1package eu.siacs.conversations.crypto.axolotl;
2
3import android.os.Bundle;
4import android.security.KeyChain;
5import android.support.annotation.NonNull;
6import android.support.annotation.Nullable;
7import android.util.Log;
8import android.util.Pair;
9
10import org.bouncycastle.jce.provider.BouncyCastleProvider;
11import org.whispersystems.libsignal.SignalProtocolAddress;
12import org.whispersystems.libsignal.IdentityKey;
13import org.whispersystems.libsignal.IdentityKeyPair;
14import org.whispersystems.libsignal.InvalidKeyException;
15import org.whispersystems.libsignal.InvalidKeyIdException;
16import org.whispersystems.libsignal.SessionBuilder;
17import org.whispersystems.libsignal.UntrustedIdentityException;
18import org.whispersystems.libsignal.ecc.ECPublicKey;
19import org.whispersystems.libsignal.state.PreKeyBundle;
20import org.whispersystems.libsignal.state.PreKeyRecord;
21import org.whispersystems.libsignal.state.SignedPreKeyRecord;
22import org.whispersystems.libsignal.util.KeyHelper;
23
24import java.security.PrivateKey;
25import java.security.Security;
26import java.security.Signature;
27import java.security.cert.X509Certificate;
28import java.util.ArrayList;
29import java.util.Arrays;
30import java.util.Collection;
31import java.util.Collections;
32import java.util.HashMap;
33import java.util.HashSet;
34import java.util.Iterator;
35import java.util.List;
36import java.util.Map;
37import java.util.Random;
38import java.util.Set;
39import java.util.concurrent.atomic.AtomicBoolean;
40
41import eu.siacs.conversations.Config;
42import eu.siacs.conversations.entities.Account;
43import eu.siacs.conversations.entities.Contact;
44import eu.siacs.conversations.entities.Conversation;
45import eu.siacs.conversations.entities.Message;
46import eu.siacs.conversations.parser.IqParser;
47import eu.siacs.conversations.services.XmppConnectionService;
48import eu.siacs.conversations.utils.CryptoHelper;
49import eu.siacs.conversations.utils.SerialSingleThreadExecutor;
50import eu.siacs.conversations.xml.Element;
51import eu.siacs.conversations.xmpp.OnAdvancedStreamFeaturesLoaded;
52import eu.siacs.conversations.xmpp.OnIqPacketReceived;
53import eu.siacs.conversations.xmpp.jid.InvalidJidException;
54import eu.siacs.conversations.xmpp.jid.Jid;
55import eu.siacs.conversations.xmpp.pep.PublishOptions;
56import eu.siacs.conversations.xmpp.stanzas.IqPacket;
57
58public class AxolotlService implements OnAdvancedStreamFeaturesLoaded {
59
60 public static final String PEP_PREFIX = "eu.siacs.conversations.axolotl";
61 public static final String PEP_DEVICE_LIST = PEP_PREFIX + ".devicelist";
62 public static final String PEP_DEVICE_LIST_NOTIFY = PEP_DEVICE_LIST + "+notify";
63 public static final String PEP_BUNDLES = PEP_PREFIX + ".bundles";
64 public static final String PEP_VERIFICATION = PEP_PREFIX + ".verification";
65
66 public static final String LOGPREFIX = "AxolotlService";
67
68 public static final int NUM_KEYS_TO_PUBLISH = 100;
69 public static final int publishTriesThreshold = 3;
70
71 private final Account account;
72 private final XmppConnectionService mXmppConnectionService;
73 private final SQLiteAxolotlStore axolotlStore;
74 private final SessionMap sessions;
75 private final Map<Jid, Set<Integer>> deviceIds;
76 private final Map<String, XmppAxolotlMessage> messageCache;
77 private final FetchStatusMap fetchStatusMap;
78 private final HashMap<Jid,List<OnDeviceIdsFetched>> fetchDeviceIdsMap = new HashMap<>();
79 private final SerialSingleThreadExecutor executor;
80 private int numPublishTriesOnEmptyPep = 0;
81 private boolean pepBroken = false;
82
83 private AtomicBoolean ownPushPending = new AtomicBoolean(false);
84
85 @Override
86 public void onAdvancedStreamFeaturesAvailable(Account account) {
87 if (Config.supportOmemo()
88 && account.getXmppConnection() != null
89 && account.getXmppConnection().getFeatures().pep()) {
90 publishBundlesIfNeeded(true, false);
91 } else {
92 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": skipping OMEMO initialization");
93 }
94 }
95
96 public boolean fetchMapHasErrors(List<Jid> jids) {
97 for(Jid jid : jids) {
98 if (deviceIds.get(jid) != null) {
99 for (Integer foreignId : this.deviceIds.get(jid)) {
100 SignalProtocolAddress address = new SignalProtocolAddress(jid.toPreppedString(), foreignId);
101 if (fetchStatusMap.getAll(address.getName()).containsValue(FetchStatus.ERROR)) {
102 return true;
103 }
104 }
105 }
106 }
107 return false;
108 }
109
110 public void preVerifyFingerprint(Contact contact, String fingerprint) {
111 axolotlStore.preVerifyFingerprint(contact.getAccount(), contact.getJid().toBareJid().toPreppedString(), fingerprint);
112 }
113
114 public void preVerifyFingerprint(Account account, String fingerprint) {
115 axolotlStore.preVerifyFingerprint(account, account.getJid().toBareJid().toPreppedString(), fingerprint);
116 }
117
118 public boolean hasVerifiedKeys(String name) {
119 for(XmppAxolotlSession session : this.sessions.getAll(name).values()) {
120 if (session.getTrust().isVerified()) {
121 return true;
122 }
123 }
124 return false;
125 }
126
127 private static class AxolotlAddressMap<T> {
128 protected Map<String, Map<Integer, T>> map;
129 protected final Object MAP_LOCK = new Object();
130
131 public AxolotlAddressMap() {
132 this.map = new HashMap<>();
133 }
134
135 public void put(SignalProtocolAddress address, T value) {
136 synchronized (MAP_LOCK) {
137 Map<Integer, T> devices = map.get(address.getName());
138 if (devices == null) {
139 devices = new HashMap<>();
140 map.put(address.getName(), devices);
141 }
142 devices.put(address.getDeviceId(), value);
143 }
144 }
145
146 public T get(SignalProtocolAddress address) {
147 synchronized (MAP_LOCK) {
148 Map<Integer, T> devices = map.get(address.getName());
149 if (devices == null) {
150 return null;
151 }
152 return devices.get(address.getDeviceId());
153 }
154 }
155
156 public Map<Integer, T> getAll(String name) {
157 synchronized (MAP_LOCK) {
158 Map<Integer, T> devices = map.get(name);
159 if (devices == null) {
160 return new HashMap<>();
161 }
162 return devices;
163 }
164 }
165
166 public boolean hasAny(SignalProtocolAddress address) {
167 synchronized (MAP_LOCK) {
168 Map<Integer, T> devices = map.get(address.getName());
169 return devices != null && !devices.isEmpty();
170 }
171 }
172
173 public void clear() {
174 map.clear();
175 }
176
177 }
178
179 private static class SessionMap extends AxolotlAddressMap<XmppAxolotlSession> {
180 private final XmppConnectionService xmppConnectionService;
181 private final Account account;
182
183 public SessionMap(XmppConnectionService service, SQLiteAxolotlStore store, Account account) {
184 super();
185 this.xmppConnectionService = service;
186 this.account = account;
187 this.fillMap(store);
188 }
189
190 private void putDevicesForJid(String bareJid, List<Integer> deviceIds, SQLiteAxolotlStore store) {
191 for (Integer deviceId : deviceIds) {
192 SignalProtocolAddress axolotlAddress = new SignalProtocolAddress(bareJid, deviceId);
193 IdentityKey identityKey = store.loadSession(axolotlAddress).getSessionState().getRemoteIdentityKey();
194 if(Config.X509_VERIFICATION) {
195 X509Certificate certificate = store.getFingerprintCertificate(CryptoHelper.bytesToHex(identityKey.getPublicKey().serialize()));
196 if (certificate != null) {
197 Bundle information = CryptoHelper.extractCertificateInformation(certificate);
198 try {
199 final String cn = information.getString("subject_cn");
200 final Jid jid = Jid.fromString(bareJid);
201 Log.d(Config.LOGTAG,"setting common name for "+jid+" to "+cn);
202 account.getRoster().getContact(jid).setCommonName(cn);
203 } catch (final InvalidJidException ignored) {
204 //ignored
205 }
206 }
207 }
208 this.put(axolotlAddress, new XmppAxolotlSession(account, store, axolotlAddress, identityKey));
209 }
210 }
211
212 private void fillMap(SQLiteAxolotlStore store) {
213 List<Integer> deviceIds = store.getSubDeviceSessions(account.getJid().toBareJid().toPreppedString());
214 putDevicesForJid(account.getJid().toBareJid().toPreppedString(), deviceIds, store);
215 for (String address : store.getKnownAddresses()) {
216 deviceIds = store.getSubDeviceSessions(address);
217 Log.d(Config.LOGTAG,account.getJid().toBareJid()+" adding device ids for "+address+" "+deviceIds);
218 putDevicesForJid(address, deviceIds, store);
219 }
220
221 }
222
223 @Override
224 public void put(SignalProtocolAddress address, XmppAxolotlSession value) {
225 super.put(address, value);
226 value.setNotFresh();
227 xmppConnectionService.syncRosterToDisk(account); //TODO why?
