aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.DS_Storebin6148 -> 0 bytes
-rw-r--r--Makefile1
-rw-r--r--android/olm-sdk/src/androidTest/java/org/matrix/olm/OlmPkTest.java44
-rw-r--r--android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java9
-rw-r--r--android/olm-sdk/src/main/java/org/matrix/olm/OlmException.java2
-rw-r--r--android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java7
-rw-r--r--android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java5
-rw-r--r--android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java28
-rw-r--r--android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java8
-rw-r--r--android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java17
-rw-r--r--android/olm-sdk/src/main/jni/olm_account.cpp14
-rw-r--r--android/olm-sdk/src/main/jni/olm_inbound_group_session.cpp18
-rw-r--r--android/olm-sdk/src/main/jni/olm_outbound_group_session.cpp12
-rw-r--r--android/olm-sdk/src/main/jni/olm_pk.cpp132
-rw-r--r--android/olm-sdk/src/main/jni/olm_pk.h2
-rw-r--r--android/olm-sdk/src/main/jni/olm_session.cpp12
-rw-r--r--android/olm-sdk/src/main/jni/olm_utility.cpp14
-rw-r--r--fuzzers/README.rst3
-rw-r--r--include/olm/olm.h28
-rw-r--r--include/olm/pk.h2
-rw-r--r--javascript/.gitignore1
-rw-r--r--javascript/olm_inbound_group_session.js62
-rw-r--r--javascript/olm_outbound_group_session.js34
-rw-r--r--javascript/olm_pk.js79
-rw-r--r--javascript/olm_post.js175
-rwxr-xr-xjenkins.sh8
-rw-r--r--python/.gdb_history225
-rw-r--r--python/.gitignore15
-rw-r--r--python/MANIFEST.in3
-rw-r--r--python/Makefile43
-rw-r--r--python/README.md161
-rw-r--r--python/docs/Makefile20
-rw-r--r--python/docs/conf.py165
-rw-r--r--python/docs/index.html1
-rw-r--r--python/docs/index.rst19
-rw-r--r--python/docs/make.bat36
-rw-r--r--python/docs/olm.rst34
-rw-r--r--python/dummy/README2
-rw-r--r--python/dummy/stddef.h0
-rw-r--r--python/dummy/stdint.h0
-rw-r--r--python/olm/__init__.py43
-rwxr-xr-xpython/olm/__main__.py468
-rw-r--r--python/olm/__version__.py9
-rw-r--r--python/olm/_base.py17
-rw-r--r--python/olm/_compat.py46
-rw-r--r--python/olm/_finalize.py65
-rw-r--r--python/olm/account.py371
-rw-r--r--python/olm/group_session.py525
-rw-r--r--python/olm/inbound_group_session.py138
-rw-r--r--python/olm/outbound_group_session.py134
-rw-r--r--python/olm/session.py630
-rw-r--r--python/olm/utility.py132
-rw-r--r--python/olm_build.py51
-rw-r--r--python/requirements.txt3
-rw-r--r--python/setup.cfg8
-rw-r--r--python/setup.py27
-rw-r--r--python/test-requirements.txt7
-rwxr-xr-xpython/test_olm.sh46
-rw-r--r--python/tests/account_test.py100
-rw-r--r--python/tests/group_session_test.py114
-rw-r--r--python/tests/session_test.py143
-rw-r--r--python/tox.ini43
-rw-r--r--src/pk.cpp2
-rw-r--r--xcode/OLMKit.xcodeproj/project.pbxproj4
-rw-r--r--xcode/OLMKit/OLMAccount.m2
-rw-r--r--xcode/OLMKit/OLMInboundGroupSession.m2
-rw-r--r--xcode/OLMKit/OLMKit.h2
-rw-r--r--xcode/OLMKit/OLMOutboundGroupSession.m2
-rw-r--r--xcode/OLMKit/OLMPKEncryption.h42
-rw-r--r--xcode/OLMKit/OLMPKEncryption.m111
-rw-r--r--xcode/OLMKit/OLMPkDecryption.h64
-rw-r--r--xcode/OLMKit/OLMPkDecryption.m295
-rw-r--r--xcode/OLMKit/OLMPkMessage.h31
-rw-r--r--xcode/OLMKit/OLMPkMessage.m32
-rw-r--r--xcode/OLMKit/OLMSession.m2
-rw-r--r--xcode/OLMKitTests/OLMKitPkTests.m107
76 files changed, 3746 insertions, 1513 deletions
diff --git a/.DS_Store b/.DS_Store
deleted file mode 100644
index 5008ddf..0000000
--- a/.DS_Store
+++ /dev/null
Binary files differ
diff --git a/Makefile b/Makefile
index 91436ed..a354e19 100644
--- a/Makefile
+++ b/Makefile
@@ -161,6 +161,7 @@ $(RELEASE_TARGET): $(RELEASE_OBJECTS)
$(OLM_LDFLAGS) \
$(OUTPUT_OPTION) $(RELEASE_OBJECTS)
ln -sf libolm.$(SO).$(VERSION) $(BUILD_DIR)/libolm.$(SO).$(MAJOR)
+ ln -sf libolm.$(SO).$(VERSION) $(BUILD_DIR)/libolm.$(SO)
debug: $(DEBUG_TARGET)
.PHONY: debug
diff --git a/android/olm-sdk/src/androidTest/java/org/matrix/olm/OlmPkTest.java b/android/olm-sdk/src/androidTest/java/org/matrix/olm/OlmPkTest.java
index 04b2217..1577f3b 100644
--- a/android/olm-sdk/src/androidTest/java/org/matrix/olm/OlmPkTest.java
+++ b/android/olm-sdk/src/androidTest/java/org/matrix/olm/OlmPkTest.java
@@ -19,6 +19,8 @@ package org.matrix.olm;
import android.support.test.runner.AndroidJUnit4;
import android.util.Log;
+import java.util.Arrays;
+
import org.junit.BeforeClass;
import org.junit.FixMethodOrder;
import org.junit.Test;
@@ -91,4 +93,46 @@ public class OlmPkTest {
assertTrue(mOlmPkEncryption.isReleased());
assertTrue(mOlmPkDecryption.isReleased());
}
+
+ @Test
+ public void test02PrivateKey() {
+ try {
+ mOlmPkDecryption = new OlmPkDecryption();
+ } catch (OlmException e) {
+ e.printStackTrace();
+ assertTrue("OlmPkEncryption failed " + e.getMessage(), false);
+ }
+
+ assertNotNull(mOlmPkDecryption);
+
+ byte[] privateKey = {
+ (byte)0x77, (byte)0x07, (byte)0x6D, (byte)0x0A,
+ (byte)0x73, (byte)0x18, (byte)0xA5, (byte)0x7D,
+ (byte)0x3C, (byte)0x16, (byte)0xC1, (byte)0x72,
+ (byte)0x51, (byte)0xB2, (byte)0x66, (byte)0x45,
+ (byte)0xDF, (byte)0x4C, (byte)0x2F, (byte)0x87,
+ (byte)0xEB, (byte)0xC0, (byte)0x99, (byte)0x2A,
+ (byte)0xB1, (byte)0x77, (byte)0xFB, (byte)0xA5,
+ (byte)0x1D, (byte)0xB9, (byte)0x2C, (byte)0x2A
+ };
+
+ try {
+ mOlmPkDecryption.setPrivateKey(privateKey);
+ } catch (OlmException e) {
+ assertTrue("Exception in setPrivateKey, Exception code=" + e.getExceptionCode(), false);
+ }
+
+ byte[] privateKeyCopy = null;
+
+ try {
+ privateKeyCopy = mOlmPkDecryption.privateKey();
+ } catch (OlmException e) {
+ assertTrue("Exception in privateKey, Exception code=" + e.getExceptionCode(), false);
+ }
+
+ assertTrue(Arrays.equals(privateKey, privateKeyCopy));
+
+ mOlmPkDecryption.releaseDecryption();
+ assertTrue(mOlmPkDecryption.isReleased());
+ }
}
diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java
index 26c3e60..98a3c5b 100644
--- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java
+++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java
@@ -26,6 +26,7 @@ import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
+import java.util.Arrays;
import java.util.Map;
/**
@@ -290,9 +291,9 @@ public class OlmAccount extends CommonSerializeUtils implements Serializable {
String result = null;
if (null != aMessage) {
+ byte[] utf8String = null;
try {
- byte[] utf8String = aMessage.getBytes("UTF-8");
-
+ utf8String = aMessage.getBytes("UTF-8");
if (null != utf8String) {
byte[] signedMessage = signMessageJni(utf8String);
@@ -302,6 +303,10 @@ public class OlmAccount extends CommonSerializeUtils implements Serializable {
}
} catch (Exception e) {
throw new OlmException(OlmException.EXCEPTION_CODE_ACCOUNT_SIGN_MESSAGE, e.getMessage());
+ } finally {
+ if (null != utf8String) {
+ Arrays.fill(utf8String, (byte) 0);
+ }
}
}
diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmException.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmException.java
index 31b5729..5b534d5 100644
--- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmException.java
+++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmException.java
@@ -68,6 +68,8 @@ public class OlmException extends IOException {
public static final int EXCEPTION_CODE_PK_DECRYPTION_CREATION = 700;
public static final int EXCEPTION_CODE_PK_DECRYPTION_GENERATE_KEY = 701;
public static final int EXCEPTION_CODE_PK_DECRYPTION_DECRYPT = 702;
+ public static final int EXCEPTION_CODE_PK_DECRYPTION_SET_PRIVATE_KEY = 703;
+ public static final int EXCEPTION_CODE_PK_DECRYPTION_PRIVATE_KEY = 704;
// exception human readable messages
public static final String EXCEPTION_MSG_INVALID_PARAMS_DESERIALIZATION = "invalid de-serialized parameters";
diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java
index b41c67a..2fc81ef 100644
--- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java
+++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java
@@ -77,10 +77,16 @@ public class OlmInboundGroupSession extends CommonSerializeUtils implements Seri
Log.e(LOG_TAG, "## initInboundGroupSession(): invalid session key");
throw new OlmException(OlmException.EXCEPTION_CODE_INIT_INBOUND_GROUP_SESSION, "invalid session key");
} else {
+ byte[] sessionBuffer = null;
try {
+ sessionBuffer = aSessionKey.getBytes("UTF-8");
mNativeId = createNewSessionJni(aSessionKey.getBytes("UTF-8"), isImported);
} catch (Exception e) {
throw new OlmException(OlmException.EXCEPTION_CODE_INIT_INBOUND_GROUP_SESSION, e.getMessage());
+ } finally {
+ if (null != sessionBuffer) {
+ Arrays.fill(sessionBuffer, (byte) 0);
+ }
}
}
}
@@ -216,6 +222,7 @@ public class OlmInboundGroupSession extends CommonSerializeUtils implements Seri
if (null != bytesBuffer) {
result = new String(bytesBuffer, "UTF-8");
+ Arrays.fill(bytesBuffer, (byte) 0);
}
} catch (Exception e) {
Log.e(LOG_TAG, "## export() failed " + e.getMessage());
diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java
index e4d4a44..55732fe 100644
--- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java
+++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java
@@ -142,7 +142,10 @@ public class OlmOutboundGroupSession extends CommonSerializeUtils implements Ser
*/
public String sessionKey() throws OlmException {
try {
- return new String(sessionKeyJni(), "UTF-8");
+ byte[] sessionKeyBuffer = sessionKeyJni();
+ String ret = new String(sessionKeyBuffer, "UTF-8");
+ Arrays.fill(sessionKeyBuffer, (byte) 0);
+ return ret;
} catch (Exception e) {
Log.e(LOG_TAG, "## sessionKey() failed " + e.getMessage());
throw new OlmException(OlmException.EXCEPTION_CODE_OUTBOUND_GROUP_SESSION_KEY, e.getMessage());
diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java
index ea838f1..6522f70 100644
--- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java
+++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java
@@ -51,6 +51,18 @@ public class OlmPkDecryption {
return (0 == mNativeId);
}
+ public String setPrivateKey(byte[] privateKey) throws OlmException {
+ try {
+ byte[] key = setPrivateKeyJni(privateKey);
+ return new String(key, "UTF-8");
+ } catch (Exception e) {
+ Log.e(LOG_TAG, "## setPrivateKey(): failed " + e.getMessage());
+ throw new OlmException(OlmException.EXCEPTION_CODE_PK_DECRYPTION_SET_PRIVATE_KEY, e.getMessage());
+ }
+ }
+
+ private native byte[] setPrivateKeyJni(byte[] privateKey);
+
public String generateKey() throws OlmException {
try {
byte[] key = generateKeyJni();
@@ -63,19 +75,31 @@ public class OlmPkDecryption {
private native byte[] generateKeyJni();
+ public byte[] privateKey() throws OlmException {
+ try {
+ return privateKeyJni();
+ } catch (Exception e) {
+ Log.e(LOG_TAG, "## privateKey(): failed " + e.getMessage());
+ throw new OlmException(OlmException.EXCEPTION_CODE_PK_DECRYPTION_PRIVATE_KEY, e.getMessage());
+ }
+ }
+
+ private native byte[] privateKeyJni();
+
public String decrypt(OlmPkMessage aMessage) throws OlmException {
if (null == aMessage) {
return null;
}
+ byte[] plaintextBuffer = decryptJni(aMessage);
try {
- byte[] plaintextBuffer = decryptJni(aMessage);
String plaintext = new String(plaintextBuffer, "UTF-8");
- Arrays.fill(plaintextBuffer, (byte) 0);
return plaintext;
} catch (Exception e) {
Log.e(LOG_TAG, "## pkDecrypt(): failed " + e.getMessage());
throw new OlmException(OlmException.EXCEPTION_CODE_PK_DECRYPTION_DECRYPT, e.getMessage());
+ } finally {
+ Arrays.fill(plaintextBuffer, (byte) 0);
}
}
diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java
index a2ccf2e..01666fd 100644
--- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java
+++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java
@@ -73,10 +73,10 @@ public class OlmPkEncryption {
OlmPkMessage encryptedMsgRetValue = new OlmPkMessage();
+ byte[] plaintextBuffer = null;
try {
- byte[] plaintextBuffer = aPlaintext.getBytes("UTF-8");
+ plaintextBuffer = aPlaintext.getBytes("UTF-8");
byte[] ciphertextBuffer = encryptJni(plaintextBuffer, encryptedMsgRetValue);
- Arrays.fill(plaintextBuffer, (byte) 0);
if (null != ciphertextBuffer) {
encryptedMsgRetValue.mCipherText = new String(ciphertextBuffer, "UTF-8");
@@ -84,6 +84,10 @@ public class OlmPkEncryption {
} catch (Exception e) {
Log.e(LOG_TAG, "## pkEncrypt(): failed " + e.getMessage());
throw new OlmException(OlmException.EXCEPTION_CODE_PK_ENCRYPTION_ENCRYPT, e.getMessage());
+ } finally {
+ if (null != plaintextBuffer) {
+ Arrays.fill(plaintextBuffer, (byte) 0);
+ }
}
return encryptedMsgRetValue;
diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java
index bf9ef90..250cfb1 100644
--- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java
+++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java
@@ -23,6 +23,7 @@ import android.util.Log;
import org.json.JSONObject;
import java.security.SecureRandom;
+import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
@@ -81,17 +82,23 @@ public class OlmUtility {
*/
public void verifyEd25519Signature(String aSignature, String aFingerprintKey, String aMessage) throws OlmException {
String errorMessage;
+ byte[] messageBuffer = null;
try {
if (TextUtils.isEmpty(aSignature) || TextUtils.isEmpty(aFingerprintKey) || TextUtils.isEmpty(aMessage)) {
Log.e(LOG_TAG, "## verifyEd25519Signature(): invalid input parameters");
errorMessage = "JAVA sanity check failure - invalid input parameters";
} else {
- errorMessage = verifyEd25519SignatureJni(aSignature.getBytes("UTF-8"), aFingerprintKey.getBytes("UTF-8"), aMessage.getBytes("UTF-8"));
+ messageBuffer = aMessage.getBytes("UTF-8");
+ errorMessage = verifyEd25519SignatureJni(aSignature.getBytes("UTF-8"), aFingerprintKey.getBytes("UTF-8"), messageBuffer);
}
} catch (Exception e) {
Log.e(LOG_TAG, "## verifyEd25519Signature(): failed " + e.getMessage());
errorMessage = e.getMessage();
+ } finally {
+ if (messageBuffer != null) {
+ Arrays.fill(messageBuffer, (byte) 0);
+ }
}
if (!TextUtils.isEmpty(errorMessage)) {
@@ -119,10 +126,16 @@ public class OlmUtility {
String hashRetValue = null;
if (null != aMessageToHash) {
+ byte[] messageBuffer = null;
try {
- hashRetValue = new String(sha256Jni(aMessageToHash.getBytes("UTF-8")), "UTF-8");
+ messageBuffer = aMessageToHash.getBytes("UTF-8");
+ hashRetValue = new String(sha256Jni(messageBuffer), "UTF-8");
} catch (Exception e) {
Log.e(LOG_TAG, "## sha256(): failed " + e.getMessage());
+ } finally {
+ if (null != messageBuffer) {
+ Arrays.fill(messageBuffer, (byte) 0);
+ }
}
}
diff --git a/android/olm-sdk/src/main/jni/olm_account.cpp b/android/olm-sdk/src/main/jni/olm_account.cpp
index 40081ac..00b1460 100644
--- a/android/olm-sdk/src/main/jni/olm_account.cpp
+++ b/android/olm-sdk/src/main/jni/olm_account.cpp
@@ -528,6 +528,7 @@ JNIEXPORT jbyteArray OLM_ACCOUNT_FUNC_DEF(serializeJni)(JNIEnv *env, jobject thi
const char* errorMessage = NULL;
jbyteArray pickledDataRetValue = 0;
jbyte* keyPtr = NULL;
+ jboolean keyIsCopied = JNI_FALSE;
OlmAccount* accountPtr = NULL;
LOGD("## serializeJni(): IN");
@@ -542,7 +543,7 @@ JNIEXPORT jbyteArray OLM_ACCOUNT_FUNC_DEF(serializeJni)(JNIEnv *env, jobject thi
LOGE(" ## serializeJni(): failure - invalid account ptr");
errorMessage = "invalid account ptr";
}
- else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, NULL)))
+ else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, &keyIsCopied)))
{
LOGE(" ## serializeJni(): failure - keyPtr JNI allocation OOM");
errorMessage = "keyPtr JNI allocation OOM";
@@ -586,6 +587,9 @@ JNIEXPORT jbyteArray OLM_ACCOUNT_FUNC_DEF(serializeJni)(JNIEnv *env, jobject thi
// free alloc
if (keyPtr)
{
+ if (keyIsCopied) {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(aKeyBuffer));
+ }
env->ReleaseByteArrayElements(aKeyBuffer, keyPtr, JNI_ABORT);
}
@@ -610,6 +614,7 @@ JNIEXPORT jlong OLM_ACCOUNT_FUNC_DEF(deserializeJni)(JNIEnv *env, jobject thiz,
OlmAccount* accountPtr = NULL;
jbyte* keyPtr = NULL;
+ jboolean keyIsCopied = JNI_FALSE;
jbyte* pickledPtr = NULL;
LOGD("## deserializeJni(): IN");
@@ -629,7 +634,7 @@ JNIEXPORT jlong OLM_ACCOUNT_FUNC_DEF(deserializeJni)(JNIEnv *env, jobject thiz,
LOGE(" ## deserializeJni(): failure - account failure OOM");
errorMessage = "account failure OOM";
}
- else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, 0)))
+ else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, &keyIsCopied)))
{
LOGE(" ## deserializeJni(): failure - keyPtr JNI allocation OOM");
errorMessage = "keyPtr JNI allocation OOM";
@@ -665,6 +670,9 @@ JNIEXPORT jlong OLM_ACCOUNT_FUNC_DEF(deserializeJni)(JNIEnv *env, jobject thiz,
// free alloc
if (keyPtr)
{
+ if (keyIsCopied) {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(aKeyBuffer));
+ }
env->ReleaseByteArrayElements(aKeyBuffer, keyPtr, JNI_ABORT);
}
@@ -684,4 +692,4 @@ JNIEXPORT jlong OLM_ACCOUNT_FUNC_DEF(deserializeJni)(JNIEnv *env, jobject thiz,
}
return (jlong)(intptr_t)accountPtr;
-} \ No newline at end of file
+}
diff --git a/android/olm-sdk/src/main/jni/olm_inbound_group_session.cpp b/android/olm-sdk/src/main/jni/olm_inbound_group_session.cpp
index 114b7cd..ae9ecf1 100644
--- a/android/olm-sdk/src/main/jni/olm_inbound_group_session.cpp
+++ b/android/olm-sdk/src/main/jni/olm_inbound_group_session.cpp
@@ -62,6 +62,7 @@ JNIEXPORT jlong OLM_INBOUND_GROUP_SESSION_FUNC_DEF(createNewSessionJni)(JNIEnv *
const char* errorMessage = NULL;
OlmInboundGroupSession* sessionPtr = NULL;
jbyte* sessionKeyPtr = NULL;
+ jboolean sessionWasCopied = JNI_FALSE;
size_t sessionSize = olm_inbound_group_session_size();
LOGD("## createNewSessionJni(): inbound group session IN");
@@ -81,7 +82,7 @@ JNIEXPORT jlong OLM_INBOUND_GROUP_SESSION_FUNC_DEF(createNewSessionJni)(JNIEnv *
LOGE(" ## createNewSessionJni(): failure - invalid aSessionKey");
errorMessage = "invalid aSessionKey";
}
- else if (!(sessionKeyPtr = env->GetByteArrayElements(aSessionKeyBuffer, 0)))
+ else if (!(sessionKeyPtr = env->GetByteArrayElements(aSessionKeyBuffer, &sessionWasCopied)))
{
LOGE(" ## createNewSessionJni(): failure - session key JNI allocation OOM");
errorMessage = "Session key JNI allocation OOM";
@@ -119,6 +120,9 @@ JNIEXPORT jlong OLM_INBOUND_GROUP_SESSION_FUNC_DEF(createNewSessionJni)(JNIEnv *
if (sessionKeyPtr)
{
+ if (sessionWasCopied) {
+ memset(sessionKeyPtr, 0, (size_t)env->GetArrayLength(aSessionKeyBuffer));
+ }
env->ReleaseByteArrayElements(aSessionKeyBuffer, sessionKeyPtr, JNI_ABORT);
}
@@ -474,6 +478,7 @@ JNIEXPORT jbyteArray OLM_INBOUND_GROUP_SESSION_FUNC_DEF(serializeJni)(JNIEnv *en
jbyteArray pickledDataRet = 0;
jbyte* keyPtr = NULL;
+ jboolean keyWasCopied = JNI_FALSE;
OlmInboundGroupSession* sessionPtr = getInboundGroupSessionInstanceId(env, thiz);
LOGD("## inbound group session serializeJni(): IN");
@@ -488,7 +493,7 @@ JNIEXPORT jbyteArray OLM_INBOUND_GROUP_SESSION_FUNC_DEF(serializeJni)(JNIEnv *en
LOGE(" ## serializeJni(): failure - invalid key");
errorMessage = "invalid key";
}
- else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, 0)))
+ else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, &keyWasCopied)))
{
LOGE(" ## serializeJni(): failure - keyPtr JNI allocation OOM");
errorMessage = "keyPtr JNI allocation OOM";
@@ -533,6 +538,9 @@ JNIEXPORT jbyteArray OLM_INBOUND_GROUP_SESSION_FUNC_DEF(serializeJni)(JNIEnv *en
// free alloc
if (keyPtr)
{
+ if (keyWasCopied) {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(aKeyBuffer));
+ }
env->ReleaseByteArrayElements(aKeyBuffer, keyPtr, JNI_ABORT);
}
@@ -558,6 +566,7 @@ JNIEXPORT jlong OLM_INBOUND_GROUP_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env,
OlmInboundGroupSession* sessionPtr = NULL;
size_t sessionSize = olm_inbound_group_session_size();
jbyte* keyPtr = NULL;
+ jboolean keyWasCopied = JNI_FALSE;
jbyte* pickledPtr = NULL;
LOGD("## deserializeJni(): IN");
@@ -582,7 +591,7 @@ JNIEXPORT jlong OLM_INBOUND_GROUP_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env,
LOGE(" ## deserializeJni(): failure - serialized data");
errorMessage = "serialized data";
}
- else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, 0)))
+ else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, &keyWasCopied)))
{
LOGE(" ## deserializeJni(): failure - keyPtr JNI allocation OOM");
errorMessage = "keyPtr JNI allocation OOM";
@@ -620,6 +629,9 @@ JNIEXPORT jlong OLM_INBOUND_GROUP_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env,
// free alloc
if (keyPtr)
{
+ if (keyWasCopied) {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(aKeyBuffer));
+ }
env->ReleaseByteArrayElements(aKeyBuffer, keyPtr, JNI_ABORT);
}
diff --git a/android/olm-sdk/src/main/jni/olm_outbound_group_session.cpp b/android/olm-sdk/src/main/jni/olm_outbound_group_session.cpp
index b11c474..a22122a 100644
--- a/android/olm-sdk/src/main/jni/olm_outbound_group_session.cpp
+++ b/android/olm-sdk/src/main/jni/olm_outbound_group_session.cpp
@@ -387,6 +387,7 @@ JNIEXPORT jbyteArray OLM_OUTBOUND_GROUP_SESSION_FUNC_DEF(serializeJni)(JNIEnv *e
jbyteArray returnValue = 0;
jbyte* keyPtr = NULL;
+ jboolean keyWasCopied = JNI_FALSE;
OlmOutboundGroupSession* sessionPtr = NULL;
LOGD("## outbound group session serializeJni(): IN");
@@ -401,7 +402,7 @@ JNIEXPORT jbyteArray OLM_OUTBOUND_GROUP_SESSION_FUNC_DEF(serializeJni)(JNIEnv *e
LOGE(" ## serializeJni(): failure - invalid key");
errorMessage = "invalid key";
}
- else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, 0)))
+ else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, &keyWasCopied)))
{
LOGE(" ## serializeJni(): failure - keyPtr JNI allocation OOM");
errorMessage = "keyPtr JNI allocation OOM";
@@ -446,6 +447,9 @@ JNIEXPORT jbyteArray OLM_OUTBOUND_GROUP_SESSION_FUNC_DEF(serializeJni)(JNIEnv *e
// free alloc
if (keyPtr)
{
+ if (keyWasCopied) {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(aKeyBuffer));
+ }
env->ReleaseByteArrayElements(aKeyBuffer, keyPtr, JNI_ABORT);
}
@@ -471,6 +475,7 @@ JNIEXPORT jlong OLM_OUTBOUND_GROUP_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env,
OlmOutboundGroupSession* sessionPtr = NULL;
jbyte* keyPtr = NULL;
+ jboolean keyWasCopied = JNI_FALSE;
jbyte* pickledPtr = NULL;
LOGD("## deserializeJni(): IN");
@@ -495,7 +500,7 @@ JNIEXPORT jlong OLM_OUTBOUND_GROUP_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env,
LOGE(" ## deserializeJni(): failure - serialized data");
errorMessage = "invalid serialized data";
}
- else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, 0)))
