And adjust the existing ENCLAVE_SECRET tests and examples to use this
(including Rust and Node's).
This also requires adding an AndroidManifest.xml that notes the tests
might use the network.
Treat the first 16 bytes of the stream as the IV for the AES block cipher. This
is incompatible with the previous scheme, where the IV was derived from the
master key.
getPreKeyId was returning an incorrect value, and the Kyber fields
were missing altogether. None of this affected security of the iOS app
because the iOS app only constructed PreKeyBundles for libsignal to
process, and never read any of these fields. If it did, it would have
failed to establish a session due to the incorrect pre-key ID.
Caught by @dtimoshenko99; thank you!
The enclave interactions have internal progress monitoring in the form of
websocket PING/PONG frames, so the timeout parameters aren't necessary for
broken connection detection.
Examine the Rust signature to determine what the FFI output type should be.
This lets us remove all usages of #[bridge_fn_void] since #[bridge_fn] now
correctly detects the return type.
Right now the benefits of receiving GroupSendEndorsementsResponse
using member ciphertexts are balanced by the increased cost of
deserializing the full ciphertexts instead of just the part we need.
We can improve things here if needed, but for now let's just not claim
that the ciphertext approach is "significantly" better than the
alternative.
Previously we'd attempt to create a combination of zero endorsements
for the everybody-but-me credential, and panic (throw an error). Now
we correctly create an endorsement that represents zero people, which
is better than returning some dummy value because it behaves
reasonably if endorsements from multiple groups are combined wholesale
(not something we plan to do, but something that shouldn't have weird
edge cases if we end up needing to).
If apps want to cache these tokens, they should prefer to cache the
non-"full" version because it won't redundantly contain the
expiration, but if they don't, dealing with two token types is
unnecessary complexity.
Move the implementation of the CDSI service into its own module to provide
better scoping. Move the CdsiError that is used only for bridging out of
libsignal-net and into the bridging crate.
Benchmarks should normally be run in the release configuration, but CI
just wants to make sure they still work by running them with a debug
libsignal_ffi.a. Instead of making that a fallback, make it
configuration-dependent, so you can't ever accidentally test the wrong
thing.
Specifically, make this on the Rust side bridge layer, and tack it on
to the end of per-member endorsements for the app side to peel off
later, rather than the app layer calling back down to Rust to compute
it. This saves a fair amount of marshalling work.
Not actually distinct from Vec<Vec<u8>>, but works better with the
jni_result_type and ffi_result_type macros because `[Vec<u8>]` is a
single grouped token tree. Generalizes the string array helpers to
support bytestrings too.
Add a new version of the existing auth credential used for groups, but
implemented with the zkcredential crate instead of hand-written proofs. Expose
issuance point for the server, and extend existing client methods to support it
and the existing formats transparently.
This involves a family of new types that will be used for issuing and
verifying these endorsements.
This is a breaking change for zkgroup: it adds a new key to
ServerSecretParams and ServerPublicParams.
Add a flag to the CLI validation tool and an argument to the bridged validation
functions so users can specify whether a provided message backup should be
validated according to the rules for device-to-device transfers or backups
intended for remote storage.
Run tests that call native TESTING_ functions on Android. This requires
building a separate version of libsignal_jni.so with the testing functions
included. The test code is still omitted from the published artifacts.
Use the string bridging code introduced previously to provide string arrays to
client directly instead of joining and splitting. This eliminates the use of a
magic ',' character as a delimiter.
The Swift helper invokeFnReturningStringArray was using the wrong
indices when slicing up the concatenated strings to produce individual
values. Instead of advancing the base pointer by the N bytes read for a
given string, the base pointer was adjusted to point to LEN - N. This
wasn't detected by the bridging test case since it passed two strings
over, both of length three. For two strings with the same length, the
buggy and corrected code have the same behavior!
This patch adjusts the test case to include strings of different
lengths and fixes the now-revealed bug.
Re-raise errors produced by an input stream after bubbling them through Rust
code. This makes the interface less magic and avoids unnecessary
stringification of error values.
If a client already has the members of a group as ciphertexts, it's
more efficient to receive a GroupSendCredential that way, because then
they get to skip the conversion from ServiceId to UidStruct. If they
don't, however, the existing entry point is going to be both more
convenient and faster.
For Swift and Java, this is an overload of the existing receive()
method; for TypeScript, it's receiveWithCiphertexts.