal.libsignal.protocol.UntrustedIdentityException {
    try (SignalSessionLock.Lock unused = lock.acquire()) {
-      return cipher.decrypt(ciphertext, UsePqRatchet.NO);
+      return cipher.decrypt(ciphertext, usePqRatchet);
    }
  }