In the switch from v3, we bind identities in the message MAC
instead of doing the 1mod8 trick. Since identity keys were
never set as 1mod8, it seemed like we could just remove it.
However, PreKeys are durable. If an old client upgrades to v3,
it has a bunch of keys that *were* set to 1mod8 floating around.
The Curve25519 donna code re-sets the private key bits on every
operation, which results in a different key, and breaks the output
of an agreement.
So now we don't intentionally generate keys with 1mod8, but we
have to remove the donna code to honor existing 1mod8 keys for
the rest of time. Trevor is squarely to blame.
// FREEBIE
1) Fix bugs that prevented decrypt() from being non-transactional
in some cases.
2) Introduce a new unified storage interface.
3) Transition simultaneous initiate from the "needs refresh"
strategy to one that uses session state resurrection and
promotion.
1) Since we're not CPU or space constrained (and are in fact
padding), and since keystream reuse would be more catastrophic
than IV reuse without chosen plaintext.
1) ephemeralKey -> ratchetKey
2) Have the caller specify Alice/Bob orientation.
3) Reorganize verification tag.
4) Remove verification tag from key exchange messages, replace
with signatures in both directions.
1) Change SessionBuilder to only establish sessions via
KeyExchangeMessage and PreKeyBundles.
2) Change SessionCipher to decrypt either WhisperMessage
or PreKeyWhisperMessage items, automatically building
a session for the latter.
3) Change SessionCipher to tear down new sessions built
with PreKeyWhisperMessages if the embedded WhsiperMessage
fails to decrypt.
Jake McGinty
Moxie Marlinspike
agrajaghh