Add a new crate, libsignal-message-backup-io, and move the existing code that
handles backup decryption, deframing, and protobuf deserialization there. Keep
the actual validation of the protobuf contents in the libsignal-message-backup
crate.
This allows the existing example binproto<->json binaries to be built with
local modifications to the backup.proto file without also requiring all the
validation code to be modified.
This (1) actually works on iOS and Android, and (2) will likely be
more full-featured and better-supported going forward. But it does
mean plugging one system's certificate verifier (rustls) into
another's TLS implementation (BoringSSL). Still, having *all* of
rustls used alongside BoringSSL would be redundant.
Handle encrypted & compressed message backup files with additional padding
after the compressed contents (the padding bytes are encrypted, but not
compressed). Update the example encrypter binary to add padding by default.
Add a flag to the CLI validation tool and an argument to the bridged validation
functions so users can specify whether a provided message backup should be
validated according to the rules for device-to-device transfers or backups
intended for remote storage.
- Feature flags removed for unconditionally-provided APIs.
- A function's this() is no longer guaranteed to be an object,
so we have to check and error out more often.
- Use of usize instead of i32 in a few places.
- Convenience for fetching globals.
Update snow to include a fix for a DoS opportunity in the latest
release.
Thank you to Joe Doyle and Jim Miller from Trail of Bits for bringing
this to our attention.
Add a derive macro and attach it to each generated protobuf message. The
generated code will walk each field in the message and dispatch recursively to
the same trait to find all unknown fields. Keep the existing
dynamically-dispatched descriptor-walking implementation since it's easier to
understand, but only use it to ensure parity with the macro-generated version
via test cases.