24 files changed, 1766 insertions, 894 deletions

diff --git a/include/olm/account.hh b/include/olm/account.hh
index 209139a..7e58ca3 100644
--- a/include/olm/account.hh
+++ b/include/olm/account.hh
@@ -16,8 +16,8 @@
 #define OLM_ACCOUNT_HH_
 
 #include "olm/list.hh"
-#include "olm/crypto.hh"
-#include "olm/error.hh"
+#include "olm/crypto.h"
+#include "olm/error.h"
 
 #include <cstdint>
 
@@ -25,14 +25,14 @@ namespace olm {
 
 
 struct IdentityKeys {
-    Ed25519KeyPair ed25519_key;
-    Curve25519KeyPair curve25519_key;
+    _olm_ed25519_key_pair ed25519_key;
+    _olm_curve25519_key_pair curve25519_key;
 };
 
 struct OneTimeKey {
     std::uint32_t id;
     bool published;
-    Curve25519KeyPair key;
+    _olm_curve25519_key_pair key;
 };
 
 
@@ -44,7 +44,7 @@ struct Account {
     IdentityKeys identity_keys;
     List<OneTimeKey, MAX_ONE_TIME_KEYS> one_time_keys;
     std::uint32_t next_one_time_key_id;
-    ErrorCode last_error;
+    OlmErrorCode last_error;
 
     /** Number of random bytes needed to create a new account */
     std::size_t new_account_random_length();
@@ -128,12 +128,12 @@ struct Account {
 
     /** Lookup a one time key with the given public key */
     OneTimeKey const * lookup_key(
-        Curve25519PublicKey const & public_key
+        _olm_curve25519_public_key const & public_key
     );
 
     /** Remove a one time key with the given public key */
     std::size_t remove_key(
-        Curve25519PublicKey const & public_key
+        _olm_curve25519_public_key const & public_key
     );
 };
 
diff --git a/include/olm/base64.h b/include/olm/base64.h
new file mode 100644
index 0000000..80384a8
--- /dev/null
+++ b/include/olm/base64.h
@@ -0,0 +1,77 @@
+/* Copyright 2015, 2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* C bindings for base64 functions */
+
+
+#ifndef OLM_BASE64_H_
+#define OLM_BASE64_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * The number of bytes of unpadded base64 needed to encode a length of input.
+ */
+size_t _olm_encode_base64_length(
+    size_t input_length
+);
+
+/**
+ * Encode the raw input as unpadded base64.
+ * Writes encode_base64_length(input_length) bytes to the output buffer.
+ * The input can overlap with the last three quarters of the output buffer.
+ * That is, the input pointer may be output + output_length - input_length.
+ *
+ * Returns number of bytes encoded
+ */
+size_t _olm_encode_base64(
+    uint8_t const * input, size_t input_length,
+    uint8_t * output
+);
+
+/**
+ * The number of bytes of raw data a length of unpadded base64 will encode to.
+ * Returns size_t(-1) if the length is not a valid length for base64.
+ */
+size_t _olm_decode_base64_length(
+    size_t input_length
+);
+
+/**
+ * Decodes the unpadded base64 input to raw bytes.
+ * Writes decode_base64_length(input_length) bytes to the output buffer.
+ * The output can overlap with the first three quarters of the input buffer.
+ * That is, the input pointers and output pointer may be the same.
+ *
+ * Returns number of bytes decoded
+ */
+size_t _olm_decode_base64(
+    uint8_t const * input, size_t input_length,
+    uint8_t * output
+);
+
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+
+#endif /* OLM_BASE64_H_ */
diff --git a/include/olm/base64.hh b/include/olm/base64.hh
index da4641d..dfdccd0 100644
--- a/include/olm/base64.hh
+++ b/include/olm/base64.hh
@@ -23,11 +23,9 @@ namespace olm {
 /**
  * The number of bytes of unpadded base64 needed to encode a length of input.
  */
-static std::size_t encode_base64_length(
+std::size_t encode_base64_length(
     std::size_t input_length
-) {
-    return 4 * ((input_length + 2) / 3) + (input_length + 2) % 3 - 2;
-}
+);
 