228 }
229
230 public void put(XmppAxolotlSession session) {
231 this.put(session.getRemoteAddress(), session);
232 }
233 }
234
235 public enum FetchStatus {
236 PENDING,
237 SUCCESS,
238 SUCCESS_VERIFIED,
239 TIMEOUT,
240 SUCCESS_TRUSTED,
241 ERROR
242 }
243
244 private static class FetchStatusMap extends AxolotlAddressMap<FetchStatus> {
245
246 public void clearErrorFor(Jid jid) {
247 synchronized (MAP_LOCK) {
248 Map<Integer, FetchStatus> devices = this.map.get(jid.toBareJid().toPreppedString());
249 if (devices == null) {
250 return;
251 }
252 for(Map.Entry<Integer, FetchStatus> entry : devices.entrySet()) {
253 if (entry.getValue() == FetchStatus.ERROR) {
254 Log.d(Config.LOGTAG,"resetting error for "+jid.toBareJid()+"("+entry.getKey()+")");
255 entry.setValue(FetchStatus.TIMEOUT);
256 }
257 }
258 }
259 }
260 }
261
262 public static String getLogprefix(Account account) {
263 return LOGPREFIX + " (" + account.getJid().toBareJid().toString() + "): ";
264 }
265
266 public AxolotlService(Account account, XmppConnectionService connectionService) {
267 if (Security.getProvider("BC") == null) {
268 Security.addProvider(new BouncyCastleProvider());
269 }
270 this.mXmppConnectionService = connectionService;
271 this.account = account;
272 this.axolotlStore = new SQLiteAxolotlStore(this.account, this.mXmppConnectionService);
273 this.deviceIds = new HashMap<>();
274 this.messageCache = new HashMap<>();
275 this.sessions = new SessionMap(mXmppConnectionService, axolotlStore, account);
276 this.fetchStatusMap = new FetchStatusMap();
277 this.executor = new SerialSingleThreadExecutor();
278 }
279
280 public String getOwnFingerprint() {
281 return CryptoHelper.bytesToHex(axolotlStore.getIdentityKeyPair().getPublicKey().serialize());
282 }
283
284 public Set<IdentityKey> getKeysWithTrust(FingerprintStatus status) {
285 return axolotlStore.getContactKeysWithTrust(account.getJid().toBareJid().toPreppedString(), status);
286 }
287
288 public Set<IdentityKey> getKeysWithTrust(FingerprintStatus status, Jid jid) {
289 return axolotlStore.getContactKeysWithTrust(jid.toBareJid().toPreppedString(), status);
290 }
291
292 public Set<IdentityKey> getKeysWithTrust(FingerprintStatus status, List<Jid> jids) {
293 Set<IdentityKey> keys = new HashSet<>();
294 for(Jid jid : jids) {
295 keys.addAll(axolotlStore.getContactKeysWithTrust(jid.toPreppedString(), status));
296 }
297 return keys;
298 }
299
300 public long getNumTrustedKeys(Jid jid) {
301 return axolotlStore.getContactNumTrustedKeys(jid.toBareJid().toPreppedString());
302 }
303
304 public boolean anyTargetHasNoTrustedKeys(List<Jid> jids) {
305 for(Jid jid : jids) {
306 if (axolotlStore.getContactNumTrustedKeys(jid.toBareJid().toPreppedString()) == 0) {
307 return true;
308 }
309 }
310 return false;
311 }
312
313 private SignalProtocolAddress getAddressForJid(Jid jid) {
314 return new SignalProtocolAddress(jid.toPreppedString(), 0);
315 }
316
317 public Collection<XmppAxolotlSession> findOwnSessions() {
318 SignalProtocolAddress ownAddress = getAddressForJid(account.getJid().toBareJid());
319 ArrayList<XmppAxolotlSession> s = new ArrayList<>(this.sessions.getAll(ownAddress.getName()).values());
320 Collections.sort(s);
321 return s;
322 }
323
324
325
326 public Collection<XmppAxolotlSession> findSessionsForContact(Contact contact) {
327 SignalProtocolAddress contactAddress = getAddressForJid(contact.getJid());
328 ArrayList<XmppAxolotlSession> s = new ArrayList<>(this.sessions.getAll(contactAddress.getName()).values());
329 Collections.sort(s);
330 return s;
331 }
332
333 private Set<XmppAxolotlSession> findSessionsForConversation(Conversation conversation) {
334 HashSet<XmppAxolotlSession> sessions = new HashSet<>();
335 for(Jid jid : conversation.getAcceptedCryptoTargets()) {
336 sessions.addAll(this.sessions.getAll(getAddressForJid(jid).getName()).values());
337 }
338 return sessions;
339 }
340
341 private boolean hasAny(Jid jid) {
342 return sessions.hasAny(getAddressForJid(jid));
343 }
344
345 public boolean isPepBroken() {
346 return this.pepBroken;
347 }
348
349 public void resetBrokenness() {
350 this.pepBroken = false;
351 numPublishTriesOnEmptyPep = 0;
352 }
353
354 public void clearErrorsInFetchStatusMap(Jid jid) {
355 fetchStatusMap.clearErrorFor(jid);
356 }
357
358 public void regenerateKeys(boolean wipeOther) {
359 axolotlStore.regenerate();
360 sessions.clear();
361 fetchStatusMap.clear();
362 fetchDeviceIdsMap.clear();
363 publishBundlesIfNeeded(true, wipeOther);
364 }
365
366 public int getOwnDeviceId() {
367 return axolotlStore.getLocalRegistrationId();
368 }
369
370 public SignalProtocolAddress getOwnAxolotlAddress() {
371 return new SignalProtocolAddress(account.getJid().toBareJid().toPreppedString(),getOwnDeviceId());
372 }
373
374 public Set<Integer> getOwnDeviceIds() {
375 return this.deviceIds.get(account.getJid().toBareJid());
376 }
377
378 public void registerDevices(final Jid jid, @NonNull final Set<Integer> deviceIds) {
379 boolean me = jid.toBareJid().equals(account.getJid().toBareJid());
380 if (me && ownPushPending.getAndSet(false)) {
381 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": ignoring own device update because of pending push");
382 return;
383 }
384 boolean needsPublishing = me && !deviceIds.contains(getOwnDeviceId());
385 if (me) {
386 deviceIds.remove(getOwnDeviceId());
387 }
388 Set<Integer> expiredDevices = new HashSet<>(axolotlStore.getSubDeviceSessions(jid.toBareJid().toPreppedString()));
389 expiredDevices.removeAll(deviceIds);
390 for (Integer deviceId : expiredDevices) {
391 SignalProtocolAddress address = new SignalProtocolAddress(jid.toBareJid().toPreppedString(), deviceId);
392 XmppAxolotlSession session = sessions.get(address);
393 if (session != null && session.getFingerprint() != null) {
394 if (session.getTrust().isActive()) {
395 session.setTrust(session.getTrust().toInactive());
396 }
397 }
398 }
399 Set<Integer> newDevices = new HashSet<>(deviceIds);
400 for (Integer deviceId : newDevices) {
401 SignalProtocolAddress address = new SignalProtocolAddress(jid.toBareJid().toPreppedString(), deviceId);
402 XmppAxolotlSession session = sessions.get(address);
403 if (session != null && session.getFingerprint() != null) {
404 if (!session.getTrust().isActive()) {
405 Log.d(Config.LOGTAG,"reactivating device with fingerprint "+session.getFingerprint());