+ else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, &keyWasCopied)))
{
LOGE(" ## deserializeJni(): failure - keyPtr JNI allocation OOM");
errorMessage = "keyPtr JNI allocation OOM";
@@ -532,6 +537,9 @@ JNIEXPORT jlong OLM_OUTBOUND_GROUP_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env,
// free alloc
if (keyPtr)
{
+ if (keyWasCopied) {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(aKeyBuffer));
+ }
env->ReleaseByteArrayElements(aKeyBuffer, keyPtr, JNI_ABORT);
}
diff --git a/android/olm-sdk/src/main/jni/olm_pk.cpp b/android/olm-sdk/src/main/jni/olm_pk.cpp
index 12528de..eff57a5 100644
--- a/android/olm-sdk/src/main/jni/olm_pk.cpp
+++ b/android/olm-sdk/src/main/jni/olm_pk.cpp
@@ -364,9 +364,82 @@ JNIEXPORT void OLM_PK_DECRYPTION_FUNC_DEF(releasePkDecryptionJni)(JNIEnv *env, j
}
}
+JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(setPrivateKeyJni)(JNIEnv *env, jobject thiz, jbyteArray key)
+{
+ jbyteArray publicKeyRet = 0;
+ jbyte *keyPtr = NULL;
+ jboolean keyWasCopied = JNI_FALSE;
+
+ const char* errorMessage = NULL;
+
+ OlmPkDecryption* decryptionPtr = getPkDecryptionInstanceId(env, thiz);
+
+ if (!decryptionPtr)
+ {
+ LOGE(" ## pkSetPrivateKeyJni(): failure - invalid Decryption ptr=NULL");
+ }
+ else if (!key)
+ {
+ LOGE(" ## pkSetPrivateKeyJni(): failure - invalid key");
+ errorMessage = "invalid key";
+ }
+ else if (!(keyPtr = env->GetByteArrayElements(key, &keyWasCopied)))
+ {
+ LOGE(" ## pkSetPrivateKeyJni(): failure - key JNI allocation OOM");
+ errorMessage = "key JNI allocation OOM";
+ }
+ else
+ {
+ size_t publicKeyLength = olm_pk_key_length();
+ uint8_t *publicKeyPtr = NULL;
+ size_t keyLength = (size_t)env->GetArrayLength(key);
+ if (!(publicKeyPtr = (uint8_t*)malloc(publicKeyLength)))
+ {
+ LOGE("## pkSetPrivateKeyJni(): failure - public key JNI allocation OOM");
+ errorMessage = "public key JNI allocation OOM";
+ }
+ else
+ {
+ size_t returnValue = olm_pk_key_from_private(
+ decryptionPtr,
+ publicKeyPtr, publicKeyLength,
+ keyPtr, keyLength
+ );
+ if (returnValue == olm_error())
+ {
+ errorMessage = olm_pk_decryption_last_error(decryptionPtr);
+ LOGE(" ## pkSetPrivateKeyJni(): failure - olm_pk_key_from_private Msg=%s", errorMessage);
+ }
+ else
+ {
+ publicKeyRet = env->NewByteArray(publicKeyLength);
+ env->SetByteArrayRegion(
+ publicKeyRet, 0, publicKeyLength, (jbyte*)publicKeyPtr
+ );
+ }
+ }
+ }
+
+ if (keyPtr)
+ {
+ if (keyWasCopied)
+ {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(key));
+ }
+ env->ReleaseByteArrayElements(key, keyPtr, JNI_ABORT);
+ }
+
+ if (errorMessage)
+ {
+ env->ThrowNew(env->FindClass("java/lang/Exception"), errorMessage);
+ }
+
+ return publicKeyRet;
+}
+
JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(generateKeyJni)(JNIEnv *env, jobject thiz)
{
- size_t randomLength = olm_pk_generate_key_random_length();
+ size_t randomLength = olm_pk_private_key_length();
uint8_t *randomBuffPtr = NULL;
jbyteArray publicKeyRet = 0;
@@ -393,7 +466,7 @@ JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(generateKeyJni)(JNIEnv *env, job
}
else
{
- if (olm_pk_generate_key(decryptionPtr, publicKeyPtr, publicKeyLength, randomBuffPtr, randomLength) == olm_error())
+ if (olm_pk_key_from_private(decryptionPtr, publicKeyPtr, publicKeyLength, randomBuffPtr, randomLength) == olm_error())
{
errorMessage = olm_pk_decryption_last_error(decryptionPtr);
LOGE("## pkGenerateKeyJni(): failure - olm_pk_generate_key Msg=%s", errorMessage);
@@ -414,16 +487,61 @@ JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(generateKeyJni)(JNIEnv *env, job
if (errorMessage)
{
- // release the allocated data
- if (decryptionPtr)
+ env->ThrowNew(env->FindClass("java/lang/Exception"), errorMessage);
+ }
+
+ return publicKeyRet;
+}
+
+JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(privateKeyJni)(JNIEnv *env, jobject thiz)
+{
+ jbyteArray privateKeyRet = 0;
+
+ const char* errorMessage = NULL;
+
+ OlmPkDecryption* decryptionPtr = getPkDecryptionInstanceId(env, thiz);
+
+ if (!decryptionPtr)
+ {
+ LOGE(" ## pkPrivateKeyJni(): failure - invalid Decryption ptr=NULL");
+ }
+ else
+ {
+ size_t privateKeyLength = olm_pk_private_key_length();
+ uint8_t *privateKeyPtr = NULL;
+ if (!(privateKeyPtr = (uint8_t*)malloc(privateKeyLength)))
{
- olm_clear_pk_decryption(decryptionPtr);
- free(decryptionPtr);
+ LOGE("## pkPrivateKeyJni(): failure - private key JNI allocation OOM");
+ errorMessage = "private key JNI allocation OOM";
+ }
+ else
+ {
+ size_t returnValue = olm_pk_get_private_key(
+ decryptionPtr,
+ privateKeyPtr, privateKeyLength
+ );
+ if (returnValue == olm_error())
+ {
+ errorMessage = olm_pk_decryption_last_error(decryptionPtr);
+ LOGE(" ## pkPrivateKeyJni(): failure - olm_pk_get_private_key Msg=%s", errorMessage);
+ }
+ else
+ {
+ privateKeyRet = env->NewByteArray(privateKeyLength);
+ env->SetByteArrayRegion(
+ privateKeyRet, 0, privateKeyLength, (jbyte*)privateKeyPtr
+ );
+ memset(privateKeyPtr, 0, privateKeyLength);
+ }
}
+ }
+
+ if (errorMessage)
+ {
env->ThrowNew(env->FindClass("java/lang/Exception"), errorMessage);
}
- return publicKeyRet;
+ return privateKeyRet;
}
JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(decryptJni)(
diff --git a/android/olm-sdk/src/main/jni/olm_pk.h b/android/olm-sdk/src/main/jni/olm_pk.h
index 984c5f8..5f45462 100644
--- a/android/olm-sdk/src/main/jni/olm_pk.h
+++ b/android/olm-sdk/src/main/jni/olm_pk.h
@@ -35,7 +35,9 @@ JNIEXPORT jbyteArray OLM_PK_ENCRYPTION_FUNC_DEF(encryptJni)(JNIEnv *env, jobject
JNIEXPORT jlong OLM_PK_DECRYPTION_FUNC_DEF(createNewPkDecryptionJni)(JNIEnv *env, jobject thiz);
JNIEXPORT void OLM_PK_DECRYPTION_FUNC_DEF(releasePkDecryptionJni)(JNIEnv *env, jobject thiz);
+JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(setPrivateKeyJni)(JNIEnv *env, jobject thiz, jbyteArray key);
JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(generateKeyJni)(JNIEnv *env, jobject thiz);
+JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(privateKeyJni)(JNIEnv *env, jobject thiz);
JNIEXPORT jbyteArray OLM_PK_DECRYPTION_FUNC_DEF(decryptJni)(JNIEnv *env, jobject thiz, jobject aEncryptedMsg);
#ifdef __cplusplus
diff --git a/android/olm-sdk/src/main/jni/olm_session.cpp b/android/olm-sdk/src/main/jni/olm_session.cpp
index b9db286..15ad4fe 100644
--- a/android/olm-sdk/src/main/jni/olm_session.cpp
+++ b/android/olm-sdk/src/main/jni/olm_session.cpp
@@ -810,6 +810,7 @@ JNIEXPORT jbyteArray OLM_SESSION_FUNC_DEF(serializeJni)(JNIEnv *env, jobject thi
jbyteArray returnValue = 0;
jbyte* keyPtr = NULL;
+ jboolean keyWasCopied = JNI_FALSE;
OlmSession* sessionPtr = getSessionInstanceId(env, thiz);
LOGD("## serializeJni(): IN");
@@ -824,7 +825,7 @@ JNIEXPORT jbyteArray OLM_SESSION_FUNC_DEF(serializeJni)(JNIEnv *env, jobject thi
LOGE(" ## serializeJni(): failure - invalid key");
errorMessage = "invalid key";
}
- else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, 0)))
+ else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, &keyWasCopied)))
{
LOGE(" ## serializeJni(): failure - keyPtr JNI allocation OOM");
errorMessage = "ikeyPtr JNI allocation OOM";
@@ -869,6 +870,9 @@ JNIEXPORT jbyteArray OLM_SESSION_FUNC_DEF(serializeJni)(JNIEnv *env, jobject thi
// free alloc
if (keyPtr)
{
+ if (keyWasCopied) {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(aKeyBuffer));
+ }
env->ReleaseByteArrayElements(aKeyBuffer, keyPtr, JNI_ABORT);
}
@@ -892,6 +896,7 @@ JNIEXPORT jlong OLM_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env, jobject thiz,
const char* errorMessage = NULL;
OlmSession* sessionPtr = initializeSessionMemory();
jbyte* keyPtr = NULL;
+ jboolean keyWasCopied = JNI_FALSE;
jbyte* pickledPtr = NULL;
LOGD("## deserializeJni(): IN");
@@ -911,7 +916,7 @@ JNIEXPORT jlong OLM_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env, jobject thiz,
LOGE(" ## deserializeJni(): failure - serialized data");
errorMessage = "serialized data";
}
- else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, 0)))
+ else if (!(keyPtr = env->GetByteArrayElements(aKeyBuffer, &keyWasCopied)))
{
LOGE(" ## deserializeJni(): failure - keyPtr JNI allocation OOM");
errorMessage = "keyPtr JNI allocation OOM";
@@ -947,6 +952,9 @@ JNIEXPORT jlong OLM_SESSION_FUNC_DEF(deserializeJni)(JNIEnv *env, jobject thiz,
// free alloc
if (keyPtr)
{
+ if (keyWasCopied) {
+ memset(keyPtr, 0, (size_t)env->GetArrayLength(aKeyBuffer));
+ }
env->ReleaseByteArrayElements(aKeyBuffer, keyPtr, JNI_ABORT);
}
diff --git a/android/olm-sdk/src/main/jni/olm_utility.cpp b/android/olm-sdk/src/main/jni/olm_utility.cpp
index f6fe719..da27eda 100644
--- a/android/olm-sdk/src/main/jni/olm_utility.cpp
+++ b/android/olm-sdk/src/main/jni/olm_utility.cpp
@@ -90,6 +90,7 @@ JNIEXPORT jstring OLM_UTILITY_FUNC_DEF(verifyEd25519SignatureJni)(JNIEnv *env, j
jbyte* signaturePtr = NULL;
jbyte* keyPtr = NULL;
jbyte* messagePtr = NULL;
+ jboolean messageWasCopied = JNI_FALSE;
LOGD("## verifyEd25519SignatureJni(): IN");
@@ -109,7 +110,7 @@ JNIEXPORT jstring OLM_UTILITY_FUNC_DEF(verifyEd25519SignatureJni)(JNIEnv *env, j
{
LOGE(" ## verifyEd25519SignatureJni(): failure - key JNI allocation OOM");
}
- else if (!(messagePtr = env->GetByteArrayElements(aMessageBuffer, 0)))
+ else if (!(messagePtr = env->GetByteArrayElements(aMessageBuffer, &messageWasCopied)))
{
LOGE(" ## verifyEd25519SignatureJni(): failure - message JNI allocation OOM");
}
@@ -152,6 +153,9 @@ JNIEXPORT jstring OLM_UTILITY_FUNC_DEF(verifyEd25519SignatureJni)(JNIEnv *env, j
if (messagePtr)
{
+ if (messageWasCopied) {
+ memset(messagePtr, 0, (size_t)env->GetArrayLength(aMessageBuffer));
+ }
env->ReleaseByteArrayElements(aMessageBuffer, messagePtr, JNI_ABORT);
}
@@ -171,6 +175,7 @@ JNIEXPORT jbyteArray OLM_UTILITY_FUNC_DEF(sha256Jni)(JNIEnv *env, jobject thiz,
OlmUtility* utilityPtr = getUtilityInstanceId(env, thiz);
jbyte* messagePtr = NULL;
+ jboolean messageWasCopied = JNI_FALSE;
LOGD("## sha256Jni(): IN");
@@ -182,7 +187,7 @@ JNIEXPORT jbyteArray OLM_UTILITY_FUNC_DEF(sha256Jni)(JNIEnv *env, jobject thiz,
{
LOGE(" ## sha256Jni(): failure - invalid message parameters ");
}
- else if(!(messagePtr = env->GetByteArrayElements(aMessageToHashBuffer, 0)))
+ else if(!(messagePtr = env->GetByteArrayElements(aMessageToHashBuffer, &messageWasCopied)))
{
LOGE(" ## sha256Jni(): failure - message JNI allocation OOM");
}
@@ -221,8 +226,11 @@ JNIEXPORT jbyteArray OLM_UTILITY_FUNC_DEF(sha256Jni)(JNIEnv *env, jobject thiz,
if (messagePtr)
{
+ if (messageWasCopied) {
+ memset(messagePtr, 0, (size_t)env->GetArrayLength(aMessageToHashBuffer));
+ }
env->ReleaseByteArrayElements(aMessageToHashBuffer, messagePtr, JNI_ABORT);
}
return sha256Ret;
-} \ No newline at end of file
+}
diff --git a/fuzzers/README.rst b/fuzzers/README.rst
index d052303..b6f5f9c 100644
--- a/fuzzers/README.rst
+++ b/fuzzers/README.rst
@@ -19,8 +19,7 @@ Usage notes:
make fuzzers
3. Some of the tests (eg ``fuzz_decrypt`` and ``fuzz_group_decrypt``) require a
- session file. You can use the ones generated by the python test script
- (``python/test.sh``).
+ session file. You can create one by pickling an Olm session.
4. Make some work directories:
diff --git a/include/olm/olm.h b/include/olm/olm.h
index 793aa30..0722d79 100644
--- a/include/olm/olm.h
+++ b/include/olm/olm.h
@@ -320,13 +320,13 @@ int olm_session_has_received_message(
/** Checks if the PRE_KEY message is for this in-bound session. This can happen
* if multiple messages are sent to this account before this account sends a
- * message in reply. Returns 1 if the session matches. Returns 0 if the session
- * does not match. Returns olm_error() on failure. If the base64
- * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
- * If the message was for an unsupported protocol version then
- * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
- * couldn't be decoded then then olm_session_last_error() will be
- * "BAD_MESSAGE_FORMAT". */
+ * message in reply. The one_time_key_message buffer is destroyed. Returns 1 if
+ * the session matches. Returns 0 if the session does not match. Returns
+ * olm_error() on failure. If the base64 couldn't be decoded then
+ * olm_session_last_error will be "INVALID_BASE64". If the message was for an
+ * unsupported protocol version then olm_session_last_error() will be
+ * "BAD_MESSAGE_VERSION". If the message couldn't be decoded then then
+ * olm_session_last_error() will be "BAD_MESSAGE_FORMAT". */
size_t olm_matches_inbound_session(
OlmSession * session,
void * one_time_key_message, size_t message_length
@@ -334,13 +334,13 @@ size_t olm_matches_inbound_session(
/** Checks if the PRE_KEY message is for this in-bound session. This can happen
* if multiple messages are sent to this account before this account sends a
- * message in reply. Returns 1 if the session matches. Returns 0 if the session
- * does not match. Returns olm_error() on failure. If the base64
- * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
- * If the message was for an unsupported protocol version then
- * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
- * couldn't be decoded then then olm_session_last_error() will be
- * "BAD_MESSAGE_FORMAT". */
+ * message in reply. The one_time_key_message buffer is destroyed. Returns 1 if
+ * the session matches. Returns 0 if the session does not match. Returns
+ * olm_error() on failure. If the base64 couldn't be decoded then
+ * olm_session_last_error will be "INVALID_BASE64". If the message was for an
+ * unsupported protocol version then olm_session_last_error() will be
+ * "BAD_MESSAGE_VERSION". If the message couldn't be decoded then then
+ * olm_session_last_error() will be "BAD_MESSAGE_FORMAT". */
size_t olm_matches_inbound_session_from(
OlmSession * session,
void const * their_identity_key, size_t their_identity_key_length,
diff --git a/include/olm/pk.h b/include/olm/pk.h
index 4278fca..c46baa0 100644
--- a/include/olm/pk.h
+++ b/include/olm/pk.h
@@ -114,7 +114,7 @@ size_t olm_clear_pk_decryption(
/** Get the number of bytes required to store an olm private key
*/
-size_t olm_pk_private_key_length();
+size_t olm_pk_private_key_length(void);
/** DEPRECATED: Use olm_pk_private_key_length()
*/
diff --git a/javascript/.gitignore b/javascript/.gitignore
index 3437f73..1533e1b 100644
--- a/javascript/.gitignore
+++ b/javascript/.gitignore
@@ -2,5 +2,6 @@
/node_modules
/npm-debug.log
/olm.js
+/olm_legacy.js
/olm.wasm
/reports
diff --git a/javascript/olm_inbound_group_session.js b/javascript/olm_inbound_group_session.js
index 7d9e401..dd8e493 100644
--- a/javascript/olm_inbound_group_session.js
+++ b/javascript/olm_inbound_group_session.js
@@ -29,9 +29,17 @@ InboundGroupSession.prototype['pickle'] = restore_stack(function(key) {
)(this.ptr);
var key_buffer = stack(key_array);
var pickle_buffer = stack(pickle_length + NULL_BYTE_PADDING_LENGTH);
- inbound_group_session_method(Module['_olm_pickle_inbound_group_session'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
- );
+ try {
+ inbound_group_session_method(Module['_olm_pickle_inbound_group_session'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
return Pointer_stringify(pickle_buffer);
});
@@ -40,28 +48,52 @@ InboundGroupSession.prototype['unpickle'] = restore_stack(function(key, pickle)
var key_buffer = stack(key_array);
var pickle_array = array_from_string(pickle);
var pickle_buffer = stack(pickle_array);
- inbound_group_session_method(Module['_olm_unpickle_inbound_group_session'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer,
- pickle_array.length
- );
+ try {
+ inbound_group_session_method(Module['_olm_unpickle_inbound_group_session'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer,
+ pickle_array.length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
});
InboundGroupSession.prototype['create'] = restore_stack(function(session_key) {
var key_array = array_from_string(session_key);
var key_buffer = stack(key_array);
- inbound_group_session_method(Module['_olm_init_inbound_group_session'])(
- this.ptr, key_buffer, key_array.length
- );
+ try {
+ inbound_group_session_method(Module['_olm_init_inbound_group_session'])(
+ this.ptr, key_buffer, key_array.length
+ );
+ } finally {
+ // clear out copies of the key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
});
InboundGroupSession.prototype['import_session'] = restore_stack(function(session_key) {
var key_array = array_from_string(session_key);
var key_buffer = stack(key_array);
- inbound_group_session_method(Module['_olm_import_inbound_group_session'])(
- this.ptr, key_buffer, key_array.length
- );
+ try {
+ inbound_group_session_method(Module['_olm_import_inbound_group_session'])(
+ this.ptr, key_buffer, key_array.length
+ );
+ } finally {
+ // clear out copies of the key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
});
InboundGroupSession.prototype['decrypt'] = restore_stack(function(
@@ -140,7 +172,9 @@ InboundGroupSession.prototype['export_session'] = restore_stack(function(message
outbound_group_session_method(Module['_olm_export_inbound_group_session'])(
this.ptr, key, key_length, message_index
);
- return Pointer_stringify(key);
+ var key_str = Pointer_stringify(key);
+ bzero(key, key_length); // clear out a copy of the key
+ return key_str;
});
olm_exports['InboundGroupSession'] = InboundGroupSession;
diff --git a/javascript/olm_outbound_group_session.js b/javascript/olm_outbound_group_session.js
index e232883..f1ccd3d 100644
--- a/javascript/olm_outbound_group_session.js
+++ b/javascript/olm_outbound_group_session.js
@@ -29,9 +29,17 @@ OutboundGroupSession.prototype['pickle'] = restore_stack(function(key) {
)(this.ptr);
var key_buffer = stack(key_array);
var pickle_buffer = stack(pickle_length + NULL_BYTE_PADDING_LENGTH);
- outbound_group_session_method(Module['_olm_pickle_outbound_group_session'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
- );
+ try {
+ outbound_group_session_method(Module['_olm_pickle_outbound_group_session'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
return Pointer_stringify(pickle_buffer);
});
@@ -40,10 +48,18 @@ OutboundGroupSession.prototype['unpickle'] = restore_stack(function(key, pickle)
var key_buffer = stack(key_array);
var pickle_array = array_from_string(pickle);
var pickle_buffer = stack(pickle_array);
- outbound_group_session_method(Module['_olm_unpickle_outbound_group_session'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer,
- pickle_array.length
- );
+ try {
+ outbound_group_session_method(Module['_olm_unpickle_outbound_group_session'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer,
+ pickle_array.length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
});
OutboundGroupSession.prototype['create'] = restore_stack(function() {
@@ -116,7 +132,9 @@ OutboundGroupSession.prototype['session_key'] = restore_stack(function() {
outbound_group_session_method(Module['_olm_outbound_group_session_key'])(
this.ptr, key, key_length
);
- return Pointer_stringify(key);
+ var key_str = Pointer_stringify(key);
+ bzero(key, key_length); // clear out our copy of the key
+ return key_str;
});
OutboundGroupSession.prototype['message_index'] = function() {
diff --git a/javascript/olm_pk.js b/javascript/olm_pk.js
index 4f730dd..81dbad4 100644
--- a/javascript/olm_pk.js
+++ b/javascript/olm_pk.js
@@ -33,15 +33,15 @@ PkEncryption.prototype['set_recipient_key'] = restore_stack(function(key) {
PkEncryption.prototype['encrypt'] = restore_stack(function(
plaintext
) {
- var plaintext_buffer, ciphertext_buffer, plaintext_length;
+ var plaintext_buffer, ciphertext_buffer, plaintext_length, random, random_length;
try {
plaintext_length = lengthBytesUTF8(plaintext)
plaintext_buffer = malloc(plaintext_length + 1);
stringToUTF8(plaintext, plaintext_buffer, plaintext_length + 1);
- var random_length = pk_encryption_method(
+ random_length = pk_encryption_method(
Module['_olm_pk_encrypt_random_length']
)();
- var random = random_stack(random_length);
+ random = random_stack(random_length);
var ciphertext_length = pk_encryption_method(
Module['_olm_pk_ciphertext_length']
)(this.ptr, plaintext_length);
@@ -82,6 +82,10 @@ PkEncryption.prototype['encrypt'] = restore_stack(function(
"ephemeral": Pointer_stringify(ephemeral_buffer)
};
} finally {
+ if (random !== undefined) {
+ // clear out the random buffer, since it is key data
+ bzero(random, random_length);
+ }
if (plaintext_buffer !== undefined) {
// don't leave a copy of the plaintext in the heap.
bzero(plaintext_buffer, plaintext_length + 1);
@@ -126,11 +130,16 @@ PkDecryption.prototype['init_with_private_key'] = restore_stack(function (privat
Module['_olm_pk_key_length']
)();
var pubkey_buffer = stack(pubkey_length + NULL_BYTE_PADDING_LENGTH);
- pk_decryption_method(Module['_olm_pk_key_from_private'])(
- this.ptr,
- pubkey_buffer, pubkey_length,
- private_key_buffer, private_key.length
- );
+ try {
+ pk_decryption_method(Module['_olm_pk_key_from_private'])(
+ this.ptr,
+ pubkey_buffer, pubkey_length,
+ private_key_buffer, private_key.length
+ );
+ } finally {
+ // clear out our copy of the private key
+ bzero(private_key_buffer, private_key.length);
+ }
return Pointer_stringify(pubkey_buffer);
});
@@ -143,11 +152,16 @@ PkDecryption.prototype['generate_key'] = restore_stack(function () {
Module['_olm_pk_key_length']
)();
var pubkey_buffer = stack(pubkey_length + NULL_BYTE_PADDING_LENGTH);
- pk_decryption_method(Module['_olm_pk_key_from_private'])(
- this.ptr,
- pubkey_buffer, pubkey_length,
- random_buffer, random_length
- );
+ try {
+ pk_decryption_method(Module['_olm_pk_key_from_private'])(
+ this.ptr,
+ pubkey_buffer, pubkey_length,
+ random_buffer, random_length
+ );
+ } finally {
+ // clear out the random buffer (= private key)
+ bzero(random_buffer, random_length);
+ }
return Pointer_stringify(pubkey_buffer);
});
@@ -160,7 +174,14 @@ PkDecryption.prototype['get_private_key'] = restore_stack(function () {
this.ptr,
privkey_buffer, privkey_length
);
- return new Uint8Array(Module['HEAPU8'].buffer, privkey_buffer, privkey_length);
+ // The inner Uint8Array creates a view of the buffer. The outer Uint8Array
+ // copies it to a new array to return, since the original buffer will get
+ // deallocated from the stack and could get overwritten.