 /**
  * Encode the raw input as unpadded base64.
diff --git a/include/olm/cipher.h b/include/olm/cipher.h
new file mode 100644
index 0000000..b26f8ba
--- /dev/null
+++ b/include/olm/cipher.h
@@ -0,0 +1,138 @@
+/* Copyright 2015 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OLM_CIPHER_H_
+#define OLM_CIPHER_H_
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct _olm_cipher;
+
+struct _olm_cipher_ops {
+    /**
+     * Returns the length of the message authentication code that will be
+     * appended to the output.
+     */
+    size_t (*mac_length)(const struct _olm_cipher *cipher);
+
+    /**
+     * Returns the length of cipher-text for a given length of plain-text.
+     */
+    size_t (*encrypt_ciphertext_length)(
+        const struct _olm_cipher *cipher,
+        size_t plaintext_length
+    );
+
+    /*
+     * Encrypts the plain-text into the output buffer and authenticates the
+     * contents of the output buffer covering both cipher-text and any other
+     * associated data in the output buffer.
+     *
+     *  |---------------------------------------output_length-->|
+     *  output  |--ciphertext_length-->|       |---mac_length-->|
+     *          ciphertext
+     *
+     * The plain-text pointers and cipher-text pointers may be the same.
+     *
+     * Returns size_t(-1) if the length of the cipher-text or the output
+     * buffer is too small. Otherwise returns the length of the output buffer.
+     */
+    size_t (*encrypt)(
+        const struct _olm_cipher *cipher,
+        uint8_t const * key, size_t key_length,
+        uint8_t const * plaintext, size_t plaintext_length,
+        uint8_t * ciphertext, size_t ciphertext_length,
+        uint8_t * output, size_t output_length
+    );
+
+    /**
+     * Returns the maximum length of plain-text that a given length of
+     * cipher-text can contain.
+     */
+    size_t (*decrypt_max_plaintext_length)(
+        const struct _olm_cipher *cipher,
+        size_t ciphertext_length
+    );
+
+    /**
+     * Authenticates the input and decrypts the cipher-text into the plain-text
+     * buffer.
+     *
+     *  |----------------------------------------input_length-->|
+     *  input   |--ciphertext_length-->|       |---mac_length-->|
+     *          ciphertext
+     *
+     * The plain-text pointers and cipher-text pointers may be the same.
+     *
+     *  Returns size_t(-1) if the length of the plain-text buffer is too
+     *  small or if the authentication check fails. Otherwise returns the length
+     *  of the plain text.
+     */
+    size_t (*decrypt)(
+        const struct _olm_cipher *cipher,
+        uint8_t const * key, size_t key_length,
+        uint8_t const * input, size_t input_length,
+        uint8_t const * ciphertext, size_t ciphertext_length,
+        uint8_t * plaintext, size_t max_plaintext_length
+    );
+};
+
+struct _olm_cipher {
+    const struct _olm_cipher_ops *ops;
+    /* cipher-specific fields follow */
+};
+
+struct _olm_cipher_aes_sha_256 {
+    struct _olm_cipher base_cipher;
+
+    /** context string for the HKDF used for deriving the AES256 key, HMAC key,
+     * and AES IV, from the key material passed to encrypt/decrypt.
+     */
+    uint8_t const * kdf_info;
+
+    /** length of context string kdf_info */
+    size_t kdf_info_length;
+};
+
+extern const struct _olm_cipher_ops _olm_cipher_aes_sha_256_ops;
+
+/**
+ * get an initializer for an instance of struct _olm_cipher_aes_sha_256.
+ *
+ * To use it, declare:
+ *
+ *   struct _olm_cipher_aes_sha_256 MY_CIPHER =
+ *        OLM_CIPHER_INIT_AES_SHA_256("MY_KDF");
+ *   struct _olm_cipher *cipher = OLM_CIPHER_BASE(&MY_CIPHER);
+ */
+#define OLM_CIPHER_INIT_AES_SHA_256(KDF_INFO) {     \
+    .base_cipher = { &_olm_cipher_aes_sha_256_ops },\
+    .kdf_info = (uint8_t *)(KDF_INFO),              \
+    .kdf_info_length = sizeof(KDF_INFO) - 1         \
+}
+#define OLM_CIPHER_BASE(CIPHER) \
+    (&((CIPHER)->base_cipher))
+
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* OLM_CIPHER_H_ */
diff --git a/include/olm/cipher.hh b/include/olm/cipher.hh
deleted file mode 100644
index c561972..0000000
--- a/include/olm/cipher.hh
+++ /dev/null
@@ -1,132 +0,0 @@
-/* Copyright 2015 OpenMarket Ltd
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef OLM_CIPHER_HH_
-#define OLM_CIPHER_HH_
-
-#include <cstdint>
-#include <cstddef>
-
-namespace olm {
-
-class Cipher {
-public:
-    virtual ~Cipher();
-
-    /**
-     * Returns the length of the message authentication code that will be
-     * appended to the output.
-     */
-    virtual std::size_t mac_length() const = 0;
-
-    /**
-     * Returns the length of cipher-text for a given length of plain-text.
-     */
-    virtual std::size_t encrypt_ciphertext_length(
-        std::size_t plaintext_length
-    ) const = 0;
-
-    /*
-     * Encrypts the plain-text into the output buffer and authenticates the
-     * contents of the output buffer covering both cipher-text and any other
-     * associated data in the output buffer.
-     *
-     *  |---------------------------------------output_length-->|
-     *  output  |--ciphertext_length-->|       |---mac_length-->|
-     *          ciphertext
-     *
-     * The plain-text pointers and cipher-text pointers may be the same.
-     *
-     * Returns std::size_t(-1) if the length of the cipher-text or the output
-     * buffer is too small. Otherwise returns the length of the output buffer.
-     */
-    virtual std::size_t encrypt(
-        std::uint8_t const * key, std::size_t key_length,
-        std::uint8_t const * plaintext, std::size_t plaintext_length,
-        std::uint8_t * ciphertext, std::size_t ciphertext_length,
-        std::uint8_t * output, std::size_t output_length
-    ) const = 0;
-
-    /**
-     * Returns the maximum length of plain-text that a given length of
-     * cipher-text can contain.
-     */
-    virtual std::size_t decrypt_max_plaintext_length(
-        std::size_t ciphertext_length
-    ) const = 0;
-
-    /**
-     * Authenticates the input and decrypts the cipher-text into the plain-text
-     * buffer.
-     *
-     *  |----------------------------------------input_length-->|
-     *  input   |--ciphertext_length-->|       |---mac_length-->|
-     *          ciphertext
-     *
-     * The plain-text pointers and cipher-text pointers may be the same.
-     *
-     *  Returns std::size_t(-1) if the length of the plain-text buffer is too
-     *  small or if the authentication check fails. Otherwise returns the length
-     *  of the plain text.
-     */
-    virtual std::size_t decrypt(
-       std::uint8_t const * key, std::size_t key_length,
-       std::uint8_t const * input, std::size_t input_length,
-       std::uint8_t const * ciphertext, std::size_t ciphertext_length,
-       std::uint8_t * plaintext, std::size_t max_plaintext_length
-    ) const = 0;
-};
-
-
-class CipherAesSha256 : public Cipher {
-public:
-    CipherAesSha256(
-        std::uint8_t const * kdf_info, std::size_t kdf_info_length
-    );
-
-    virtual std::size_t mac_length() const;
-
-    virtual std::size_t encrypt_ciphertext_length(
-        std::size_t plaintext_length
-    ) const;
-
-    virtual std::size_t encrypt(
-        std::uint8_t const * key, std::size_t key_length,
-        std::uint8_t const * plaintext, std::size_t plaintext_length,
-        std::uint8_t * ciphertext, std::size_t ciphertext_length,
-        std::uint8_t * output, std::size_t output_length
-    ) const;
-
-    virtual std::size_t decrypt_max_plaintext_length(
-        std::size_t ciphertext_length
-    ) const;
-
-    virtual std::size_t decrypt(
-        std::uint8_t const * key, std::size_t key_length,
-        std::uint8_t const * input, std::size_t input_length,
-        std::uint8_t const * ciphertext, std::size_t ciphertext_length,
-        std::uint8_t * plaintext, std::size_t max_plaintext_length
-    ) const;
-
-private:
-    std::uint8_t const * kdf_info;
-    std::size_t kdf_info_length;
-};
-
-
-} // namespace
-
-
-#endif /* OLM_CIPHER_HH_ */
diff --git a/include/olm/crypto.h b/include/olm/crypto.h
new file mode 100644
index 0000000..dbf78ed
--- /dev/null
+++ b/include/olm/crypto.h
@@ -0,0 +1,202 @@
+/* Copyright 2015 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* C-compatible crpyto utility functions. At some point all of crypto.hh will
+ * move here.
+ */
+
+#ifndef OLM_CRYPTO_H_
+#define OLM_CRYPTO_H_
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** length of a sha256 hash */
+#define SHA256_OUTPUT_LENGTH 32
+
+/** length of a public or private Curve25519 key */
+#define CURVE25519_KEY_LENGTH 32
+
+/** length of the shared secret created by a Curve25519 ECDH operation */
+#define CURVE25519_SHARED_SECRET_LENGTH 32
+
+/** amount of random data required to create a Curve25519 keypair */
+#define CURVE25519_RANDOM_LENGTH CURVE25519_KEY_LENGTH
+
+/** length of a public Ed25519 key */
+#define ED25519_PUBLIC_KEY_LENGTH 32
+
+/** length of a private Ed25519 key */
+#define ED25519_PRIVATE_KEY_LENGTH 64
+
+/** amount of random data required to create a Ed25519 keypair */
+#define ED25519_RANDOM_LENGTH 32
+
+/** length of an Ed25519 signature */
+#define ED25519_SIGNATURE_LENGTH 64
+
+/** length of an aes256 key */
+#define AES256_KEY_LENGTH 32
+
+/** length of an aes256 initialisation vector */
+#define AES256_IV_LENGTH 16
+
+struct _olm_aes256_key {
+    uint8_t key[AES256_KEY_LENGTH];
+};
+
+struct _olm_aes256_iv {
+    uint8_t iv[AES256_IV_LENGTH];
+};
+
+
+struct _olm_curve25519_public_key {
+    uint8_t public_key[CURVE25519_KEY_LENGTH];
+};
+
+struct _olm_curve25519_private_key {
+    uint8_t private_key[CURVE25519_KEY_LENGTH];
+};
+
+struct _olm_curve25519_key_pair {
+    struct _olm_curve25519_public_key public_key;
+    struct _olm_curve25519_private_key private_key;
+};
+
+struct _olm_ed25519_public_key {
+    uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH];
+};
+
+struct _olm_ed25519_private_key {
+    uint8_t private_key[ED25519_PRIVATE_KEY_LENGTH];
+};
+
+struct _olm_ed25519_key_pair {
+    struct _olm_ed25519_public_key public_key;
+    struct _olm_ed25519_private_key private_key;
+};
+
+
+/** The length of output the aes_encrypt_cbc function will write */
+size_t _olm_crypto_aes_encrypt_cbc_length(
+    size_t input_length
+);
+
+/** Encrypts the input using AES256 in CBC mode with PKCS#7 padding.
+ * The output buffer must be big enough to hold the output including padding */
+void _olm_crypto_aes_encrypt_cbc(
+    const struct _olm_aes256_key *key,
+    const struct _olm_aes256_iv *iv,
+    const uint8_t *input, size_t input_length,
+    uint8_t *output
+);
+
+/** Decrypts the input using AES256 in CBC mode. The output buffer must be at
+ * least the same size as the input buffer. Returns the length of the plaintext
+ * without padding on success or std::size_t(-1) if the padding is invalid.
+ */
+size_t _olm_crypto_aes_decrypt_cbc(
+    const struct _olm_aes256_key *key,
+    const struct _olm_aes256_iv *iv,
+    uint8_t const * input, size_t input_length,
+    uint8_t * output
+);
+
+
+/** Computes SHA-256 of the input. The output buffer must be a least
+ * SHA256_OUTPUT_LENGTH (32) bytes long. */
+void _olm_crypto_sha256(
+    uint8_t const * input, size_t input_length,
+    uint8_t * output
+);
+
+/** HMAC: Keyed-Hashing for Message Authentication
+ * http://tools.ietf.org/html/rfc2104
+ * Computes HMAC-SHA-256 of the input for the key. The output buffer must
+ * be at least SHA256_OUTPUT_LENGTH (32) bytes long. */
+void _olm_crypto_hmac_sha256(
+    uint8_t const * key, size_t key_length,
+    uint8_t const * input, size_t input_length,
+    uint8_t * output
+);
+
+
+/** HMAC-based Key Derivation Function (HKDF)
+ * https://tools.ietf.org/html/rfc5869
+ * Derives key material from the input bytes. */
+void _olm_crypto_hkdf_sha256(
+    uint8_t const * input, size_t input_length,
+    uint8_t const * info, size_t info_length,
+    uint8_t const * salt, size_t salt_length,
+    uint8_t * output, size_t output_length
+);
+
+
+/** Generate a curve25519 key pair
+ * random_32_bytes should be CURVE25519_RANDOM_LENGTH (32) bytes long.
+ */
+void _olm_crypto_curve25519_generate_key(
+    uint8_t const * random_32_bytes,
+    struct _olm_curve25519_key_pair *output
+);
+
+
+/** Create a shared secret using our private key and their public key.
+ * The output buffer must be at least CURVE25519_SHARED_SECRET_LENGTH (32) bytes long.
+ */
+void _olm_crypto_curve25519_shared_secret(
+    const struct _olm_curve25519_key_pair *our_key,
+    const struct _olm_curve25519_public_key *their_key,
+    uint8_t * output
+);
+
+/** Generate an ed25519 key pair
+ * random_32_bytes should be ED25519_RANDOM_LENGTH (32) bytes long.
+ */
+void _olm_crypto_ed25519_generate_key(
+    uint8_t const * random_bytes,
+    struct _olm_ed25519_key_pair *output
+);
+
+/** Signs the message using our private key.
+ *
+ * The output buffer must be at least ED25519_SIGNATURE_LENGTH (64) bytes
+ * long. */
+void _olm_crypto_ed25519_sign(
+    const struct _olm_ed25519_key_pair *our_key,
+    const uint8_t * message, size_t message_length,
+    uint8_t * output
+);
+
+/** Verify an ed25519 signature
+ * The signature input buffer must be ED25519_SIGNATURE_LENGTH (64) bytes long.
+ * Returns non-zero if the signature is valid. */
+int _olm_crypto_ed25519_verify(
+    const struct _olm_ed25519_public_key *their_key,
+    const uint8_t * message, size_t message_length,
+    const uint8_t * signature
+);
+
+
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* OLM_CRYPTO_H_ */
diff --git a/include/olm/crypto.hh b/include/olm/crypto.hh
deleted file mode 100644
index 7a05f8d..0000000
--- a/include/olm/crypto.hh
+++ /dev/null
@@ -1,179 +0,0 @@
-/* Copyright 2015 OpenMarket Ltd
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef OLM_CRYPTO_HH_
-#define OLM_CRYPTO_HH_
-
-#include <cstdint>
-#include <cstddef>
-
-namespace olm {
-
-static const std::size_t KEY_LENGTH = 32;
-static const std::size_t SIGNATURE_LENGTH = 64;
-static const std::size_t IV_LENGTH = 16;
-
-struct Curve25519PublicKey {
-    std::uint8_t public_key[KEY_LENGTH];
-};
-
-
-struct Curve25519KeyPair : public Curve25519PublicKey {
-    std::uint8_t private_key[KEY_LENGTH];
-};
-
-
-struct Ed25519PublicKey {
-    std::uint8_t public_key[KEY_LENGTH];
-};
-
-
-struct Ed25519KeyPair : public Ed25519PublicKey {
-    std::uint8_t private_key[KEY_LENGTH];
-};
-
-
-/** Generate a curve25519 key pair from 32 random bytes. */
-void curve25519_generate_key(
-    std::uint8_t const * random_32_bytes,
-    Curve25519KeyPair & key_pair
-);
-
-
-/** Create a shared secret using our private key and their public key.
- * The output buffer must be at least 32 bytes long. */
-void curve25519_shared_secret(
-    Curve25519KeyPair const & our_key,
-    Curve25519PublicKey const & their_key,
-    std::uint8_t * output
-);
-
-
-/** Signs the message using our private key.
- * The output buffer must be at least 64 bytes long. */
-void curve25519_sign(
-    Curve25519KeyPair const & our_key,
-    std::uint8_t const * message, std::size_t message_length,