406 session.setTrust(session.getTrust().toActive());
407 }
408 }
409 }
410 if (me) {
411 if (Config.OMEMO_AUTO_EXPIRY != 0) {
412 needsPublishing |= deviceIds.removeAll(getExpiredDevices());
413 }
414 for (Integer deviceId : deviceIds) {
415 SignalProtocolAddress ownDeviceAddress = new SignalProtocolAddress(jid.toBareJid().toPreppedString(), deviceId);
416 if (sessions.get(ownDeviceAddress) == null) {
417 FetchStatus status = fetchStatusMap.get(ownDeviceAddress);
418 if (status == null || status == FetchStatus.TIMEOUT) {
419 fetchStatusMap.put(ownDeviceAddress, FetchStatus.PENDING);
420 this.buildSessionFromPEP(ownDeviceAddress);
421 }
422 }
423 }
424 if (needsPublishing) {
425 publishOwnDeviceId(deviceIds);
426 }
427 }
428 this.deviceIds.put(jid, deviceIds);
429 mXmppConnectionService.updateConversationUi(); //update the lock icon
430 mXmppConnectionService.keyStatusUpdated(null);
431 }
432
433 public void wipeOtherPepDevices() {
434 if (pepBroken) {
435 Log.d(Config.LOGTAG, getLogprefix(account) + "wipeOtherPepDevices called, but PEP is broken. Ignoring... ");
436 return;
437 }
438 Set<Integer> deviceIds = new HashSet<>();
439 deviceIds.add(getOwnDeviceId());
440 IqPacket publish = mXmppConnectionService.getIqGenerator().publishDeviceIds(deviceIds);
441 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Wiping all other devices from Pep:" + publish);
442 mXmppConnectionService.sendIqPacket(account, publish, new OnIqPacketReceived() {
443 @Override
444 public void onIqPacketReceived(Account account, IqPacket packet) {
445 if (packet.getType() == IqPacket.TYPE.RESULT) {
446 mXmppConnectionService.pushNodeConfiguration(account, AxolotlService.PEP_DEVICE_LIST, PublishOptions.openAccess(), null);
447 }
448 }
449 });
450 }
451
452 public void distrustFingerprint(final String fingerprint) {
453 final String fp = fingerprint.replaceAll("\\s", "");
454 final FingerprintStatus fingerprintStatus = axolotlStore.getFingerprintStatus(fp);
455 axolotlStore.setFingerprintStatus(fp,fingerprintStatus.toUntrusted());
456 }
457
458 public void publishOwnDeviceIdIfNeeded() {
459 if (pepBroken) {
460 Log.d(Config.LOGTAG, getLogprefix(account) + "publishOwnDeviceIdIfNeeded called, but PEP is broken. Ignoring... ");
461 return;
462 }
463 IqPacket packet = mXmppConnectionService.getIqGenerator().retrieveDeviceIds(account.getJid().toBareJid());
464 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
465 @Override
466 public void onIqPacketReceived(Account account, IqPacket packet) {
467 if (packet.getType() == IqPacket.TYPE.TIMEOUT) {
468 Log.d(Config.LOGTAG, getLogprefix(account) + "Timeout received while retrieving own Device Ids.");
469 } else {
470 Element item = mXmppConnectionService.getIqParser().getItem(packet);
471 Set<Integer> deviceIds = mXmppConnectionService.getIqParser().deviceIds(item);
472 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": retrieved own device list: "+deviceIds);
473 registerDevices(account.getJid().toBareJid(),deviceIds);
474 }
475 }
476 });
477 }
478
479 private Set<Integer> getExpiredDevices() {
480 Set<Integer> devices = new HashSet<>();
481 for(XmppAxolotlSession session : findOwnSessions()) {
482 if (session.getTrust().isActive()) {
483 long diff = System.currentTimeMillis() - session.getTrust().getLastActivation();
484 if (diff > Config.OMEMO_AUTO_EXPIRY) {
485 long lastMessageDiff = System.currentTimeMillis() - mXmppConnectionService.databaseBackend.getLastTimeFingerprintUsed(account,session.getFingerprint());
486 long hours = Math.round(lastMessageDiff/(1000*60.0*60.0));
487 if (lastMessageDiff > Config.OMEMO_AUTO_EXPIRY) {
488 devices.add(session.getRemoteAddress().getDeviceId());
489 session.setTrust(session.getTrust().toInactive());
490 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": added own device " + session.getFingerprint() + " to list of expired devices. Last message received "+hours+" hours ago");
491 } else {
492 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": own device "+session.getFingerprint()+" was active "+hours+" hours ago");
493 }
494 }
495 }
496 }
497 return devices;
498 }
499
500 public void publishOwnDeviceId(Set<Integer> deviceIds) {
501 Set<Integer> deviceIdsCopy = new HashSet<>(deviceIds);
502 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "publishing own device ids");
503 if (deviceIdsCopy.isEmpty()) {
504 if (numPublishTriesOnEmptyPep >= publishTriesThreshold) {
505 Log.w(Config.LOGTAG, getLogprefix(account) + "Own device publish attempt threshold exceeded, aborting...");
506 pepBroken = true;
507 return;
508 } else {
509 numPublishTriesOnEmptyPep++;
510 Log.w(Config.LOGTAG, getLogprefix(account) + "Own device list empty, attempting to publish (try " + numPublishTriesOnEmptyPep + ")");
511 }
512 } else {
513 numPublishTriesOnEmptyPep = 0;
514 }
515 deviceIdsCopy.add(getOwnDeviceId());
516 IqPacket publish = mXmppConnectionService.getIqGenerator().publishDeviceIds(deviceIdsCopy);
517 ownPushPending.set(true);
518 mXmppConnectionService.sendIqPacket(account, publish, new OnIqPacketReceived() {
519 @Override
520 public void onIqPacketReceived(Account account, IqPacket packet) {
521 ownPushPending.set(false);
522 if (packet.getType() == IqPacket.TYPE.ERROR) {
523 pepBroken = true;
524 Log.d(Config.LOGTAG, getLogprefix(account) + "Error received while publishing own device id" + packet.findChild("error"));
525 } else if (packet.getType() != IqPacket.TYPE.TIMEOUT) {
526 mXmppConnectionService.pushNodeConfiguration(account, AxolotlService.PEP_DEVICE_LIST, PublishOptions.openAccess(), null);
527 }
528 }
529 });
530 }
531
532 public void publishDeviceVerificationAndBundle(final SignedPreKeyRecord signedPreKeyRecord,
533 final Set<PreKeyRecord> preKeyRecords,
534 final boolean announceAfter,
535 final boolean wipe) {
536 try {
537 IdentityKey axolotlPublicKey = axolotlStore.getIdentityKeyPair().getPublicKey();
538 PrivateKey x509PrivateKey = KeyChain.getPrivateKey(mXmppConnectionService, account.getPrivateKeyAlias());
539 X509Certificate[] chain = KeyChain.getCertificateChain(mXmppConnectionService, account.getPrivateKeyAlias());
540 Signature verifier = Signature.getInstance("sha256WithRSA");
541 verifier.initSign(x509PrivateKey,mXmppConnectionService.getRNG());
542 verifier.update(axolotlPublicKey.serialize());
543 byte[] signature = verifier.sign();