+ var key_arr = new Uint8Array(
+ new Uint8Array(Module['HEAPU8'].buffer, privkey_buffer, privkey_length)
+ );
+ bzero(privkey_buffer, privkey_length); // clear out our copy of the key
+ return key_arr;
});
PkDecryption.prototype['pickle'] = restore_stack(function (key) {
@@ -170,9 +191,17 @@ PkDecryption.prototype['pickle'] = restore_stack(function (key) {
)(this.ptr);
var key_buffer = stack(key_array);
var pickle_buffer = stack(pickle_length + NULL_BYTE_PADDING_LENGTH);
- pk_decryption_method(Module['_olm_pickle_pk_decryption'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
- );
+ try {
+ pk_decryption_method(Module['_olm_pickle_pk_decryption'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
return Pointer_stringify(pickle_buffer);
});
@@ -185,10 +214,18 @@ PkDecryption.prototype['unpickle'] = restore_stack(function (key, pickle) {
Module["_olm_pk_key_length"]
)();
var ephemeral_buffer = stack(ephemeral_length + NULL_BYTE_PADDING_LENGTH);
- pk_decryption_method(Module['_olm_unpickle_pk_decryption'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer,
- pickle_array.length, ephemeral_buffer, ephemeral_length
- );
+ try {
+ pk_decryption_method(Module['_olm_unpickle_pk_decryption'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer,
+ pickle_array.length, ephemeral_buffer, ephemeral_length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
return Pointer_stringify(ephemeral_buffer);
});
diff --git a/javascript/olm_post.js b/javascript/olm_post.js
index 21ea890..8c06fff 100644
--- a/javascript/olm_post.js
+++ b/javascript/olm_post.js
@@ -91,11 +91,19 @@ Account.prototype['sign'] = restore_stack(function(message) {
var message_array = array_from_string(message);
var message_buffer = stack(message_array);
var signature_buffer = stack(signature_length + NULL_BYTE_PADDING_LENGTH);
- account_method(Module['_olm_account_sign'])(
- this.ptr,
- message_buffer, message_array.length,
- signature_buffer, signature_length
- );
+ try {
+ account_method(Module['_olm_account_sign'])(
+ this.ptr,
+ message_buffer, message_array.length,
+ signature_buffer, signature_length
+ );
+ } finally {
+ // clear out copies of the message, which may be plaintext
+ bzero(message_buffer, message_array.length);
+ for (var i = 0; i < message_array.length; i++) {
+ message_array[i] = 0;
+ }
+ }
return Pointer_stringify(signature_buffer);
});
@@ -145,9 +153,17 @@ Account.prototype['pickle'] = restore_stack(function(key) {
)(this.ptr);
var key_buffer = stack(key_array);
var pickle_buffer = stack(pickle_length + NULL_BYTE_PADDING_LENGTH);
- account_method(Module['_olm_pickle_account'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
- );
+ try {
+ account_method(Module['_olm_pickle_account'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
return Pointer_stringify(pickle_buffer);
});
@@ -156,10 +172,18 @@ Account.prototype['unpickle'] = restore_stack(function(key, pickle) {
var key_buffer = stack(key_array);
var pickle_array = array_from_string(pickle);
var pickle_buffer = stack(pickle_array);
- account_method(Module['_olm_unpickle_account'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer,
- pickle_array.length
- );
+ try {
+ account_method(Module['_olm_unpickle_account'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer,
+ pickle_array.length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
});
function Session() {
@@ -193,9 +217,17 @@ Session.prototype['pickle'] = restore_stack(function(key) {
)(this.ptr);
var key_buffer = stack(key_array);
var pickle_buffer = stack(pickle_length + NULL_BYTE_PADDING_LENGTH);
- session_method(Module['_olm_pickle_session'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
- );
+ try {
+ session_method(Module['_olm_pickle_session'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer, pickle_length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
return Pointer_stringify(pickle_buffer);
});
@@ -204,10 +236,18 @@ Session.prototype['unpickle'] = restore_stack(function(key, pickle) {
var key_buffer = stack(key_array);
var pickle_array = array_from_string(pickle);
var pickle_buffer = stack(pickle_array);
- session_method(Module['_olm_unpickle_session'])(
- this.ptr, key_buffer, key_array.length, pickle_buffer,
- pickle_array.length
- );
+ try {
+ session_method(Module['_olm_unpickle_session'])(
+ this.ptr, key_buffer, key_array.length, pickle_buffer,
+ pickle_array.length
+ );
+ } finally {
+ // clear out copies of the pickle key
+ bzero(key_buffer, key_array.length)
+ for (var i = 0; i < key_array.length; i++) {
+ key_array[i] = 0;
+ }
+ }
});
Session.prototype['create_outbound'] = restore_stack(function(
@@ -221,12 +261,17 @@ Session.prototype['create_outbound'] = restore_stack(function(
var one_time_key_array = array_from_string(their_one_time_key);
var identity_key_buffer = stack(identity_key_array);
var one_time_key_buffer = stack(one_time_key_array);
- session_method(Module['_olm_create_outbound_session'])(
- this.ptr, account.ptr,
- identity_key_buffer, identity_key_array.length,
- one_time_key_buffer, one_time_key_array.length,
- random, random_length
- );
+ try {
+ session_method(Module['_olm_create_outbound_session'])(
+ this.ptr, account.ptr,
+ identity_key_buffer, identity_key_array.length,
+ one_time_key_buffer, one_time_key_array.length,
+ random, random_length
+ );
+ } finally {
+ // clear the random buffer, which is key data
+ bzero(random, random_length);
+ }
});
Session.prototype['create_inbound'] = restore_stack(function(
@@ -234,9 +279,17 @@ Session.prototype['create_inbound'] = restore_stack(function(
) {
var message_array = array_from_string(one_time_key_message);
var message_buffer = stack(message_array);
- session_method(Module['_olm_create_inbound_session'])(
- this.ptr, account.ptr, message_buffer, message_array.length
- );
+ try {
+ session_method(Module['_olm_create_inbound_session'])(
+ this.ptr, account.ptr, message_buffer, message_array.length
+ );
+ } finally {
+ // clear out copies of the key
+ bzero(message_buffer, message_array.length);
+ for (var i = 0; i < message_array.length; i++) {
+ message_array[i] = 0;
+ }
+ }
});
Session.prototype['create_inbound_from'] = restore_stack(function(
@@ -246,11 +299,19 @@ Session.prototype['create_inbound_from'] = restore_stack(function(
var identity_key_buffer = stack(identity_key_array);
var message_array = array_from_string(one_time_key_message);
var message_buffer = stack(message_array);
- session_method(Module['_olm_create_inbound_session_from'])(
- this.ptr, account.ptr,
- identity_key_buffer, identity_key_array.length,
- message_buffer, message_array.length
- );
+ try {
+ session_method(Module['_olm_create_inbound_session_from'])(
+ this.ptr, account.ptr,
+ identity_key_buffer, identity_key_array.length,
+ message_buffer, message_array.length
+ );
+ } finally {
+ // clear out copies of the key
+ bzero(message_buffer, message_array.length);
+ for (var i = 0; i < message_array.length; i++) {
+ message_array[i] = 0;
+ }
+ }
});
Session.prototype['session_id'] = restore_stack(function() {
@@ -296,9 +357,9 @@ Session.prototype['matches_inbound_from'] = restore_stack(function(
Session.prototype['encrypt'] = restore_stack(function(
plaintext
) {
- var plaintext_buffer, message_buffer, plaintext_length;
+ var plaintext_buffer, message_buffer, plaintext_length, random, random_length;
try {
- var random_length = session_method(
+ random_length = session_method(
Module['_olm_encrypt_random_length']
)(this.ptr);
var message_type = session_method(
@@ -310,7 +371,7 @@ Session.prototype['encrypt'] = restore_stack(function(
Module['_olm_encrypt_message_length']
)(this.ptr, plaintext_length);
- var random = random_stack(random_length);
+ random = random_stack(random_length);
// need to allow space for the terminator (which stringToUTF8 always
// writes), hence + 1.
@@ -338,6 +399,10 @@ Session.prototype['encrypt'] = restore_stack(function(
"body": UTF8ToString(message_buffer),
};
} finally {
+ if (random !== undefined) {
+ // clear out the random buffer, since it is the private key
+ bzero(random, random_length);
+ }
if (plaintext_buffer !== undefined) {
// don't leave a copy of the plaintext in the heap.
bzero(plaintext_buffer, plaintext_length + 1);
@@ -423,11 +488,19 @@ Utility.prototype['sha256'] = restore_stack(function(input) {
var input_array = array_from_string(input);
var input_buffer = stack(input_array);
var output_buffer = stack(output_length + NULL_BYTE_PADDING_LENGTH);
- utility_method(Module['_olm_sha256'])(
- this.ptr,
- input_buffer, input_array.length,
- output_buffer, output_length
- );
+ try {
+ utility_method(Module['_olm_sha256'])(
+ this.ptr,
+ input_buffer, input_array.length,
+ output_buffer, output_length
+ );
+ } finally {
+ // clear out copies of the input buffer, which may be plaintext
+ bzero(input_buffer, input_array.length);
+ for (var i = 0; i < input_array.length; i++) {
+ input_array[i] = 0;
+ }
+ }
return Pointer_stringify(output_buffer);
});
@@ -440,12 +513,20 @@ Utility.prototype['ed25519_verify'] = restore_stack(function(
var message_buffer = stack(message_array);
var signature_array = array_from_string(signature);
var signature_buffer = stack(signature_array);
- utility_method(Module['_olm_ed25519_verify'])(
- this.ptr,
- key_buffer, key_array.length,
- message_buffer, message_array.length,
- signature_buffer, signature_array.length
- );
+ try {
+ utility_method(Module['_olm_ed25519_verify'])(
+ this.ptr,
+ key_buffer, key_array.length,
+ message_buffer, message_array.length,
+ signature_buffer, signature_array.length
+ );
+ } finally {
+ // clear out copies of the input buffer, which may be plaintext
+ bzero(message_buffer, message_array.length);
+ for (var i = 0; i < message_array.length; i++) {
+ message_array[i] = 0;
+ }
+ }
});
olm_exports["Account"] = Account;
diff --git a/jenkins.sh b/jenkins.sh
index d8c66bc..1dc6b58 100755
--- a/jenkins.sh
+++ b/jenkins.sh
@@ -8,14 +8,6 @@ rm -f olm-*.tgz
make lib
make test
-virtualenv env
-. env/bin/activate
-pip install pyyaml
-pip install pep8
-
-./python/test_olm.sh
-pep8 -v python
-
. ~/.emsdk_set_env.sh
make js
(cd javascript && npm install && npm run test)
diff --git a/python/.gdb_history b/python/.gdb_history
deleted file mode 100644
index 747b80f..0000000
--- a/python/.gdb_history
+++ /dev/null
@@ -1,225 +0,0 @@
-b _olm_enc_input
-r
-l
-p key
-p key_lenght
-p key_length
-b _olm_enc_input
-r
-key[12]
-p key[12]
-p key[11]
-key[11]='\0'
-p key[11]='\0'
-p key[11]
-key_length=12
-p key_length=12
-n
-c
-b _olm_enc_input
-r
-r
-r
-b olm_decrypt
-r
-l
-b 677
-c
-s
-fin
-s
-s
-fin
-s
-s
-fin
-s
-l
-n
-l
-l
-s
-s
-n
-l
-n
-l
-p reader
-p *this
-n
-p chain
-p receiver_chains
-p receiver_chains.length()
-p receiver_chains.size()
-p reader
-p reader.ratchet_key
-r
-r
-b olm_account_one_time_keys
-r
-l
-s
-n
-p *this
-p one_time_keys
-p one_time_keys.length
-p one_time_keys.length()
-p one_time_keys.len()
-p one_time_keys.size()
-p one_time_keys.count()
-p one_time_keys.data
-p one_time_keys._data
-p &one_time_keys._data
-l
-n
-q
-r
-b olm_create_inbound_session
-r
-b olm_create_inbound_session_from
-r
-r
-r
-b olm_create_inbound_session_from
-r
-b olm_create_inbound_session
-b olm_create_inbound_session
-r
-l
-n
-l
-s
-b olm_create_inbound_session
-r
-l
-l
-n
-s
-f
-s
-fin
-s
-s
-fin
-s
-l
-n
-l
-l -
-l
-l
-l
-n
-p our_one_time_key
-p *our_one_time_key
-l
-n
-l
-n
-p bob_one_time_key
-p alice_identity_key
-p alice_base_key
-p bob_identity_key
-x alice_identity_key
-x &alice_identity_key
-x /32x &alice_identity_key
-x /32b &alice_identity_key
-l
-l
-l
-n
-b olm_decrypt
-c
-l
-l
-b 'olm::Session::decrypt'
-c
-l
-l
-n
-l
-n
-p reader
-p reader
-5*128
-p 5*128
-p 0xb0 - 0x80
-p 0xb0 - 0x80 + 640
-l
-n
-s
-l
-n
-p reader
-n
-l
-n
-p max_length
-p reader.ciphertext_length
-l
-n
-l
-p receiver_chains
-p &receiver_chains ._data
-p &receiver_chains ._data[1]
-n
-s
-s
-l
-n
-p new_chain.index
-p reader.counter
-n
-l
-l
-n
-s
-s
-n
-l
-x key
-x /16b key
-l
-l
-n
-p keys
-_olm_crypto_aes_decrypt_cbc&keys.aes_key, &keys.aes_iv, ciphertext, ciphertext_length, plaintext
-p _olm_crypto_aes_decrypt_cbc(&keys.aes_key, &keys.aes_iv, ciphertext, ciphertext_length, plaintext)
-p plaintext
-r
-b olm_account_identity_keys
-l
-r
-b olm_unpickle_account
-r
-l
-n
-p object.last_error
-l
-l -
-l
-b 268
-r
-c
-s
-l
-l
-p end-pos
-x /246b pos
-x /246x pos
-x /82x pos+164
-x /82x pos+132
-pos
-p pos
-x /246x pos
-r
-r
-b olm_create_outbound_session
-r
-n
-l
-p id_key_length
-p ot_key_length
-p olm::decode_base64_length(id_key_length)
-p olm::decode_base64_length(ot_key_length)
-p CURVE25519_KEY_LENGTH
diff --git a/python/.gitignore b/python/.gitignore
index a3d197d..1ff9f49 100644
--- a/python/.gitignore
+++ b/python/.gitignore
@@ -1,5 +1,12 @@
+.coverage
+.mypy_cache/
+.ropeproject/
+.pytest_cache/
+packages/
+python_olm.egg-info/
+_libolm*
+__pycache__
*.pyc
-/*.account
-/*.session
-/*.group_session
-/group_message
+.hypothesis/
+.tox/
+include/
diff --git a/python/MANIFEST.in b/python/MANIFEST.in
new file mode 100644
index 0000000..bfddd4f
--- /dev/null
+++ b/python/MANIFEST.in
@@ -0,0 +1,3 @@
+include olm.h
+include Makefile
+include olm_build.py
diff --git a/python/Makefile b/python/Makefile
new file mode 100644
index 0000000..5da703a
--- /dev/null
+++ b/python/Makefile
@@ -0,0 +1,43 @@
+all: olm-python2 olm-python3
+
+include/olm/olm.h: ../include/olm/olm.h ../include/olm/inbound_group_session.h ../include/olm/outbound_group_session.h
+ mkdir -p include/olm
+ $(CPP) -I dummy -I ../include ../include/olm/olm.h -o include/olm/olm.h
+# add memset to the header so that we can use it to clear buffers
+ echo 'void *memset(void *s, int c, size_t n);' >> include/olm/olm.h
+
+olm-python2: include/olm/olm.h
+ DEVELOP=$(DEVELOP) python2 setup.py build
+
+olm-python3: include/olm/olm.h
+ DEVELOP=$(DEVELOP) python3 setup.py build
+
+install: install-python2 install-python3
+
+install-python2: olm-python2
+ python2 setup.py install --skip-build -O1 --root=$(DESTDIR)
+
+install-python3: olm-python3
+ python3 setup.py install --skip-build -O1 --root=$(DESTDIR)
+
+test: olm-python2 olm-python3
+ rm -rf install-temp
+ mkdir -p install-temp/2 install-temp/3
+ PYTHONPATH=install-temp/2 python2 setup.py install --skip-build --install-lib install-temp/2 --install-script install-temp/bin
+ PYTHONPATH=install-temp/3 python3 setup.py install --skip-build --install-lib install-temp/3 --install-script install-temp/bin
+ PYTHONPATH=install-temp/3 python3 -m pytest
+ PYTHONPATH=install-temp/2 python2 -m pytest
+ PYTHONPATH=install-temp/3 python3 -m pytest --flake8 --benchmark-disable
+ PYTHONPATH=install-temp/3 python3 -m pytest --isort --benchmark-disable
+ PYTHONPATH=install-temp/3 python3 -m pytest --cov --cov-branch --benchmark-disable
+ rm -rf install-temp
+
+clean:
+ rm -rf python_olm.egg-info/ dist/ __pycache__/
+ rm -rf *.so _libolm.o
+ rm -rf packages/
+ rm -rf build/
+ rm -rf install-temp/
+ rm -rf include/
+
+.PHONY: all olm-python2 olm-python3 install install-python2 install-python3 clean test
diff --git a/python/README.md b/python/README.md
new file mode 100644
index 0000000..b928185
--- /dev/null
+++ b/python/README.md
@@ -0,0 +1,161 @@
+python-olm
+==========
+
+Python bindings for Olm.
+
+The specification of the Olm cryptographic ratchet which is used for peer to
+peer sessions of this library can be found [here][4].
+
+The specification of the Megolm cryptographic ratchet which is used for group
+sessions of this library can be found [here][5].
+
+An example of the implementation of the Olm and Megolm cryptographic protocol
+can be found in the Matrix protocol for which the implementation guide can be
+found [here][6].
+
+The full API reference can be found [here][7].
+
+# Accounts
+
+Accounts create and hold the central identity of the Olm protocol, they consist of a fingerprint and identity
+key pair. They also produce one time keys that are used to start peer to peer
+encrypted communication channels.
+
+## Account Creation
+
+A new account is created with the Account class, it creates a new Olm key pair.
+The public parts of the key pair are available using the identity_keys property
+of the class.
+
+```python
+>>> alice = Account()
+>>> alice.identity_keys
+{'curve25519': '2PytGagXercwHjzQETLcMa3JOsaU2qkPIESaqoi59zE',
+ 'ed25519': 'HHpOuFYdHwoa54GxSttz9YmaTmbuVU3js92UTUjYJgM'}
+```
+
+
+## One Time keys
+
+One time keys need to be generated before people can start an encrypted peer to
+peer channel to an account.
+
+```python
+>>> alice.generate_one_time_keys(1)
+>>> alice.one_time_keys
+{'curve25519': {'AAAAAQ': 'KiHoW6CIy905UC4V1Frmwr3VW8bTWkBL4uWtWFFllxM'}}
+```
+
+After the one time keys are published they should be marked as such so they
+aren't reused.
+
+```python
+>>> alice.mark_keys_as_published()
+>>> alice.one_time_keys
+{'curve25519': {}}
+```
+
+## Pickling
+
+Accounts should be stored for later reuse, storing an account is done with the
+pickle method while the restoring step is done with the from_pickle class
+method.
+
+```python
+>>> pickle = alice.pickle()
+>>> restored = Account.from_pickle(pickle)
+```
+
+# Sessions
+
+Sessions are used to create an encrypted peer to peer communication channel
+between two accounts.
+
+## Session Creation
+```python
+>>> alice = Account()
+>>> bob = Account()
+>>> bob.generate_one_time_keys(1)
+>>> id_key = bob.identity_keys["curve25519"]
+>>> one_time = list(bob.one_time_keys["curve25519"].values())[0]
+>>> alice_session = OutboundSession(alice, id_key, one_time)
+```
+
+## Encryption
+
+After an outbound session is created an encrypted message can be exchanged:
+
+```python
+>>> message = alice_session.encrypt("It's a secret to everybody")
+>>> message.ciphertext
+'AwogkL7RoakT9gnjcZMra+y39WXKRmnxBPEaEp6OSueIA0cSIJxGpBoP8YZ+CGweXQ10LujbXMgK88
+xG/JZMQJ5ulK9ZGiC8TYrezNYr3qyIBLlecXr/9wnegvJaSFDmWDVOcf4XfyI/AwogqIZfAklRXGC5b
+ZJcZxVxQGgJ8Dz4OQII8k0Dp8msUXwQACIQvagY1dO55Qvnk5PZ2GF+wdKnvj6Zxl2g'
+>>> message.message_type
+0
+```
+
+After the message is transfered, bob can create an InboundSession to decrypt the
+message.
+
+```python
+>>> bob_session = InboundSession(bob, message)
+>>> bob_session.decrypt(message)
+"It's a secret to everybody"
+```
+
+## Pickling
+
+Sessions like accounts can be stored for later use the API is the same as for
+accounts.
+
+```python
+>>> pickle = session.pickle()
+>>> restored = Session.from_pickle(pickle)
+```
+
+# Group Sessions
+
+Group Sessions are used to create a one-to-many encrypted communication channel.
+The group session key needs to be shared with all participants that should be able
+to decrypt the group messages. Another thing to notice is that, since the group
+session key is ratcheted every time a message is encrypted, the session key should
+be shared before any messages are encrypted.
+
+## Group Session Creation
+
+Group sessions aren't bound to an account like peer-to-peer sessions so their
+creation is straightforward.
+
+```python
+>>> alice_group = OutboundGroupSession()
+>>> bob_inbound_group = InboundGroupSession(alice_group.session_key)
+```
+
+## Group Encryption
+
+Group encryption is pretty simple. The important part is to share the session
+key with all participants over a secure channel (e.g. peer-to-peer Olm
+sessions).
+
+```python
+>>> message = alice_group.encrypt("It's a secret to everybody")
+>>> bob_inbound_group.decrypt(message)
+("It's a secret to everybody", 0)
+```
+
+## Pickling
+
+Pickling works the same way as for peer-to-peer Olm sessions.
+
+```python
+>>> pickle = session.pickle()
+>>> restored = InboundGroupSession.from_pickle(pickle)
+```
+[1]: https://git.matrix.org/git/olm/about/
+[2]: https://git.matrix.org/git/olm/tree/python?id=f8c61b8f8432d0b0b38d57f513c5048fb42f22ab
+[3]: https://cffi.readthedocs.io/en/latest/
+[4]: https://git.matrix.org/git/olm/about/docs/olm.rst
+[5]: https://git.matrix.org/git/olm/about/docs/megolm.rst
+[6]: https://matrix.org/docs/guides/e2e_implementation.html
+[7]: https://poljar.github.io/python-olm/html/index.html
diff --git a/python/docs/Makefile b/python/docs/Makefile
new file mode 100644
index 0000000..a72f9d9
--- /dev/null
+++ b/python/docs/Makefile
@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+SPHINXPROJ = olm
+SOURCEDIR = .
+BUILDDIR = .
+
+# Put it first so that "make" without argument is like "make help".
+help:
+ @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+ @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
diff --git a/python/docs/conf.py b/python/docs/conf.py
new file mode 100644
index 0000000..ce2a88d
--- /dev/null
+++ b/python/docs/conf.py
@@ -0,0 +1,165 @@
+# -*- coding: utf-8 -*-
+#
+# Configuration file for the Sphinx documentation builder.
+#
+# This file does only contain a selection of the most common options. For a
+# full list see the documentation:
+# http://www.sphinx-doc.org/en/master/config
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+import os
+import sys
+
+sys.path.insert(0, os.path.abspath('../'))
+
+
+# -- Project information -----------------------------------------------------
+
+project = 'python-olm'
+copyright = '2018, Damir Jelić'
+author = 'Damir Jelić'
+
+# The short X.Y version
+version = ''
+# The full version, including alpha/beta/rc tags
+release = '2.2'
+
+
+# -- General configuration ---------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+ 'sphinx.ext.autodoc',
+ 'sphinx.ext.doctest',
+ 'sphinx.ext.coverage',
+ 'sphinx.ext.viewcode',
+ 'sphinx.ext.githubpages',
+ 'sphinx.ext.napoleon',
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+#
+# source_suffix = ['.rst', '.md']
+source_suffix = '.rst'
+
+# The master toctree document.
+master_doc = 'index'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path .
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+#
+html_theme = 'alabaster'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+#
+# html_theme_options = {}
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# Custom sidebar templates, must be a dictionary that maps document names
+# to template names.
+#
+# The default sidebars (for documents that don't match any pattern) are
+# defined by theme itself. Builtin themes are using these templates by
+# default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
+# 'searchbox.html']``.
+#
+# html_sidebars = {}
+
+
+# -- Options for HTMLHelp output ---------------------------------------------
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'olmdoc'
+
+
+# -- Options for LaTeX output ------------------------------------------------
+
+latex_elements = {
+ # The paper size ('letterpaper' or 'a4paper').
+ #
+ # 'papersize': 'letterpaper',
+
+ # The font size ('10pt', '11pt' or '12pt').
+ #
+ # 'pointsize': '10pt',
+
+ # Additional stuff for the LaTeX preamble.
+ #
+ # 'preamble': '',
+
+ # Latex figure (float) alignment
+ #
+ # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+# author, documentclass [howto, manual, or own class]).
+latex_documents = [
+ (master_doc, 'olm.tex', 'olm Documentation',
+ 'Damir Jelić', 'manual'),
+]
+
+
+# -- Options for manual page output ------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ (master_doc, 'olm', 'olm Documentation',
+ [author], 1)
+]
+
+
+# -- Options for Texinfo output ----------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ (master_doc, 'olm', 'olm Documentation',
+ author, 'olm', 'One line description of project.',
+ 'Miscellaneous'),
+]
+
+
+# -- Extension configuration -------------------------------------------------
diff --git a/python/docs/index.html b/python/docs/index.html
new file mode 100644
index 0000000..9644bbb
--- /dev/null
+++ b/python/docs/index.html
@@ -0,0 +1 @@
+<meta http-equiv="refresh" content="0; url=./html/index.html" />
diff --git a/python/docs/index.rst b/python/docs/index.rst
new file mode 100644
index 0000000..39e6657
--- /dev/null
+++ b/python/docs/index.rst
@@ -0,0 +1,19 @@
+.. olm documentation master file, created by
+ sphinx-quickstart on Sun Jun 17 15:57:08 2018.
+
+Welcome to olm's documentation!
+===============================
+
+.. toctree::
+ Olm API reference <olm.rst>
+ :maxdepth: 2
+ :caption: Contents:
+
+
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
diff --git a/python/docs/make.bat b/python/docs/make.bat
new file mode 100644
index 0000000..1c5b4d8
--- /dev/null
+++ b/python/docs/make.bat
@@ -0,0 +1,36 @@
+@ECHO OFF
+
+pushd %~dp0
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+ set SPHINXBUILD=sphinx-build
+)
+set SOURCEDIR=.
+set BUILDDIR=_build
+set SPHINXPROJ=olm
+
+if "%1" == "" goto help
+
+%SPHINXBUILD% >NUL 2>NUL
+if errorlevel 9009 (
+ echo.
+ echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
+ echo.installed, then set the SPHINXBUILD environment variable to point
+ echo.to the full path of the 'sphinx-build' executable. Alternatively you
+ echo.may add the Sphinx directory to PATH.
+ echo.
+ echo.If you don't have Sphinx installed, grab it from
+ echo.http://sphinx-doc.org/
+ exit /b 1
+)
+
+%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS%
+goto end
+
+:help
+%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS%
+
+:end
+popd
diff --git a/python/docs/olm.rst b/python/docs/olm.rst
new file mode 100644
index 0000000..9d8edf0
--- /dev/null
+++ b/python/docs/olm.rst
@@ -0,0 +1,34 @@
+olm package
+===========
+
+olm.account module
+------------------
+
+.. automodule:: olm.account
+ :members:
+ :undoc-members:
+ :show-inheritance:
+
+olm.group\_session module
+-------------------------
+
+.. automodule:: olm.group_session
+ :members:
+ :undoc-members:
+ :show-inheritance:
+
+olm.session module
+------------------
+
+.. automodule:: olm.session
+ :members:
+ :undoc-members:
+ :show-inheritance:
+
+olm.utility module
+------------------
+
+.. automodule:: olm.utility
+ :members:
+ :undoc-members:
+ :show-inheritance:
diff --git a/python/dummy/README b/python/dummy/README
new file mode 100644
index 0000000..61039f3
--- /dev/null
+++ b/python/dummy/README
@@ -0,0 +1,2 @@
+Dummy header files, so that we can generate the function list for cffi from the
+olm header files. \ No newline at end of file
diff --git a/python/dummy/stddef.h b/python/dummy/stddef.h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/python/dummy/stddef.h
diff --git a/python/dummy/stdint.h b/python/dummy/stdint.h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/python/dummy/stdint.h
diff --git a/python/olm/__init__.py b/python/olm/__init__.py
index f74cbcb..015c4f8 100644
--- a/python/olm/__init__.py
+++ b/python/olm/__init__.py
@@ -1,5 +1,38 @@
-from .account import Account
-from .session import Session
-from .outbound_group_session import OutboundGroupSession
-from .inbound_group_session import InboundGroupSession
-from .utility import ed25519_verify
+# -*- coding: utf-8 -*-
+# libolm python bindings
+# Copyright © 2015-2017 OpenMarket Ltd
+# Copyright © 2018 Damir Jelić <poljar@termina.org.uk>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+Olm Python bindings
+~~~~~~~~~~~~~~~~~~~~~
+| This package implements python bindings for the libolm C library.