-    std::uint8_t * output
-);
-
-
-/** Verify their message using their public key.
- * The signature input buffer must be 64 bytes long.
- * Returns true if the signature is valid. */
-bool curve25519_verify(
-    Curve25519PublicKey const & their_key,
-    std::uint8_t const * message, std::size_t message_length,
-    std::uint8_t const * signature
-);
-
-/** Generate a curve25519 key pair from 32 random bytes. */
-void ed25519_generate_key(
-    std::uint8_t const * random_32_bytes,
-    Ed25519KeyPair & key_pair
-);
-
-
-/** Signs the message using our private key.
- * The output buffer must be at least 64 bytes long. */
-void ed25519_sign(
-    Ed25519KeyPair const & our_key,
-    std::uint8_t const * message, std::size_t message_length,
-    std::uint8_t * output
-);
-
-
-/** Verify their message using their public key.
- * The signature input buffer must be 64 bytes long.
- * Returns true if the signature is valid. */
-bool ed25519_verify(
-    Ed25519PublicKey const & their_key,
-    std::uint8_t const * message, std::size_t message_length,
-    std::uint8_t const * signature
-);
-
-
-struct Aes256Key {
-    std::uint8_t key[KEY_LENGTH];
-};
-
-
-struct Aes256Iv {
-    std::uint8_t iv[IV_LENGTH];
-};
-
-
-/** The length of output the aes_encrypt_cbc function will write */
-std::size_t aes_encrypt_cbc_length(
-    std::size_t input_length
-);
-
-
-/** Encrypts the input using AES256 in CBC mode with PKCS#7 padding.
- * The output buffer must be big enough to hold the output including padding */
-void aes_encrypt_cbc(
-    Aes256Key const & key,
-    Aes256Iv const & iv,
-    std::uint8_t const * input, std::size_t input_length,
-    std::uint8_t * output
-);
-
-
-/** Decrypts the input using AES256 in CBC mode. The output buffer must be at
- * least the same size as the input buffer. Returns the length of the plaintext
- * without padding on success or std::size_t(-1) if the padding is invalid.
- */
-std::size_t aes_decrypt_cbc(
-    Aes256Key const & key,
-    Aes256Iv const & iv,
-    std::uint8_t const * input, std::size_t input_length,
-    std::uint8_t * output
-);
-
-
-/** Computes SHA-256 of the input. The output buffer must be a least 32
- * bytes long. */
-void sha256(
-    std::uint8_t const * input, std::size_t input_length,
-    std::uint8_t * output
-);
-
-
-const std::size_t SHA256_OUTPUT_LENGTH = 32;
-
-
-/** HMAC: Keyed-Hashing for Message Authentication
- * http://tools.ietf.org/html/rfc2104
- * Computes HMAC-SHA-256 of the input for the key. The output buffer must
- * be at least 32 bytes long. */
-void hmac_sha256(
-    std::uint8_t const * key, std::size_t key_length,
-    std::uint8_t const * input, std::size_t input_length,
-    std::uint8_t * output
-);
-
-
-/** HMAC-based Key Derivation Function (HKDF)
- * https://tools.ietf.org/html/rfc5869
- * Derives key material from the input bytes. */
-void hkdf_sha256(
-    std::uint8_t const * input, std::size_t input_length,
-    std::uint8_t const * info, std::size_t info_length,
-    std::uint8_t const * salt, std::size_t salt_length,
-    std::uint8_t * output, std::size_t output_length
-);
-
-} // namespace olm
-
-#endif /* OLM_CRYPTO_HH_ */
diff --git a/include/olm/error.h b/include/olm/error.h
new file mode 100644
index 0000000..9d44a94
--- /dev/null
+++ b/include/olm/error.h
@@ -0,0 +1,65 @@
+/* Copyright 2015-2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef OLM_ERROR_H_
+#define OLM_ERROR_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum OlmErrorCode {
+    OLM_SUCCESS = 0, /*!< There wasn't an error */
+    OLM_NOT_ENOUGH_RANDOM = 1,  /*!< Not enough entropy was supplied */
+    OLM_OUTPUT_BUFFER_TOO_SMALL = 2, /*!< Supplied output buffer is too small */
+    OLM_BAD_MESSAGE_VERSION = 3,  /*!< The message version is unsupported */
+    OLM_BAD_MESSAGE_FORMAT = 4, /*!< The message couldn't be decoded */
+    OLM_BAD_MESSAGE_MAC = 5, /*!< The message couldn't be decrypted */
+    OLM_BAD_MESSAGE_KEY_ID = 6, /*!< The message references an unknown key id */
+    OLM_INVALID_BASE64 = 7, /*!< The input base64 was invalid */
+    OLM_BAD_ACCOUNT_KEY = 8, /*!< The supplied account key is invalid */
+    OLM_UNKNOWN_PICKLE_VERSION = 9, /*!< The pickled object is too new */
+    OLM_CORRUPTED_PICKLE = 10, /*!< The pickled object couldn't be decoded */
+
+    OLM_BAD_SESSION_KEY = 11,  /*!< Attempt to initialise an inbound group
+                                 session from an invalid session key */
+    OLM_UNKNOWN_MESSAGE_INDEX = 12,  /*!< Attempt to decode a message whose
+                                      * index is earlier than our earliest
+                                      * known session key.
+                                      */
+
+    /**
+     * Attempt to unpickle an account which uses pickle version 1 (which did
+     * not save enough space for the Ed25519 key; the key should be considered
+     * compromised. We don't let the user reload the account.
+     */
+    OLM_BAD_LEGACY_ACCOUNT_PICKLE = 13,
+
+    /**
+     * Received message had a bad signature
+     */
+    OLM_BAD_SIGNATURE = 14,
+
+    /* remember to update the list of string constants in error.c when updating
+     * this list. */
+};
+
+/** get a string representation of the given error code. */
+const char * _olm_error_to_string(enum OlmErrorCode error);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* OLM_ERROR_H_ */
diff --git a/include/olm/error.hh b/include/olm/error.hh
deleted file mode 100644
index b0d3764..0000000
--- a/include/olm/error.hh
+++ /dev/null
@@ -1,36 +0,0 @@
-/* Copyright 2015 OpenMarket Ltd
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef ERROR_HH_
-#define ERROR_HH_
-
-namespace olm {
-
-enum struct ErrorCode {
-    SUCCESS = 0, /*!< There wasn't an error */
-    NOT_ENOUGH_RANDOM = 1,  /*!< Not enough entropy was supplied */
-    OUTPUT_BUFFER_TOO_SMALL = 2, /*!< Supplied output buffer is too small */
-    BAD_MESSAGE_VERSION = 3,  /*!< The message version is unsupported */
-    BAD_MESSAGE_FORMAT = 4, /*!< The message couldn't be decoded */
-    BAD_MESSAGE_MAC = 5, /*!< The message couldn't be decrypted */
-    BAD_MESSAGE_KEY_ID = 6, /*!< The message references an unknown key id */
-    INVALID_BASE64 = 7, /*!< The input base64 was invalid */
-    BAD_ACCOUNT_KEY = 8, /*!< The supplied account key is invalid */
-    UNKNOWN_PICKLE_VERSION = 9, /*!< The pickled object is too new */
-    CORRUPTED_PICKLE = 10, /*!< The pickled object couldn't be decoded */
-};
-
-} // namespace olm
-
-#endif /* ERROR_HH_ */
diff --git a/include/olm/inbound_group_session.h b/include/olm/inbound_group_session.h
new file mode 100644
index 0000000..59146c2
--- /dev/null
+++ b/include/olm/inbound_group_session.h
@@ -0,0 +1,172 @@
+/* Copyright 2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef OLM_INBOUND_GROUP_SESSION_H_
+#define OLM_INBOUND_GROUP_SESSION_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct OlmInboundGroupSession OlmInboundGroupSession;
+
+/** get the size of an inbound group session, in bytes. */
+size_t olm_inbound_group_session_size();
+
+/**
+ * Initialise an inbound group session object using the supplied memory
+ * The supplied memory should be at least olm_inbound_group_session_size()
+ * bytes.
+ */
+OlmInboundGroupSession * olm_inbound_group_session(
+    void *memory
+);
+
+/**
+ * A null terminated string describing the most recent error to happen to a
+ * group session */
+const char *olm_inbound_group_session_last_error(
+    const OlmInboundGroupSession *session
+);
+
+/** Clears the memory used to back this group session */
+size_t olm_clear_inbound_group_session(
+    OlmInboundGroupSession *session
+);
+
+/** Returns the number of bytes needed to store an inbound group session */
+size_t olm_pickle_inbound_group_session_length(
+    const OlmInboundGroupSession *session
+);
+
+/**
+ * Stores a group session as a base64 string. Encrypts the session using the
+ * supplied key. Returns the length of the session on success.
+ *
+ * Returns olm_error() on failure. If the pickle output buffer
+ * is smaller than olm_pickle_inbound_group_session_length() then
+ * olm_inbound_group_session_last_error() will be "OUTPUT_BUFFER_TOO_SMALL"
+ */
+size_t olm_pickle_inbound_group_session(
+    OlmInboundGroupSession *session,
+    void const * key, size_t key_length,
+    void * pickled, size_t pickled_length
+);
+
+/**
+ * Loads a group session from a pickled base64 string. Decrypts the session
+ * using the supplied key.
+ *
+ * Returns olm_error() on failure. If the key doesn't match the one used to
+ * encrypt the account then olm_inbound_group_session_last_error() will be
+ * "BAD_ACCOUNT_KEY". If the base64 couldn't be decoded then
+ * olm_inbound_group_session_last_error() will be "INVALID_BASE64". The input
+ * pickled buffer is destroyed
+ */
+size_t olm_unpickle_inbound_group_session(
+    OlmInboundGroupSession *session,
+    void const * key, size_t key_length,
+    void * pickled, size_t pickled_length
+);
+
+
+/**
+ * Start a new inbound group session, based on the parameters supplied.
+ *
+ * Returns olm_error() on failure. On failure last_error will be set with an
+ * error code. The last_error will be:
+ *
+ *  * OLM_INVALID_BASE64  if the session_key is not valid base64
+ *  * OLM_BAD_SESSION_KEY if the session_key is invalid
+ */
+size_t olm_init_inbound_group_session(
+    OlmInboundGroupSession *session,
+    /* base64-encoded keys */
+    uint8_t const * session_key, size_t session_key_length
+);
+
+/**
+ * Get an upper bound on the number of bytes of plain-text the decrypt method
+ * will write for a given input message length. The actual size could be
+ * different due to padding.
+ *
+ * The input message buffer is destroyed.
+ *
+ * Returns olm_error() on failure.
+ */
+size_t olm_group_decrypt_max_plaintext_length(
+    OlmInboundGroupSession *session,
+    uint8_t * message, size_t message_length
+);
+
+/**
+ * Decrypt a message.
+ *
+ * The input message buffer is destroyed.
+ *
+ * Returns the length of the decrypted plain-text, or olm_error() on failure.
+ *
+ * On failure last_error will be set with an error code. The last_error will
+ * be:
+ *   * OLM_OUTPUT_BUFFER_TOO_SMALL if the plain-text buffer is too small
+ *   * OLM_INVALID_BASE64 if the message is not valid base-64
+ *   * OLM_BAD_MESSAGE_VERSION if the message was encrypted with an unsupported
+ *     version of the protocol
+ *   * OLM_BAD_MESSAGE_FORMAT if the message headers could not be decoded
+ *   * OLM_BAD_MESSAGE_MAC    if the message could not be verified
+ *   * OLM_UNKNOWN_MESSAGE_INDEX  if we do not have a session key corresponding to the
+ *     message's index (ie, it was sent before the session key was shared with
+ *     us)
+ */
+size_t olm_group_decrypt(
+    OlmInboundGroupSession *session,
+
+    /* input; note that it will be overwritten with the base64-decoded
+       message. */
+    uint8_t * message, size_t message_length,
+
+    /* output */
+    uint8_t * plaintext, size_t max_plaintext_length
+);
+
+
+/**
+ * Get the number of bytes returned by olm_inbound_group_session_id()
+ */
+size_t olm_inbound_group_session_id_length(
+    const OlmInboundGroupSession *session
+);
+
+/**
+ * Get a base64-encoded identifier for this session.
+ *
+ * Returns the length of the session id on success or olm_error() on
+ * failure. On failure last_error will be set with an error code. The
+ * last_error will be OUTPUT_BUFFER_TOO_SMALL if the id buffer was too
+ * small.
+ */
+size_t olm_inbound_group_session_id(
+    OlmInboundGroupSession *session,
+    uint8_t * id, size_t id_length
+);
+
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* OLM_INBOUND_GROUP_SESSION_H_ */
diff --git a/include/olm/megolm.h b/include/olm/megolm.h
new file mode 100644
index 0000000..e4e5d0b
--- /dev/null
+++ b/include/olm/megolm.h
@@ -0,0 +1,95 @@
+/* Copyright 2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OLM_MEGOLM_H_
+#define OLM_MEGOLM_H_
+
+/**
+ * implementation of the Megolm multi-part ratchet used in group chats.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * number of bytes in each part of the ratchet; this should be the same as
+ * the length of the hash function used in the HMAC (32 bytes for us, as we
+ * use HMAC-SHA-256)
+ */
+#define MEGOLM_RATCHET_PART_LENGTH 32 /* SHA256_OUTPUT_LENGTH */
+
+/**
+ * number of parts in the ratchet; the advance() implementations rely on
+ * this being 4.
+ */
+#define MEGOLM_RATCHET_PARTS 4
+
+#define MEGOLM_RATCHET_LENGTH (MEGOLM_RATCHET_PARTS * MEGOLM_RATCHET_PART_LENGTH)
+
+typedef struct Megolm {
+    uint8_t data[MEGOLM_RATCHET_PARTS][MEGOLM_RATCHET_PART_LENGTH];
+    uint32_t counter;
+} Megolm;
+
+
+/**
+ * The cipher used in megolm-backed conversations
+ *
+ * (AES256 + SHA256, with keys based on an HKDF with info of MEGOLM_KEYS)
+ */
+extern const struct _olm_cipher *megolm_cipher;
+
+/**
+ * initialize the megolm ratchet. random_data should be at least
+ * MEGOLM_RATCHET_LENGTH bytes of randomness.
+ */
+void megolm_init(Megolm *megolm, uint8_t const *random_data, uint32_t counter);
+
+/** Returns the number of bytes needed to store a megolm */
+size_t megolm_pickle_length(const Megolm *megolm);
+
+/**
+ * Pickle the megolm. Returns a pointer to the next free space in the buffer.
+ */
+uint8_t * megolm_pickle(const Megolm *megolm, uint8_t *pos);
+
+/**
+ * Unpickle the megolm. Returns a pointer to the next item in the buffer.
+ */
+const uint8_t * megolm_unpickle(Megolm *megolm, const uint8_t *pos,
+                                const uint8_t *end);
+
+
+/** advance the ratchet by one step */
+void megolm_advance(Megolm *megolm);
+
+/**
+ * get the key data in the ratchet. The returned data is
+ * MEGOLM_RATCHET_LENGTH bytes long.
+ */
+#define megolm_get_data(megolm) ((const uint8_t *)((megolm)->data))
+
+/** advance the ratchet to a given count */
+void megolm_advance_to(Megolm *megolm, uint32_t advance_to);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* OLM_MEGOLM_H_ */
diff --git a/include/olm/memory.h b/include/olm/memory.h
new file mode 100644
index 0000000..cc346d0
--- /dev/null
+++ b/include/olm/memory.h
@@ -0,0 +1,41 @@
+/* Copyright 2015, 2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* C bindings for memory functions */
+
+
+#ifndef OLM_MEMORY_H_
+#define OLM_MEMORY_H_
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Clear the memory held in the buffer. This is more resilient to being
+ * optimised away than memset or bzero.
+ */
+void _olm_unset(
+    void volatile * buffer, size_t buffer_length
+);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+
+#endif /* OLM_MEMORY_H_ */
diff --git a/include/olm/memory.hh b/include/olm/memory.hh
index 128990a..74ff9f8 100644
--- a/include/olm/memory.hh
+++ b/include/olm/memory.hh
@@ -1,4 +1,4 @@
-/* Copyright 2015 OpenMarket Ltd
+/* Copyright 2015, 2016 OpenMarket Ltd
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,9 @@
 #include <cstddef>
 #include <cstdint>
 #include <cstring>
+#include <iomanip>
+#include <iostream>
+#include <sstream>
 #include <type_traits>
 