544 IqPacket packet = mXmppConnectionService.getIqGenerator().publishVerification(signature, chain, getOwnDeviceId());
545 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + ": publish verification for device "+getOwnDeviceId());
546 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
547 @Override
548 public void onIqPacketReceived(final Account account, IqPacket packet) {
549 String node = AxolotlService.PEP_VERIFICATION+":"+getOwnDeviceId();
550 mXmppConnectionService.pushNodeConfiguration(account, node, PublishOptions.openAccess(), new XmppConnectionService.OnConfigurationPushed() {
551 @Override
552 public void onPushSucceeded() {
553 Log.d(Config.LOGTAG,getLogprefix(account) + "configured verification node to be world readable");
554 publishDeviceBundle(signedPreKeyRecord, preKeyRecords, announceAfter, wipe);
555 }
556
557 @Override
558 public void onPushFailed() {
559 Log.d(Config.LOGTAG,getLogprefix(account) + "unable to set access model on verification node");
560 publishDeviceBundle(signedPreKeyRecord, preKeyRecords, announceAfter, wipe);
561 }
562 });
563 }
564 });
565 } catch (Exception e) {
566 e.printStackTrace();
567 }
568 }
569
570 public void publishBundlesIfNeeded(final boolean announce, final boolean wipe) {
571 if (pepBroken) {
572 Log.d(Config.LOGTAG, getLogprefix(account) + "publishBundlesIfNeeded called, but PEP is broken. Ignoring... ");
573 return;
574 }
575 IqPacket packet = mXmppConnectionService.getIqGenerator().retrieveBundlesForDevice(account.getJid().toBareJid(), getOwnDeviceId());
576 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
577 @Override
578 public void onIqPacketReceived(Account account, IqPacket packet) {
579
580 if (packet.getType() == IqPacket.TYPE.TIMEOUT) {
581 return; //ignore timeout. do nothing
582 }
583
584 if (packet.getType() == IqPacket.TYPE.ERROR) {
585 Element error = packet.findChild("error");
586 if (error == null || !error.hasChild("item-not-found")) {
587 pepBroken = true;
588 Log.w(Config.LOGTAG, AxolotlService.getLogprefix(account) + "request for device bundles came back with something other than item-not-found" + packet);
589 return;
590 }
591 }
592
593 PreKeyBundle bundle = mXmppConnectionService.getIqParser().bundle(packet);
594 Map<Integer, ECPublicKey> keys = mXmppConnectionService.getIqParser().preKeyPublics(packet);
595 boolean flush = false;
596 if (bundle == null) {
597 Log.w(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Received invalid bundle:" + packet);
598 bundle = new PreKeyBundle(-1, -1, -1, null, -1, null, null, null);
599 flush = true;
600 }
601 if (keys == null) {
602 Log.w(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Received invalid prekeys:" + packet);
603 }
604 try {
605 boolean changed = false;
606 // Validate IdentityKey
607 IdentityKeyPair identityKeyPair = axolotlStore.getIdentityKeyPair();
608 if (flush || !identityKeyPair.getPublicKey().equals(bundle.getIdentityKey())) {
609 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Adding own IdentityKey " + identityKeyPair.getPublicKey() + " to PEP.");
610 changed = true;
611 }
612
613 // Validate signedPreKeyRecord + ID
614 SignedPreKeyRecord signedPreKeyRecord;
615 int numSignedPreKeys = axolotlStore.getSignedPreKeysCount();
616 try {
617 signedPreKeyRecord = axolotlStore.loadSignedPreKey(bundle.getSignedPreKeyId());
618 if (flush
619 || !bundle.getSignedPreKey().equals(signedPreKeyRecord.getKeyPair().getPublicKey())
620 || !Arrays.equals(bundle.getSignedPreKeySignature(), signedPreKeyRecord.getSignature())) {
621 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Adding new signedPreKey with ID " + (numSignedPreKeys + 1) + " to PEP.");
622 signedPreKeyRecord = KeyHelper.generateSignedPreKey(identityKeyPair, numSignedPreKeys + 1);
623 axolotlStore.storeSignedPreKey(signedPreKeyRecord.getId(), signedPreKeyRecord);
624 changed = true;
625 }
626 } catch (InvalidKeyIdException e) {
627 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Adding new signedPreKey with ID " + (numSignedPreKeys + 1) + " to PEP.");
628 signedPreKeyRecord = KeyHelper.generateSignedPreKey(identityKeyPair, numSignedPreKeys + 1);
629 axolotlStore.storeSignedPreKey(signedPreKeyRecord.getId(), signedPreKeyRecord);
630 changed = true;
631 }
632
633 // Validate PreKeys
634 Set<PreKeyRecord> preKeyRecords = new HashSet<>();
635 if (keys != null) {
636 for (Integer id : keys.keySet()) {
637 try {
638 PreKeyRecord preKeyRecord = axolotlStore.loadPreKey(id);
639 if (preKeyRecord.getKeyPair().getPublicKey().equals(keys.get(id))) {
640 preKeyRecords.add(preKeyRecord);
641 }
642 } catch (InvalidKeyIdException ignored) {
643 }
644 }
645 }
646 int newKeys = NUM_KEYS_TO_PUBLISH - preKeyRecords.size();
647 if (newKeys > 0) {
648 List<PreKeyRecord> newRecords = KeyHelper.generatePreKeys(
649 axolotlStore.getCurrentPreKeyId() + 1, newKeys);
650 preKeyRecords.addAll(newRecords);
651 for (PreKeyRecord record : newRecords) {
652 axolotlStore.storePreKey(record.getId(), record);
653 }
654 changed = true;
655 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Adding " + newKeys + " new preKeys to PEP.");
656 }
657
658
659 if (changed) {
660 if (account.getPrivateKeyAlias() != null && Config.X509_VERIFICATION) {
661 mXmppConnectionService.publishDisplayName(account);
662 publishDeviceVerificationAndBundle(signedPreKeyRecord, preKeyRecords, announce, wipe);
663 } else {
664 publishDeviceBundle(signedPreKeyRecord, preKeyRecords, announce, wipe);
665 }
666 } else {
667 Log.d(Config.LOGTAG, getLogprefix(account) + "Bundle " + getOwnDeviceId() + " in PEP was current");
668 if (wipe) {
669 wipeOtherPepDevices();
670 } else if (announce) {
671 Log.d(Config.LOGTAG, getLogprefix(account) + "Announcing device " + getOwnDeviceId());
672 publishOwnDeviceIdIfNeeded();
673 }
674 }
675 } catch (InvalidKeyException e) {
676 Log.e(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Failed to publish bundle " + getOwnDeviceId() + ", reason: " + e.getMessage());
677 }
678 }
679 });
680 }
681
682 private void publishDeviceBundle(SignedPreKeyRecord signedPreKeyRecord,
683 Set<PreKeyRecord> preKeyRecords,
684 final boolean announceAfter,
685 final boolean wipe) {
686 IqPacket publish = mXmppConnectionService.getIqGenerator().publishBundles(
687 signedPreKeyRecord, axolotlStore.getIdentityKeyPair().getPublicKey(),
688 preKeyRecords, getOwnDeviceId());
