1) Change SessionBuilder to only establish sessions via
KeyExchangeMessage and PreKeyBundles.
2) Change SessionCipher to decrypt either WhisperMessage
or PreKeyWhisperMessage items, automatically building
a session for the latter.
3) Change SessionCipher to tear down new sessions built
with PreKeyWhisperMessages if the embedded WhsiperMessage
fails to decrypt.
1) Use the new /v2/keys API for storing/retrieving prekey bundles.
2) For sessions built with PreKeyBundle and PreKeyWhisperMessage,
use a v3 ratcheting session when available.
1) Add plain two-way key exchange support libaxolotl by moving
all the KeyExchangeMessage code there.
2) Move the bulk of KeyExchangeProcessor code to libaxolotl
for setting up sessions based on retrieved prekeys, received
prekeybundles, or exchanged key exchange messages.
1) Break the core cryptography functions out into libaxolotol.
2) The objective for this code is a Java library that isn't
dependent on any Android functions. However, while the
code has been separated from any Android functionality,
it is still an 'android library project' because of the
JNI.
1) Modify SessionRecord to store a list of "previous" sessions
in addition to the current active session. Previous sessions
can be used for receiving messages, but not for sending
messages.
2) When a possible "simultaneous initiate" is detected, push the
current session onto the "previous session" stack instead of
clearing it and starting over.
3) Additionally, mark the new session created on a received
possible "simultaneous initiate" as stale for sending. The
next outgoing message would trigger a full prekey refresh.
4) Work to do: outgoing messages on the SMS transport should
probably not use the existing session if it's marked stale
for sending. These messages need to fail and notify the user,
similar to how we'll handle SMS fallback to push users before
a prekey session is created.
1) On the push side, this message is a flag in PushMessageContent.
Any secure message with that flag will terminate the current
sessin.
2) On the SMS side, there is an "end session" wire type and
the convention that a message with this wire type must be
secure and contain the string "TERMINATE."
1) At registration time, a client generates a random ID and
transmits to the the server.
2) The server provides that registration ID to any client
that requests a prekey.
3) Clients include that registration ID in any
PreKeyWhisperMessage.
4) Clients include that registration ID in their sendMessage
API call to the server.
5) The server verifies that the registration ID included in
an API call is the same as the current registration ID
for the destination device. Otherwise, it notifies the
sender that their session is stale.
1) In addition to the Recipient interface, there is now
RecipientDevice. A Recipient can have multiple corresponding
RecipientDevices. All addressing is done to a Recipient, but
crypto sessions and transport delivery are done to
RecipientDevice.
2) The Push transport handles the discovery and session setup
of additional Recipient devices.
3) Some internal rejiggering of Groups.
1) Move the attachment structures into the encrypted message body.
2) Encrypt attachments with symmetric keys transmitted in the
encryptd attachment pointer structure.
3) Correctly handle asynchronous decryption and categorization of
encrypted push messages.
TODO: Correct notification process and network/interruption
retries.
1) Add encryption support for the transport layer. This obscures
metadata from the push messaging provider.
2) Better support the direction multiple destination messages is
headed (one unique message per recipient).
1) Added SMS transport support.
2) Keep track of whether a PreKeyBundle message has gotten
a response, and send them as subsequent messages until
one has been received.
1) Move all the crypto classes from securesms.crypto.
2) Move all the crypto storage from securesms.database.keys
3) Replace the old imported BC code with spongycastle.
Moxie Marlinspike
Jake McGinty