 namespace olm {
diff --git a/include/olm/message.h b/include/olm/message.h
new file mode 100644
index 0000000..61012c9
--- /dev/null
+++ b/include/olm/message.h
@@ -0,0 +1,93 @@
+/* Copyright 2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * functions for encoding and decoding messages in the Olm protocol.
+ *
+ * Some of these functions have only C++ bindings, and are declared in
+ * message.hh; in time, they should probably be converted to plain C and
+ * declared here.
+ */
+
+#ifndef OLM_MESSAGE_H_
+#define OLM_MESSAGE_H_
+
+#include <stdint.h>
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * The length of the buffer needed to hold a group message.
+ */
+size_t _olm_encode_group_message_length(
+    uint32_t chain_index,
+    size_t ciphertext_length,
+    size_t mac_length,
+    size_t signature_length
+);
+
+/**
+ * Writes the message headers into the output buffer.
+ *
+ * version:            version number of the olm protocol
+ * message_index:      message index
+ * ciphertext_length:  length of the ciphertext
+ * output:             where to write the output. Should be at least
+ *                     olm_encode_group_message_length() bytes long.
+ * ciphertext_ptr:     returns the address that the ciphertext
+ *                     should be written to, followed by the MAC and the
+ *                     signature.
+ *
+ * Returns the size of the message, up to the MAC.
+ */
+size_t _olm_encode_group_message(
+    uint8_t version,
+    uint32_t message_index,
+    size_t ciphertext_length,
+    uint8_t *output,
+    uint8_t **ciphertext_ptr
+);
+
+
+struct _OlmDecodeGroupMessageResults {
+    uint8_t version;
+    uint32_t message_index;
+    int has_message_index;
+    const uint8_t *ciphertext;
+    size_t ciphertext_length;
+};
+
+
+/**
+ * Reads the message headers from the input buffer.
+ */
+void _olm_decode_group_message(
+    const uint8_t *input, size_t input_length,
+    size_t mac_length, size_t signature_length,
+
+    /* output structure: updated with results */
+    struct _OlmDecodeGroupMessageResults *results
+);
+
+
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* OLM_MESSAGE_H_ */
diff --git a/include/olm/message.hh b/include/olm/message.hh
index 5ce0a62..bd912d9 100644
--- a/include/olm/message.hh
+++ b/include/olm/message.hh
@@ -12,6 +12,18 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
+
+/**
+ * functions for encoding and decoding messages in the Olm protocol.
+ *
+ * Some of these functions have plain-C bindings, and are declared in
+ * message.h; in time, all of the functions declared here should probably be
+ * converted to plain C and moved to message.h.
+ */
+
+#include "message.h"
+
 #include <cstddef>
 #include <cstdint>
 