689 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + ": Bundle " + getOwnDeviceId() + " in PEP not current. Publishing...");
690 mXmppConnectionService.sendIqPacket(account, publish, new OnIqPacketReceived() {
691 @Override
692 public void onIqPacketReceived(final Account account, IqPacket packet) {
693 if (packet.getType() == IqPacket.TYPE.RESULT) {
694 final String node = AxolotlService.PEP_BUNDLES + ":" + getOwnDeviceId();
695 mXmppConnectionService.pushNodeConfiguration(account, node, PublishOptions.openAccess(), new XmppConnectionService.OnConfigurationPushed() {
696 @Override
697 public void onPushSucceeded() {
698 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Successfully published bundle. ");
699 if (wipe) {
700 wipeOtherPepDevices();
701 } else if (announceAfter) {
702 Log.d(Config.LOGTAG, getLogprefix(account) + "Announcing device " + getOwnDeviceId());
703 publishOwnDeviceIdIfNeeded();
704 }
705 }
706
707 @Override
708 public void onPushFailed() {
709 Log.d(Config.LOGTAG,"unable to change access model for pubsub node");
710 }
711 });
712 } else if (packet.getType() == IqPacket.TYPE.ERROR) {
713 pepBroken = true;
714 Log.d(Config.LOGTAG, getLogprefix(account) + "Error received while publishing bundle: " + packet.findChild("error"));
715 }
716 }
717 });
718 }
719
720 public enum AxolotlCapability {
721 FULL,
722 MISSING_PRESENCE,
723 MISSING_KEYS,
724 WRONG_CONFIGURATION,
725 NO_MEMBERS
726 }
727
728 public boolean isConversationAxolotlCapable(Conversation conversation) {
729 return isConversationAxolotlCapableDetailed(conversation).first == AxolotlCapability.FULL;
730 }
731
732 public Pair<AxolotlCapability,Jid> isConversationAxolotlCapableDetailed(Conversation conversation) {
733 if (conversation.getMode() == Conversation.MODE_SINGLE
734 || (conversation.getMucOptions().membersOnly() && conversation.getMucOptions().nonanonymous())) {
735 final List<Jid> jids = getCryptoTargets(conversation);
736 for(Jid jid : jids) {
737 if (!hasAny(jid) && (!deviceIds.containsKey(jid) || deviceIds.get(jid).isEmpty())) {
738 if (conversation.getAccount().getRoster().getContact(jid).mutualPresenceSubscription()) {
739 return new Pair<>(AxolotlCapability.MISSING_KEYS,jid);
740 } else {
741 return new Pair<>(AxolotlCapability.MISSING_PRESENCE,jid);
742 }
743 }
744 }
745 if (jids.size() > 0) {
746 return new Pair<>(AxolotlCapability.FULL, null);
747 } else {
748 return new Pair<>(AxolotlCapability.NO_MEMBERS, null);
749 }
750 } else {
751 return new Pair<>(AxolotlCapability.WRONG_CONFIGURATION, null);
752 }
753 }
754
755 public List<Jid> getCryptoTargets(Conversation conversation) {
756 final List<Jid> jids;
757 if (conversation.getMode() == Conversation.MODE_SINGLE) {
758 jids = new ArrayList<>();
759 jids.add(conversation.getJid().toBareJid());
760 } else {
761 jids = conversation.getMucOptions().getMembers();
762 }
763 return jids;
764 }
765
766 public FingerprintStatus getFingerprintTrust(String fingerprint) {
767 return axolotlStore.getFingerprintStatus(fingerprint);
768 }
769
770 public X509Certificate getFingerprintCertificate(String fingerprint) {
771 return axolotlStore.getFingerprintCertificate(fingerprint);
772 }
773
774 public void setFingerprintTrust(String fingerprint, FingerprintStatus status) {
775 axolotlStore.setFingerprintStatus(fingerprint, status);
776 }
777
778 private void verifySessionWithPEP(final XmppAxolotlSession session) {
779 Log.d(Config.LOGTAG, "trying to verify fresh session (" + session.getRemoteAddress().getName() + ") with pep");
780 final SignalProtocolAddress address = session.getRemoteAddress();
781 final IdentityKey identityKey = session.getIdentityKey();
782 try {
783 IqPacket packet = mXmppConnectionService.getIqGenerator().retrieveVerificationForDevice(Jid.fromString(address.getName()), address.getDeviceId());
784 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
785 @Override
786 public void onIqPacketReceived(Account account, IqPacket packet) {
787 Pair<X509Certificate[],byte[]> verification = mXmppConnectionService.getIqParser().verification(packet);
788 if (verification != null) {
789 try {
790 Signature verifier = Signature.getInstance("sha256WithRSA");
791 verifier.initVerify(verification.first[0]);
792 verifier.update(identityKey.serialize());
793 if (verifier.verify(verification.second)) {
794 try {
795 mXmppConnectionService.getMemorizingTrustManager().getNonInteractive().checkClientTrusted(verification.first, "RSA");
796 String fingerprint = session.getFingerprint();
797 Log.d(Config.LOGTAG, "verified session with x.509 signature. fingerprint was: "+fingerprint);
798 setFingerprintTrust(fingerprint, FingerprintStatus.createActiveVerified(true));
799 axolotlStore.setFingerprintCertificate(fingerprint, verification.first[0]);
800 fetchStatusMap.put(address, FetchStatus.SUCCESS_VERIFIED);
801 Bundle information = CryptoHelper.extractCertificateInformation(verification.first[0]);
802 try {
803 final String cn = information.getString("subject_cn");
804 final Jid jid = Jid.fromString(address.getName());
805 Log.d(Config.LOGTAG,"setting common name for "+jid+" to "+cn);
806 account.getRoster().getContact(jid).setCommonName(cn);
807 } catch (final InvalidJidException ignored) {
808 //ignored
809 }
810 finishBuildingSessionsFromPEP(address);
811 return;
812 } catch (Exception e) {
813 Log.d(Config.LOGTAG,"could not verify certificate");
814 }
815 }
816 } catch (Exception e) {
817 Log.d(Config.LOGTAG, "error during verification " + e.getMessage());
818 }
819 } else {
820 Log.d(Config.LOGTAG,"no verification found");
821 }
822 fetchStatusMap.put(address, FetchStatus.SUCCESS);
823 finishBuildingSessionsFromPEP(address);
824 }
825 });
826 } catch (InvalidJidException e) {
827 fetchStatusMap.put(address, FetchStatus.SUCCESS);
828 finishBuildingSessionsFromPEP(address);
829 }
830 }
831
832 private final Set<Integer> PREVIOUSLY_REMOVED_FROM_ANNOUNCEMENT = new HashSet<>();
833
834 private void finishBuildingSessionsFromPEP(final SignalProtocolAddress address) {
835 SignalProtocolAddress ownAddress = new SignalProtocolAddress(account.getJid().toBareJid().toPreppedString(), 0);
836 Map<Integer, FetchStatus> own = fetchStatusMap.getAll(ownAddress.getName());
837 Map<Integer, FetchStatus> remote = fetchStatusMap.getAll(address.getName());