+| © Copyright 2015-2017 by OpenMarket Ltd
+| © Copyright 2018 by Damir Jelić
+"""
+from .utility import ed25519_verify, OlmVerifyError
+from .account import Account, OlmAccountError
+from .session import (
+ Session,
+ InboundSession,
+ OutboundSession,
+ OlmSessionError,
+ OlmMessage,
+ OlmPreKeyMessage
+)
+from .group_session import (
+ InboundGroupSession,
+ OutboundGroupSession,
+ OlmGroupSessionError
+)
diff --git a/python/olm/__main__.py b/python/olm/__main__.py
deleted file mode 100755
index d062459..0000000
--- a/python/olm/__main__.py
+++ /dev/null
@@ -1,468 +0,0 @@
-#!/usr/bin/env python
-
-from __future__ import print_function
-
-import argparse
-import json
-import os
-import sys
-import yaml
-
-from . import *
-
-
-def read_base64_file(filename):
- """Read a base64 file, dropping any CR/LF characters"""
- with open(filename, "rb") as f:
- return f.read().translate(None, "\r\n")
-
-
-def build_arg_parser():
- parser = argparse.ArgumentParser()
- parser.add_argument("--key", help="Account encryption key", default="")
- commands = parser.add_subparsers()
-
- create_account = commands.add_parser("create_account",
- help="Create a new account")
- create_account.add_argument("account_file", help="Local account file")
-
- def do_create_account(args):
- if os.path.exists(args.account_file):
- sys.stderr.write("Account %r file already exists" % (
- args.account_file,
- ))
- sys.exit(1)
- account = Account()
- account.create()
- with open(args.account_file, "wb") as f:
- f.write(account.pickle(args.key))
-
- create_account.set_defaults(func=do_create_account)
-
- keys = commands.add_parser("keys", help="List public keys for an account")
- keys.add_argument("account_file", help="Local account file")
- keys.add_argument("--json", action="store_true", help="Output as JSON")
-
- def do_keys(args):
- account = Account()
- account.unpickle(args.key, read_base64_file(args.account_file))
- result = {
- "account_keys": account.identity_keys(),
- "one_time_keys": account.one_time_keys(),
- }
- try:
- if args.json:
- json.dump(result, sys.stdout, indent=4)
- else:
- yaml.safe_dump(result, sys.stdout, default_flow_style=False)
- except:
- pass
-
- keys.set_defaults(func=do_keys)
-
- def do_id_key(args):
- account = Account()
- account.unpickle(args.key, read_base64_file(args.account_file))
- print(account.identity_keys()['curve25519'])
-
- id_key = commands.add_parser(
- "identity_key",
- help="Get the public part of the identity key for an account",
- )
- id_key.add_argument("account_file", help="Local account file")
- id_key.set_defaults(func=do_id_key)
-
- def do_signing_key(args):
- account = Account()
- account.unpickle(args.key, read_base64_file(args.account_file))
- print(account.identity_keys()['ed25519'])
-
- signing_key = commands.add_parser(
- "signing_key",
- help="Get the public part of the signing key for an account",
- )
- signing_key.add_argument("account_file", help="Local account file")
- signing_key.set_defaults(func=do_signing_key)
-
- def do_one_time_key(args):
- account = Account()
- account.unpickle(args.key, read_base64_file(args.account_file))
- keys = account.one_time_keys()['curve25519'].values()
- key_num = args.key_num
- if key_num < 1 or key_num > len(keys):
- print(
- "Invalid key number %i: %i keys available" % (
- key_num, len(keys),
- ), file=sys.stderr,
- )
- sys.exit(1)
- print(keys[key_num-1])
-
- one_time_key = commands.add_parser(
- "one_time_key",
- help="Get a one-time key for the account",
- )
- one_time_key.add_argument("account_file", help="Local account file")
- one_time_key.add_argument("--key-num", "-n", type=int, default=1,
- help="Index of key to retrieve (default: 1)")
- one_time_key.set_defaults(func=do_one_time_key)
-
- sign = commands.add_parser("sign", help="Sign a message")
- sign.add_argument("account_file", help="Local account file")
- sign.add_argument("message_file", help="Message to sign")
- sign.add_argument("signature_file", help="Signature to output")
-
- def do_sign(args):
- account = Account()
- account.unpickle(args.key, read_base64_file(args.account_file))
- with open_in(args.message_file) as f:
- message = f.read()
- signature = account.sign(message)
- with open_out(args.signature_file) as f:
- f.write(signature)
-
- sign.set_defaults(func=do_sign)
-
- generate_keys = commands.add_parser("generate_keys",
- help="Generate one time keys")
- generate_keys.add_argument("account_file", help="Local account file")
- generate_keys.add_argument("count", type=int,
- help="Number of keys to generate")
-
- def do_generate_keys(args):
- account = Account()
- account.unpickle(args.key, read_base64_file(args.account_file))
- account.generate_one_time_keys(args.count)
- with open(args.account_file, "wb") as f:
- f.write(account.pickle(args.key))
-
- generate_keys.set_defaults(func=do_generate_keys)
-
- outbound = commands.add_parser("outbound",
- help="Create an outbound session")
- outbound.add_argument("account_file", help="Local account file")
- outbound.add_argument("session_file", help="Local session file")
- outbound.add_argument("identity_key", help="Remote identity key")
- outbound.add_argument("one_time_key", help="Remote one time key")
-
- def do_outbound(args):
- if os.path.exists(args.session_file):
- sys.stderr.write("Session %r file already exists" % (
- args.session_file,
- ))
- sys.exit(1)
- account = Account()
- account.unpickle(args.key, read_base64_file(args.account_file))
- session = Session()
- session.create_outbound(
- account, args.identity_key, args.one_time_key
- )
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
-
- outbound.set_defaults(func=do_outbound)
-
- def open_in(path):
- if path == "-":
- return sys.stdin
- else:
- return open(path, "rb")
-
- def open_out(path):
- if path == "-":
- return sys.stdout
- else:
- return open(path, "wb")
-
- inbound = commands.add_parser("inbound", help="Create an inbound session")
- inbound.add_argument("account_file", help="Local account file")
- inbound.add_argument("session_file", help="Local session file")
- inbound.add_argument("message_file", help="Message", default="-")
- inbound.add_argument("plaintext_file", help="Plaintext", default="-")
-
- def do_inbound(args):
- if os.path.exists(args.session_file):
- sys.stderr.write("Session %r file already exists" % (
- args.session_file,
- ))
- sys.exit(1)
- account = Account()
- account.unpickle(args.key, read_base64_file(args.account_file))
- with open_in(args.message_file) as f:
- message_type = f.read(8)
- message = f.read()
- if message_type != "PRE_KEY ":
- sys.stderr.write("Expecting a PRE_KEY message")
- sys.exit(1)
- session = Session()
- session.create_inbound(account, message)
- plaintext = session.decrypt(0, message)
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
- with open_out(args.plaintext_file) as f:
- f.write(plaintext)
-
- inbound.set_defaults(func=do_inbound)
-
- session_id = commands.add_parser("session_id", help="Session ID")
- session_id.add_argument("session_file", help="Local session file")
-
- def do_session_id(args):
- session = Session()
- session.unpickle(args.key, read_base64_file(args.session_file))
- sys.stdout.write(session.session_id() + "\n")
-
- session_id.set_defaults(func=do_session_id)
-
- encrypt = commands.add_parser("encrypt", help="Encrypt a message")
- encrypt.add_argument("session_file", help="Local session file")
- encrypt.add_argument("plaintext_file", help="Plaintext", default="-")
- encrypt.add_argument("message_file", help="Message", default="-")
-
- def do_encrypt(args):
- session = Session()
- session.unpickle(args.key, read_base64_file(args.session_file))
- with open_in(args.plaintext_file) as f:
- plaintext = f.read()
- message_type, message = session.encrypt(plaintext)
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
- with open_out(args.message_file) as f:
- f.write(["PRE_KEY ", "MESSAGE "][message_type])
- f.write(message)
-
- encrypt.set_defaults(func=do_encrypt)
-
- decrypt = commands.add_parser("decrypt", help="Decrypt a message")
- decrypt.add_argument("session_file", help="Local session file")
- decrypt.add_argument("message_file", help="Message", default="-")
- decrypt.add_argument("plaintext_file", help="Plaintext", default="-")
-
- def do_decrypt(args):
- session = Session()
- session.unpickle(args.key, read_base64_file(args.session_file))
- with open_in(args.message_file) as f:
- message_type = f.read(8)
- message = f.read()
- if message_type not in {"PRE_KEY ", "MESSAGE "}:
- sys.stderr.write("Expecting a PRE_KEY or MESSAGE message")
- sys.exit(1)
- message_type = 1 if message_type == "MESSAGE " else 0
- plaintext = session.decrypt(message_type, message)
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
- with open_out(args.plaintext_file) as f:
- f.write(plaintext)
-
- decrypt.set_defaults(func=do_decrypt)
-
- outbound_group = commands.add_parser(
- "outbound_group",
- help="Create an outbound group session",
- )
- outbound_group.add_argument("session_file",
- help="Local group session file")
- outbound_group.set_defaults(func=do_outbound_group)
-
- group_credentials = commands.add_parser(
- "group_credentials",
- help="Export the current outbound group session credentials",
- )
- group_credentials.add_argument(
- "session_file",
- help="Local outbound group session file",
- )
- group_credentials.add_argument(
- "credentials_file",
- help="File to write credentials to (default stdout)",
- type=argparse.FileType('w'), nargs='?',
- default=sys.stdout,
- )
- group_credentials.set_defaults(func=do_group_credentials)
-
- group_encrypt = commands.add_parser(
- "group_encrypt",
- help="Encrypt a group message",
- )
- group_encrypt.add_argument("session_file",
- help="Local outbound group session file")
- group_encrypt.add_argument("plaintext_file",
- help="Plaintext file (default stdin)",
- type=argparse.FileType('rb'), nargs='?',
- default=sys.stdin)
- group_encrypt.add_argument("message_file",
- help="Message file (default stdout)",
- type=argparse.FileType('w'), nargs='?',
- default=sys.stdout)
- group_encrypt.set_defaults(func=do_group_encrypt)
-
- inbound_group = commands.add_parser(
- "inbound_group",
- help=("Create an inbound group session based on credentials from an " +
- "outbound group session"))
- inbound_group.add_argument("session_file",
- help="Local inbound group session file")
- inbound_group.add_argument(
- "credentials_file",
- help="File to read credentials from (default stdin)",
- type=argparse.FileType('r'), nargs='?',
- default=sys.stdin,
- )
- inbound_group.set_defaults(func=do_inbound_group)
-
- import_inbound_group = commands.add_parser(
- "import_inbound_group",
- help="Create an inbound group session based an exported inbound group"
- )
- import_inbound_group.add_argument("session_file",
- help="Local inbound group session file")
- import_inbound_group.add_argument(
- "export_file",
- help="File to read credentials from (default stdin)",
- type=argparse.FileType('r'), nargs='?',
- default=sys.stdin,
- )
- import_inbound_group.set_defaults(func=do_import_inbound_group)
-
- group_decrypt = commands.add_parser("group_decrypt",
- help="Decrypt a group message")
- group_decrypt.add_argument("session_file",
- help="Local inbound group session file")
- group_decrypt.add_argument("message_file",
- help="Message file (default stdin)",
- type=argparse.FileType('r'), nargs='?',
- default=sys.stdin)
- group_decrypt.add_argument("plaintext_file",
- help="Plaintext file (default stdout)",
- type=argparse.FileType('wb'), nargs='?',
- default=sys.stdout)
- group_decrypt.set_defaults(func=do_group_decrypt)
-
- export_inbound_group = commands.add_parser(
- "export_inbound_group",
- help="Export the keys for an inbound group session",
- )
- export_inbound_group.add_argument(
- "session_file", help="Local inbound group session file",
- )
- export_inbound_group.add_argument(
- "export_file", help="File to export to (default stdout)",
- type=argparse.FileType('w'), nargs='?',
- default=sys.stdout,
- )
- export_inbound_group.add_argument(
- "--message_index",
- help=("Index to export session at. Defaults to the earliest known " +
- "index"),
- type=int,
- )
- export_inbound_group.set_defaults(func=do_export_inbound_group)
-
- ed25519_verify = commands.add_parser("ed25519_verify",
- help="Verify an ed25519 signature")
- ed25519_verify.add_argument(
- "signing_key",
- help="Public signing key used to create the signature"
- )
- ed25519_verify.add_argument("signature",
- help="Signature to be verified")
- ed25519_verify.add_argument("message_file",
- help="Message file (default stdin)",
- type=argparse.FileType('r'), nargs='?',
- default=sys.stdin)
- ed25519_verify.set_defaults(func=do_verify_ed25519_signature)
- return parser
-
-
-def do_outbound_group(args):
- if os.path.exists(args.session_file):
- sys.stderr.write("Session %r file already exists" % (
- args.session_file,
- ))
- sys.exit(1)
- session = OutboundGroupSession()
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
-
-
-def do_group_encrypt(args):
- session = OutboundGroupSession()
- session.unpickle(args.key, read_base64_file(args.session_file))
- plaintext = args.plaintext_file.read()
- message = session.encrypt(plaintext)
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
- args.message_file.write(message)
-
-
-def do_group_credentials(args):
- session = OutboundGroupSession()
- session.unpickle(args.key, read_base64_file(args.session_file))
- result = {
- 'message_index': session.message_index(),
- 'session_key': session.session_key(),
- }
- json.dump(result, args.credentials_file, indent=4)
-
-
-def do_inbound_group(args):
- if os.path.exists(args.session_file):
- sys.stderr.write("Session %r file already exists\n" % (
- args.session_file,
- ))
- sys.exit(1)
- credentials = json.load(args.credentials_file)
- for k in ('session_key', ):
- if k not in credentials:
- sys.stderr.write("Credentials file is missing %s\n" % k)
- sys.exit(1)
-
- session = InboundGroupSession()
- session.init(credentials['session_key'])
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
-
-
-def do_import_inbound_group(args):
- if os.path.exists(args.session_file):
- sys.stderr.write("Session %r file already exists\n" % (
- args.session_file,
- ))
- sys.exit(1)
- data = args.export_file.read().translate(None, "\r\n")
-
- session = InboundGroupSession()
- session.import_session(data)
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
-
-
-def do_group_decrypt(args):
- session = InboundGroupSession()
- session.unpickle(args.key, read_base64_file(args.session_file))
- message = args.message_file.read()
- plaintext, message_index = session.decrypt(message)
- with open(args.session_file, "wb") as f:
- f.write(session.pickle(args.key))
- args.plaintext_file.write(plaintext)
-
-
-def do_export_inbound_group(args):
- session = InboundGroupSession()
- session.unpickle(args.key, read_base64_file(args.session_file))
- index = args.message_index
- if index is None:
- # default to first known index
- index = session.first_known_index()
- args.export_file.write(session.export_session(index))
-
-
-def do_verify_ed25519_signature(args):
- message = args.message_file.read()
- ed25519_verify(args.signing_key, message, args.signature)
-
-
-if __name__ == '__main__':
- parser = build_arg_parser()
- args = parser.parse_args()
- args.func(args)
diff --git a/python/olm/__version__.py b/python/olm/__version__.py
new file mode 100644
index 0000000..dccfdd0
--- /dev/null
+++ b/python/olm/__version__.py
@@ -0,0 +1,9 @@
+__title__ = "python-olm"
+__description__ = ("python CFFI bindings for the olm "
+ "cryptographic ratchet library")
+__url__ = "https://github.com/poljar/python-olm"
+__version__ = "0.1"
+__author__ = "Damir Jelić"
+__author_email__ = "poljar@termina.org.uk"
+__license__ = "Apache 2.0"
+__copyright__ = "Copyright 2018 Damir Jelić"
diff --git a/python/olm/_base.py b/python/olm/_base.py
deleted file mode 100644
index ad21d6f..0000000
--- a/python/olm/_base.py
+++ /dev/null
@@ -1,17 +0,0 @@
-import os.path
-
-from ctypes import *
-
-
-lib = cdll.LoadLibrary(os.path.join(
- os.path.dirname(__file__), "..", "..", "build", "libolm.so.2")
-)
-
-lib.olm_error.argtypes = []
-lib.olm_error.restypes = c_size_t
-
-ERR = lib.olm_error()
-
-
-class OlmError(Exception):
- pass
diff --git a/python/olm/_compat.py b/python/olm/_compat.py
new file mode 100644
index 0000000..91e4d1b
--- /dev/null
+++ b/python/olm/_compat.py
@@ -0,0 +1,46 @@
+# -*- coding: utf-8 -*-
+# libolm python bindings
+# Copyright © 2015-2017 OpenMarket Ltd
+# Copyright © 2018 Damir Jelić <poljar@termina.org.uk>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from builtins import bytes, str
+from typing import AnyStr
+
+try:
+ import secrets
+ URANDOM = secrets.token_bytes # pragma: no cover
+except ImportError: # pragma: no cover
+ from os import urandom
+ URANDOM = urandom # type: ignore
+
+
+def to_bytearray(string):
+ # type: (AnyStr) -> bytes
+ if isinstance(string, bytes):
+ return bytearray(string)
+ elif isinstance(string, str):
+ return bytearray(string, "utf-8")
+
+ raise TypeError("Invalid type {}".format(type(string)))
+
+
+def to_bytes(string):
+ # type: (AnyStr) -> bytes
+ if isinstance(string, bytes):
+ return string
+ elif isinstance(string, str):
+ return bytes(string, "utf-8")
+
+ raise TypeError("Invalid type {}".format(type(string)))
diff --git a/python/olm/_finalize.py b/python/olm/_finalize.py
new file mode 100644
index 0000000..9f467bc
--- /dev/null
+++ b/python/olm/_finalize.py
@@ -0,0 +1,65 @@
+# The MIT License (MIT)
+# Copyright (c) 2010 Benjamin Peterson <benjamin@python.org>
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+# OR OTHER DEALINGS IN THE SOFTWARE.
+
+"""Finalization with weakrefs
+
+This is designed for avoiding __del__.
+"""
+from __future__ import print_function
+
+import sys
+import traceback
+import weakref
+
+__author__ = "Benjamin Peterson <benjamin@python.org>"
+
+
+class OwnerRef(weakref.ref):
+ """A simple weakref.ref subclass, so attributes can be added."""
+ pass
+
+
+def _run_finalizer(ref):
+ """Internal weakref callback to run finalizers"""
+ del _finalize_refs[id(ref)]
+ finalizer = ref.finalizer
+ item = ref.item
+ try:
+ finalizer(item)
+ except Exception: # pragma: no cover
+ print("Exception running {}:".format(finalizer), file=sys.stderr)
+ traceback.print_exc()
+
+
+_finalize_refs = {}
+
+
+def track_for_finalization(owner, item, finalizer):
+ """Register an object for finalization.
+
+ ``owner`` is the the object which is responsible for ``item``.
+ ``finalizer`` will be called with ``item`` as its only argument when
+ ``owner`` is destroyed by the garbage collector.
+ """
+ ref = OwnerRef(owner, _run_finalizer)
+ ref.item = item
+ ref.finalizer = finalizer
+ _finalize_refs[id(ref)] = ref
diff --git a/python/olm/account.py b/python/olm/account.py
index b103a51..8455655 100644
--- a/python/olm/account.py
+++ b/python/olm/account.py
@@ -1,136 +1,271 @@
+# -*- coding: utf-8 -*-
+# libolm python bindings
+# Copyright © 2015-2017 OpenMarket Ltd
+# Copyright © 2018 Damir Jelić <poljar@termina.org.uk>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""libolm Account module.
+
+This module contains the account part of the Olm library. It contains a single
+Account class which handles the creation of new accounts as well as the storing
+and restoring of them.
+
+Examples:
+ >>> acc = Account()
+ >>> account.identity_keys()
+ >>> account.generate_one_time_keys(1)
+
+"""
+
import json
-from os import urandom
-
-from ._base import *
-
-lib.olm_account_size.argtypes = []
-lib.olm_account_size.restype = c_size_t
-
-lib.olm_account.argtypes = [c_void_p]
-lib.olm_account.restype = c_void_p
-
-lib.olm_account_last_error.argtypes = [c_void_p]
-lib.olm_account_last_error.restype = c_char_p
-
-
-def account_errcheck(res, func, args):
- if res == ERR:
- raise OlmError("%s: %s" % (
- func.__name__, lib.olm_account_last_error(args[0])
- ))
- return res
-
-
-def account_function(func, *types):
- func.argtypes = (c_void_p,) + types
- func.restypes = c_size_t
- func.errcheck = account_errcheck
-
-
-account_function(
- lib.olm_pickle_account, c_void_p, c_size_t, c_void_p, c_size_t
-)
-account_function(
- lib.olm_unpickle_account, c_void_p, c_size_t, c_void_p, c_size_t
-)
-account_function(lib.olm_create_account_random_length)
-account_function(lib.olm_create_account, c_void_p, c_size_t)
-account_function(lib.olm_account_identity_keys_length)
-account_function(lib.olm_account_identity_keys, c_void_p, c_size_t)
-account_function(lib.olm_account_signature_length)
-account_function(lib.olm_account_sign, c_void_p, c_size_t, c_void_p, c_size_t)
-account_function(lib.olm_account_one_time_keys_length)
-account_function(lib.olm_account_one_time_keys, c_void_p, c_size_t)
-account_function(lib.olm_account_mark_keys_as_published)
-account_function(lib.olm_account_max_number_of_one_time_keys)
-account_function(lib.olm_pickle_account_length)
-account_function(
- lib.olm_account_generate_one_time_keys_random_length,
- c_size_t
-)
-account_function(
- lib.olm_account_generate_one_time_keys,
- c_size_t,
- c_void_p, c_size_t
-)
-account_function(
- lib.olm_remove_one_time_keys,
- c_void_p # Session
-)
+# pylint: disable=redefined-builtin,unused-import
+from builtins import bytes, super
+from typing import AnyStr, Dict, Optional, Type
+
+from future.utils import bytes_to_native_str
+
+# pylint: disable=no-name-in-module
+from _libolm import ffi, lib # type: ignore
+
+from ._compat import URANDOM, to_bytearray
+from ._finalize import track_for_finalization
+
+# This is imported only for type checking purposes
+if False:
+ from .session import Session # pragma: no cover
+
+
+def _clear_account(account):
+ # type: (ffi.cdata) -> None
+ lib.olm_clear_account(account)
+
+
+class OlmAccountError(Exception):
+ """libolm Account error exception."""
class Account(object):
+ """libolm Account class."""
+
+ def __new__(cls):
+ # type: (Type[Account]) -> Account
+ obj = super().__new__(cls)
+ obj._buf = ffi.new("char[]", lib.olm_account_size())
+ obj._account = lib.olm_account(obj._buf)
+ track_for_finalization(obj, obj._account, _clear_account)
+ return obj
+
def __init__(self):
- self.buf = create_string_buffer(lib.olm_account_size())
- self.ptr = lib.olm_account(self.buf)
-
- def create(self):
- random_length = lib.olm_create_account_random_length(self.ptr)
- random = urandom(random_length)
- random_buffer = create_string_buffer(random)
- lib.olm_create_account(self.ptr, random_buffer, random_length)
-
- def pickle(self, key):
- key_buffer = create_string_buffer(key)
- pickle_length = lib.olm_pickle_account_length(self.ptr)
- pickle_buffer = create_string_buffer(pickle_length)
- lib.olm_pickle_account(
- self.ptr, key_buffer, len(key), pickle_buffer, pickle_length
- )
- return pickle_buffer.raw
-
- def unpickle(self, key, pickle):
- key_buffer = create_string_buffer(key)
- pickle_buffer = create_string_buffer(pickle)
- lib.olm_unpickle_account(
- self.ptr, key_buffer, len(key), pickle_buffer, len(pickle)
- )
+ # type: () -> None
+ """Create a new Olm account.
+
+ Creates a new account and its matching identity key pair.
+
+ Raises OlmAccountError on failure. If there weren't enough random bytes
+ for the account creation the error message for the exception will be
+ NOT_ENOUGH_RANDOM.
+ """
+ # This is needed to silence mypy not knowing the type of _account.
+ # There has to be a better way for this.
+ if False: # pragma: no cover
+ self._account = self._account # type: ffi.cdata
+
+ random_length = lib.olm_create_account_random_length(self._account)
+ random = URANDOM(random_length)
+
+ self._check_error(
+ lib.olm_create_account(self._account, ffi.from_buffer(random),
+ random_length))
+
+
+ def _check_error(self, ret):
+ # type: (int) -> None
+ if ret != lib.olm_error():
+ return
+
+ last_error = bytes_to_native_str(
+ ffi.string((lib.olm_account_last_error(self._account))))
+
+ raise OlmAccountError(last_error)
+
+ def pickle(self, passphrase=""):
+ # type: (Optional[str]) -> bytes
+ """Store an Olm account.
+
+ Stores an account as a base64 string. Encrypts the account using the
+ supplied passphrase. Returns a byte object containing the base64
+ encoded string of the pickled account. Raises OlmAccountError on
+ failure.
+
+ Args:
+ passphrase(str, optional): The passphrase to be used to encrypt
+ the account.
+ """
+ byte_key = bytearray(passphrase, "utf-8") if passphrase else b""
+ pickle_length = lib.olm_pickle_account_length(self._account)
+ pickle_buffer = ffi.new("char[]", pickle_length)
+
+ try:
+ self._check_error(
+ lib.olm_pickle_account(self._account,
+ ffi.from_buffer(byte_key),
+ len(byte_key),
+ pickle_buffer,
+ pickle_length))
+ finally:
+ # zero out copies of the passphrase
+ for i in range(0, len(byte_key)):
+ byte_key[i] = 0
+
+ return ffi.unpack(pickle_buffer, pickle_length)
+
+ @classmethod
+ def from_pickle(cls, pickle, passphrase=""):
+ # type: (bytes, Optional[str]) -> Account
+ """Load a previously stored olm account.
+
+ Loads an account from a pickled base64-encoded string and returns an
+ Account object. Decrypts the account using the supplied passphrase.
+ Raises OlmAccountError on failure. If the passphrase doesn't match the
+ one used to encrypt the account then the error message for the
+ exception will be "BAD_ACCOUNT_KEY". If the base64 couldn't be decoded
+ then the error message will be "INVALID_BASE64".
+
+ Args:
+ pickle(bytes): Base64 encoded byte string containing the pickled
+ account
+ passphrase(str, optional): The passphrase used to encrypt the
+ account.