diff --git a/include/olm/olm.h b/include/olm/olm.h
new file mode 100644
index 0000000..3257e53
--- /dev/null
+++ b/include/olm/olm.h
@@ -0,0 +1,449 @@
+/* Copyright 2015, 2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OLM_H_
+#define OLM_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "olm/inbound_group_session.h"
+#include "olm/outbound_group_session.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+static const size_t OLM_MESSAGE_TYPE_PRE_KEY = 0;
+static const size_t OLM_MESSAGE_TYPE_MESSAGE = 1;
+
+typedef struct OlmAccount OlmAccount;
+typedef struct OlmSession OlmSession;
+typedef struct OlmUtility OlmUtility;
+
+/** Get the version number of the library.
+ * Arguments will be updated if non-null.
+ */
+void olm_get_library_version(uint8_t *major, uint8_t *minor, uint8_t *patch);
+
+/** The size of an account object in bytes */
+size_t olm_account_size();
+
+/** The size of a session object in bytes */
+size_t olm_session_size();
+
+/** The size of a utility object in bytes */
+size_t olm_utility_size();
+
+/** Initialise an account object using the supplied memory
+ *  The supplied memory must be at least olm_account_size() bytes */
+OlmAccount * olm_account(
+    void * memory
+);
+
+/** Initialise a session object using the supplied memory
+ *  The supplied memory must be at least olm_session_size() bytes */
+OlmSession * olm_session(
+    void * memory
+);
+
+/** Initialise a utility object using the supplied memory
+ *  The supplied memory must be at least olm_utility_size() bytes */
+OlmUtility * olm_utility(
+    void * memory
+);
+
+/** The value that olm will return from a function if there was an error */
+size_t olm_error();
+
+/** A null terminated string describing the most recent error to happen to an
+ * account */
+const char * olm_account_last_error(
+    OlmAccount * account
+);
+
+/** A null terminated string describing the most recent error to happen to a
+ * session */
+const char * olm_session_last_error(
+    OlmSession * session
+);
+
+/** A null terminated string describing the most recent error to happen to a
+ * utility */
+const char * olm_utility_last_error(
+    OlmUtility * utility
+);
+
+/** Clears the memory used to back this account */
+size_t olm_clear_account(
+    OlmAccount * account
+);
+
+/** Clears the memory used to back this session */
+size_t olm_clear_session(
+    OlmSession * session
+);
+
+/** Clears the memory used to back this utility */
+size_t olm_clear_utility(
+    OlmUtility * utility
+);
+
+/** Returns the number of bytes needed to store an account */
+size_t olm_pickle_account_length(
+    OlmAccount * account
+);
+
+/** Returns the number of bytes needed to store a session */
+size_t olm_pickle_session_length(
+    OlmSession * session
+);
+
+/** Stores an account as a base64 string. Encrypts the account using the
+ * supplied key. Returns the length of the pickled account on success.
+ * Returns olm_error() on failure. If the pickle output buffer
+ * is smaller than olm_pickle_account_length() then
+ * olm_account_last_error() will be "OUTPUT_BUFFER_TOO_SMALL" */
+size_t olm_pickle_account(
+    OlmAccount * account,
+    void const * key, size_t key_length,
+    void * pickled, size_t pickled_length
+);
+
+/** Stores a session as a base64 string. Encrypts the session using the
+ * supplied key. Returns the length of the pickled session on success.
+ * Returns olm_error() on failure. If the pickle output buffer
+ * is smaller than olm_pickle_session_length() then
+ * olm_session_last_error() will be "OUTPUT_BUFFER_TOO_SMALL" */
+size_t olm_pickle_session(
+    OlmSession * session,
+    void const * key, size_t key_length,
+    void * pickled, size_t pickled_length
+);
+
+/** Loads an account from a pickled base64 string. Decrypts the account using
+ * the supplied key. Returns olm_error() on failure. If the key doesn't
+ * match the one used to encrypt the account then olm_account_last_error()
+ * will be "BAD_ACCOUNT_KEY". If the base64 couldn't be decoded then
+ * olm_account_last_error() will be "INVALID_BASE64". The input pickled
+ * buffer is destroyed */
+size_t olm_unpickle_account(
+    OlmAccount * account,
+    void const * key, size_t key_length,
+    void * pickled, size_t pickled_length
+);
+
+/** Loads a session from a pickled base64 string. Decrypts the session using
+ * the supplied key. Returns olm_error() on failure. If the key doesn't
+ * match the one used to encrypt the account then olm_session_last_error()
+ * will be "BAD_ACCOUNT_KEY". If the base64 couldn't be decoded then
+ * olm_session_last_error() will be "INVALID_BASE64". The input pickled
+ * buffer is destroyed */
+size_t olm_unpickle_session(
+    OlmSession * session,
+    void const * key, size_t key_length,
+    void * pickled, size_t pickled_length
+);
+
+/** The number of random bytes needed to create an account.*/
+size_t olm_create_account_random_length(
+    OlmAccount * account
+);
+
+/** Creates a new account. Returns olm_error() on failure. If weren't
+ * enough random bytes then olm_account_last_error() will be
+ * "NOT_ENOUGH_RANDOM" */
+size_t olm_create_account(
+    OlmAccount * account,
+    void * random, size_t random_length
+);
+
+/** The size of the output buffer needed to hold the identity keys */
+size_t olm_account_identity_keys_length(
+    OlmAccount * account
+);
+
+/** Writes the public parts of the identity keys for the account into the
+ * identity_keys output buffer. Returns olm_error() on failure. If the
+ * identity_keys buffer was too small then olm_account_last_error() will be
+ * "OUTPUT_BUFFER_TOO_SMALL". */
+size_t olm_account_identity_keys(
+    OlmAccount * account,
+    void * identity_keys, size_t identity_key_length
+);
+
+
+/** The length of an ed25519 signature encoded as base64. */
+size_t olm_account_signature_length(
+    OlmAccount * account
+);
+
+/** Signs a message with the ed25519 key for this account. Returns olm_error()
+ * on failure. If the signature buffer was too small then
+ * olm_account_last_error() will be "OUTPUT_BUFFER_TOO_SMALL" */
+size_t olm_account_sign(
+    OlmAccount * account,
+    void const * message, size_t message_length,
+    void * signature, size_t signature_length
+);
+
+/** The size of the output buffer needed to hold the one time keys */
+size_t olm_account_one_time_keys_length(
+    OlmAccount * account
+);
+
+/** Writes the public parts of the unpublished one time keys for the account
+ * into the one_time_keys output buffer.
+ * <p>
+ * The returned data is a JSON-formatted object with the single property
+ * <tt>curve25519</tt>, which is itself an object mapping key id to
+ * base64-encoded Curve25519 key. For example:
+ * <pre>
+ * {
+ *     curve25519: {
+ *         "AAAAAA": "wo76WcYtb0Vk/pBOdmduiGJ0wIEjW4IBMbbQn7aSnTo",
+ *         "AAAAAB": "LRvjo46L1X2vx69sS9QNFD29HWulxrmW11Up5AfAjgU"
+ *     }
+ * }
+ * </pre>
+ * Returns olm_error() on failure.
+ * <p>
+ * If the one_time_keys buffer was too small then olm_account_last_error()
+ * will be "OUTPUT_BUFFER_TOO_SMALL". */
+size_t olm_account_one_time_keys(
+    OlmAccount * account,
+    void * one_time_keys, size_t one_time_keys_length
+);
+
+/** Marks the current set of one time keys as being published. */
+size_t olm_account_mark_keys_as_published(
+    OlmAccount * account
+);
+
+/** The largest number of one time keys this account can store. */
+size_t olm_account_max_number_of_one_time_keys(
+    OlmAccount * account
+);
+
+/** The number of random bytes needed to generate a given number of new one
+ * time keys. */
+size_t olm_account_generate_one_time_keys_random_length(
+    OlmAccount * account,
+    size_t number_of_keys
+);
+
+/** Generates a number of new one time keys. If the total number of keys stored
+ * by this account exceeds max_number_of_one_time_keys() then the old keys are
+ * discarded. Returns olm_error() on error. If the number of random bytes is
+ * too small then olm_account_last_error() will be "NOT_ENOUGH_RANDOM". */
+size_t olm_account_generate_one_time_keys(
+    OlmAccount * account,
+    size_t number_of_keys,
+    void * random, size_t random_length
+);
+
+/** The number of random bytes needed to create an outbound session */
+size_t olm_create_outbound_session_random_length(
+    OlmSession * session
+);
+
+/** Creates a new out-bound session for sending messages to a given identity_key
+ * and one_time_key. Returns olm_error() on failure. If the keys couldn't be
+ * decoded as base64 then olm_session_last_error() will be "INVALID_BASE64"
+ * If there weren't enough random bytes then olm_session_last_error() will
+ * be "NOT_ENOUGH_RANDOM". */
+size_t olm_create_outbound_session(
+    OlmSession * session,
+    OlmAccount * account,
+    void const * their_identity_key, size_t their_identity_key_length,
+    void const * their_one_time_key, size_t their_one_time_key_length,
+    void * random, size_t random_length
+);
+
+/** Create a new in-bound session for sending/receiving messages from an
+ * incoming PRE_KEY message. Returns olm_error() on failure. If the base64
+ * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
+ * If the message was for an unsupported protocol version then
+ * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
+ * couldn't be decoded then then olm_session_last_error() will be
+ * "BAD_MESSAGE_FORMAT". If the message refers to an unknown one time
+ * key then olm_session_last_error() will be "BAD_MESSAGE_KEY_ID". */
+size_t olm_create_inbound_session(
+    OlmSession * session,
+    OlmAccount * account,
+    void * one_time_key_message, size_t message_length
+);
+
+/** Create a new in-bound session for sending/receiving messages from an
+ * incoming PRE_KEY message. Returns olm_error() on failure. If the base64
+ * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
+ * If the message was for an unsupported protocol version then
+ * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
+ * couldn't be decoded then then olm_session_last_error() will be
+ * "BAD_MESSAGE_FORMAT". If the message refers to an unknown one time
+ * key then olm_session_last_error() will be "BAD_MESSAGE_KEY_ID". */
+size_t olm_create_inbound_session_from(
+    OlmSession * session,
+    OlmAccount * account,
+    void const * their_identity_key, size_t their_identity_key_length,
+    void * one_time_key_message, size_t message_length
+);
+
+/** The length of the buffer needed to return the id for this session. */
+size_t olm_session_id_length(
+    OlmSession * session
+);
+
+/** An identifier for this session. Will be the same for both ends of the
+ * conversation. If the id buffer is too small then olm_session_last_error()
+ * will be "OUTPUT_BUFFER_TOO_SMALL". */
+size_t olm_session_id(
+    OlmSession * session,
+    void * id, size_t id_length
+);
+
+int olm_session_has_received_message(
+    OlmSession *session
+);
+
+/** Checks if the PRE_KEY message is for this in-bound session. This can happen
+ * if multiple messages are sent to this account before this account sends a
+ * message in reply. Returns olm_error() on failure. If the base64
+ * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
+ * If the message was for an unsupported protocol version then
+ * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
+ * couldn't be decoded then then olm_session_last_error() will be
+ * "BAD_MESSAGE_FORMAT". */
+size_t olm_matches_inbound_session(
+    OlmSession * session,
+    void * one_time_key_message, size_t message_length
+);
+
+/** Checks if the PRE_KEY message is for this in-bound session. This can happen
+ * if multiple messages are sent to this account before this account sends a
+ * message in reply. Returns olm_error() on failure. If the base64
+ * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
+ * If the message was for an unsupported protocol version then
+ * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
+ * couldn't be decoded then then olm_session_last_error() will be
+ * "BAD_MESSAGE_FORMAT". */
+size_t olm_matches_inbound_session_from(
+    OlmSession * session,
+    void const * their_identity_key, size_t their_identity_key_length,
+    void * one_time_key_message, size_t message_length
+);
+
+/** Removes the one time keys that the session used from the account. Returns
+ * olm_error() on failure. If the account doesn't have any matching one time
+ * keys then olm_account_last_error() will be "BAD_MESSAGE_KEY_ID". */
+size_t olm_remove_one_time_keys(
+    OlmAccount * account,
+    OlmSession * session
+);
+
+/** The type of the next message that olm_encrypt() will return. Returns
+ * OLM_MESSAGE_TYPE_PRE_KEY if the message will be a PRE_KEY message.
+ * Returns OLM_MESSAGE_TYPE_MESSAGE if the message will be a normal message.
+ * Returns olm_error on failure. */
+size_t olm_encrypt_message_type(
+    OlmSession * session
+);
+
+/** The number of random bytes needed to encrypt the next message. */
+size_t olm_encrypt_random_length(
+    OlmSession * session
+);
+
+/** The size of the next message in bytes for the given number of plain-text
+ * bytes. */
+size_t olm_encrypt_message_length(
+    OlmSession * session,
+    size_t plaintext_length
+);
+
+/** Encrypts a message using the session. Returns the length of the message in
+ * bytes on success. Writes the message as base64 into the message buffer.
+ * Returns olm_error() on failure. If the message buffer is too small then
+ * olm_session_last_error() will be "OUTPUT_BUFFER_TOO_SMALL". If there
+ * weren't enough random bytes then olm_session_last_error() will be
+ * "NOT_ENOUGH_RANDOM". */
+size_t olm_encrypt(
+    OlmSession * session,
+    void const * plaintext, size_t plaintext_length,
+    void * random, size_t random_length,
+    void * message, size_t message_length
+);
+
+/** The maximum number of bytes of plain-text a given message could decode to.
+ * The actual size could be different due to padding. The input message buffer
+ * is destroyed. Returns olm_error() on failure. If the message base64
+ * couldn't be decoded then olm_session_last_error() will be
+ * "INVALID_BASE64". If the message is for an unsupported version of the
+ * protocol then olm_session_last_error() will be "BAD_MESSAGE_VERSION".
+ * If the message couldn't be decoded then olm_session_last_error() will be
+ * "BAD_MESSAGE_FORMAT". */
+size_t olm_decrypt_max_plaintext_length(
+    OlmSession * session,
+    size_t message_type,
+    void * message, size_t message_length
+);
+
+/** Decrypts a message using the session. The input message buffer is destroyed.
+ * Returns the length of the plain-text on success. Returns olm_error() on
+ * failure. If the plain-text buffer is smaller than
+ * olm_decrypt_max_plaintext_length() then olm_session_last_error()
+ * will be "OUTPUT_BUFFER_TOO_SMALL". If the base64 couldn't be decoded then
+ * olm_session_last_error() will be "INVALID_BASE64". If the message is for
+ * an unsupported version of the protocol then olm_session_last_error() will
+ *  be "BAD_MESSAGE_VERSION". If the message couldn't be decoded then
+ *  olm_session_last_error() will be BAD_MESSAGE_FORMAT".
+ *  If the MAC on the message was invalid then olm_session_last_error() will
+ *  be "BAD_MESSAGE_MAC". */
+size_t olm_decrypt(
+    OlmSession * session,
+    size_t message_type,
+    void * message, size_t message_length,
+    void * plaintext, size_t max_plaintext_length
+);
+
+/** The length of the buffer needed to hold the SHA-256 hash. */
+size_t olm_sha256_length(
+   OlmUtility * utility
+);
+
+/** Calculates the SHA-256 hash of the input and encodes it as base64. If the
+ * output buffer is smaller than olm_sha256_length() then
+ * olm_session_last_error() will be "OUTPUT_BUFFER_TOO_SMALL". */
+size_t olm_sha256(
+    OlmUtility * utility,
+    void const * input, size_t input_length,
+    void * output, size_t output_length
+);
+
+/** Verify an ed25519 signature. If the key was too small then
+ * olm_session_last_error will be "INVALID_BASE64". If the signature was invalid
+ * then olm_session_last_error() will be "BAD_MESSAGE_MAC". */
+size_t olm_ed25519_verify(
+    OlmUtility * utility,
+    void const * key, size_t key_length,
+    void const * message, size_t message_length,
+    void * signature, size_t signature_length
+);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* OLM_HH_ */
diff --git a/include/olm/olm.hh b/include/olm/olm.hh
index bee1ae4..5ca59c3 100644
--- a/include/olm/olm.hh
+++ b/include/olm/olm.hh
@@ -1,422 +1,4 @@
-/* Copyright 2015 OpenMarket Ltd
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+/* this file exists only for compatibility with existing applications.
+ * You should use "#include <olm/olm.h>" instead.
  */
-#ifndef OLM_HH_
-#define OLM_HH_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-static const size_t OLM_MESSAGE_TYPE_PRE_KEY = 0;
-static const size_t OLM_MESSAGE_TYPE_MESSAGE = 1;
-
-typedef struct OlmAccount OlmAccount;
-typedef struct OlmSession OlmSession;
-typedef struct OlmUtility OlmUtility;
-
-/** The size of an account object in bytes */
-size_t olm_account_size();
-
-/** The size of a session object in bytes */
-size_t olm_session_size();
-
-/** The size of a utility object in bytes */
-size_t olm_utility_size();
-
-/** Initialise an account object using the supplied memory
- *  The supplied memory must be at least olm_account_size() bytes */
-OlmAccount * olm_account(
-    void * memory
-);
-
-/** Initialise a session object using the supplied memory
- *  The supplied memory must be at least olm_session_size() bytes */
-OlmSession * olm_session(
-    void * memory
-);
-
-/** Initialise a utility object using the supplied memory
- *  The supplied memory must be at least olm_utility_size() bytes */
-OlmUtility * olm_utility(
-    void * memory
-);
-
-/** The value that olm will return from a function if there was an error */
-size_t olm_error();
-
-/** A null terminated string describing the most recent error to happen to an
- * account */
-const char * olm_account_last_error(
-    OlmAccount * account
-);
-
-/** A null terminated string describing the most recent error to happen to a
- * session */
-const char * olm_session_last_error(
-    OlmSession * session
-);
-
-/** A null terminated string describing the most recent error to happen to a
- * utility */
-const char * olm_utility_last_error(
-    OlmUtility * utility
-);
-
-/** Clears the memory used to back this account */
-size_t olm_clear_account(
-    OlmAccount * account
-);
-
-/** Clears the memory used to back this session */
-size_t olm_clear_session(
-    OlmSession * session
-);
-
-/** Clears the memory used to back this utility */
-size_t olm_clear_utility(
-    OlmUtility * utility
-);
-
-/** Returns the number of bytes needed to store an account */
-size_t olm_pickle_account_length(
-    OlmAccount * account
-);
-
-/** Returns the number of bytes needed to store a session */
-size_t olm_pickle_session_length(
-    OlmSession * session
-);
-
-/** Stores an account as a base64 string. Encrypts the account using the
- * supplied key. Returns the length of the pickled account on success.
- * Returns olm_error() on failure. If the pickle output buffer
- * is smaller than olm_pickle_account_length() then
- * olm_account_last_error() will be "OUTPUT_BUFFER_TOO_SMALL" */
-size_t olm_pickle_account(
-    OlmAccount * account,
-    void const * key, size_t key_length,
-    void * pickled, size_t pickled_length
-);
-
-/** Stores a session as a base64 string. Encrypts the session using the
- * supplied key. Returns the length of the pickled session on success.
- * Returns olm_error() on failure. If the pickle output buffer
- * is smaller than olm_pickle_session_length() then
- * olm_session_last_error() will be "OUTPUT_BUFFER_TOO_SMALL" */
-size_t olm_pickle_session(
-    OlmSession * session,
-    void const * key, size_t key_length,
-    void * pickled, size_t pickled_length
-);
-
-/** Loads an account from a pickled base64 string. Decrypts the account using
- * the supplied key. Returns olm_error() on failure. If the key doesn't