838 if (!own.containsValue(FetchStatus.PENDING) && !remote.containsValue(FetchStatus.PENDING)) {
839 FetchStatus report = null;
840 if (own.containsValue(FetchStatus.SUCCESS) || remote.containsValue(FetchStatus.SUCCESS)) {
841 report = FetchStatus.SUCCESS;
842 } else if (own.containsValue(FetchStatus.SUCCESS_VERIFIED) || remote.containsValue(FetchStatus.SUCCESS_VERIFIED)) {
843 report = FetchStatus.SUCCESS_VERIFIED;
844 } else if (own.containsValue(FetchStatus.SUCCESS_TRUSTED) || remote.containsValue(FetchStatus.SUCCESS_TRUSTED)) {
845 report = FetchStatus.SUCCESS_TRUSTED;
846 } else if (own.containsValue(FetchStatus.ERROR) || remote.containsValue(FetchStatus.ERROR)) {
847 report = FetchStatus.ERROR;
848 }
849 mXmppConnectionService.keyStatusUpdated(report);
850 }
851 if (Config.REMOVE_BROKEN_DEVICES) {
852 Set<Integer> ownDeviceIds = new HashSet<>(getOwnDeviceIds());
853 boolean publish = false;
854 for (Map.Entry<Integer, FetchStatus> entry : own.entrySet()) {
855 int id = entry.getKey();
856 if (entry.getValue() == FetchStatus.ERROR && PREVIOUSLY_REMOVED_FROM_ANNOUNCEMENT.add(id) && ownDeviceIds.remove(id)) {
857 publish = true;
858 Log.d(Config.LOGTAG, account.getJid().toBareJid() + ": error fetching own device with id " + id + ". removing from announcement");
859 }
860 }
861 if (publish) {
862 publishOwnDeviceId(ownDeviceIds);
863 }
864 }
865 }
866
867 public boolean hasEmptyDeviceList(Jid jid) {
868 return !hasAny(jid) && (!deviceIds.containsKey(jid) || deviceIds.get(jid).isEmpty());
869 }
870
871 public interface OnDeviceIdsFetched {
872 void fetched(Jid jid, Set<Integer> deviceIds);
873 }
874
875 public interface OnMultipleDeviceIdFetched {
876 void fetched();
877 }
878
879 public void fetchDeviceIds(final Jid jid) {
880 fetchDeviceIds(jid,null);
881 }
882
883 public void fetchDeviceIds(final Jid jid, OnDeviceIdsFetched callback) {
884 synchronized (this.fetchDeviceIdsMap) {
885 List<OnDeviceIdsFetched> callbacks = this.fetchDeviceIdsMap.get(jid);
886 if (callbacks != null) {
887 if (callback != null) {
888 callbacks.add(callback);
889 }
890 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": fetching device ids for "+jid+" already running. adding callback");
891 } else {
892 callbacks = new ArrayList<>();
893 if (callback != null) {
894 callbacks.add(callback);
895 }
896 this.fetchDeviceIdsMap.put(jid,callbacks);
897 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": fetching device ids for " + jid);
898 IqPacket packet = mXmppConnectionService.getIqGenerator().retrieveDeviceIds(jid);
899 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
900 @Override
901 public void onIqPacketReceived(Account account, IqPacket packet) {
902 synchronized (fetchDeviceIdsMap) {
903 List<OnDeviceIdsFetched> callbacks = fetchDeviceIdsMap.remove(jid);
904 if (packet.getType() == IqPacket.TYPE.RESULT) {
905 Element item = mXmppConnectionService.getIqParser().getItem(packet);
906 Set<Integer> deviceIds = mXmppConnectionService.getIqParser().deviceIds(item);
907 registerDevices(jid, deviceIds);
908 if (callbacks != null) {
909 for(OnDeviceIdsFetched callback : callbacks) {
910 callback.fetched(jid, deviceIds);
911 }
912 }
913 } else {
914 Log.d(Config.LOGTAG, packet.toString());
915 if (callbacks != null) {
916 for(OnDeviceIdsFetched callback : callbacks) {
917 callback.fetched(jid, null);
918 }
919 }
920 }
921 }
922 }
923 });
924 }
925 }
926 }
927
928 private void fetchDeviceIds(List<Jid> jids, final OnMultipleDeviceIdFetched callback) {
929 final ArrayList<Jid> unfinishedJids = new ArrayList<>(jids);
930 synchronized (unfinishedJids) {
931 for (Jid jid : unfinishedJids) {
932 fetchDeviceIds(jid, new OnDeviceIdsFetched() {
933 @Override
934 public void fetched(Jid jid, Set<Integer> deviceIds) {
935 synchronized (unfinishedJids) {
936 unfinishedJids.remove(jid);
937 if (unfinishedJids.size() == 0 && callback != null) {
938 callback.fetched();
939 }
940 }
941 }
942 });
943 }
944 }
945 }
946
947 private void buildSessionFromPEP(final SignalProtocolAddress address) {
948 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Building new session for " + address.toString());
949 if (address.equals(getOwnAxolotlAddress())) {
950 throw new AssertionError("We should NEVER build a session with ourselves. What happened here?!");
951 }
952
953 try {
954 IqPacket bundlesPacket = mXmppConnectionService.getIqGenerator().retrieveBundlesForDevice(
955 Jid.fromString(address.getName()), address.getDeviceId());
956 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Retrieving bundle: " + bundlesPacket);
957 mXmppConnectionService.sendIqPacket(account, bundlesPacket, new OnIqPacketReceived() {
958
959 @Override
960 public void onIqPacketReceived(Account account, IqPacket packet) {
961 if (packet.getType() == IqPacket.TYPE.TIMEOUT) {
962 fetchStatusMap.put(address, FetchStatus.TIMEOUT);
963 } else if (packet.getType() == IqPacket.TYPE.RESULT) {
964 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Received preKey IQ packet, processing...");
965 final IqParser parser = mXmppConnectionService.getIqParser();
966 final List<PreKeyBundle> preKeyBundleList = parser.preKeys(packet);
967 final PreKeyBundle bundle = parser.bundle(packet);
968 if (preKeyBundleList.isEmpty() || bundle == null) {
969 Log.e(Config.LOGTAG, AxolotlService.getLogprefix(account) + "preKey IQ packet invalid: " + packet);
970 fetchStatusMap.put(address, FetchStatus.ERROR);
971 finishBuildingSessionsFromPEP(address);
972 return;
973 }
974 Random random = new Random();
975 final PreKeyBundle preKey = preKeyBundleList.get(random.nextInt(preKeyBundleList.size()));
976 if (preKey == null) {
977 //should never happen
978 fetchStatusMap.put(address, FetchStatus.ERROR);
979 finishBuildingSessionsFromPEP(address);
980 return;
981 }
982
983 final PreKeyBundle preKeyBundle = new PreKeyBundle(0, address.getDeviceId(),
984 preKey.getPreKeyId(), preKey.getPreKey(),
985 bundle.getSignedPreKeyId(), bundle.getSignedPreKey(),
986 bundle.getSignedPreKeySignature(), bundle.getIdentityKey());
987
988 try {
989 SessionBuilder builder = new SessionBuilder(axolotlStore, address);
990 builder.process(preKeyBundle);
991 XmppAxolotlSession session = new XmppAxolotlSession(account, axolotlStore, address, bundle.getIdentityKey());
992 sessions.put(address, session);
993 if (Config.X509_VERIFICATION) {
994 verifySessionWithPEP(session);
995 } else {