+ """
+ if not pickle:
+ raise ValueError("Pickle can't be empty")
+
+ byte_key = bytearray(passphrase, "utf-8") if passphrase else b""
+ # copy because unpickle will destroy the buffer
+ pickle_buffer = ffi.new("char[]", pickle)
+
+ obj = cls.__new__(cls)
+
+ try:
+ ret = lib.olm_unpickle_account(obj._account,
+ ffi.from_buffer(byte_key),
+ len(byte_key),
+ pickle_buffer,
+ len(pickle))
+ obj._check_error(ret)
+ finally:
+ for i in range(0, len(byte_key)):
+ byte_key[i] = 0
+
+ return obj
+
+ @property
def identity_keys(self):
- out_length = lib.olm_account_identity_keys_length(self.ptr)
- out_buffer = create_string_buffer(out_length)
- lib.olm_account_identity_keys(
- self.ptr,
- out_buffer, out_length
- )
- return json.loads(out_buffer.raw)
+ # type: () -> Dict[str, str]
+ """dict: Public part of the identity keys of the account."""
+ out_length = lib.olm_account_identity_keys_length(self._account)
+ out_buffer = ffi.new("char[]", out_length)
+
+ self._check_error(
+ lib.olm_account_identity_keys(self._account, out_buffer,
+ out_length))
+ return json.loads(ffi.unpack(out_buffer, out_length).decode("utf-8"))
def sign(self, message):
- out_length = lib.olm_account_signature_length(self.ptr)
- message_buffer = create_string_buffer(message)
- out_buffer = create_string_buffer(out_length)
- lib.olm_account_sign(
- self.ptr, message_buffer, len(message), out_buffer, out_length
- )
- return out_buffer.raw
+ # type: (AnyStr) -> str
+ """Signs a message with this account.
- def one_time_keys(self):
- out_length = lib.olm_account_one_time_keys_length(self.ptr)
- out_buffer = create_string_buffer(out_length)
- lib.olm_account_one_time_keys(self.ptr, out_buffer, out_length)
- return json.loads(out_buffer.raw)
+ Signs a message with the private ed25519 identity key of this account.
+ Returns the signature.
+ Raises OlmAccountError on failure.
- def mark_keys_as_published(self):
- lib.olm_account_mark_keys_as_published(self.ptr)
+ Args:
+ message(str): The message to sign.
+ """
+ bytes_message = to_bytearray(message)
+ out_length = lib.olm_account_signature_length(self._account)
+ out_buffer = ffi.new("char[]", out_length)
- def max_number_of_one_time_keys(self):
- return lib.olm_account_max_number_of_one_time_keys(self.ptr)
+ try:
+ self._check_error(
+ lib.olm_account_sign(self._account,
+ ffi.from_buffer(bytes_message),
+ len(bytes_message), out_buffer,
+ out_length))
+ finally:
+ # clear out copies of the message, which may be plaintext
+ if bytes_message is not message:
+ for i in range(0, len(bytes_message)):
+ bytes_message[i] = 0
+
+ return bytes_to_native_str(ffi.unpack(out_buffer, out_length))
+
+ @property
+ def max_one_time_keys(self):
+ # type: () -> int
+ """int: The maximum number of one-time keys the account can store."""
+ return lib.olm_account_max_number_of_one_time_keys(self._account)
+
+ def mark_keys_as_published(self):
+ # type: () -> None
+ """Mark the current set of one-time keys as being published."""
+ lib.olm_account_mark_keys_as_published(self._account)
def generate_one_time_keys(self, count):
+ # type: (int) -> None
+ """Generate a number of new one-time keys.
+
+ If the total number of keys stored by this account exceeds
+ max_one_time_keys() then the old keys are discarded.
+ Raises OlmAccountError on error.
+
+ Args:
+ count(int): The number of keys to generate.
+ """
random_length = lib.olm_account_generate_one_time_keys_random_length(
- self.ptr, count
- )
- random = urandom(random_length)
- random_buffer = create_string_buffer(random)
- lib.olm_account_generate_one_time_keys(
- self.ptr, count, random_buffer, random_length
- )
+ self._account, count)
+ random = URANDOM(random_length)
+
+ self._check_error(
+ lib.olm_account_generate_one_time_keys(
+ self._account, count, ffi.from_buffer(random), random_length))
+
+ @property
+ def one_time_keys(self):
+ # type: () -> Dict[str, Dict[str, str]]
+ """dict: The public part of the one-time keys for this account."""
+ out_length = lib.olm_account_one_time_keys_length(self._account)
+ out_buffer = ffi.new("char[]", out_length)
+
+ self._check_error(
+ lib.olm_account_one_time_keys(self._account, out_buffer,
+ out_length))
+
+ return json.loads(ffi.unpack(out_buffer, out_length).decode("utf-8"))
def remove_one_time_keys(self, session):
- lib.olm_remove_one_time_keys(
- self.ptr,
- session.ptr
- )
+ # type: (Session) -> None
+ """Remove used one-time keys.
+
+ Removes the one-time keys that the session used from the account.
+ Raises OlmAccountError on failure. If the account doesn't have any
+ matching one-time keys then the error message of the exception will be
+ "BAD_MESSAGE_KEY_ID".
- def clear(self):
- pass
+ Args:
+ session(Session): An Olm Session object that was created with this
+ account.
+ """
+ self._check_error(lib.olm_remove_one_time_keys(self._account,
+ session._session))
diff --git a/python/olm/group_session.py b/python/olm/group_session.py
new file mode 100644
index 0000000..737d9ef
--- /dev/null
+++ b/python/olm/group_session.py
@@ -0,0 +1,525 @@
+# -*- coding: utf-8 -*-
+# libolm python bindings
+# Copyright © 2015-2017 OpenMarket Ltd
+# Copyright © 2018 Damir Jelić <poljar@termina.org.uk>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""libolm Group session module.
+
+This module contains the group session part of the Olm library. It contains two
+classes for creating inbound and outbound group sessions.
+
+Examples:
+ >>> outbound = OutboundGroupSession()
+ >>> InboundGroupSession(outbound.session_key)
+"""
+
+# pylint: disable=redefined-builtin,unused-import
+from builtins import bytes, super
+from typing import AnyStr, Optional, Tuple, Type
+
+from future.utils import bytes_to_native_str
+
+# pylint: disable=no-name-in-module
+from _libolm import ffi, lib # type: ignore
+
+from ._compat import URANDOM, to_bytearray, to_bytes
+from ._finalize import track_for_finalization
+
+
+def _clear_inbound_group_session(session):
+ # type: (ffi.cdata) -> None
+ lib.olm_clear_inbound_group_session(session)
+
+
+def _clear_outbound_group_session(session):
+ # type: (ffi.cdata) -> None
+ lib.olm_clear_outbound_group_session(session)
+
+
+class OlmGroupSessionError(Exception):
+ """libolm Group session error exception."""
+
+
+class InboundGroupSession(object):
+ """Inbound group session for encrypted multiuser communication."""
+
+ def __new__(
+ cls, # type: Type[InboundGroupSession]
+ session_key=None # type: Optional[str]
+ ):
+ # type: (...) -> InboundGroupSession
+ obj = super().__new__(cls)
+ obj._buf = ffi.new("char[]", lib.olm_inbound_group_session_size())
+ obj._session = lib.olm_inbound_group_session(obj._buf)
+ track_for_finalization(obj, obj._session, _clear_inbound_group_session)
+ return obj
+
+ def __init__(self, session_key):
+ # type: (AnyStr) -> None
+ """Create a new inbound group session.
+ Start a new inbound group session, from a key exported from
+ an outbound group session.
+
+ Raises OlmGroupSessionError on failure. The error message of the
+ exception will be "OLM_INVALID_BASE64" if the session key is not valid
+ base64 and "OLM_BAD_SESSION_KEY" if the session key is invalid.
+ """
+ if False: # pragma: no cover
+ self._session = self._session # type: ffi.cdata
+
+ byte_session_key = to_bytearray(session_key)
+
+ try:
+ ret = lib.olm_init_inbound_group_session(
+ self._session,
+ ffi.from_buffer(byte_session_key), len(byte_session_key)
+ )
+ finally:
+ if byte_session_key is not session_key:
+ for i in range(0, len(byte_session_key)):
+ byte_session_key[i] = 0
+ self._check_error(ret)
+
+ def pickle(self, passphrase=""):
+ # type: (Optional[str]) -> bytes
+ """Store an inbound group session.
+
+ Stores a group session as a base64 string. Encrypts the session using
+ the supplied passphrase. Returns a byte object containing the base64
+ encoded string of the pickled session.
+
+ Args:
+ passphrase(str, optional): The passphrase to be used to encrypt
+ the session.
+ """
+ byte_passphrase = bytearray(passphrase, "utf-8") if passphrase else b""
+
+ pickle_length = lib.olm_pickle_inbound_group_session_length(
+ self._session)
+ pickle_buffer = ffi.new("char[]", pickle_length)
+
+ try:
+ ret = lib.olm_pickle_inbound_group_session(
+ self._session,
+ ffi.from_buffer(byte_passphrase), len(byte_passphrase),
+ pickle_buffer, pickle_length
+ )
+ self._check_error(ret)
+ finally:
+ # clear out copies of the passphrase
+ for i in range(0, len(byte_passphrase)):
+ byte_passphrase[i] = 0
+
+ return ffi.unpack(pickle_buffer, pickle_length)
+
+ @classmethod
+ def from_pickle(cls, pickle, passphrase=""):
+ # type: (bytes, Optional[str]) -> InboundGroupSession
+ """Load a previously stored inbound group session.
+
+ Loads an inbound group session from a pickled base64 string and returns
+ an InboundGroupSession object. Decrypts the session using the supplied
+ passphrase. Raises OlmSessionError on failure. If the passphrase
+ doesn't match the one used to encrypt the session then the error
+ message for the exception will be "BAD_ACCOUNT_KEY". If the base64
+ couldn't be decoded then the error message will be "INVALID_BASE64".
+
+ Args:
+ pickle(bytes): Base64 encoded byte string containing the pickled
+ session
+ passphrase(str, optional): The passphrase used to encrypt the
+ session
+ """
+ if not pickle:
+ raise ValueError("Pickle can't be empty")
+
+ byte_passphrase = bytearray(passphrase, "utf-8") if passphrase else b""
+ # copy because unpickle will destroy the buffer
+ pickle_buffer = ffi.new("char[]", pickle)
+
+ obj = cls.__new__(cls)
+
+ try:
+ ret = lib.olm_unpickle_inbound_group_session(
+ obj._session,
+ ffi.from_buffer(byte_passphrase),
+ len(byte_passphrase),
+ pickle_buffer,
+ len(pickle)
+ )
+ obj._check_error(ret)
+ finally:
+ # clear out copies of the passphrase
+ for i in range(0, len(byte_passphrase)):
+ byte_passphrase[i] = 0
+
+ return obj
+
+ def _check_error(self, ret):
+ # type: (int) -> None
+ if ret != lib.olm_error():
+ return
+
+ last_error = bytes_to_native_str(ffi.string(
+ lib.olm_inbound_group_session_last_error(self._session)))
+
+ raise OlmGroupSessionError(last_error)
+
+ def decrypt(self, ciphertext):
+ # type: (AnyStr) -> Tuple[str, int]
+ """Decrypt a message
+
+ Returns a tuple of the decrypted plain-text and the message index of
+ the decrypted message or raises OlmGroupSessionError on failure.
+ On failure the error message of the exception will be:
+
+ * OLM_INVALID_BASE64 if the message is not valid base64
+ * OLM_BAD_MESSAGE_VERSION if the message was encrypted with an
+ unsupported version of the protocol
+ * OLM_BAD_MESSAGE_FORMAT if the message headers could not be
+ decoded
+ * OLM_BAD_MESSAGE_MAC if the message could not be verified
+ * OLM_UNKNOWN_MESSAGE_INDEX if we do not have a session key
+ corresponding to the message's index (i.e., it was sent before
+ the session key was shared with us)
+
+ Args:
+ ciphertext(str): Base64 encoded ciphertext containing the encrypted
+ message
+ """
+ if not ciphertext:
+ raise ValueError("Ciphertext can't be empty.")
+
+ byte_ciphertext = to_bytes(ciphertext)
+
+ # copy because max_plaintext_length will destroy the buffer
+ ciphertext_buffer = ffi.new("char[]", byte_ciphertext)
+
+ max_plaintext_length = lib.olm_group_decrypt_max_plaintext_length(
+ self._session, ciphertext_buffer, len(byte_ciphertext)
+ )
+ self._check_error(max_plaintext_length)
+ plaintext_buffer = ffi.new("char[]", max_plaintext_length)
+ # copy because max_plaintext_length will destroy the buffer
+ ciphertext_buffer = ffi.new("char[]", byte_ciphertext)
+
+ message_index = ffi.new("uint32_t*")
+ plaintext_length = lib.olm_group_decrypt(
+ self._session, ciphertext_buffer, len(byte_ciphertext),
+ plaintext_buffer, max_plaintext_length,
+ message_index
+ )
+
+ self._check_error(plaintext_length)
+
+ plaintext = bytes_to_native_str(ffi.unpack(
+ plaintext_buffer,
+ plaintext_length
+ ))
+
+ # clear out copies of the plaintext
+ lib.memset(plaintext_buffer, 0, max_plaintext_length)
+
+ return plaintext, message_index[0]
+
+ @property
+ def id(self):
+ # type: () -> str
+ """str: A base64 encoded identifier for this session."""
+ id_length = lib.olm_inbound_group_session_id_length(self._session)
+ id_buffer = ffi.new("char[]", id_length)
+ ret = lib.olm_inbound_group_session_id(
+ self._session,
+ id_buffer,
+ id_length
+ )
+ self._check_error(ret)
+ return bytes_to_native_str(ffi.unpack(id_buffer, id_length))
+
+ @property
+ def first_known_index(self):
+ # type: () -> int
+ """int: The first message index we know how to decrypt."""
+ return lib.olm_inbound_group_session_first_known_index(self._session)
+
+ def export_session(self, message_index):
+ # type: (int) -> str
+ """Export an inbound group session
+
+ Export the base64-encoded ratchet key for this session, at the given
+ index, in a format which can be used by import_session().
+
+ Raises OlmGroupSessionError on failure. The error message for the
+ exception will be:
+
+ * OLM_UNKNOWN_MESSAGE_INDEX if we do not have a session key
+ corresponding to the given index (ie, it was sent before the
+ session key was shared with us)
+
+ Args:
+ message_index(int): The message index at which the session should
+ be exported.
+ """
+
+ export_length = lib.olm_export_inbound_group_session_length(
+ self._session)
+
+ export_buffer = ffi.new("char[]", export_length)
+ ret = lib.olm_export_inbound_group_session(
+ self._session,
+ export_buffer,
+ export_length,
+ message_index
+ )
+ self._check_error(ret)
+ export_str = bytes_to_native_str(ffi.unpack(export_buffer, export_length))
+
+ # clear out copies of the key
+ lib.memset(export_buffer, 0, export_length)
+
+ return export_str
+
+ @classmethod
+ def import_session(cls, session_key):
+ # type: (AnyStr) -> InboundGroupSession
+ """Create an InboundGroupSession from an exported session key.
+
+ Creates an InboundGroupSession with an previously exported session key,
+ raises OlmGroupSessionError on failure. The error message for the
+ exception will be:
+
+ * OLM_INVALID_BASE64 if the session_key is not valid base64
+ * OLM_BAD_SESSION_KEY if the session_key is invalid
+
+ Args:
+ session_key(str): The exported session key with which the inbound
+ group session will be created
+ """
+ obj = cls.__new__(cls)
+
+ byte_session_key = to_bytearray(session_key)
+
+ try:
+ ret = lib.olm_import_inbound_group_session(
+ obj._session,
+ ffi.from_buffer(byte_session_key),
+ len(byte_session_key)
+ )
+ obj._check_error(ret)
+ finally:
+ # clear out copies of the key
+ if byte_session_key is not session_key:
+ for i in range(0, len(byte_session_key)):
+ byte_session_key[i] = 0
+
+ return obj
+
+
+class OutboundGroupSession(object):
+ """Outbound group session for encrypted multiuser communication."""
+
+ def __new__(cls):
+ # type: (Type[OutboundGroupSession]) -> OutboundGroupSession
+ obj = super().__new__(cls)
+ obj._buf = ffi.new("char[]", lib.olm_outbound_group_session_size())
+ obj._session = lib.olm_outbound_group_session(obj._buf)
+ track_for_finalization(
+ obj,
+ obj._session,
+ _clear_outbound_group_session
+ )
+ return obj
+
+ def __init__(self):
+ # type: () -> None
+ """Create a new outbound group session.
+
+ Start a new outbound group session. Raises OlmGroupSessionError on
+ failure.
+ """
+ if False: # pragma: no cover
+ self._session = self._session # type: ffi.cdata
+
+ random_length = lib.olm_init_outbound_group_session_random_length(
+ self._session
+ )
+ random = URANDOM(random_length)
+
+ ret = lib.olm_init_outbound_group_session(
+ self._session, ffi.from_buffer(random), random_length
+ )
+ self._check_error(ret)
+
+ def _check_error(self, ret):
+ # type: (int) -> None
+ if ret != lib.olm_error():
+ return
+
+ last_error = bytes_to_native_str(ffi.string(
+ lib.olm_outbound_group_session_last_error(self._session)
+ ))
+
+ raise OlmGroupSessionError(last_error)
+
+ def pickle(self, passphrase=""):
+ # type: (Optional[str]) -> bytes
+ """Store an outbound group session.
+
+ Stores a group session as a base64 string. Encrypts the session using
+ the supplied passphrase. Returns a byte object containing the base64
+ encoded string of the pickled session.
+
+ Args:
+ passphrase(str, optional): The passphrase to be used to encrypt
+ the session.
+ """
+ byte_passphrase = bytearray(passphrase, "utf-8") if passphrase else b""
+ pickle_length = lib.olm_pickle_outbound_group_session_length(
+ self._session)
+ pickle_buffer = ffi.new("char[]", pickle_length)
+
+ try:
+ ret = lib.olm_pickle_outbound_group_session(
+ self._session,
+ ffi.from_buffer(byte_passphrase), len(byte_passphrase),
+ pickle_buffer, pickle_length
+ )
+ self._check_error(ret)
+ finally:
+ # clear out copies of the passphrase
+ for i in range(0, len(byte_passphrase)):
+ byte_passphrase[i] = 0
+
+ return ffi.unpack(pickle_buffer, pickle_length)
+
+ @classmethod
+ def from_pickle(cls, pickle, passphrase=""):
+ # type: (bytes, Optional[str]) -> OutboundGroupSession
+ """Load a previously stored outbound group session.
+
+ Loads an outbound group session from a pickled base64 string and
+ returns an OutboundGroupSession object. Decrypts the session using the
+ supplied passphrase. Raises OlmSessionError on failure. If the
+ passphrase doesn't match the one used to encrypt the session then the
+ error message for the exception will be "BAD_ACCOUNT_KEY". If the
+ base64 couldn't be decoded then the error message will be
+ "INVALID_BASE64".
+
+ Args:
+ pickle(bytes): Base64 encoded byte string containing the pickled
+ session
+ passphrase(str, optional): The passphrase used to encrypt the
+ """
+ if not pickle:
+ raise ValueError("Pickle can't be empty")
+
+ byte_passphrase = bytearray(passphrase, "utf-8") if passphrase else b""
+ # copy because unpickle will destroy the buffer
+ pickle_buffer = ffi.new("char[]", pickle)
+
+ obj = cls.__new__(cls)
+
+ try:
+ ret = lib.olm_unpickle_outbound_group_session(
+ obj._session,
+ ffi.from_buffer(byte_passphrase),
+ len(byte_passphrase),
+ pickle_buffer,
+ len(pickle)
+ )
+ obj._check_error(ret)
+ finally:
+ # clear out copies of the passphrase
+ for i in range(0, len(byte_passphrase)):
+ byte_passphrase[i] = 0
+
+ return obj
+
+ def encrypt(self, plaintext):
+ # type: (AnyStr) -> str
+ """Encrypt a message.
+
+ Returns the encrypted ciphertext.
+
+ Args:
+ plaintext(str): A string that will be encrypted using the group
+ session.
+ """
+ byte_plaintext = to_bytearray(plaintext)
+ message_length = lib.olm_group_encrypt_message_length(
+ self._session, len(byte_plaintext)
+ )
+
+ message_buffer = ffi.new("char[]", message_length)
+
+ try:
+ ret = lib.olm_group_encrypt(
+ self._session,
+ ffi.from_buffer(byte_plaintext), len(byte_plaintext),
+ message_buffer, message_length,
+ )
+ self._check_error(ret)
+ finally:
+ # clear out copies of plaintext
+ if byte_plaintext is not plaintext:
+ for i in range(0, len(byte_plaintext)):
+ byte_plaintext[i] = 0
+
+ return bytes_to_native_str(ffi.unpack(message_buffer, message_length))
+
+ @property
+ def id(self):
+ # type: () -> str
+ """str: A base64 encoded identifier for this session."""
+ id_length = lib.olm_outbound_group_session_id_length(self._session)
+ id_buffer = ffi.new("char[]", id_length)
+
+ ret = lib.olm_outbound_group_session_id(
+ self._session,
+ id_buffer,
+ id_length
+ )
+ self._check_error(ret)
+
+ return bytes_to_native_str(ffi.unpack(id_buffer, id_length))
+
+ @property
+ def message_index(self):
+ # type: () -> int
+ """int: The current message index of the session.
+
+ Each message is encrypted with an increasing index. This is the index
+ for the next message.
+ """
+ return lib.olm_outbound_group_session_message_index(self._session)
+
+ @property
+ def session_key(self):
+ # type: () -> str
+ """The base64-encoded current ratchet key for this session.
+
+ Each message is encrypted with a different ratchet key. This function
+ returns the ratchet key that will be used for the next message.
+ """
+ key_length = lib.olm_outbound_group_session_key_length(self._session)
+ key_buffer = ffi.new("char[]", key_length)
+
+ ret = lib.olm_outbound_group_session_key(
+ self._session,
+ key_buffer,
+ key_length
+ )
+ self._check_error(ret)
+
+ return bytes_to_native_str(ffi.unpack(key_buffer, key_length))
diff --git a/python/olm/inbound_group_session.py b/python/olm/inbound_group_session.py
deleted file mode 100644
index 286aedb..0000000
--- a/python/olm/inbound_group_session.py
+++ /dev/null
@@ -1,138 +0,0 @@
-import json
-
-from ._base import *
-
-lib.olm_inbound_group_session_size.argtypes = []
-lib.olm_inbound_group_session_size.restype = c_size_t
-
-lib.olm_inbound_group_session.argtypes = [c_void_p]
-lib.olm_inbound_group_session.restype = c_void_p
-
-lib.olm_inbound_group_session_last_error.argtypes = [c_void_p]
-lib.olm_inbound_group_session_last_error.restype = c_char_p
-
-
-def inbound_group_session_errcheck(res, func, args):
- if res == ERR:
- raise OlmError("%s: %s" % (
- func.__name__, lib.olm_inbound_group_session_last_error(args[0])
- ))
- return res
-
-
-def inbound_group_session_function(func, *types):
- func.argtypes = (c_void_p,) + types
- func.restypes = c_size_t
- func.errcheck = inbound_group_session_errcheck
-
-
-inbound_group_session_function(
- lib.olm_pickle_inbound_group_session,
- c_void_p, c_size_t, c_void_p, c_size_t,
-)
-inbound_group_session_function(
- lib.olm_unpickle_inbound_group_session,
- c_void_p, c_size_t, c_void_p, c_size_t,
-)
-
-inbound_group_session_function(
- lib.olm_init_inbound_group_session, c_void_p, c_size_t
-)
-
-inbound_group_session_function(
- lib.olm_import_inbound_group_session, c_void_p, c_size_t
-)
-
-inbound_group_session_function(
- lib.olm_group_decrypt_max_plaintext_length, c_void_p, c_size_t
-)
-inbound_group_session_function(
- lib.olm_group_decrypt,
- c_void_p, c_size_t, # message
- c_void_p, c_size_t, # plaintext
- POINTER(c_uint32), # message_index
-)
-
-inbound_group_session_function(
- lib.olm_inbound_group_session_id_length,
-)
-inbound_group_session_function(
- lib.olm_inbound_group_session_id,
- c_void_p, c_size_t,
-)
-
-lib.olm_inbound_group_session_first_known_index.argtypes = (c_void_p,)
-lib.olm_inbound_group_session_first_known_index.restypes = c_uint32
-
-inbound_group_session_function(
- lib.olm_export_inbound_group_session_length,
-)
-inbound_group_session_function(
- lib.olm_export_inbound_group_session, c_void_p, c_size_t, c_uint32,
-)
-
-
-class InboundGroupSession(object):
- def __init__(self):
- self.buf = create_string_buffer(lib.olm_inbound_group_session_size())
- self.ptr = lib.olm_inbound_group_session(self.buf)
-
- def pickle(self, key):
- key_buffer = create_string_buffer(key)
- pickle_length = lib.olm_pickle_inbound_group_session_length(self.ptr)
- pickle_buffer = create_string_buffer(pickle_length)
- lib.olm_pickle_inbound_group_session(
- self.ptr, key_buffer, len(key), pickle_buffer, pickle_length
- )
- return pickle_buffer.raw
-
- def unpickle(self, key, pickle):
- key_buffer = create_string_buffer(key)
- pickle_buffer = create_string_buffer(pickle)
- lib.olm_unpickle_inbound_group_session(
- self.ptr, key_buffer, len(key), pickle_buffer, len(pickle)
- )
-
- def init(self, session_key):
- key_buffer = create_string_buffer(session_key)
- lib.olm_init_inbound_group_session(
- self.ptr, key_buffer, len(session_key)
- )
-
- def import_session(self, session_key):
- key_buffer = create_string_buffer(session_key)
- lib.olm_import_inbound_group_session(
- self.ptr, key_buffer, len(session_key)
- )
-
- def decrypt(self, message):
- message_buffer = create_string_buffer(message)
- max_plaintext_length = lib.olm_group_decrypt_max_plaintext_length(
- self.ptr, message_buffer, len(message)
- )
- plaintext_buffer = create_string_buffer(max_plaintext_length)
- message_buffer = create_string_buffer(message)
-
- message_index = c_uint32()
- plaintext_length = lib.olm_group_decrypt(
- self.ptr, message_buffer, len(message),
- plaintext_buffer, max_plaintext_length,
- byref(message_index)
- )
- return plaintext_buffer.raw[:plaintext_length], message_index.value
-
- def session_id(self):
- id_length = lib.olm_inbound_group_session_id_length(self.ptr)
- id_buffer = create_string_buffer(id_length)
- lib.olm_inbound_group_session_id(self.ptr, id_buffer, id_length)
- return id_buffer.raw
-
- def first_known_index(self):
- return lib.olm_inbound_group_session_first_known_index(self.ptr)
-
- def export_session(self, message_index):
- length = lib.olm_export_inbound_group_session_length(self.ptr)
- buffer = create_string_buffer(length)
- lib.olm_export_inbound_group_session(self.ptr, buffer, length,
- message_index)
- return buffer.raw
diff --git a/python/olm/outbound_group_session.py b/python/olm/outbound_group_session.py
deleted file mode 100644
index 5032b34..0000000
--- a/python/olm/outbound_group_session.py
+++ /dev/null
@@ -1,134 +0,0 @@
-import json
-from os import urandom
-
-from ._base import *
-
-lib.olm_outbound_group_session_size.argtypes = []
-lib.olm_outbound_group_session_size.restype = c_size_t
-
-lib.olm_outbound_group_session.argtypes = [c_void_p]
-lib.olm_outbound_group_session.restype = c_void_p
-
-lib.olm_outbound_group_session_last_error.argtypes = [c_void_p]
-lib.olm_outbound_group_session_last_error.restype = c_char_p
-
-
-def outbound_group_session_errcheck(res, func, args):
- if res == ERR:
- raise OlmError("%s: %s" % (
- func.__name__, lib.olm_outbound_group_session_last_error(args[0])
- ))
- return res
-
-
-def outbound_group_session_function(func, *types):
- func.argtypes = (c_void_p,) + types
- func.restypes = c_size_t
- func.errcheck = outbound_group_session_errcheck
-
-
-outbound_group_session_function(
- lib.olm_pickle_outbound_group_session,
- c_void_p, c_size_t, c_void_p, c_size_t,
-)
-outbound_group_session_function(
- lib.olm_unpickle_outbound_group_session,
- c_void_p, c_size_t, c_void_p, c_size_t,
-)
-
-outbound_group_session_function(
- lib.olm_init_outbound_group_session_random_length,
-)
-outbound_group_session_function(
- lib.olm_init_outbound_group_session,
- c_void_p, c_size_t,
-)
-
-lib.olm_outbound_group_session_message_index.argtypes = [c_void_p]
-lib.olm_outbound_group_session_message_index.restype = c_uint32
-
-outbound_group_session_function(
- lib.olm_group_encrypt_message_length,
- c_size_t,
-)
-outbound_group_session_function(
- lib.olm_group_encrypt,
- c_void_p, c_size_t, # Plaintext
- c_void_p, c_size_t, # Message
-)
-
-outbound_group_session_function(
- lib.olm_outbound_group_session_id_length,
-)
-outbound_group_session_function(
- lib.olm_outbound_group_session_id,
- c_void_p, c_size_t,
-)
-outbound_group_session_function(
- lib.olm_outbound_group_session_key_length,
-)
-outbound_group_session_function(
- lib.olm_outbound_group_session_key,
- c_void_p, c_size_t,
-)
-
-
-class OutboundGroupSession(object):
- def __init__(self):
- self.buf = create_string_buffer(lib.olm_outbound_group_session_size())
- self.ptr = lib.olm_outbound_group_session(self.buf)
-
- random_length = lib.olm_init_outbound_group_session_random_length(
- self.ptr
- )
- random = urandom(random_length)
- random_buffer = create_string_buffer(random)
- lib.olm_init_outbound_group_session(
- self.ptr, random_buffer, random_length
- )
-
- def pickle(self, key):
- key_buffer = create_string_buffer(key)
- pickle_length = lib.olm_pickle_outbound_group_session_length(self.ptr)
- pickle_buffer = create_string_buffer(pickle_length)
- lib.olm_pickle_outbound_group_session(
- self.ptr, key_buffer, len(key), pickle_buffer, pickle_length
- )
- return pickle_buffer.raw
-
- def unpickle(self, key, pickle):
- key_buffer = create_string_buffer(key)
- pickle_buffer = create_string_buffer(pickle)
- lib.olm_unpickle_outbound_group_session(
- self.ptr, key_buffer, len(key), pickle_buffer, len(pickle)
- )
-
- def encrypt(self, plaintext):
- message_length = lib.olm_group_encrypt_message_length(
- self.ptr, len(plaintext)
- )
- message_buffer = create_string_buffer(message_length)
-
- plaintext_buffer = create_string_buffer(plaintext)
-
- lib.olm_group_encrypt(
- self.ptr,
- plaintext_buffer, len(plaintext),
- message_buffer, message_length,
- )
- return message_buffer.raw
-
- def session_id(self):
- id_length = lib.olm_outbound_group_session_id_length(self.ptr)
- id_buffer = create_string_buffer(id_length)
- lib.olm_outbound_group_session_id(self.ptr, id_buffer, id_length)
- return id_buffer.raw
-
- def message_index(self):
- return lib.olm_outbound_group_session_message_index(self.ptr)
-
- def session_key(self):
- key_length = lib.olm_outbound_group_session_key_length(self.ptr)
- key_buffer = create_string_buffer(key_length)
- lib.olm_outbound_group_session_key(self.ptr, key_buffer, key_length)
- return key_buffer.raw
diff --git a/python/olm/session.py b/python/olm/session.py
index 019ea9e..cba9be0 100644
--- a/python/olm/session.py
+++ b/python/olm/session.py
@@ -1,204 +1,486 @@
-from os import urandom
+# -*- coding: utf-8 -*-
+# libolm python bindings
+# Copyright © 2015-2017 OpenMarket Ltd
+# Copyright © 2018 Damir Jelić <poljar@termina.org.uk>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""libolm Session module.