- * match the one used to encrypt the account then olm_account_last_error()
- * will be "BAD_ACCOUNT_KEY". If the base64 couldn't be decoded then
- * olm_account_last_error() will be "INVALID_BASE64". The input pickled
- * buffer is destroyed */
-size_t olm_unpickle_account(
-    OlmAccount * account,
-    void const * key, size_t key_length,
-    void * pickled, size_t pickled_length
-);
-
-/** Loads a session from a pickled base64 string. Decrypts the session using
- * the supplied key. Returns olm_error() on failure. If the key doesn't
- * match the one used to encrypt the account then olm_session_last_error()
- * will be "BAD_ACCOUNT_KEY". If the base64 couldn't be decoded then
- * olm_session_last_error() will be "INVALID_BASE64". The input pickled
- * buffer is destroyed */
-size_t olm_unpickle_session(
-    OlmSession * session,
-    void const * key, size_t key_length,
-    void * pickled, size_t pickled_length
-);
-
-/** The number of random bytes needed to create an account.*/
-size_t olm_create_account_random_length(
-    OlmAccount * account
-);
-
-/** Creates a new account. Returns olm_error() on failure. If weren't
- * enough random bytes then olm_account_last_error() will be
- * "NOT_ENOUGH_RANDOM" */
-size_t olm_create_account(
-    OlmAccount * account,
-    void * random, size_t random_length
-);
-
-/** The size of the output buffer needed to hold the identity keys */
-size_t olm_account_identity_keys_length(
-    OlmAccount * account
-);
-
-/** Writes the public parts of the identity keys for the account into the
- * identity_keys output buffer. Returns olm_error() on failure. If the
- * identity_keys buffer was too small then olm_account_last_error() will be
- * "OUTPUT_BUFFER_TOO_SMALL". */
-size_t olm_account_identity_keys(
-    OlmAccount * account,
-    void * identity_keys, size_t identity_key_length
-);
-
-
-/** The length of an ed25519 signature encoded as base64. */
-size_t olm_account_signature_length(
-    OlmAccount * account
-);
-
-/** Signs a message with the ed25519 key for this account. Returns olm_error()
- * on failure. If the signature buffer was too small then
- * olm_account_last_error() will be "OUTPUT_BUFFER_TOO_SMALL" */
-size_t olm_account_sign(
-    OlmAccount * account,
-    void const * message, size_t message_length,
-    void * signature, size_t signature_length
-);
-
-/** The size of the output buffer needed to hold the one time keys */
-size_t olm_account_one_time_keys_length(
-    OlmAccount * account
-);
-
-/** Writes the public parts of the unpublished one time keys for the account
- * into the one_time_keys output buffer. Returns olm_error() on failure.
- * If the one_time_keys buffer was too small then olm_account_last_error()
- * will be "OUTPUT_BUFFER_TOO_SMALL". */
-size_t olm_account_one_time_keys(
-    OlmAccount * account,
-    void * one_time_keys, size_t one_time_keys_length
-);
-
-/** Marks the current set of one time keys as being published. */
-size_t olm_account_mark_keys_as_published(
-    OlmAccount * account
-);
-
-/** The largest number of one time keys this account can store. */
-size_t olm_account_max_number_of_one_time_keys(
-    OlmAccount * account
-);
-
-/** The number of random bytes needed to generate a given number of new one
- * time keys. */
-size_t olm_account_generate_one_time_keys_random_length(
-    OlmAccount * account,
-    size_t number_of_keys
-);
-
-/** Generates a number of new one time keys. If the total number of keys stored
- * by this account exceeds max_number_of_one_time_keys() then the old keys are
- * discarded. Returns olm_error() on error. If the number of random bytes is
- * too small then olm_account_last_error() will be "NOT_ENOUGH_RANDOM". */
-size_t olm_account_generate_one_time_keys(
-    OlmAccount * account,
-    size_t number_of_keys,
-    void * random, size_t random_length
-);
-
-/** The number of random bytes needed to create an outbound session */
-size_t olm_create_outbound_session_random_length(
-    OlmSession * session
-);
-
-/** Creates a new out-bound session for sending messages to a given identity_key
- * and one_time_key. Returns olm_error() on failure. If the keys couldn't be
- * decoded as base64 then olm_session_last_error() will be "INVALID_BASE64"
- * If there weren't enough random bytes then olm_session_last_error() will
- * be "NOT_ENOUGH_RANDOM". */
-size_t olm_create_outbound_session(
-    OlmSession * session,
-    OlmAccount * account,
-    void const * their_identity_key, size_t their_identity_key_length,
-    void const * their_one_time_key, size_t their_one_time_key_length,
-    void * random, size_t random_length
-);
-
-/** Create a new in-bound session for sending/receiving messages from an
- * incoming PRE_KEY message. Returns olm_error() on failure. If the base64
- * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
- * If the message was for an unsupported protocol version then
- * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
- * couldn't be decoded then then olm_session_last_error() will be
- * "BAD_MESSAGE_FORMAT". If the message refers to an unknown one time
- * key then olm_session_last_error() will be "BAD_MESSAGE_KEY_ID". */
-size_t olm_create_inbound_session(
-    OlmSession * session,
-    OlmAccount * account,
-    void * one_time_key_message, size_t message_length
-);
-
-/** Create a new in-bound session for sending/receiving messages from an
- * incoming PRE_KEY message. Returns olm_error() on failure. If the base64
- * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
- * If the message was for an unsupported protocol version then
- * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
- * couldn't be decoded then then olm_session_last_error() will be
- * "BAD_MESSAGE_FORMAT". If the message refers to an unknown one time
- * key then olm_session_last_error() will be "BAD_MESSAGE_KEY_ID". */
-size_t olm_create_inbound_session_from(
-    OlmSession * session,
-    OlmAccount * account,
-    void const * their_identity_key, size_t their_identity_key_length,
-    void * one_time_key_message, size_t message_length
-);
-
-/** The length of the buffer needed to return the id for this session. */
-size_t olm_session_id_length(
-    OlmSession * session
-);
-
-/** An identifier for this session. Will be the same for both ends of the
- * conversation. If the id buffer is too small then olm_session_last_error()
- * will be "OUTPUT_BUFFER_TOO_SMALL". */
-size_t olm_session_id(
-    OlmSession * session,
-    void * id, size_t id_length
-);
-
-/** Checks if the PRE_KEY message is for this in-bound session. This can happen
- * if multiple messages are sent to this account before this account sends a
- * message in reply. Returns olm_error() on failure. If the base64
- * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
- * If the message was for an unsupported protocol version then
- * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
- * couldn't be decoded then then olm_session_last_error() will be
- * "BAD_MESSAGE_FORMAT". */
-size_t olm_matches_inbound_session(
-    OlmSession * session,
-    void * one_time_key_message, size_t message_length
-);
-
-/** Checks if the PRE_KEY message is for this in-bound session. This can happen
- * if multiple messages are sent to this account before this account sends a
- * message in reply. Returns olm_error() on failure. If the base64
- * couldn't be decoded then olm_session_last_error will be "INVALID_BASE64".
- * If the message was for an unsupported protocol version then
- * olm_session_last_error() will be "BAD_MESSAGE_VERSION". If the message
- * couldn't be decoded then then olm_session_last_error() will be
- * "BAD_MESSAGE_FORMAT". */
-size_t olm_matches_inbound_session_from(
-    OlmSession * session,
-    void const * their_identity_key, size_t their_identity_key_length,
-    void * one_time_key_message, size_t message_length
-);
-
-/** Removes the one time keys that the session used from the account. Returns
- * olm_error() on failure. If the account doesn't have any matching one time
- * keys then olm_account_last_error() will be "BAD_MESSAGE_KEY_ID". */
-size_t olm_remove_one_time_keys(
-    OlmAccount * account,
-    OlmSession * session
-);
-
-/** The type of the next message that olm_encrypt() will return. Returns
- * OLM_MESSAGE_TYPE_PRE_KEY if the message will be a PRE_KEY message.
- * Returns OLM_MESSAGE_TYPE_MESSAGE if the message will be a normal message.
- * Returns olm_error on failure. */
-size_t olm_encrypt_message_type(
-    OlmSession * session
-);
-
-/** The number of random bytes needed to encrypt the next message. */
-size_t olm_encrypt_random_length(
-    OlmSession * session
-);
-
-/** The size of the next message in bytes for the given number of plain-text
- * bytes. */
-size_t olm_encrypt_message_length(
-    OlmSession * session,
-    size_t plaintext_length
-);
-
-/** Encrypts a message using the session. Returns the length of the message in
- * bytes on success. Writes the message as base64 into the message buffer.
- * Returns olm_error() on failure. If the message buffer is too small then
- * olm_session_last_error() will be "OUTPUT_BUFFER_TOO_SMALL". If there
- * weren't enough random bytes then olm_session_last_error() will be
- * "NOT_ENOUGH_RANDOM". */
-size_t olm_encrypt(
-    OlmSession * session,
-    void const * plaintext, size_t plaintext_length,
-    void * random, size_t random_length,
-    void * message, size_t message_length
-);
-
-/** The maximum number of bytes of plain-text a given message could decode to.
- * The actual size could be different due to padding. The input message buffer
- * is destroyed. Returns olm_error() on failure. If the message base64
- * couldn't be decoded then olm_session_last_error() will be
- * "INVALID_BASE64". If the message is for an unsupported version of the
- * protocol then olm_session_last_error() will be "BAD_MESSAGE_VERSION".
- * If the message couldn't be decoded then olm_session_last_error() will be
- * "BAD_MESSAGE_FORMAT". */
-size_t olm_decrypt_max_plaintext_length(
-    OlmSession * session,
-    size_t message_type,
-    void * message, size_t message_length
-);
-
-/** Decrypts a message using the session. The input message buffer is destroyed.
- * Returns the length of the plain-text on success. Returns olm_error() on
- * failure. If the plain-text buffer is smaller than
- * olm_decrypt_max_plaintext_length() then olm_session_last_error()
- * will be "OUTPUT_BUFFER_TOO_SMALL". If the base64 couldn't be decoded then
- * olm_session_last_error() will be "INVALID_BASE64". If the message is for
- * an unsupported version of the protocol then olm_session_last_error() will
- *  be "BAD_MESSAGE_VERSION". If the message couldn't be decoded then
- *  olm_session_last_error() will be BAD_MESSAGE_FORMAT".
- *  If the MAC on the message was invalid then olm_session_last_error() will
- *  be "BAD_MESSAGE_MAC". */
-size_t olm_decrypt(
-    OlmSession * session,
-    size_t message_type,
-    void * message, size_t message_length,
-    void * plaintext, size_t max_plaintext_length
-);
-
-/** The length of the buffer needed to hold the SHA-256 hash. */
-size_t olm_sha256_length(
-   OlmUtility * utility
-);
-
-/** Calculates the SHA-256 hash of the input and encodes it as base64. If the
- * output buffer is smaller than olm_sha256_length() then
- * olm_session_last_error() will be "OUTPUT_BUFFER_TOO_SMALL". */
-size_t olm_sha256(
-    OlmUtility * utility,
-    void const * input, size_t input_length,
-    void * output, size_t output_length
-);
-
-/** Verify an ed25519 signature. If the key was too small then
- * olm_session_last_error will be "INVALID_BASE64". If the signature was invalid
- * then olm_session_last_error() will be "BAD_MESSAGE_MAC". */
-size_t olm_ed25519_verify(
-    OlmUtility * utility,
-    void const * key, size_t key_length,
-    void const * message, size_t message_length,
-    void * signature, size_t signature_length
-);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* OLM_HH_ */
+#include "olm/olm.h"
diff --git a/include/olm/outbound_group_session.h b/include/olm/outbound_group_session.h
new file mode 100644
index 0000000..90ccca3
--- /dev/null
+++ b/include/olm/outbound_group_session.h
@@ -0,0 +1,181 @@
+/* Copyright 2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef OLM_OUTBOUND_GROUP_SESSION_H_
+#define OLM_OUTBOUND_GROUP_SESSION_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct OlmOutboundGroupSession OlmOutboundGroupSession;
+
+/** get the size of an outbound group session, in bytes. */
+size_t olm_outbound_group_session_size();
+
+/**
+ * Initialise an outbound group session object using the supplied memory
+ * The supplied memory should be at least olm_outbound_group_session_size()
+ * bytes.
+ */
+OlmOutboundGroupSession * olm_outbound_group_session(
+    void *memory
+);
+
+/**
+ * A null terminated string describing the most recent error to happen to a
+ * group session */
+const char *olm_outbound_group_session_last_error(
+    const OlmOutboundGroupSession *session
+);
+
+/** Clears the memory used to back this group session */
+size_t olm_clear_outbound_group_session(
+    OlmOutboundGroupSession *session
+);
+
+/** Returns the number of bytes needed to store an outbound group session */
+size_t olm_pickle_outbound_group_session_length(
+    const OlmOutboundGroupSession *session
+);
+
+/**
+ * Stores a group session as a base64 string. Encrypts the session using the
+ * supplied key. Returns the length of the session on success.
+ *
+ * Returns olm_error() on failure. If the pickle output buffer
+ * is smaller than olm_pickle_outbound_group_session_length() then
+ * olm_outbound_group_session_last_error() will be "OUTPUT_BUFFER_TOO_SMALL"
+ */
+size_t olm_pickle_outbound_group_session(
+    OlmOutboundGroupSession *session,
+    void const * key, size_t key_length,
+    void * pickled, size_t pickled_length
+);
+
+/**
+ * Loads a group session from a pickled base64 string. Decrypts the session
+ * using the supplied key.
+ *
+ * Returns olm_error() on failure. If the key doesn't match the one used to
+ * encrypt the account then olm_outbound_group_session_last_error() will be
+ * "BAD_ACCOUNT_KEY". If the base64 couldn't be decoded then
+ * olm_outbound_group_session_last_error() will be "INVALID_BASE64". The input
+ * pickled buffer is destroyed
+ */
+size_t olm_unpickle_outbound_group_session(
+    OlmOutboundGroupSession *session,
+    void const * key, size_t key_length,
+    void * pickled, size_t pickled_length
+);
+
+
+/** The number of random bytes needed to create an outbound group session */
+size_t olm_init_outbound_group_session_random_length(
+    const OlmOutboundGroupSession *session
+);
+
+/**
+ * Start a new outbound group session. Returns olm_error() on failure. On
+ * failure last_error will be set with an error code. The last_error will be
+ * NOT_ENOUGH_RANDOM if the number of random bytes was too small.
+ */
+size_t olm_init_outbound_group_session(
+    OlmOutboundGroupSession *session,
+    uint8_t const * random, size_t random_length
+);
+
+/**
+ * The number of bytes that will be created by encrypting a message
+ */
+size_t olm_group_encrypt_message_length(
+    OlmOutboundGroupSession *session,
+    size_t plaintext_length
+);
+
+/**
+ * Encrypt some plain-text. Returns the length of the encrypted message or
+ * olm_error() on failure. On failure last_error will be set with an
+ * error code. The last_error will be OUTPUT_BUFFER_TOO_SMALL if the output
+ * buffer is too small.
+ */
+size_t olm_group_encrypt(
+    OlmOutboundGroupSession *session,
+    uint8_t const * plaintext, size_t plaintext_length,
+    uint8_t * message, size_t message_length
+);
+
+
+/**
+ * Get the number of bytes returned by olm_outbound_group_session_id()
+ */
+size_t olm_outbound_group_session_id_length(
+    const OlmOutboundGroupSession *session
+);
+
+/**
+ * Get a base64-encoded identifier for this session.
+ *
+ * Returns the length of the session id on success or olm_error() on
+ * failure. On failure last_error will be set with an error code. The
+ * last_error will be OUTPUT_BUFFER_TOO_SMALL if the id buffer was too
+ * small.
+ */
+size_t olm_outbound_group_session_id(
+    OlmOutboundGroupSession *session,
+    uint8_t * id, size_t id_length
+);
+
+/**
+ * Get the current message index for this session.
+ *
+ * Each message is sent with an increasing index; this returns the index for
+ * the next message.
+ */
+uint32_t olm_outbound_group_session_message_index(
+    OlmOutboundGroupSession *session
+);
+
+/**
+ * Get the number of bytes returned by olm_outbound_group_session_key()
+ */
+size_t olm_outbound_group_session_key_length(
+    const OlmOutboundGroupSession *session
+);
+
+/**
+ * Get the base64-encoded current ratchet key for this session.
+ *
+ * Each message is sent with a different ratchet key. This function returns the
+ * ratchet key that will be used for the next message.
+ *
+ * Returns the length of the ratchet key on success or olm_error() on
+ * failure. On failure last_error will be set with an error code. The
+ * last_error will be OUTPUT_BUFFER_TOO_SMALL if the buffer was too small.
+ */
+size_t olm_outbound_group_session_key(
+    OlmOutboundGroupSession *session,
+    uint8_t * key, size_t key_length
+);
+
+
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* OLM_OUTBOUND_GROUP_SESSION_H_ */
diff --git a/include/olm/pickle.h b/include/olm/pickle.h
new file mode 100644
index 0000000..0e668bb
--- /dev/null
+++ b/include/olm/pickle.h
@@ -0,0 +1,90 @@
+/* Copyright 2015-2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef OLM_PICKLE_H_
+#define OLM_PICKLE_H_
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct _olm_ed25519_public_key;
+struct _olm_ed25519_key_pair;
+
+
+#define _olm_pickle_uint32_length(value) 4
+uint8_t * _olm_pickle_uint32(uint8_t * pos, uint32_t value);
+uint8_t const * _olm_unpickle_uint32(
+    uint8_t const * pos, uint8_t const * end,
+    uint32_t *value
+);
+
+
+#define _olm_pickle_bool_length(value) 1
+uint8_t * _olm_pickle_bool(uint8_t * pos, int value);
+uint8_t const * _olm_unpickle_bool(
+    uint8_t const * pos, uint8_t const * end,
+    int *value
+);
+
+#define _olm_pickle_bytes_length(bytes, bytes_length) (bytes_length)
+uint8_t * _olm_pickle_bytes(uint8_t * pos, uint8_t const * bytes,
+                           size_t bytes_length);
+uint8_t const * _olm_unpickle_bytes(uint8_t const * pos, uint8_t const * end,
+                                   uint8_t * bytes, size_t bytes_length);
+
+
+/** Get the number of bytes needed to pickle an ed25519 public key */
+size_t _olm_pickle_ed25519_public_key_length(
+    const struct _olm_ed25519_public_key * value
+);
+
+/** Pickle the ed25519 public key. Returns a pointer to the next free space in
+ * the buffer. */
+uint8_t * _olm_pickle_ed25519_public_key(
+    uint8_t *pos, const struct _olm_ed25519_public_key * value
+);
+
+/** Unpickle the ed25519 public key. Returns a pointer to the next item in the
+ * buffer. */
+const uint8_t * _olm_unpickle_ed25519_public_key(
+    const uint8_t *pos, const uint8_t *end,
+    struct _olm_ed25519_public_key * value
+);
+
+/** Get the number of bytes needed to pickle an ed25519 key pair */
+size_t _olm_pickle_ed25519_key_pair_length(
+    const struct _olm_ed25519_key_pair * value
+);
+
+/** Pickle the ed25519 key pair. Returns a pointer to the next free space in
+ * the buffer. */
+uint8_t * _olm_pickle_ed25519_key_pair(
+    uint8_t *pos, const struct _olm_ed25519_key_pair * value
+);
+
+/** Unpickle the ed25519 key pair. Returns a pointer to the next item in the
+ * buffer. */
+const uint8_t * _olm_unpickle_ed25519_key_pair(
+    const uint8_t *pos, const uint8_t *end,
+    struct _olm_ed25519_key_pair * value
+);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* OLM_PICKLE_H */
diff --git a/include/olm/pickle.hh b/include/olm/pickle.hh
index 27f1f26..4cf3f36 100644
--- a/include/olm/pickle.hh
+++ b/include/olm/pickle.hh
@@ -16,65 +16,45 @@
 #define OLM_PICKLE_HH_
 