996 FingerprintStatus status = getFingerprintTrust(CryptoHelper.bytesToHex(bundle.getIdentityKey().getPublicKey().serialize()));
997 FetchStatus fetchStatus;
998 if (status != null && status.isVerified()) {
999 fetchStatus = FetchStatus.SUCCESS_VERIFIED;
1000 } else if (status != null && status.isTrusted()) {
1001 fetchStatus = FetchStatus.SUCCESS_TRUSTED;
1002 } else {
1003 fetchStatus = FetchStatus.SUCCESS;
1004 }
1005 fetchStatusMap.put(address, fetchStatus);
1006 finishBuildingSessionsFromPEP(address);
1007 }
1008 } catch (UntrustedIdentityException | InvalidKeyException e) {
1009 Log.e(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Error building session for " + address + ": "
1010 + e.getClass().getName() + ", " + e.getMessage());
1011 fetchStatusMap.put(address, FetchStatus.ERROR);
1012 finishBuildingSessionsFromPEP(address);
1013 }
1014 } else {
1015 fetchStatusMap.put(address, FetchStatus.ERROR);
1016 Log.d(Config.LOGTAG, getLogprefix(account) + "Error received while building session:" + packet.findChild("error"));
1017 finishBuildingSessionsFromPEP(address);
1018 }
1019 }
1020 });
1021 } catch (InvalidJidException e) {
1022 Log.e(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Got address with invalid jid: " + address.getName());
1023 }
1024 }
1025
1026 public Set<SignalProtocolAddress> findDevicesWithoutSession(final Conversation conversation) {
1027 Set<SignalProtocolAddress> addresses = new HashSet<>();
1028 for(Jid jid : getCryptoTargets(conversation)) {
1029 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Finding devices without session for " + jid);
1030 if (deviceIds.get(jid) != null) {
1031 for (Integer foreignId : this.deviceIds.get(jid)) {
1032 SignalProtocolAddress address = new SignalProtocolAddress(jid.toPreppedString(), foreignId);
1033 if (sessions.get(address) == null) {
1034 IdentityKey identityKey = axolotlStore.loadSession(address).getSessionState().getRemoteIdentityKey();
1035 if (identityKey != null) {
1036 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Already have session for " + address.toString() + ", adding to cache...");
1037 XmppAxolotlSession session = new XmppAxolotlSession(account, axolotlStore, address, identityKey);
1038 sessions.put(address, session);
1039 } else {
1040 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Found device " + jid + ":" + foreignId);
1041 if (fetchStatusMap.get(address) != FetchStatus.ERROR) {
1042 addresses.add(address);
1043 } else {
1044 Log.d(Config.LOGTAG, getLogprefix(account) + "skipping over " + address + " because it's broken");
1045 }
1046 }
1047 }
1048 }
1049 } else {
1050 Log.w(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Have no target devices in PEP!");
1051 }
1052 }
1053 if (deviceIds.get(account.getJid().toBareJid()) != null) {
1054 for (Integer ownId : this.deviceIds.get(account.getJid().toBareJid())) {
1055 SignalProtocolAddress address = new SignalProtocolAddress(account.getJid().toBareJid().toPreppedString(), ownId);
1056 if (sessions.get(address) == null) {
1057 IdentityKey identityKey = axolotlStore.loadSession(address).getSessionState().getRemoteIdentityKey();
1058 if (identityKey != null) {
1059 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Already have session for " + address.toString() + ", adding to cache...");
1060 XmppAxolotlSession session = new XmppAxolotlSession(account, axolotlStore, address, identityKey);
1061 sessions.put(address, session);
1062 } else {
1063 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Found device " + account.getJid().toBareJid() + ":" + ownId);
1064 if (fetchStatusMap.get(address) != FetchStatus.ERROR) {
1065 addresses.add(address);
1066 } else {
1067 Log.d(Config.LOGTAG,getLogprefix(account)+"skipping over "+address+" because it's broken");
1068 }
1069 }
1070 }
1071 }
1072 }
1073
1074 return addresses;
1075 }
1076
1077 public boolean createSessionsIfNeeded(final Conversation conversation) {
1078 final List<Jid> jidsWithEmptyDeviceList = getCryptoTargets(conversation);
1079 for(Iterator<Jid> iterator = jidsWithEmptyDeviceList.iterator(); iterator.hasNext();) {
1080 final Jid jid = iterator.next();
1081 if (!hasEmptyDeviceList(jid)) {
1082 iterator.remove();
1083 }
1084 }
1085 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": createSessionsIfNeeded() - jids with empty device list: "+jidsWithEmptyDeviceList);
1086 if (jidsWithEmptyDeviceList.size() > 0) {
1087 fetchDeviceIds(jidsWithEmptyDeviceList, new OnMultipleDeviceIdFetched() {
1088 @Override
1089 public void fetched() {
1090 createSessionsIfNeededActual(conversation);
1091 }
1092 });
1093 return true;
1094 } else {
1095 return createSessionsIfNeededActual(conversation);
1096 }
1097 }
1098
1099 private boolean createSessionsIfNeededActual(final Conversation conversation) {
1100 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Creating axolotl sessions if needed...");
1101 boolean newSessions = false;
1102 Set<SignalProtocolAddress> addresses = findDevicesWithoutSession(conversation);
1103 for (SignalProtocolAddress address : addresses) {
1104 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Processing device: " + address.toString());
1105 FetchStatus status = fetchStatusMap.get(address);
1106 if (status == null || status == FetchStatus.TIMEOUT) {
1107 fetchStatusMap.put(address, FetchStatus.PENDING);
1108 this.buildSessionFromPEP(address);
1109 newSessions = true;
1110 } else if (status == FetchStatus.PENDING) {
1111 newSessions = true;
1112 } else {
1113 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Already fetching bundle for " + address.toString());
1114 }
1115 }
1116
1117 return newSessions;
1118 }
1119
1120 public boolean trustedSessionVerified(final Conversation conversation) {
1121 Set<XmppAxolotlSession> sessions = findSessionsForConversation(conversation);
1122 sessions.addAll(findOwnSessions());
1123 boolean verified = false;
1124 for(XmppAxolotlSession session : sessions) {
1125 if (session.getTrust().isTrustedAndActive()) {
1126 if (session.getTrust().getTrust() == FingerprintStatus.Trust.VERIFIED_X509) {
1127 verified = true;
1128 } else {
1129 return false;
1130 }
1131 }
1132 }
1133 return verified;
1134 }
1135
1136 public boolean hasPendingKeyFetches(Account account, List<Jid> jids) {
1137 SignalProtocolAddress ownAddress = new SignalProtocolAddress(account.getJid().toBareJid().toPreppedString(), 0);