-from ._base import *
+This module contains the Olm Session part of the Olm library.
+It is used to establish a peer-to-peer encrypted communication channel between
+two Olm accounts.
-lib.olm_session_size.argtypes = []
-lib.olm_session_size.restype = c_size_t
+Examples:
+ >>> alice = Account()
+ >>> bob = Account()
+ >>> bob.generate_one_time_keys(1)
+ >>> id_key = bob.identity_keys['curve25519']
+ >>> one_time = list(bob.one_time_keys["curve25519"].values())[0]
+ >>> session = OutboundSession(alice, id_key, one_time)
-lib.olm_session.argtypes = [c_void_p]
-lib.olm_session.restype = c_void_p
+"""
-lib.olm_session_last_error.argtypes = [c_void_p]
-lib.olm_session_last_error.restype = c_char_p
+# pylint: disable=redefined-builtin,unused-import
+from builtins import bytes, super
+from typing import AnyStr, Optional, Type
+from future.utils import bytes_to_native_str
-def session_errcheck(res, func, args):
- if res == ERR:
- raise OlmError("%s: %s" % (
- func.__name__, lib.olm_session_last_error(args[0])
- ))
- return res
-
-
-def session_function(func, *types):
- func.argtypes = (c_void_p,) + types
- func.restypes = c_size_t
- func.errcheck = session_errcheck
-
-session_function(lib.olm_session_last_error)
-session_function(
- lib.olm_pickle_session, c_void_p, c_size_t, c_void_p, c_size_t
-)
-session_function(
- lib.olm_unpickle_session, c_void_p, c_size_t, c_void_p, c_size_t
-)
-session_function(lib.olm_create_outbound_session_random_length)
-session_function(
- lib.olm_create_outbound_session,
- c_void_p, # Account
- c_void_p, c_size_t, # Identity Key
- c_void_p, c_size_t, # One Time Key
- c_void_p, c_size_t, # Random
-)
-session_function(
- lib.olm_create_inbound_session,
- c_void_p, # Account
- c_void_p, c_size_t, # Pre Key Message
-)
-session_function(
- lib.olm_create_inbound_session_from,
- c_void_p, # Account
- c_void_p, c_size_t, # Identity Key
- c_void_p, c_size_t, # Pre Key Message
-)
-session_function(lib.olm_session_id_length)
-session_function(lib.olm_session_id, c_void_p, c_size_t)
-session_function(lib.olm_matches_inbound_session, c_void_p, c_size_t)
-session_function(
- lib.olm_matches_inbound_session_from,
- c_void_p, c_size_t, # Identity Key
- c_void_p, c_size_t, # Pre Key Message
-)
-session_function(lib.olm_pickle_session_length)
-session_function(lib.olm_encrypt_message_type)
-session_function(lib.olm_encrypt_random_length)
-session_function(lib.olm_encrypt_message_length, c_size_t)
-session_function(
- lib.olm_encrypt,
- c_void_p, c_size_t, # Plaintext
- c_void_p, c_size_t, # Random
- c_void_p, c_size_t, # Message
-)
-session_function(
- lib.olm_decrypt_max_plaintext_length,
- c_size_t, # Message Type
- c_void_p, c_size_t, # Message
-)
-session_function(
- lib.olm_decrypt,
- c_size_t, # Message Type
- c_void_p, c_size_t, # Message
- c_void_p, c_size_t, # Plaintext
-)
+# pylint: disable=no-name-in-module
+from _libolm import ffi, lib # type: ignore
+
+from ._compat import URANDOM, to_bytearray, to_bytes
+from ._finalize import track_for_finalization
+
+# This is imported only for type checking purposes
+if False:
+ from .account import Account # pragma: no cover
+
+
+class OlmSessionError(Exception):
+ """libolm Session exception."""
+
+
+class _OlmMessage(object):
+ def __init__(self, ciphertext, message_type):
+ # type: (AnyStr, ffi.cdata) -> None
+ if not ciphertext:
+ raise ValueError("Ciphertext can't be empty")
+
+ # I don't know why mypy wants a type annotation here nor why AnyStr
+ # doesn't work
+ self.ciphertext = ciphertext # type: ignore
+ self.message_type = message_type
+
+ def __str__(self):
+ # type: () -> str
+ type_to_prefix = {
+ lib.OLM_MESSAGE_TYPE_PRE_KEY: "PRE_KEY",
+ lib.OLM_MESSAGE_TYPE_MESSAGE: "MESSAGE"
+ }
+
+ prefix = type_to_prefix[self.message_type]
+ return "{} {}".format(prefix, self.ciphertext)
+
+
+class OlmPreKeyMessage(_OlmMessage):
+ """Olm prekey message class
+
+ Prekey messages are used to establish an Olm session. After the first
+ message exchange the session switches to normal messages
+ """
+
+ def __init__(self, ciphertext):
+ # type: (AnyStr) -> None
+ """Create a new Olm prekey message with the supplied ciphertext
+
+ Args:
+ ciphertext(str): The ciphertext of the prekey message.
+ """
+ _OlmMessage.__init__(self, ciphertext, lib.OLM_MESSAGE_TYPE_PRE_KEY)
+
+ def __repr__(self):
+ # type: () -> str
+ return "OlmPreKeyMessage({})".format(self.ciphertext)
+
+
+class OlmMessage(_OlmMessage):
+ """Olm message class"""
+
+ def __init__(self, ciphertext):
+ # type: (AnyStr) -> None
+ """Create a new Olm message with the supplied ciphertext
+
+ Args:
+ ciphertext(str): The ciphertext of the message.
+ """
+ _OlmMessage.__init__(self, ciphertext, lib.OLM_MESSAGE_TYPE_MESSAGE)
+
+ def __repr__(self):
+ # type: () -> str
+ return "OlmMessage({})".format(self.ciphertext)
+
+
+def _clear_session(session):
+ # type: (ffi.cdata) -> None
+ lib.olm_clear_session(session)
class Session(object):
+ """libolm Session class.
+ This is an abstract class that can't be instantiated except when unpickling
+ a previously pickled InboundSession or OutboundSession object with
+ from_pickle.
+ """
+
+ def __new__(cls):
+ # type: (Type[Session]) -> Session
+
+ obj = super().__new__(cls)
+ obj._buf = ffi.new("char[]", lib.olm_session_size())
+ obj._session = lib.olm_session(obj._buf)
+ track_for_finalization(obj, obj._session, _clear_session)
+ return obj
+
def __init__(self):
- self.buf = create_string_buffer(lib.olm_session_size())
- self.ptr = lib.olm_session(self.buf)
-
- def pickle(self, key):
- key_buffer = create_string_buffer(key)
- pickle_length = lib.olm_pickle_session_length(self.ptr)
- pickle_buffer = create_string_buffer(pickle_length)
- lib.olm_pickle_session(
- self.ptr, key_buffer, len(key), pickle_buffer, pickle_length
- )
- return pickle_buffer.raw
+ # type: () -> None
+ if type(self) is Session:
+ raise TypeError("Session class may not be instantiated.")
- def unpickle(self, key, pickle):
- key_buffer = create_string_buffer(key)
- pickle_buffer = create_string_buffer(pickle)
- lib.olm_unpickle_session(
- self.ptr, key_buffer, len(key), pickle_buffer, len(pickle)
- )
+ if False:
+ self._session = self._session # type: ffi.cdata
- def create_outbound(self, account, identity_key, one_time_key):
- r_length = lib.olm_create_outbound_session_random_length(self.ptr)
- random = urandom(r_length)
- random_buffer = create_string_buffer(random)
- identity_key_buffer = create_string_buffer(identity_key)
- one_time_key_buffer = create_string_buffer(one_time_key)
- lib.olm_create_outbound_session(
- self.ptr,
- account.ptr,
- identity_key_buffer, len(identity_key),
- one_time_key_buffer, len(one_time_key),
- random_buffer, r_length
- )
+ def _check_error(self, ret):
+ # type: (int) -> None
+ if ret != lib.olm_error():
+ return
- def create_inbound(self, account, one_time_key_message):
- one_time_key_message_buffer = create_string_buffer(
- one_time_key_message
- )
- lib.olm_create_inbound_session(
- self.ptr,
- account.ptr,
- one_time_key_message_buffer, len(one_time_key_message)
- )
+ last_error = bytes_to_native_str(
+ ffi.string(lib.olm_session_last_error(self._session)))
- def create_inbound_from(self, account, identity_key, one_time_key_message):
- identity_key_buffer = create_string_buffer(identity_key)
- one_time_key_message_buffer = create_string_buffer(
- one_time_key_message
- )
- lib.olm_create_inbound_session_from(
- self.ptr,
- account.ptr,
- identity_key_buffer, len(identity_key),
- one_time_key_message_buffer, len(one_time_key_message)
- )
+ raise OlmSessionError(last_error)
- def session_id(self):
- id_length = lib.olm_session_id_length(self.ptr)
- id_buffer = create_string_buffer(id_length)
- lib.olm_session_id(self.ptr, id_buffer, id_length)
- return id_buffer.raw
+ def pickle(self, passphrase=""):
+ # type: (Optional[str]) -> bytes
+ """Store an Olm session.
- def matches_inbound(self, one_time_key_message):
- one_time_key_message_buffer = create_string_buffer(
- one_time_key_message,
- )
- return bool(lib.olm_matches_inbound_session(
- self.ptr,
- one_time_key_message_buffer, len(one_time_key_message)
- ))
+ Stores a session as a base64 string. Encrypts the session using the
+ supplied passphrase. Returns a byte object containing the base64
+ encoded string of the pickled session. Raises OlmSessionError on
+ failure.
- def matches_inbound_from(self, identity_key, one_time_key_message):
- identity_key_buffer = create_string_buffer(identity_key)
- one_time_key_message_buffer = create_string_buffer(
- one_time_key_message,
- )
- return bool(lib.olm_matches_inbound_session(
- self.ptr,
- identity_key_buffer, len(identity_key),
- one_time_key_message_buffer, len(one_time_key_message)
- ))
+ Args:
+ passphrase(str, optional): The passphrase to be used to encrypt
+ the session.
+ """
+ byte_key = bytearray(passphrase, "utf-8") if passphrase else b""
+
+ pickle_length = lib.olm_pickle_session_length(self._session)
+ pickle_buffer = ffi.new("char[]", pickle_length)
+
+ try:
+ self._check_error(
+ lib.olm_pickle_session(self._session,
+ ffi.from_buffer(byte_key),
+ len(byte_key),
+ pickle_buffer, pickle_length))
+ finally:
+ # clear out copies of the passphrase
+ for i in range(0, len(byte_key)):
+ byte_key[i] = 0
+
+ return ffi.unpack(pickle_buffer, pickle_length)
+
+ @classmethod
+ def from_pickle(cls, pickle, passphrase=""):
+ # type: (bytes, Optional[str]) -> Session
+ """Load a previously stored Olm session.
+
+ Loads a session from a pickled base64 string and returns a Session
+ object. Decrypts the session using the supplied passphrase. Raises
+ OlmSessionError on failure. If the passphrase doesn't match the one
+ used to encrypt the session then the error message for the
+ exception will be "BAD_ACCOUNT_KEY". If the base64 couldn't be decoded
+ then the error message will be "INVALID_BASE64".
+
+ Args:
+ pickle(bytes): Base64 encoded byte string containing the pickled
+ session
+ passphrase(str, optional): The passphrase used to encrypt the
+ session.
+ """
+ if not pickle:
+ raise ValueError("Pickle can't be empty")
+
+ byte_key = bytearray(passphrase, "utf-8") if passphrase else b""
+ # copy because unpickle will destroy the buffer
+ pickle_buffer = ffi.new("char[]", pickle)
+
+ session = cls.__new__(cls)
+
+ try:
+ ret = lib.olm_unpickle_session(session._session,
+ ffi.from_buffer(byte_key),
+ len(byte_key),
+ pickle_buffer,
+ len(pickle))
+ session._check_error(ret)
+ finally:
+ # clear out copies of the passphrase
+ for i in range(0, len(byte_key)):
+ byte_key[i] = 0
+
+ return session
def encrypt(self, plaintext):
- r_length = lib.olm_encrypt_random_length(self.ptr)
- random = urandom(r_length)
- random_buffer = create_string_buffer(random)
+ # type: (AnyStr) -> _OlmMessage
+ """Encrypts a message using the session. Returns the ciphertext as a
+ base64 encoded string on success. Raises OlmSessionError on failure.
- message_type = lib.olm_encrypt_message_type(self.ptr)
- message_length = lib.olm_encrypt_message_length(
- self.ptr, len(plaintext)
- )
- message_buffer = create_string_buffer(message_length)
+ Args:
+ plaintext(str): The plaintext message that will be encrypted.
+ """
+ byte_plaintext = to_bytearray(plaintext)
- plaintext_buffer = create_string_buffer(plaintext)
+ r_length = lib.olm_encrypt_random_length(self._session)
+ random = URANDOM(r_length)
- lib.olm_encrypt(
- self.ptr,
- plaintext_buffer, len(plaintext),
- random_buffer, r_length,
- message_buffer, message_length,
- )
- return message_type, message_buffer.raw
+ try:
+ message_type = lib.olm_encrypt_message_type(self._session)
+
+ self._check_error(message_type)
+
+ ciphertext_length = lib.olm_encrypt_message_length(
+ self._session, len(byte_plaintext)
+ )
+ ciphertext_buffer = ffi.new("char[]", ciphertext_length)
+
+ self._check_error(lib.olm_encrypt(
+ self._session,
+ ffi.from_buffer(byte_plaintext), len(byte_plaintext),
+ ffi.from_buffer(random), r_length,
+ ciphertext_buffer, ciphertext_length,
+ ))
+ finally:
+ # clear out copies of plaintext
+ if byte_plaintext is not plaintext:
+ for i in range(0, len(byte_plaintext)):
+ byte_plaintext[i] = 0
+
+ if message_type == lib.OLM_MESSAGE_TYPE_PRE_KEY:
+ return OlmPreKeyMessage(
+ bytes_to_native_str(ffi.unpack(
+ ciphertext_buffer,
+ ciphertext_length
+ )))
+ elif message_type == lib.OLM_MESSAGE_TYPE_MESSAGE:
+ return OlmMessage(
+ bytes_to_native_str(ffi.unpack(
+ ciphertext_buffer,
+ ciphertext_length
+ )))
+ else: # pragma: no cover
+ raise ValueError("Unknown message type")
+
+ def decrypt(self, message):
+ # type: (_OlmMessage) -> str
+ """Decrypts a message using the session. Returns the plaintext string
+ on success. Raises OlmSessionError on failure. If the base64 couldn't
+ be decoded then the error message will be "INVALID_BASE64". If the
+ message is for an unsupported version of the protocol the error message
+ will be "BAD_MESSAGE_VERSION". If the message couldn't be decoded then
+ the error message will be "BAD_MESSAGE_FORMAT". If the MAC on the
+ message was invalid then the error message will be "BAD_MESSAGE_MAC".
+
+ Args:
+ message(OlmMessage): The Olm message that will be decrypted. It can
+ be either an OlmPreKeyMessage or an OlmMessage.
+ """
+ if not message.ciphertext:
+ raise ValueError("Ciphertext can't be empty")
+
+ byte_ciphertext = to_bytes(message.ciphertext)
+ # make a copy the ciphertext buffer, because
+ # olm_decrypt_max_plaintext_length wants to destroy something
+ ciphertext_buffer = ffi.new("char[]", byte_ciphertext)
- def decrypt(self, message_type, message):
- message_buffer = create_string_buffer(message)
max_plaintext_length = lib.olm_decrypt_max_plaintext_length(
- self.ptr, message_type, message_buffer, len(message)
+ self._session, message.message_type, ciphertext_buffer,
+ len(byte_ciphertext)
)
- plaintext_buffer = create_string_buffer(max_plaintext_length)
- message_buffer = create_string_buffer(message)
+ self._check_error(max_plaintext_length)
+ plaintext_buffer = ffi.new("char[]", max_plaintext_length)
+
+ # make a copy the ciphertext buffer, because
+ # olm_decrypt_max_plaintext_length wants to destroy something
+ ciphertext_buffer = ffi.new("char[]", byte_ciphertext)
plaintext_length = lib.olm_decrypt(
- self.ptr, message_type, message_buffer, len(message),
+ self._session, message.message_type,
+ ciphertext_buffer, len(byte_ciphertext),
plaintext_buffer, max_plaintext_length
)
- return plaintext_buffer.raw[:plaintext_length]
+ self._check_error(plaintext_length)
+ plaintext = bytes_to_native_str(
+ ffi.unpack(plaintext_buffer, plaintext_length))
+
+ # clear out copies of the plaintext
+ lib.memset(plaintext_buffer, 0, max_plaintext_length)
+
+ return plaintext
+
+ @property
+ def id(self):
+ # type: () -> str
+ """str: An identifier for this session. Will be the same for both
+ ends of the conversation.
+ """
+ id_length = lib.olm_session_id_length(self._session)
+ id_buffer = ffi.new("char[]", id_length)
+
+ self._check_error(
+ lib.olm_session_id(self._session, id_buffer, id_length)
+ )
+ return bytes_to_native_str(ffi.unpack(id_buffer, id_length))
+
+ def matches(self, message, identity_key=None):
+ # type: (OlmPreKeyMessage, Optional[AnyStr]) -> bool
+ """Checks if the PRE_KEY message is for this in-bound session.
+ This can happen if multiple messages are sent to this session before
+ this session sends a message in reply. Returns True if the session
+ matches. Returns False if the session does not match. Raises
+ OlmSessionError on failure. If the base64 couldn't be decoded then the
+ error message will be "INVALID_BASE64". If the message was for an
+ unsupported protocol version then the error message will be
+ "BAD_MESSAGE_VERSION". If the message couldn't be decoded then then the
+ error message will be * "BAD_MESSAGE_FORMAT".
+
+ Args:
+ message(OlmPreKeyMessage): The Olm prekey message that will checked
+ if it is intended for this session.
+ identity_key(str, optional): The identity key of the sender. To
+ check if the message was also sent using this identity key.
+ """
+ if not isinstance(message, OlmPreKeyMessage):
+ raise TypeError("Matches can only be called with prekey messages.")
+
+ if not message.ciphertext:
+ raise ValueError("Ciphertext can't be empty")
+
+ ret = None
+
+ byte_ciphertext = to_bytes(message.ciphertext)
+ # make a copy, because olm_matches_inbound_session(_from) will distroy
+ # it
+ message_buffer = ffi.new("char[]", byte_ciphertext)
+
+ if identity_key:
+ byte_id_key = to_bytes(identity_key)
+
+ ret = lib.olm_matches_inbound_session_from(
+ self._session,
+ ffi.from_buffer(byte_id_key), len(byte_id_key),
+ message_buffer, len(byte_ciphertext)
+ )
+
+ else:
+ ret = lib.olm_matches_inbound_session(
+ self._session,
+ message_buffer, len(byte_ciphertext))
- def clear(self):
- pass
+ self._check_error(ret)
+
+ return bool(ret)
+
+
+class InboundSession(Session):
+ """Inbound Olm session for p2p encrypted communication.
+ """
+
+ def __new__(cls, account, message, identity_key=None):
+ # type: (Account, OlmPreKeyMessage, Optional[AnyStr]) -> Session
+ return super().__new__(cls)
+
+ def __init__(self, account, message, identity_key=None):
+ # type: (Account, OlmPreKeyMessage, Optional[AnyStr]) -> None
+ """Create a new inbound Olm session.
+
+ Create a new in-bound session for sending/receiving messages from an
+ incoming prekey message. Raises OlmSessionError on failure. If the
+ base64 couldn't be decoded then error message will be "INVALID_BASE64".
+ If the message was for an unsupported protocol version then
+ the errror message will be "BAD_MESSAGE_VERSION". If the message
+ couldn't be decoded then then the error message will be
+ "BAD_MESSAGE_FORMAT". If the message refers to an unknown one-time
+ key then the error message will be "BAD_MESSAGE_KEY_ID".
+
+ Args:
+ account(Account): The Olm Account that will be used to create this
+ session.
+ message(OlmPreKeyMessage): The Olm prekey message that will checked
+ that will be used to create this session.
+ identity_key(str, optional): The identity key of the sender. To
+ check if the message was also sent using this identity key.
+ """
+ if not message.ciphertext:
+ raise ValueError("Ciphertext can't be empty")
+
+ super().__init__()
+ byte_ciphertext = to_bytes(message.ciphertext)
+ message_buffer = ffi.new("char[]", byte_ciphertext)
+
+ if identity_key:
+ byte_id_key = to_bytes(identity_key)
+ identity_key_buffer = ffi.new("char[]", byte_id_key)
+ self._check_error(lib.olm_create_inbound_session_from(
+ self._session,
+ account._account,
+ identity_key_buffer, len(byte_id_key),
+ message_buffer, len(byte_ciphertext)
+ ))
+ else:
+ self._check_error(lib.olm_create_inbound_session(
+ self._session,
+ account._account,
+ message_buffer, len(byte_ciphertext)
+ ))
+
+
+class OutboundSession(Session):
+ """Outbound Olm session for p2p encrypted communication."""
+
+ def __new__(cls, account, identity_key, one_time_key):
+ # type: (Account, AnyStr, AnyStr) -> Session
+ return super().__new__(cls)
+
+ def __init__(self, account, identity_key, one_time_key):
+ # type: (Account, AnyStr, AnyStr) -> None
+ """Create a new outbound Olm session.
+
+ Creates a new outbound session for sending messages to a given
+ identity key and one-time key.
+
+ Raises OlmSessionError on failure. If the keys couldn't be decoded as
+ base64 then the error message will be "INVALID_BASE64".
+
+ Args:
+ account(Account): The Olm Account that will be used to create this
+ session.
+ identity_key(str): The identity key of the person with whom we want
+ to start the session.
+ one_time_key(str): A one-time key from the person with whom we want
+ to start the session.
+ """
+ if not identity_key:
+ raise ValueError("Identity key can't be empty")
+
+ if not one_time_key:
+ raise ValueError("One-time key can't be empty")
+
+ super().__init__()
+
+ byte_id_key = to_bytes(identity_key)
+ byte_one_time = to_bytes(one_time_key)
+
+ session_random_length = lib.olm_create_outbound_session_random_length(
+ self._session)
+
+ random = URANDOM(session_random_length)
+
+ self._check_error(lib.olm_create_outbound_session(
+ self._session,
+ account._account,
+ ffi.from_buffer(byte_id_key), len(byte_id_key),
+ ffi.from_buffer(byte_one_time), len(byte_one_time),
+ ffi.from_buffer(random), session_random_length
+ ))
diff --git a/python/olm/utility.py b/python/olm/utility.py
index dac0225..0a64128 100644
--- a/python/olm/utility.py
+++ b/python/olm/utility.py
@@ -1,56 +1,110 @@
-from ._base import lib, c_void_p, c_size_t, c_char_p, \
- create_string_buffer, ERR, OlmError
+# -*- coding: utf-8 -*-
+# libolm python bindings
+# Copyright © 2015-2017 OpenMarket Ltd
+# Copyright © 2018 Damir Jelić <poljar@termina.org.uk>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""libolm Utility module.