 #include "olm/list.hh"
-#include "olm/crypto.hh"
+#include "olm/crypto.h"
 
 #include <cstring>
 #include <cstdint>
 
 namespace olm {
 
-static std::size_t pickle_length(
+inline std::size_t pickle_length(
     const std::uint32_t & value
 ) {
     return 4;
 }
 
-
-static std::uint8_t * pickle(
+std::uint8_t * pickle(
     std::uint8_t * pos,
     std::uint32_t value
-) {
-    pos += 4;
-    for (unsigned i = 4; i--;) { *(--pos) = value; value >>= 8; }
-    return pos + 4;
-}
-
+);
 
-static std::uint8_t const * unpickle(
+std::uint8_t const * unpickle(
     std::uint8_t const * pos, std::uint8_t const * end,
     std::uint32_t & value
-) {
-    value = 0;
-    if (end - pos < 4) return end;
-    for (unsigned i = 4; i--;) { value <<= 8; value |= *(pos++); }
-    return pos;
-}
+);
+
 
-static std::size_t pickle_length(
+inline std::size_t pickle_length(
     const bool & value
 ) {
     return 1;
 }
 
-
-static std::uint8_t * pickle(
+std::uint8_t * pickle(
     std::uint8_t * pos,
     bool value
-) {
-    *(pos++) = value ? 1 : 0;
-    return pos;
-}
-
+);
 
-static std::uint8_t const * unpickle(
+std::uint8_t const * unpickle(
     std::uint8_t const * pos, std::uint8_t const * end,
     bool & value
-) {
-    if (pos == end) return end;
-    value = *(pos++);
-    return pos;
-}
-
+);
 
 
 template<typename T, std::size_t max_size>
@@ -117,90 +97,48 @@ std::uint8_t const * unpickle(
 }
 