1138 if (fetchStatusMap.getAll(ownAddress.getName()).containsValue(FetchStatus.PENDING)) {
1139 return true;
1140 }
1141 for(Jid jid : jids) {
1142 SignalProtocolAddress foreignAddress = new SignalProtocolAddress(jid.toBareJid().toPreppedString(), 0);
1143 if (fetchStatusMap.getAll(foreignAddress.getName()).containsValue(FetchStatus.PENDING)) {
1144 return true;
1145 }
1146 }
1147 return false;
1148 }
1149
1150 @Nullable
1151 private boolean buildHeader(XmppAxolotlMessage axolotlMessage, Conversation conversation) {
1152 Set<XmppAxolotlSession> remoteSessions = findSessionsForConversation(conversation);
1153 Collection<XmppAxolotlSession> ownSessions = findOwnSessions();
1154 if (remoteSessions.isEmpty()) {
1155 return false;
1156 }
1157 for (XmppAxolotlSession session : remoteSessions) {
1158 axolotlMessage.addDevice(session);
1159 }
1160 for (XmppAxolotlSession session : ownSessions) {
1161 axolotlMessage.addDevice(session);
1162 }
1163
1164 return true;
1165 }
1166
1167 @Nullable
1168 public XmppAxolotlMessage encrypt(Message message) {
1169 final XmppAxolotlMessage axolotlMessage = new XmppAxolotlMessage(account.getJid().toBareJid(), getOwnDeviceId());
1170 final String content;
1171 if (message.hasFileOnRemoteHost()) {
1172 content = message.getFileParams().url.toString();
1173 } else {
1174 content = message.getBody();
1175 }
1176 try {
1177 axolotlMessage.encrypt(content);
1178 } catch (CryptoFailedException e) {
1179 Log.w(Config.LOGTAG, getLogprefix(account) + "Failed to encrypt message: " + e.getMessage());
1180 return null;
1181 }
1182 if (!buildHeader(axolotlMessage,message.getConversation())) {
1183 return null;
1184 }
1185
1186 return axolotlMessage;
1187 }
1188
1189 public void preparePayloadMessage(final Message message, final boolean delay) {
1190 executor.execute(new Runnable() {
1191 @Override
1192 public void run() {
1193 XmppAxolotlMessage axolotlMessage = encrypt(message);
1194 if (axolotlMessage == null) {
1195 mXmppConnectionService.markMessage(message, Message.STATUS_SEND_FAILED);
1196 //mXmppConnectionService.updateConversationUi();
1197 } else {
1198 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Generated message, caching: " + message.getUuid());
1199 messageCache.put(message.getUuid(), axolotlMessage);
1200 mXmppConnectionService.resendMessage(message, delay);
1201 }
1202 }
1203 });
1204 }
1205
1206 public void prepareKeyTransportMessage(final Conversation conversation, final OnMessageCreatedCallback onMessageCreatedCallback) {
1207 executor.execute(new Runnable() {
1208 @Override
1209 public void run() {
1210 final XmppAxolotlMessage axolotlMessage = new XmppAxolotlMessage(account.getJid().toBareJid(), getOwnDeviceId());
1211 if (buildHeader(axolotlMessage,conversation)) {
1212 onMessageCreatedCallback.run(axolotlMessage);
1213 } else {
1214 onMessageCreatedCallback.run(null);
1215 }
1216 }
1217 });
1218 }
1219
1220 public XmppAxolotlMessage fetchAxolotlMessageFromCache(Message message) {
1221 XmppAxolotlMessage axolotlMessage = messageCache.get(message.getUuid());
1222 if (axolotlMessage != null) {
1223 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Cache hit: " + message.getUuid());
1224 messageCache.remove(message.getUuid());
1225 } else {
1226 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Cache miss: " + message.getUuid());
1227 }
1228 return axolotlMessage;
1229 }
1230
1231 private XmppAxolotlSession recreateUncachedSession(SignalProtocolAddress address) {
1232 IdentityKey identityKey = axolotlStore.loadSession(address).getSessionState().getRemoteIdentityKey();
1233 return (identityKey != null)
1234 ? new XmppAxolotlSession(account, axolotlStore, address, identityKey)
1235 : null;
1236 }
1237
1238 private XmppAxolotlSession getReceivingSession(XmppAxolotlMessage message) {
1239 SignalProtocolAddress senderAddress = new SignalProtocolAddress(message.getFrom().toPreppedString(),
1240 message.getSenderDeviceId());
1241 XmppAxolotlSession session = sessions.get(senderAddress);
1242 if (session == null) {
1243 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Account: " + account.getJid() + " No axolotl session found while parsing received message " + message);
1244 session = recreateUncachedSession(senderAddress);
1245 if (session == null) {
1246 session = new XmppAxolotlSession(account, axolotlStore, senderAddress);
1247 }
1248 }
1249 return session;
1250 }
1251
1252 public XmppAxolotlMessage.XmppAxolotlPlaintextMessage processReceivingPayloadMessage(XmppAxolotlMessage message) {
1253 XmppAxolotlMessage.XmppAxolotlPlaintextMessage plaintextMessage = null;
1254
1255 XmppAxolotlSession session = getReceivingSession(message);
1256 try {
1257 plaintextMessage = message.decrypt(session, getOwnDeviceId());
1258 Integer preKeyId = session.getPreKeyId();
1259 if (preKeyId != null) {
1260 publishBundlesIfNeeded(false, false);
1261 session.resetPreKeyId();
1262 }
1263 } catch (CryptoFailedException e) {
1264 Log.w(Config.LOGTAG, getLogprefix(account) + "Failed to decrypt message from "+message.getFrom()+": " + e.getMessage());
1265 }
1266
1267 if (session.isFresh() && plaintextMessage != null) {
1268 putFreshSession(session);
1269 }
1270
1271 return plaintextMessage;
1272 }
1273
1274 public XmppAxolotlMessage.XmppAxolotlKeyTransportMessage processReceivingKeyTransportMessage(XmppAxolotlMessage message) {
1275 XmppAxolotlMessage.XmppAxolotlKeyTransportMessage keyTransportMessage;
1276
1277 XmppAxolotlSession session = getReceivingSession(message);
1278 try {
1279 keyTransportMessage = message.getParameters(session, getOwnDeviceId());
1280 } catch (CryptoFailedException e) {
1281 Log.d(Config.LOGTAG,"could not decrypt keyTransport message "+e.getMessage());
1282 keyTransportMessage = null;
1283 }
1284
1285 if (session.isFresh() && keyTransportMessage != null) {
1286 putFreshSession(session);
1287 }
1288
1289 return keyTransportMessage;
1290 }
1291
1292 private void putFreshSession(XmppAxolotlSession session) {
1293 Log.d(Config.LOGTAG,"put fresh session");
1294 sessions.put(session);
1295 if (Config.X509_VERIFICATION) {
1296 if (session.getIdentityKey() != null) {
1297 verifySessionWithPEP(session);
1298 } else {
1299 Log.e(Config.LOGTAG,account.getJid().toBareJid()+": identity key was empty after reloading for x509 verification");
1300 }
1301 }
1302 }
1303}