-lib.olm_utility_size.argtypes = []
-lib.olm_utility_size.restype = c_size_t
+This module contains utilities for olm.
+It only contains the ed25519_verify function for signature verification.
-lib.olm_utility.argtypes = [c_void_p]
-lib.olm_utility.restype = c_void_p
+Examples:
+ >>> alice = Account()
-lib.olm_utility_last_error.argtypes = [c_void_p]
-lib.olm_utility_last_error.restype = c_char_p
+ >>> message = "Test"
+ >>> signature = alice.sign(message)
+ >>> signing_key = alice.identity_keys["ed25519"]
+ >>> ed25519_verify(signing_key, message, signature)
-def utility_errcheck(res, func, args):
- if res == ERR:
- raise OlmError("%s: %s" % (
- func.__name__, lib.olm_utility_last_error(args[0])
- ))
- return res
+"""
+# pylint: disable=redefined-builtin,unused-import
+from typing import AnyStr, Type
-def utility_function(func, *types):
- func.argtypes = (c_void_p,) + types
- func.restypes = c_size_t
- func.errcheck = utility_errcheck
+# pylint: disable=no-name-in-module
+from _libolm import ffi, lib # type: ignore
-utility_function(
- lib.olm_ed25519_verify,
- c_void_p, c_size_t, # key, key_length
- c_void_p, c_size_t, # message, message_length
- c_void_p, c_size_t, # signature, signature_length
-)
+from ._compat import to_bytearray, to_bytes
+from ._finalize import track_for_finalization
-class Utility(object):
- def __init__(self):
- self.buf = create_string_buffer(lib.olm_utility_size())
- self.ptr = lib.olm_utility(self.buf)
+def _clear_utility(utility): # pragma: no cover
+ # type: (ffi.cdata) -> None
+ lib.olm_clear_utility(utility)
-_utility = None
+
+class OlmVerifyError(Exception):
+ """libolm signature verification exception."""
+
+
+class _Utility(object):
+ # pylint: disable=too-few-public-methods
+ """libolm Utility class."""
+
+ _buf = None
+ _utility = None
+
+ @classmethod
+ def _allocate(cls):
+ # type: (Type[_Utility]) -> None
+ cls._buf = ffi.new("char[]", lib.olm_utility_size())
+ cls._utility = lib.olm_utility(cls._buf)
+ track_for_finalization(cls, cls._utility, _clear_utility)
+
+ @classmethod
+ def _check_error(cls, ret):
+ # type: (int) -> None
+ if ret != lib.olm_error():
+ return
+
+ raise OlmVerifyError("{}".format(
+ ffi.string(lib.olm_utility_last_error(
+ cls._utility)).decode("utf-8")))
+
+ @classmethod
+ def _ed25519_verify(cls, key, message, signature):
+ # type: (Type[_Utility], AnyStr, AnyStr, AnyStr) -> None
+ if not cls._utility:
+ cls._allocate()
+
+ byte_key = to_bytes(key)
+ byte_message = to_bytearray(message)
+ byte_signature = to_bytes(signature)
+
+ try:
+ cls._check_error(
+ lib.olm_ed25519_verify(cls._utility, byte_key, len(byte_key),
+ ffi.from_buffer(byte_message),
+ len(byte_message),
+ byte_signature, len(byte_signature)))
+ finally:
+ # clear out copies of the message, which may be a plaintext
+ if byte_message is not message:
+ for i in range(0, len(byte_message)):
+ byte_message[i] = 0
def ed25519_verify(key, message, signature):
- """ Verify an ed25519 signature. Raises an OlmError if verification fails.
+ # type: (AnyStr, AnyStr, AnyStr) -> None
+ """Verify an ed25519 signature.
+
+ Raises an OlmVerifyError if verification fails.
+
Args:
- key(bytes): The ed25519 public key used for signing.
- message(bytes): The signed message.
+ key(str): The ed25519 public key used for signing.
+ message(str): The signed message.
signature(bytes): The message signature.
"""
- global _utility
- if not _utility:
- _utility = Utility()
- lib.olm_ed25519_verify(_utility.ptr,
- key, len(key),
- message, len(message),
- signature, len(signature))
+ return _Utility._ed25519_verify(key, message, signature)
diff --git a/python/olm_build.py b/python/olm_build.py
new file mode 100644
index 0000000..ee836d8
--- /dev/null
+++ b/python/olm_build.py
@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+
+# libolm python bindings
+# Copyright © 2018 Damir Jelić <poljar@termina.org.uk>
+#
+# Permission to use, copy, modify, and/or distribute this software for
+# any purpose with or without fee is hereby granted, provided that the
+# above copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
+# RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
+# CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+from __future__ import unicode_literals
+
+import os
+
+from cffi import FFI
+
+ffibuilder = FFI()
+PATH = os.path.dirname(__file__)
+
+DEVELOP = os.environ.get("DEVELOP")
+
+compile_args = ["-I../include"]
+link_args = ["-L../build"]
+
+if DEVELOP and DEVELOP.lower() in ["yes", "true", "1"]:
+ link_args.append('-Wl,-rpath=../build')
+
+
+ffibuilder.set_source(
+ "_libolm",
+ r"""
+ #include <olm/olm.h>
+ #include <olm/inbound_group_session.h>
+ #include <olm/outbound_group_session.h>
+ """,
+ libraries=["olm"],
+ extra_compile_args=compile_args,
+ extra_link_args=link_args)
+
+with open(os.path.join(PATH, "include/olm/olm.h")) as f:
+ ffibuilder.cdef(f.read(), override=True)
+
+if __name__ == "__main__":
+ ffibuilder.compile(verbose=True)
diff --git a/python/requirements.txt b/python/requirements.txt
new file mode 100644
index 0000000..c627b85
--- /dev/null
+++ b/python/requirements.txt
@@ -0,0 +1,3 @@
+future
+cffi
+typing
diff --git a/python/setup.cfg b/python/setup.cfg
new file mode 100644
index 0000000..d10b7e4
--- /dev/null
+++ b/python/setup.cfg
@@ -0,0 +1,8 @@
+[tool:pytest]
+testpaths = tests
+flake8-ignore =
+ olm/*.py F401
+ tests/*.py W503
+
+[coverage:run]
+omit=olm/__version__.py
diff --git a/python/setup.py b/python/setup.py
new file mode 100644
index 0000000..4b0deb1
--- /dev/null
+++ b/python/setup.py
@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+
+import os
+from codecs import open
+
+from setuptools import setup
+
+here = os.path.abspath(os.path.dirname(__file__))
+
+about = {}
+with open(os.path.join(here, "olm", "__version__.py"), "r", "utf-8") as f:
+ exec(f.read(), about)
+
+setup(
+ name=about["__title__"],
+ version=about["__version__"],
+ description=about["__description__"],
+ author=about["__author__"],
+ author_email=about["__author_email__"],
+ url=about["__url__"],
+ license=about["__license__"],
+ packages=["olm"],
+ setup_requires=["cffi>=1.0.0"],
+ cffi_modules=["olm_build.py:ffibuilder"],
+ install_requires=["cffi>=1.0.0", "future", "typing"],
+ zip_safe=False
+)
diff --git a/python/test-requirements.txt b/python/test-requirements.txt
new file mode 100644
index 0000000..eb89250
--- /dev/null
+++ b/python/test-requirements.txt
@@ -0,0 +1,7 @@
+pytest
+hypothesis
+pytest-flake8
+pytest-isort
+pytest-cov
+pytest-benchmark
+aspectlib
diff --git a/python/test_olm.sh b/python/test_olm.sh
deleted file mode 100755
index 1554720..0000000
--- a/python/test_olm.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /bin/bash
-
-set -e
-
-cd `dirname $0`
-
-OLM="python -m olm"
-
-ALICE_ACCOUNT=alice.account
-ALICE_SESSION=alice.session
-ALICE_GROUP_SESSION=alice.group_session
-BOB_ACCOUNT=bob.account
-BOB_SESSION=bob.session
-BOB_GROUP_SESSION=bob.group_session
-CHARLIE_GROUP_SESSION=charlie.group_session
-
-rm -f $ALICE_ACCOUNT $BOB_ACCOUNT
-rm -f $ALICE_SESSION $BOB_SESSION
-rm -f $ALICE_GROUP_SESSION $BOB_GROUP_SESSION $CHARLIE_GROUP_SESSION
-
-$OLM create_account $ALICE_ACCOUNT
-$OLM create_account $BOB_ACCOUNT
-$OLM generate_keys $BOB_ACCOUNT 1
-
-BOB_IDENTITY_KEY="$($OLM identity_key $BOB_ACCOUNT)"
-BOB_ONE_TIME_KEY="$($OLM one_time_key $BOB_ACCOUNT)"
-
-$OLM outbound $ALICE_ACCOUNT $ALICE_SESSION "$BOB_IDENTITY_KEY" "$BOB_ONE_TIME_KEY"
-
-echo "Hello world" | $OLM encrypt $ALICE_SESSION - - | $OLM inbound $BOB_ACCOUNT $BOB_SESSION - -
-
-
-### group sessions
-
-$OLM outbound_group $ALICE_GROUP_SESSION
-$OLM group_credentials $ALICE_GROUP_SESSION | $OLM inbound_group $BOB_GROUP_SESSION
-echo "Hello group" | $OLM group_encrypt $ALICE_GROUP_SESSION - group_message
-$OLM group_decrypt $BOB_GROUP_SESSION group_message
-
-$OLM export_inbound_group $BOB_GROUP_SESSION | $OLM import_inbound_group $CHARLIE_GROUP_SESSION
-$OLM group_decrypt $CHARLIE_GROUP_SESSION group_message
-
-### Sign/verify
-ALICE_SIGNING_KEY="$($OLM signing_key $ALICE_ACCOUNT)"
-sig="$(echo "Test message" | $OLM sign $ALICE_ACCOUNT - -)"
-echo "Test message" | $OLM ed25519_verify $ALICE_SIGNING_KEY $sig -
diff --git a/python/tests/account_test.py b/python/tests/account_test.py
new file mode 100644
index 0000000..4fef72c
--- /dev/null
+++ b/python/tests/account_test.py
@@ -0,0 +1,100 @@
+from builtins import int
+
+import pytest
+from hypothesis import given
+from hypothesis.strategies import text
+
+from olm import Account, OlmAccountError, OlmVerifyError, ed25519_verify
+from olm._compat import to_bytes
+
+
+class TestClass(object):
+ def test_to_bytes(self):
+ assert isinstance(to_bytes("a"), bytes)
+ assert isinstance(to_bytes(u"a"), bytes)
+ assert isinstance(to_bytes(b"a"), bytes)
+ assert isinstance(to_bytes(r"a"), bytes)
+ with pytest.raises(TypeError):
+ to_bytes(0)
+
+ def test_account_creation(self):
+ alice = Account()
+ assert alice.identity_keys
+ assert len(alice.identity_keys) == 2
+
+ def test_account_pickle(self):
+ alice = Account()
+ pickle = alice.pickle()
+ assert (alice.identity_keys == Account.from_pickle(pickle)
+ .identity_keys)
+
+ def test_invalid_unpickle(self):
+ with pytest.raises(ValueError):
+ Account.from_pickle(b"")
+
+ def test_passphrase_pickle(self):
+ alice = Account()
+ passphrase = "It's a secret to everybody"
+ pickle = alice.pickle(passphrase)
+ assert (alice.identity_keys == Account.from_pickle(
+ pickle, passphrase).identity_keys)
+
+ def test_wrong_passphrase_pickle(self):
+ alice = Account()
+ passphrase = "It's a secret to everybody"
+ pickle = alice.pickle(passphrase)
+
+ with pytest.raises(OlmAccountError):
+ Account.from_pickle(pickle, "")
+
+ def test_one_time_keys(self):
+ alice = Account()
+ alice.generate_one_time_keys(10)
+ one_time_keys = alice.one_time_keys
+ assert one_time_keys
+ assert len(one_time_keys["curve25519"]) == 10
+
+ def test_max_one_time_keys(self):
+ alice = Account()
+ assert isinstance(alice.max_one_time_keys, int)
+
+ def test_publish_one_time_keys(self):
+ alice = Account()
+ alice.generate_one_time_keys(10)
+ one_time_keys = alice.one_time_keys
+
+ assert one_time_keys
+ assert len(one_time_keys["curve25519"]) == 10
+
+ alice.mark_keys_as_published()
+ assert not alice.one_time_keys["curve25519"]
+
+ def test_clear(self):
+ alice = Account()
+ del alice
+
+ @given(text())
+ def test_valid_signature(self, message):
+ alice = Account()
+
+ signature = alice.sign(message)
+ signing_key = alice.identity_keys["ed25519"]
+
+ assert signature
+ assert signing_key
+
+ ed25519_verify(signing_key, message, signature)
+
+ @given(text())
+ def test_invalid_signature(self, message):
+ alice = Account()
+ bob = Account()
+
+ signature = alice.sign(message)
+ signing_key = bob.identity_keys["ed25519"]
+
+ assert signature
+ assert signing_key
+
+ with pytest.raises(OlmVerifyError):
+ ed25519_verify(signing_key, message, signature)
diff --git a/python/tests/group_session_test.py b/python/tests/group_session_test.py
new file mode 100644
index 0000000..c17e84f
--- /dev/null
+++ b/python/tests/group_session_test.py
@@ -0,0 +1,114 @@
+import pytest
+
+from olm import InboundGroupSession, OlmGroupSessionError, OutboundGroupSession
+
+
+class TestClass(object):
+ def test_session_create(self):
+ OutboundGroupSession()
+
+ def test_session_id(self):
+ session = OutboundGroupSession()
+ assert isinstance(session.id, str)
+
+ def test_session_index(self):
+ session = OutboundGroupSession()
+ assert isinstance(session.message_index, int)
+ assert session.message_index == 0
+
+ def test_outbound_pickle(self):
+ session = OutboundGroupSession()
+ pickle = session.pickle()
+
+ assert (session.id == OutboundGroupSession.from_pickle(
+ pickle).id)
+
+ def test_invalid_unpickle(self):
+ with pytest.raises(ValueError):
+ OutboundGroupSession.from_pickle(b"")
+
+ with pytest.raises(ValueError):
+ InboundGroupSession.from_pickle(b"")
+
+ def test_inbound_create(self):
+ outbound = OutboundGroupSession()
+ InboundGroupSession(outbound.session_key)
+
+ def test_invalid_decrypt(self):
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+
+ with pytest.raises(ValueError):
+ inbound.decrypt("")
+
+ def test_inbound_pickle(self):
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ pickle = inbound.pickle()
+ InboundGroupSession.from_pickle(pickle)
+
+ def test_inbound_export(self):
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ imported = InboundGroupSession.import_session(
+ inbound.export_session(inbound.first_known_index)
+ )
+ assert "Test", 0 == imported.decrypt(outbound.encrypt("Test"))
+
+ def test_first_index(self):
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ index = inbound.first_known_index
+ assert isinstance(index, int)
+
+ def test_encrypt(self, benchmark):
+ benchmark.weave(OutboundGroupSession.encrypt, lazy=True)
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ assert "Test", 0 == inbound.decrypt(outbound.encrypt("Test"))
+
+ def test_decrypt(self, benchmark):
+ benchmark.weave(InboundGroupSession.decrypt, lazy=True)
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ assert "Test", 0 == inbound.decrypt(outbound.encrypt("Test"))
+
+ def test_decrypt_twice(self):
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ outbound.encrypt("Test 1")
+ message, index = inbound.decrypt(outbound.encrypt("Test 2"))
+ assert isinstance(index, int)
+ assert ("Test 2", 1) == (message, index)
+
+ def test_decrypt_failure(self):
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ eve_outbound = OutboundGroupSession()
+ with pytest.raises(OlmGroupSessionError):
+ inbound.decrypt(eve_outbound.encrypt("Test"))
+
+ def test_id(self):
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ assert outbound.id == inbound.id
+
+ def test_inbound_fail(self):
+ with pytest.raises(TypeError):
+ InboundGroupSession()
+
+ def test_oubtound_pickle_fail(self):
+ outbound = OutboundGroupSession()
+ pickle = outbound.pickle("Test")
+
+ with pytest.raises(OlmGroupSessionError):
+ OutboundGroupSession.from_pickle(pickle)
+
+ def test_outbound_clear(self):
+ session = OutboundGroupSession()
+ del session
+
+ def test_inbound_clear(self):
+ outbound = OutboundGroupSession()
+ inbound = InboundGroupSession(outbound.session_key)
+ del inbound
diff --git a/python/tests/session_test.py b/python/tests/session_test.py
new file mode 100644
index 0000000..ab1c38b
--- /dev/null
+++ b/python/tests/session_test.py
@@ -0,0 +1,143 @@
+import pytest
+
+from olm import (Account, InboundSession, OlmMessage, OlmPreKeyMessage,
+ OlmSessionError, OutboundSession, Session)
+
+
+class TestClass(object):
+ def _create_session(self):
+ alice = Account()
+ bob = Account()
+ bob.generate_one_time_keys(1)
+ id_key = bob.identity_keys["curve25519"]
+ one_time = list(bob.one_time_keys["curve25519"].values())[0]
+ session = OutboundSession(alice, id_key, one_time)
+ return alice, bob, session
+
+ def test_session_create(self):
+ _, _, session_1 = self._create_session()
+ _, _, session_2 = self._create_session()
+ assert session_1
+ assert session_2
+ assert session_1.id != session_2.id
+ assert isinstance(session_1.id, str)
+
+ def test_session_clear(self):
+ _, _, session = self._create_session()
+ del session
+
+ def test_invalid_session_create(self):
+ with pytest.raises(TypeError):
+ Session()
+
+ def test_session_pickle(self):
+ alice, bob, session = self._create_session()
+ Session.from_pickle(session.pickle()).id == session.id
+
+ def test_session_invalid_pickle(self):
+ with pytest.raises(ValueError):
+ Session.from_pickle(b"")
+
+ def test_wrong_passphrase_pickle(self):
+ alice, bob, session = self._create_session()
+ passphrase = "It's a secret to everybody"
+ pickle = alice.pickle(passphrase)
+
+ with pytest.raises(OlmSessionError):
+ Session.from_pickle(pickle, "")
+
+ def test_encrypt(self):
+ plaintext = "It's a secret to everybody"
+ alice, bob, session = self._create_session()
+ message = session.encrypt(plaintext)
+
+ assert (repr(message)
+ == "OlmPreKeyMessage({})".format(message.ciphertext))
+
+ assert (str(message)
+ == "PRE_KEY {}".format(message.ciphertext))
+
+ bob_session = InboundSession(bob, message)
+ assert plaintext == bob_session.decrypt(message)
+
+ def test_empty_message(self):
+ with pytest.raises(ValueError):
+ OlmPreKeyMessage("")
+ empty = OlmPreKeyMessage("x")
+ empty.ciphertext = ""
+ alice, bob, session = self._create_session()
+
+ with pytest.raises(ValueError):
+ session.decrypt(empty)
+
+ def test_inbound_with_id(self):
+ plaintext = "It's a secret to everybody"
+ alice, bob, session = self._create_session()
+ message = session.encrypt(plaintext)
+ alice_id = alice.identity_keys["curve25519"]
+ bob_session = InboundSession(bob, message, alice_id)
+ assert plaintext == bob_session.decrypt(message)
+
+ def test_two_messages(self):
+ plaintext = "It's a secret to everybody"
+ alice, bob, session = self._create_session()
+ message = session.encrypt(plaintext)
+ alice_id = alice.identity_keys["curve25519"]
+ bob_session = InboundSession(bob, message, alice_id)
+ bob.remove_one_time_keys(bob_session)
+ assert plaintext == bob_session.decrypt(message)
+
+ bob_plaintext = "Grumble, Grumble"
+ bob_message = bob_session.encrypt(bob_plaintext)
+
+ assert (repr(bob_message)
+ == "OlmMessage({})".format(bob_message.ciphertext))
+
+ assert bob_plaintext == session.decrypt(bob_message)
+
+ def test_matches(self):
+ plaintext = "It's a secret to everybody"
+ alice, bob, session = self._create_session()
+ message = session.encrypt(plaintext)
+ alice_id = alice.identity_keys["curve25519"]
+ bob_session = InboundSession(bob, message, alice_id)
+ assert plaintext == bob_session.decrypt(message)
+
+ message_2nd = session.encrypt("Hey! Listen!")
+
+ assert bob_session.matches(message_2nd) is True
+ assert bob_session.matches(message_2nd, alice_id) is True
+
+ def test_invalid(self):
+ alice, bob, session = self._create_session()
+ message = OlmMessage("x")
+
+ with pytest.raises(TypeError):
+ session.matches(message)
+
+ message = OlmPreKeyMessage("x")
+ message.ciphertext = ""
+
+ with pytest.raises(ValueError):
+ session.matches(message)
+
+ with pytest.raises(ValueError):
+ InboundSession(bob, message)
+
+ with pytest.raises(ValueError):
+ OutboundSession(alice, "", "x")
+
+ with pytest.raises(ValueError):
+ OutboundSession(alice, "x", "")
+
+ def test_doesnt_match(self):
+ plaintext = "It's a secret to everybody"
+ alice, bob, session = self._create_session()
+ message = session.encrypt(plaintext)
+ alice_id = alice.identity_keys["curve25519"]
+ bob_session = InboundSession(bob, message, alice_id)
+
+ _, _, new_session = self._create_session()
+
+ new_message = new_session.encrypt(plaintext)
+ assert bob_session.matches(new_message) is False
diff --git a/python/tox.ini b/python/tox.ini
new file mode 100644
index 0000000..e3a0188
--- /dev/null
+++ b/python/tox.ini
@@ -0,0 +1,43 @@
+# content of: tox.ini , put in same dir as setup.py
+[tox]
+envlist = py27,py36,pypy,{py2,py3}-cov,coverage
+[testenv]
+basepython =
+ py27: python2.7
+ py36: python3.6
+ pypy: pypy
+ py2: python2.7
+ py3: python3.6
+
+deps = -rrequirements.txt
+ -rtest-requirements.txt
+
+passenv = TOXENV CI TRAVIS TRAVIS_*
+commands = pytest --benchmark-disable
+usedevelop = True
+
+[testenv:py2-cov]
+commands =
+ pytest --cov-report term-missing --cov=olm --benchmark-disable --cov-branch
+setenv =
+ COVERAGE_FILE=.coverage.py2
+
+[testenv:py3-cov]
+commands =
+ py.test --cov=olm --cov-report term-missing --benchmark-disable --cov-branch
+setenv =
+ COVERAGE_FILE=.coverage.py3
+
+[testenv:coverage]
+basepython = python3.6
+commands =
+ coverage erase
+ coverage combine
+ coverage xml
+ coverage report --show-missing
+ codecov -e TOXENV
+deps =
+ coverage
+ codecov>=1.4.0
+setenv =
+ COVERAGE_FILE=.coverage
diff --git a/src/pk.cpp b/src/pk.cpp
index 5cfcea2..8db958a 100644
--- a/src/pk.cpp
+++ b/src/pk.cpp
@@ -70,7 +70,7 @@ size_t olm_pk_encryption_set_recipient_key (
) {
if (key_length < olm_pk_key_length()) {
encryption->last_error =
- OlmErrorCode::OLM_OUTPUT_BUFFER_TOO_SMALL; // FIXME:
+ OlmErrorCode::OLM_INPUT_BUFFER_TOO_SMALL;
return std::size_t(-1);
}
olm::decode_base64(
diff --git a/xcode/OLMKit.xcodeproj/project.pbxproj b/xcode/OLMKit.xcodeproj/project.pbxproj
index ded14f1..7ea3d5b 100644
--- a/xcode/OLMKit.xcodeproj/project.pbxproj
+++ b/xcode/OLMKit.xcodeproj/project.pbxproj
@@ -7,6 +7,7 @@
objects = {
/* Begin PBXBuildFile section */
+ 3244277D2175EF700023EDF1 /* OLMKitPkTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 3244277C2175EF700023EDF1 /* OLMKitPkTests.m */; };
3274F6021D9A633A005282E4 /* OLMKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 3274F5F81D9A633A005282E4 /* OLMKit.framework */; };
3274F6071D9A633A005282E4 /* OLMKitTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 3274F6061D9A633A005282E4 /* OLMKitTests.m */; };
3274F6131D9A698E005282E4 /* OLMKit.h in Headers */ = {isa = PBXBuildFile; fileRef = 3274F6121D9A698E005282E4 /* OLMKit.h */; };
@@ -27,6 +28,7 @@
/* Begin PBXFileReference section */
1B226B371526F2782C9D6372 /* Pods-OLMKit.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-OLMKit.release.xcconfig"; path = "Pods/Target Support Files/Pods-OLMKit/Pods-OLMKit.release.xcconfig"; sourceTree = "<group>"; };
+ 3244277C2175EF700023EDF1 /* OLMKitPkTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = OLMKitPkTests.m; sourceTree = "<group>"; };
3274F5F81D9A633A005282E4 /* OLMKit.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = OLMKit.framework; sourceTree = BUILT_PRODUCTS_DIR; };
3274F5FC1D9A633A005282E4 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
3274F6011D9A633A005282E4 /* OLMKitTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = OLMKitTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -105,6 +107,7 @@
3274F6051D9A633A005282E4 /* OLMKitTests */ = {
isa = PBXGroup;
children = (
+ 3244277C2175EF700023EDF1 /* OLMKitPkTests.m */,
3274F6061D9A633A005282E4 /* OLMKitTests.m */,
32A151301DABDD4300400192 /* OLMKitGroupTests.m */,
3274F6081D9A633A005282E4 /* Info.plist */,
@@ -279,6 +282,7 @@
buildActionMask = 2147483647;
files = (
3274F6071D9A633A005282E4 /* OLMKitTests.m in Sources */,
+ 3244277D2175EF700023EDF1 /* OLMKitPkTests.m in Sources */,
32A151311DABDD4300400192 /* OLMKitGroupTests.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
diff --git a/xcode/OLMKit/OLMAccount.m b/xcode/OLMKit/OLMAccount.m
index 058b389..9e48c2d 100644
--- a/xcode/OLMKit/OLMAccount.m
+++ b/xcode/OLMKit/OLMAccount.m
@@ -193,6 +193,7 @@
}
NSMutableData *pickle = [serializedData dataUsingEncoding:NSUTF8StringEncoding].mutableCopy;
size_t result = olm_unpickle_account(_account, key.bytes, key.length, pickle.mutableBytes, pickle.length);
+ [pickle resetBytesInRange:NSMakeRange(0, pickle.length)];
if (result == olm_error()) {
const char *olm_error = olm_account_last_error(_account);
NSString *errorString = [NSString stringWithUTF8String:olm_error];
@@ -219,6 +220,7 @@
return nil;
}
NSString *pickleString = [[NSString alloc] initWithData:pickled encoding:NSUTF8StringEncoding];
+ [pickled resetBytesInRange:NSMakeRange(0, pickled.length)];
return pickleString;
}
diff --git a/xcode/OLMKit/OLMInboundGroupSession.m b/xcode/OLMKit/OLMInboundGroupSession.m
index 68750ec..9e57741 100644
--- a/xcode/OLMKit/OLMInboundGroupSession.m
+++ b/xcode/OLMKit/OLMInboundGroupSession.m
@@ -227,6 +227,7 @@
}
NSMutableData *pickle = [serializedData dataUsingEncoding:NSUTF8StringEncoding].mutableCopy;
size_t result = olm_unpickle_inbound_group_session(session, key.bytes, key.length, pickle.mutableBytes, pickle.length);
+ [pickle resetBytesInRange:NSMakeRange(0, pickle.length)];
if (result == olm_error()) {
const char *olm_error = olm_inbound_group_session_last_error(session);
NSString *errorString = [NSString stringWithUTF8String:olm_error];
@@ -253,6 +254,7 @@
return nil;
}
NSString *pickleString = [[NSString alloc] initWithData:pickled encoding:NSUTF8StringEncoding];
+ [pickled resetBytesInRange:NSMakeRange(0, pickled.length)];
return pickleString;
}
diff --git a/xcode/OLMKit/OLMKit.h b/xcode/OLMKit/OLMKit.h
index 455d11b..6f79399 100644
--- a/xcode/OLMKit/OLMKit.h
+++ b/xcode/OLMKit/OLMKit.h
@@ -26,6 +26,8 @@
#import <OLMKit/OLMUtility.h>
#import <OLMKit/OLMInboundGroupSession.h>
#import <OLMKit/OLMOutboundGroupSession.h>
+#import <OLMKit/OLMPkEncryption.h>
+#import <OLMKit/OLMPkDecryption.h>
@interface OLMKit : NSObject
diff --git a/xcode/OLMKit/OLMOutboundGroupSession.m b/xcode/OLMKit/OLMOutboundGroupSession.m
index a3421fd..a0a7cc6 100644
--- a/xcode/OLMKit/OLMOutboundGroupSession.m
+++ b/xcode/OLMKit/OLMOutboundGroupSession.m
@@ -148,6 +148,7 @@
}
NSMutableData *pickle = [serializedData dataUsingEncoding:NSUTF8StringEncoding].mutableCopy;
size_t result = olm_unpickle_outbound_group_session(session, key.bytes, key.length, pickle.mutableBytes, pickle.length);
+ [pickle resetBytesInRange:NSMakeRange(0, pickle.length)];
if (result == olm_error()) {
const char *olm_error = olm_outbound_group_session_last_error(session);
NSString *errorString = [NSString stringWithUTF8String:olm_error];
@@ -174,6 +175,7 @@
return nil;
}
NSString *pickleString = [[NSString alloc] initWithData:pickled encoding:NSUTF8StringEncoding];
+ [pickled resetBytesInRange:NSMakeRange(0, pickled.length)];
return pickleString;
}
diff --git a/xcode/OLMKit/OLMPKEncryption.h b/xcode/OLMKit/OLMPKEncryption.h
new file mode 100644
index 0000000..a55d5bc
--- /dev/null
+++ b/xcode/OLMKit/OLMPKEncryption.h
@@ -0,0 +1,42 @@
+/*
+ Copyright 2018 New Vector Ltd
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0OLMPKEncryption
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "OLMPkMessage.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OLMPkEncryption : NSObject
+
+/**
+ Set the recipient's public key for encrypting to.