 
-static std::uint8_t * pickle_bytes(
+std::uint8_t * pickle_bytes(
     std::uint8_t * pos,
     std::uint8_t const * bytes, std::size_t bytes_length
-) {
-    std::memcpy(pos, bytes, bytes_length);
-    return pos + bytes_length;
-}
-
-
-static std::uint8_t const * unpickle_bytes(
-    std::uint8_t const * pos, std::uint8_t const * end,
-    std::uint8_t * bytes, std::size_t bytes_length
-) {
-    if (end - pos < bytes_length) return end;
-    std::memcpy(bytes, pos, bytes_length);
-    return pos + bytes_length;
-}
-
-
-std::size_t pickle_length(
-    const Curve25519PublicKey & value
 );
 
-
-std::uint8_t * pickle(
-    std::uint8_t * pos,
-    const Curve25519PublicKey & value
-);
-
-
-std::uint8_t const * unpickle(
+std::uint8_t const * unpickle_bytes(
     std::uint8_t const * pos, std::uint8_t const * end,
-    Curve25519PublicKey & value
-);
-
-
-std::size_t pickle_length(
-    const Curve25519KeyPair & value
-);
-
-
-std::uint8_t * pickle(
-    std::uint8_t * pos,
-    const Curve25519KeyPair & value
-);
-
-
-std::uint8_t const * unpickle(
-    std::uint8_t const * pos, std::uint8_t const * end,
-    Curve25519KeyPair & value
+    std::uint8_t * bytes, std::size_t bytes_length
 );
 
 
 std::size_t pickle_length(
-    const Ed25519PublicKey & value
+    const _olm_curve25519_public_key & value
 );
 
 
 std::uint8_t * pickle(
     std::uint8_t * pos,
-    const Ed25519PublicKey & value
+    const _olm_curve25519_public_key & value
 );
 
 
 std::uint8_t const * unpickle(
     std::uint8_t const * pos, std::uint8_t const * end,
-    Ed25519PublicKey & value
+    _olm_curve25519_public_key & value
 );
 
 
 std::size_t pickle_length(
-    const Ed25519KeyPair & value
+    const _olm_curve25519_key_pair & value
 );
 
 
 std::uint8_t * pickle(
     std::uint8_t * pos,
-    const Ed25519KeyPair & value
+    const _olm_curve25519_key_pair & value
 );
 
 
 std::uint8_t const * unpickle(
     std::uint8_t const * pos, std::uint8_t const * end,
-    Ed25519KeyPair & value
+    _olm_curve25519_key_pair & value
 );
 
 } // namespace olm
diff --git a/include/olm/pickle_encoding.h b/include/olm/pickle_encoding.h
new file mode 100644
index 0000000..03611df
--- /dev/null
+++ b/include/olm/pickle_encoding.h
@@ -0,0 +1,76 @@
+/* Copyright 2016 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* functions for encrypting and decrypting pickled representations of objects */
+
+#ifndef OLM_PICKLE_ENCODING_H_
+#define OLM_PICKLE_ENCODING_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "olm/error.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * Get the number of bytes needed to encode a pickle of the length given
+ */
+size_t _olm_enc_output_length(size_t raw_length);
+
+/**
+ * Get the point in the output buffer that the raw pickle should be written to.
+ *
+ * In order that we can use the same buffer for the raw pickle, and the encoded
+ * pickle, the raw pickle needs to be written at the end of the buffer. (The
+ * base-64 encoding would otherwise overwrite the end of the input before it
+ * was encoded.)
+ */
+ uint8_t *_olm_enc_output_pos(uint8_t * output, size_t raw_length);
+
+/**
+ * Encrypt and encode the given pickle in-situ.
+ *
+ * The raw pickle should have been written to enc_output_pos(pickle,
+ * raw_length).
+ *
+ * Returns the number of bytes in the encoded pickle.
+ */
+size_t _olm_enc_output(
+    uint8_t const * key, size_t key_length,
+    uint8_t *pickle, size_t raw_length
+);
+
+/**
+ * Decode and decrypt the given pickle in-situ.
+ *
+ * Returns the number of bytes in the decoded pickle, or olm_error() on error,
+ * in which case *last_error will be updated, if last_error is non-NULL.
+ */
+size_t _olm_enc_input(
+    uint8_t const * key, size_t key_length,
+    uint8_t * input, size_t b64_length,
+    enum OlmErrorCode * last_error
+);
+
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* OLM_PICKLE_ENCODING_H_ */
diff --git a/include/olm/ratchet.hh b/include/olm/ratchet.hh
index 2393e5b..2e87e35 100644
--- a/include/olm/ratchet.hh
+++ b/include/olm/ratchet.hh
@@ -13,23 +13,29 @@
  * limitations under the License.
  */
 
-#include "olm/crypto.hh"
+#include <cstdint>
+
+#include "olm/crypto.h"
 #include "olm/list.hh"
-#include "olm/error.hh"
+#include "olm/error.h"
 
-namespace olm {
+struct _olm_cipher;
 
-class Cipher;
+namespace olm {
 
-typedef std::uint8_t SharedKey[olm::KEY_LENGTH];
+/** length of a shared key: the root key R(i), chain key C(i,j), and message key
+ * M(i,j)). They are all only used to stuff into HMACs, so could be any length
+ * for that. The chain key and message key are both derived from SHA256
+ * operations, so their length is determined by that. */
+const std::size_t OLM_SHARED_KEY_LENGTH = SHA256_OUTPUT_LENGTH;
 
+typedef std::uint8_t SharedKey[OLM_SHARED_KEY_LENGTH];
 
 struct ChainKey {
     std::uint32_t index;
     SharedKey key;
 };
 
-
 struct MessageKey {
     std::uint32_t index;
     SharedKey key;
@@ -37,19 +43,19 @@ struct MessageKey {
 
 
 struct SenderChain {
-    Curve25519KeyPair ratchet_key;
+    _olm_curve25519_key_pair ratchet_key;
     ChainKey chain_key;
 };
 
 
 struct ReceiverChain {
-    Curve25519PublicKey ratchet_key;
+    _olm_curve25519_public_key ratchet_key;
     ChainKey chain_key;
 };
 
 
 struct SkippedMessageKey {
-    Curve25519PublicKey ratchet_key;
+    _olm_curve25519_public_key ratchet_key;
     MessageKey message_key;
 };
 
@@ -70,20 +76,20 @@ struct Ratchet {
 
     Ratchet(
         KdfInfo const & kdf_info,
-        Cipher const & ratchet_cipher
+        _olm_cipher const *ratchet_cipher
     );
 
     /** A some strings identifying the application to feed into the KDF. */
     KdfInfo const & kdf_info;
 
     /** The AEAD cipher to use for encrypting messages. */
-    Cipher const & ratchet_cipher;
+    _olm_cipher const *ratchet_cipher;
 
     /** The last error that happened encrypting or decrypting a message. */
-    ErrorCode last_error;
+    OlmErrorCode last_error;
 
     /** The root key is used to generate chain keys from the ephemeral keys.
-     * A new root_key derived each time a chain key is derived. */
+     * A new root_key derived each time a new chain is started. */
     SharedKey root_key;
 
     /** The sender chain is used to send messages. Each time a new ephemeral
@@ -104,14 +110,14 @@ struct Ratchet {
      * remote's first ratchet key */
     void initialise_as_bob(
         std::uint8_t const * shared_secret, std::size_t shared_secret_length,
-        Curve25519PublicKey const & their_ratchet_key
+        _olm_curve25519_public_key const & their_ratchet_key
     );
 
     /** Initialise the session using a shared secret and the public/private key
      * pair for the first ratchet key */
     void initialise_as_alice(
         std::uint8_t const * shared_secret, std::size_t shared_secret_length,
-        Curve25519KeyPair const & our_ratchet_key
+        _olm_curve25519_key_pair const & our_ratchet_key
     );
 
     /** The number of bytes of output the encrypt method will write for
@@ -170,7 +176,8 @@ std::uint8_t * pickle(
 
 std::uint8_t const * unpickle(
     std::uint8_t const * pos, std::uint8_t const * end,
-    Ratchet & value
+    Ratchet & value,
+    bool includes_chain_index
 );
 
 
diff --git a/include/olm/session.hh b/include/olm/session.hh
index b21b0aa..9d44816 100644
--- a/include/olm/session.hh
+++ b/include/olm/session.hh
@@ -19,7 +19,7 @@
 
 namespace olm {
 
-class Account;
+struct Account;
 
 enum struct MessageType {
     PRE_KEY = 0,
@@ -31,13 +31,13 @@ struct Session {
     Session();
 
     Ratchet ratchet;
-    ErrorCode last_error;
+    OlmErrorCode last_error;
 
     bool received_message;
 
-    Curve25519PublicKey alice_identity_key;
-    Curve25519PublicKey alice_base_key;
-    Curve25519PublicKey bob_one_time_key;
+    _olm_curve25519_public_key alice_identity_key;
+    _olm_curve25519_public_key alice_base_key;
+    _olm_curve25519_public_key bob_one_time_key;
 
     /** The number of random bytes that are needed to create a new outbound
      * session. This will be 64 bytes since two ephemeral keys are needed. */
@@ -48,8 +48,8 @@ struct Session {
      * NOT_ENOUGH_RANDOM if the number of random bytes was too small. */
     std::size_t new_outbound_session(
         Account const & local_account,
-        Curve25519PublicKey const & identity_key,
-        Curve25519PublicKey const & one_time_key,
+        _olm_curve25519_public_key const & identity_key,
+        _olm_curve25519_public_key const & one_time_key,
         std::uint8_t const * random, std::size_t random_length
     );
 
@@ -59,7 +59,7 @@ struct Session {
      * the message headers could not be decoded. */
     std::size_t new_inbound_session(
         Account & local_account,
-        Curve25519PublicKey const * their_identity_key,
+        _olm_curve25519_public_key const * their_identity_key,
         std::uint8_t const * pre_key_message, std::size_t message_length
     );
 
@@ -82,7 +82,7 @@ struct Session {
      * session does not match or the pre-key message could not be decoded.
      */
     bool matches_inbound_session(
-        Curve25519PublicKey const * their_identity_key,
+        _olm_curve25519_public_key const * their_identity_key,
         std::uint8_t const * pre_key_message, std::size_t message_length
     );
 
diff --git a/include/olm/utility.hh b/include/olm/utility.hh
index 5329a59..d650abc 100644
--- a/include/olm/utility.hh
+++ b/include/olm/utility.hh
@@ -16,20 +16,20 @@
 #ifndef UTILITY_HH_
 #define UTILITY_HH_
 
-#include "olm/error.hh"
+#include "olm/error.h"
 
 #include <cstddef>
 #include <cstdint>
 
-namespace olm {
+struct _olm_ed25519_public_key;
 
-class Ed25519PublicKey;
+namespace olm {
 
 struct Utility {
 
     Utility();
 
-    ErrorCode last_error;
+    OlmErrorCode last_error;
 
     /** The length of a SHA-256 hash in bytes. */
     std::size_t sha256_length();
@@ -48,7 +48,7 @@ struct Utility {
      * last_error will be set with an error code. If the signature was too short
      * or was not a valid signature then last_error will be BAD_MESSAGE_MAC. */
     std::size_t ed25519_verify(
-        Ed25519PublicKey const & key,
+        _olm_ed25519_public_key const & key,
         std::uint8_t const * message, std::size_t message_length,
         std::uint8_t const * signature, std::size_t signature_length
     );