+
+ @param recipientKey the recipient's public key.
+ */
+- (void)setRecipientKey:(NSString*)recipientKey;
+
+/**
+ Encrypt a plaintext for the recipient.
+
+ @param message the message to encrypt.
+ @param error the error if any.
+ @return the encrypted message.
+ */
+- (OLMPkMessage *)encryptMessage:(NSString*)message error:(NSError* _Nullable *)error;
+
+@end
+
+NS_ASSUME_NONNULL_END
diff --git a/xcode/OLMKit/OLMPKEncryption.m b/xcode/OLMKit/OLMPKEncryption.m
new file mode 100644
index 0000000..c2e3d04
--- /dev/null
+++ b/xcode/OLMKit/OLMPKEncryption.m
@@ -0,0 +1,111 @@
+/*
+ Copyright 2018 New Vector Ltd
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#import "OLMPkEncryption.h"
+
+#include "olm/olm.h"
+#include "olm/pk.h"
+#include "OLMUtility.h"
+
+@interface OLMPkEncryption ()
+{
+ OlmPkEncryption *session;
+}
+@end
+
+@implementation OLMPkEncryption
+
+- (void)dealloc {
+ olm_clear_pk_encryption(session);
+ free(session);
+}
+
+
+- (instancetype)init {
+ self = [super init];
+ if (self) {
+ session = (OlmPkEncryption *)malloc(olm_pk_encryption_size());
+ olm_pk_encryption(session);
+ }
+ return self;
+}
+
+- (void)setRecipientKey:(NSString*)recipientKey {
+ NSData *recipientKeyData = [recipientKey dataUsingEncoding:NSUTF8StringEncoding];
+ olm_pk_encryption_set_recipient_key(session, recipientKeyData.bytes, recipientKeyData.length);
+}
+
+- (OLMPkMessage *)encryptMessage:(NSString *)message error:(NSError *__autoreleasing _Nullable *)error {
+ NSData *plaintextData = [message dataUsingEncoding:NSUTF8StringEncoding];
+
+ size_t randomLength = olm_pk_encrypt_random_length(session);
+ NSMutableData *random = [OLMUtility randomBytesOfLength:randomLength];
+ if (!random) {
+ return nil;
+ }
+
+ size_t ciphertextLength = olm_pk_ciphertext_length(session, plaintextData.length);
+ NSMutableData *ciphertext = [NSMutableData dataWithLength:ciphertextLength];
+ if (!ciphertext) {
+ return nil;
+ }
+
+ size_t macLength = olm_pk_mac_length(session);
+ NSMutableData *macData = [NSMutableData dataWithLength:macLength];
+ if (!ciphertext) {
+ return nil;
+ }
+
+ size_t ephemeralKeyLength = olm_pk_key_length();
+ NSMutableData *ephemeralKeyData = [NSMutableData dataWithLength:ephemeralKeyLength];
+ if (!ciphertext) {
+ return nil;
+ }
+
+ size_t result = olm_pk_encrypt(session,
+ plaintextData.bytes, plaintextData.length,
+ ciphertext.mutableBytes, ciphertext.length,
+ macData.mutableBytes, macLength,
+ ephemeralKeyData.mutableBytes, ephemeralKeyLength,
+ random.mutableBytes, randomLength);
+ if (result == olm_error()) {
+ const char *olm_error = olm_pk_encryption_last_error(session);
+
+ NSString *errorString = [NSString stringWithUTF8String:olm_error];
+ NSLog(@"[OLMPkEncryption] encryptMessage: olm_group_encrypt error: %@", errorString);
+
+ if (error && olm_error && errorString) {
+ *error = [NSError errorWithDomain:OLMErrorDomain
+ code:0
+ userInfo:@{
+ NSLocalizedDescriptionKey: errorString,
+ NSLocalizedFailureReasonErrorKey: [NSString stringWithFormat:@"olm_group_encrypt error: %@", errorString]
+ }];
+ }
+
+ return nil;
+ }
+
+ OLMPkMessage *encryptedMessage = [[OLMPkMessage alloc]
+ initWithCiphertext:[[NSString alloc] initWithData:ciphertext encoding:NSUTF8StringEncoding]
+ mac:[[NSString alloc] initWithData:macData encoding:NSUTF8StringEncoding]
+ ephemeralKey:[[NSString alloc] initWithData:ephemeralKeyData encoding:NSUTF8StringEncoding]];
+
+
+ return encryptedMessage;
+}
+
+@end
diff --git a/xcode/OLMKit/OLMPkDecryption.h b/xcode/OLMKit/OLMPkDecryption.h
new file mode 100644
index 0000000..8715a99
--- /dev/null
+++ b/xcode/OLMKit/OLMPkDecryption.h
@@ -0,0 +1,64 @@
+/*
+ Copyright 2018 New Vector Ltd
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "OLMSerializable.h"
+#import "OLMPkMessage.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OLMPkDecryption : NSObject <OLMSerializable, NSSecureCoding>
+
+/**
+ Initialise the key from the private part of a key as returned by `privateKey`.
+
+ Note that the pubkey is a base64 encoded string, but the private key is
+ an unencoded byte array.
+
+ @param privateKey the private key part.
+ @param error the error if any.
+ @return the associated public key.
+ */
+- (NSString *)setPrivateKey:(NSData*)privateKey error:(NSError* _Nullable *)error;
+
+/**
+ Generate a new key to use for decrypting messages.
+
+ @param error the error if any.
+ @return the public part of the generated key.
+ */
+- (NSString *)generateKey:(NSError* _Nullable *)error;
+
+/**
+ Get the private key.
+
+ @return the private key;
+ */
+- (NSData *)privateKey;
+
+/**
+ Decrypt a ciphertext.
+
+ @param message the cipher message to decrypt.
+ @param error the error if any.
+ @return the decrypted message.
+ */
+- (NSString *)decryptMessage:(OLMPkMessage*)message error:(NSError* _Nullable *)error;
+
+@end
+
+NS_ASSUME_NONNULL_END
diff --git a/xcode/OLMKit/OLMPkDecryption.m b/xcode/OLMKit/OLMPkDecryption.m
new file mode 100644
index 0000000..75fe5f2
--- /dev/null
+++ b/xcode/OLMKit/OLMPkDecryption.m
@@ -0,0 +1,295 @@
+/*
+ Copyright 2018 New Vector Ltd
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#import "OLMPkDecryption.h"
+
+#include "olm/olm.h"
+#include "olm/pk.h"
+#include "OLMUtility.h"
+
+@interface OLMPkDecryption ()
+{
+ OlmPkDecryption *session;
+}
+@end
+
+@implementation OLMPkDecryption
+
+- (void)dealloc {
+ olm_clear_pk_decryption(session);
+ free(session);
+}
+
+- (instancetype)init {
+ self = [super init];
+ if (self) {
+ session = (OlmPkDecryption *)malloc(olm_pk_decryption_size());
+ olm_pk_decryption(session);
+ }
+ return self;
+}
+
+- (NSString *)setPrivateKey:(NSData *)privateKey error:(NSError *__autoreleasing _Nullable *)error {
+ size_t publicKeyLength = olm_pk_key_length();
+ NSMutableData *publicKeyData = [NSMutableData dataWithLength:publicKeyLength];
+ if (!publicKeyData) {
+ return nil;
+ }
+
+ size_t result = olm_pk_key_from_private(session,
+ publicKeyData.mutableBytes, publicKeyLength,
+ (void*)privateKey.bytes, privateKey.length);
+ if (result == olm_error()) {
+ const char *olm_error = olm_pk_decryption_last_error(session);
+ NSLog(@"[OLMPkDecryption] setPrivateKey: olm_pk_key_from_private error: %s", olm_error);
+
+ NSString *errorString = [NSString stringWithUTF8String:olm_error];
+ if (error && olm_error && errorString) {
+ *error = [NSError errorWithDomain:OLMErrorDomain
+ code:0
+ userInfo:@{
+ NSLocalizedDescriptionKey: errorString,
+ NSLocalizedFailureReasonErrorKey: [NSString stringWithFormat:@"olm_pk_key_from_private error: %@", errorString]
+ }];
+ }
+ return nil;
+ }
+
+ NSString *publicKey = [[NSString alloc] initWithData:publicKeyData encoding:NSUTF8StringEncoding];
+ return publicKey;
+}
+
+- (NSString *)generateKey:(NSError *__autoreleasing _Nullable *)error {
+ size_t randomLength = olm_pk_private_key_length();
+ NSMutableData *random = [OLMUtility randomBytesOfLength:randomLength];
+ if (!random) {
+ return nil;
+ }
+
+ size_t publicKeyLength = olm_pk_key_length();
+ NSMutableData *publicKeyData = [NSMutableData dataWithLength:publicKeyLength];
+ if (!publicKeyData) {
+ return nil;
+ }
+
+ size_t result = olm_pk_key_from_private(session,
+ publicKeyData.mutableBytes, publicKeyData.length,
+ random.mutableBytes, randomLength);
+ [random resetBytesInRange:NSMakeRange(0, randomLength)];
+ if (result == olm_error()) {
+ const char *olm_error = olm_pk_decryption_last_error(session);
+ NSLog(@"[OLMPkDecryption] generateKey: olm_pk_key_from_private error: %s", olm_error);
+
+ NSString *errorString = [NSString stringWithUTF8String:olm_error];
+ if (error && olm_error && errorString) {
+ *error = [NSError errorWithDomain:OLMErrorDomain
+ code:0
+ userInfo:@{
+ NSLocalizedDescriptionKey: errorString,
+ NSLocalizedFailureReasonErrorKey: [NSString stringWithFormat:@"olm_pk_key_from_private error: %@", errorString]
+ }];
+ }
+ return nil;
+ }
+
+ NSString *publicKey = [[NSString alloc] initWithData:publicKeyData encoding:NSUTF8StringEncoding];
+ return publicKey;
+}
+
+- (NSData *)privateKey {
+ size_t privateKeyLength = olm_pk_private_key_length();
+ NSMutableData *privateKeyData = [NSMutableData dataWithLength:privateKeyLength];
+ if (!privateKeyData) {
+ return nil;
+ }
+
+ size_t result = olm_pk_get_private_key(session,
+ privateKeyData.mutableBytes, privateKeyLength);
+ if (result == olm_error()) {
+ const char *olm_error = olm_pk_decryption_last_error(session);
+ NSLog(@"[OLMPkDecryption] privateKey: olm_pk_get_private_key error: %s", olm_error);
+ return nil;
+ }
+
+ NSData *privateKey = [privateKeyData copy];
+ [privateKeyData resetBytesInRange:NSMakeRange(0, privateKeyData.length)];
+
+ return privateKey;
+}
+
+-(NSString *)decryptMessage:(OLMPkMessage *)message error:(NSError *__autoreleasing _Nullable *)error {
+ NSData *messageData = [message.ciphertext dataUsingEncoding:NSUTF8StringEncoding];
+ NSData *macData = [message.mac dataUsingEncoding:NSUTF8StringEncoding];
+ NSData *ephemeralKeyData = [message.ephemeralKey dataUsingEncoding:NSUTF8StringEncoding];
+ if (!messageData || !macData || !ephemeralKeyData) {
+ return nil;
+ }
+
+ NSMutableData *mutMessage = messageData.mutableCopy;
+ size_t maxPlaintextLength = olm_pk_max_plaintext_length(session, mutMessage.length);
+ if (maxPlaintextLength == olm_error()) {
+ const char *olm_error = olm_pk_decryption_last_error(session);
+
+ NSString *errorString = [NSString stringWithUTF8String:olm_error];
+ NSLog(@"[OLMPkDecryption] decryptMessage: olm_pk_max_plaintext_length error: %@", errorString);
+
+ if (error && olm_error && errorString) {
+ *error = [NSError errorWithDomain:OLMErrorDomain
+ code:0
+ userInfo:@{
+ NSLocalizedDescriptionKey: errorString,
+ NSLocalizedFailureReasonErrorKey: [NSString stringWithFormat:@"olm_pk_max_plaintext_length error: %@", errorString]
+ }];
+ }
+
+ return nil;
+ }
+
+ mutMessage = messageData.mutableCopy;
+ NSMutableData *plaintextData = [NSMutableData dataWithLength:maxPlaintextLength];
+ size_t plaintextLength = olm_pk_decrypt(session,
+ ephemeralKeyData.bytes, ephemeralKeyData.length,
+ macData.bytes, macData.length,
+ mutMessage.mutableBytes, mutMessage.length,
+ plaintextData.mutableBytes, plaintextData.length);
+ if (plaintextLength == olm_error()) {
+ const char *olm_error = olm_pk_decryption_last_error(session);
+
+ NSString *errorString = [NSString stringWithUTF8String:olm_error];
+ NSLog(@"[OLMPkDecryption] decryptMessage: olm_pk_decrypt error: %@", errorString);
+
+ if (error && olm_error && errorString) {
+ *error = [NSError errorWithDomain:OLMErrorDomain
+ code:0
+ userInfo:@{
+ NSLocalizedDescriptionKey: errorString,
+ NSLocalizedFailureReasonErrorKey: [NSString stringWithFormat:@"olm_decrypt error: %@", errorString]
+ }];
+ }
+
+ return nil;
+ }
+
+ plaintextData.length = plaintextLength;
+ NSString *plaintext = [[NSString alloc] initWithData:plaintextData encoding:NSUTF8StringEncoding];
+ [plaintextData resetBytesInRange:NSMakeRange(0, plaintextData.length)];
+ return plaintext;
+}
+
+#pragma mark OLMSerializable
+
+/** Initializes from encrypted serialized data. Will throw error if invalid key or invalid base64. */
+- (instancetype) initWithSerializedData:(NSString *)serializedData key:(NSData *)key error:(NSError *__autoreleasing *)error {
+ self = [self init];
+ if (!self) {
+ return nil;
+ }
+
+ NSParameterAssert(key.length > 0);
+ NSParameterAssert(serializedData.length > 0);
+ if (key.length == 0 || serializedData.length == 0) {
+ if (error) {
+ *error = [NSError errorWithDomain:OLMErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: @"Bad length."}];
+ }
+ return nil;
+ }
+
+ size_t ephemeralLength = olm_pk_key_length();
+ NSMutableData *ephemeralBuffer = [NSMutableData dataWithLength:ephemeralLength];
+
+ NSMutableData *pickle = [serializedData dataUsingEncoding:NSUTF8StringEncoding].mutableCopy;
+ size_t result = olm_unpickle_pk_decryption(session,
+ key.bytes, key.length,
+ pickle.mutableBytes, pickle.length,
+ ephemeralBuffer.mutableBytes, ephemeralLength);
+ [pickle resetBytesInRange:NSMakeRange(0, pickle.length)];
+ if (result == olm_error()) {
+ const char *olm_error = olm_pk_decryption_last_error(session);
+ NSString *errorString = [NSString stringWithUTF8String:olm_error];
+ if (error && errorString) {
+ *error = [NSError errorWithDomain:OLMErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: errorString}];
+ }
+ return nil;
+ }
+ return self;
+}
+
+/** Serializes and encrypts object data, outputs base64 blob */
+- (NSString*) serializeDataWithKey:(NSData*)key error:(NSError**)error {
+ NSParameterAssert(key.length > 0);
+ size_t length = olm_pickle_pk_decryption_length(session);
+ NSMutableData *pickled = [NSMutableData dataWithLength:length];
+
+ size_t result = olm_pickle_pk_decryption(session,
+ key.bytes, key.length,
+ pickled.mutableBytes, pickled.length);
+ if (result == olm_error()) {
+ const char *olm_error = olm_pk_decryption_last_error(session);
+ NSString *errorString = [NSString stringWithUTF8String:olm_error];
+ if (error && errorString) {
+ *error = [NSError errorWithDomain:OLMErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: errorString}];
+ }
+ return nil;
+ }
+
+ NSString *pickleString = [[NSString alloc] initWithData:pickled encoding:NSUTF8StringEncoding];
+ [pickled resetBytesInRange:NSMakeRange(0, pickled.length)];
+
+ return pickleString;
+}
+
+#pragma mark NSSecureCoding
+
++ (BOOL) supportsSecureCoding {
+ return YES;
+}
+
+#pragma mark NSCoding
+
+- (id)initWithCoder:(NSCoder *)decoder {
+ NSString *version = [decoder decodeObjectOfClass:[NSString class] forKey:@"version"];
+
+ NSError *error = nil;
+
+ if ([version isEqualToString:@"1"]) {
+ NSString *pickle = [decoder decodeObjectOfClass:[NSString class] forKey:@"pickle"];
+ NSData *key = [decoder decodeObjectOfClass:[NSData class] forKey:@"key"];
+
+ self = [self initWithSerializedData:pickle key:key error:&error];
+ }
+
+ NSParameterAssert(error == nil);
+ NSParameterAssert(self != nil);
+ if (!self) {
+ return nil;
+ }
+
+ return self;
+}
+
+- (void)encodeWithCoder:(NSCoder *)encoder {
+ NSData *key = [OLMUtility randomBytesOfLength:32];
+ NSError *error = nil;
+
+ NSString *pickle = [self serializeDataWithKey:key error:&error];
+ NSParameterAssert(pickle.length > 0 && error == nil);
+
+ [encoder encodeObject:pickle forKey:@"pickle"];
+ [encoder encodeObject:key forKey:@"key"];
+ [encoder encodeObject:@"1" forKey:@"version"];
+}
+
+@end
diff --git a/xcode/OLMKit/OLMPkMessage.h b/xcode/OLMKit/OLMPkMessage.h
new file mode 100644
index 0000000..1559fca
--- /dev/null
+++ b/xcode/OLMKit/OLMPkMessage.h
@@ -0,0 +1,31 @@
+/*
+ Copyright 2018 New Vector Ltd
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OLMPkMessage : NSObject
+
+@property (nonatomic, copy, readonly) NSString *ciphertext;
+@property (nonatomic, copy, readonly,) NSString *mac;
+@property (nonatomic, copy, readonly) NSString *ephemeralKey;
+
+- (instancetype) initWithCiphertext:(NSString*)ciphertext mac:(NSString*)mac ephemeralKey:(NSString*)ephemeralKey;
+
+@end
+
+NS_ASSUME_NONNULL_END
diff --git a/xcode/OLMKit/OLMPkMessage.m b/xcode/OLMKit/OLMPkMessage.m
new file mode 100644
index 0000000..0f24512
--- /dev/null
+++ b/xcode/OLMKit/OLMPkMessage.m
@@ -0,0 +1,32 @@
+/*
+ Copyright 2018 New Vector Ltd
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#import "OLMPkMessage.h"
+
+@implementation OLMPkMessage
+
+- (instancetype)initWithCiphertext:(NSString *)ciphertext mac:(NSString *)mac ephemeralKey:(NSString *)ephemeralKey {
+ self = [super init];
+ if (!self) {
+ return nil;
+ }
+ _ciphertext = [ciphertext copy];
+ _mac = [mac copy];
+ _ephemeralKey = [ephemeralKey copy];
+ return self;
+}
+
+@end
diff --git a/xcode/OLMKit/OLMSession.m b/xcode/OLMKit/OLMSession.m
index 8c29113..fc58a08 100644
--- a/xcode/OLMKit/OLMSession.m
+++ b/xcode/OLMKit/OLMSession.m
@@ -309,6 +309,7 @@
}
NSMutableData *pickle = [serializedData dataUsingEncoding:NSUTF8StringEncoding].mutableCopy;
size_t result = olm_unpickle_session(_session, key.bytes, key.length, pickle.mutableBytes, pickle.length);
+ [pickle resetBytesInRange:NSMakeRange(0, pickle.length)];
if (result == olm_error()) {
const char *olm_error = olm_session_last_error(_session);
NSString *errorString = [NSString stringWithUTF8String:olm_error];
@@ -335,6 +336,7 @@
return nil;
}
NSString *pickleString = [[NSString alloc] initWithData:pickled encoding:NSUTF8StringEncoding];
+ [pickled resetBytesInRange:NSMakeRange(0, pickled.length)];
return pickleString;
}
diff --git a/xcode/OLMKitTests/OLMKitPkTests.m b/xcode/OLMKitTests/OLMKitPkTests.m
new file mode 100644
index 0000000..04d2e30
--- /dev/null
+++ b/xcode/OLMKitTests/OLMKitPkTests.m
@@ -0,0 +1,107 @@
+/*
+ Copyright 2018 New Vector Ltd
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#import <XCTest/XCTest.h>
+#import <OLMKit/OLMKit.h>
+
+/**
+ Tests are inspired from js tests.
+ */
+@interface OLMKitPkTests : XCTestCase {
+ OLMPkEncryption *encryption;
+ OLMPkDecryption *decryption;
+}
+
+@end
+
+@implementation OLMKitPkTests
+
+- (void)setUp {
+ encryption = [OLMPkEncryption new];
+ decryption = [OLMPkDecryption new];
+}
+
+- (void)tearDown {
+ encryption = nil;
+ decryption = nil;
+}
+
+- (void)testImportExportKeys {
+ UInt8 alicePrivateBytes[] = {
+ 0x77, 0x07, 0x6D, 0x0A, 0x73, 0x18, 0xA5, 0x7D,
+ 0x3C, 0x16, 0xC1, 0x72, 0x51, 0xB2, 0x66, 0x45,
+ 0xDF, 0x4C, 0x2F, 0x87, 0xEB, 0xC0, 0x99, 0x2A,
+ 0xB1, 0x77, 0xFB, 0xA5, 0x1D, 0xB9, 0x2C, 0x2A
+ };
+
+ NSData *alicePrivate = [NSData dataWithBytes:alicePrivateBytes length:sizeof(alicePrivateBytes)];
+
+ NSError *error;
+ NSString *alicePublic = [decryption setPrivateKey:alicePrivate error:&error];
+ XCTAssertNil(error);
+ XCTAssertEqualObjects(alicePublic, @"hSDwCYkwp1R0i33ctD73Wg2/Og0mOBr066SpjqqbTmo");
+
+ NSData *alicePrivateOut = decryption.privateKey;
+ XCTAssertNil(error);
+ XCTAssertEqualObjects(alicePrivateOut, alicePrivate);
+}
+
+- (void)testEncryptAndDecrypt {
+
+ NSString *pubKey = [decryption generateKey:nil];
+ NSLog(@"Ephemeral Key: %@", pubKey);
+ XCTAssertNotNil(pubKey);
+
+ NSString *TEST_TEXT = @"têst1";
+ NSError *error;
+ [encryption setRecipientKey:pubKey];
+ OLMPkMessage *message = [encryption encryptMessage:TEST_TEXT error:&error];
+ NSLog(@"message: %@ %@ %@", message.ciphertext, message.mac, message.ephemeralKey);
+ XCTAssertNil(error);
+ XCTAssertNotNil(message);
+ XCTAssertNotNil(message.ciphertext);
+ XCTAssertNotNil(message.mac);
+ XCTAssertNotNil(message.ephemeralKey);
+
+ NSString *decrypted = [decryption decryptMessage:message error:&error];
+ XCTAssertNil(error);
+ XCTAssertEqualObjects(decrypted, TEST_TEXT);
+
+ TEST_TEXT = @"hot beverage: ☕";
+ [encryption setRecipientKey:pubKey];
+ message = [encryption encryptMessage:TEST_TEXT error:&error];
+ decrypted = [decryption decryptMessage:message error:&error];
+ XCTAssertEqualObjects(decrypted, TEST_TEXT);
+}
+
+- (void)testOLMPkDecryptionSerialization {
+ NSString *TEST_TEXT = @"têst1";
+ NSString *pubKey = [decryption generateKey:nil];
+ [encryption setRecipientKey:pubKey];
+ OLMPkMessage *encrypted = [encryption encryptMessage:TEST_TEXT error:nil];
+
+
+ NSData *pickle = [NSKeyedArchiver archivedDataWithRootObject:decryption];
+ decryption = nil;
+
+ OLMPkDecryption *newDecryption = [NSKeyedUnarchiver unarchiveObjectWithData:pickle];
+
+ NSError *error;
+ NSString *decrypted = [newDecryption decryptMessage:encrypted error:&error];
+ XCTAssertEqualObjects(decrypted, TEST_TEXT);
+}
+
+@end