Bump version to 2.3.3

// FREEBIE

.gitattributes

@@ -0,0 +1 @@
+*.ai binary

.tx/config

@@ -1,6 +1,6 @@
 [main]
 host = https://www.transifex.com
-lang_map = fr_CA:fr-rCA,pt_BR:pt-rBR,pt_PT:pt,zh_CN:zh-rCN,zh_HK:zh-rHK,zh_TW:zh-rTW,da_DK:da-rDK,de_DE:de,tr_TR:tr,fr_FR:fr,es_ES:es,hu_HU:hu,sv_SE:sv-rSE,bg_BG:bg,el_GR:el,kn_IN:kn-rIN,cs_CZ:cs
+lang_map = fr_CA:fr-rCA,pt_BR:pt-rBR,pt_PT:pt,zh_CN:zh-rCN,zh_HK:zh-rHK,zh_TW:zh-rTW,da_DK:da-rDK,de_DE:de,tr_TR:tr,fr_FR:fr,es_ES:es,hu_HU:hu,sv_SE:sv-rSE,bg_BG:bg,el_GR:el,kn_IN:kn-rIN,cs_CZ:cs,sr:sr
 
 
 [textsecure-official.master]

AndroidManifest.xml

@@ -2,10 +2,8 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
           xmlns:tools="http://schemas.android.com/tools"
           package="org.thoughtcrime.securesms"
-      android:versionCode="72"
-      android:versionName="2.1.0">
-
-    <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="19"/>
+      android:versionCode="87"
+      android:versionName="2.3.3">
 
     <permission android:name="org.thoughtcrime.securesms.ACCESS_SECRETS"
                 android:label="Access to TextSecure Secrets"
@@ -33,18 +31,20 @@
     <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
     <uses-permission android:name="android.permission.READ_CALL_LOG" />
     <uses-permission android:name="android.permission.GET_ACCOUNTS" />
-    <uses-permission android:name="android.permission.WAKE_LOCK" />
     <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
 
     <permission android:name="org.thoughtcrime.securesms.permission.C2D_MESSAGE"
                 android:protectionLevel="signature" />
     <uses-permission android:name="org.thoughtcrime.securesms.permission.C2D_MESSAGE" />
 
-    <application android:name="org.thoughtcrime.securesms.ApplicationListener"
+    <application android:name=".ApplicationContext"
                  android:icon="@drawable/icon"
                  android:label="@string/app_name"
                  android:theme="@style/TextSecure.LightTheme">
 
+        <meta-data android:name="com.google.android.gms.version"
+                   android:value="@integer/google_play_services_version" />
+
         <activity android:name=".RoutingActivity"
                   android:theme="@style/NoAnimation.Theme.BlackScreen"
                   android:launchMode="singleTask"
@@ -114,19 +114,19 @@
               android:configChanges="touchscreen|keyboard|keyboardHidden|orientation|screenLayout|screenSize"/>
 
     <activity android:name=".DatabaseMigrationActivity"
-              android:theme="@style/NoAnimation.Theme.Sherlock.Light.DarkActionBar"
+              android:theme="@style/NoAnimation.Theme.AppCompat.Light.DarkActionBar"
               android:launchMode="singleTask"
               android:configChanges="touchscreen|keyboard|keyboardHidden|orientation|screenLayout|screenSize"/>
 
     <activity android:name=".DatabaseUpgradeActivity"
-              android:theme="@style/NoAnimation.Theme.Sherlock.Light.DarkActionBar"
+              android:theme="@style/NoAnimation.Theme.AppCompat.Light.DarkActionBar"
               android:launchMode="singleTask"
               android:configChanges="touchscreen|keyboard|keyboardHidden|orientation|screenLayout|screenSize"/>
 
     <activity android:name=".PassphraseCreateActivity"
               android:label="@string/AndroidManifest__create_passphrase"
               android:windowSoftInputMode="stateUnchanged"
-              android:theme="@style/NoAnimation.Theme.Sherlock.Light.DarkActionBar"
+              android:theme="@style/TextSecure.IntroTheme"
               android:launchMode="singleTop"
               android:configChanges="touchscreen|keyboard|keyboardHidden|orientation|screenLayout|screenSize"/>
 
@@ -192,6 +192,11 @@
               android:windowSoftInputMode="stateHidden"
               android:configChanges="touchscreen|keyboard|keyboardHidden|orientation|screenLayout|screenSize"/>
 
+    <activity android:name=".MediaPreviewActivity"
+              android:label="@string/AndroidManifest__media_preview"
+              android:windowSoftInputMode="stateHidden"
+              android:configChanges="touchscreen|keyboard|keyboardHidden|orientation|screenLayout|screenSize"/>
+
     <activity android:name=".DummyActivity"
               android:theme="@android:style/Theme.NoDisplay"
               android:enabled="true"
@@ -203,13 +208,14 @@
               android:clearTaskOnLaunch="true"
               android:finishOnTaskLaunch="true" />
 
+    <activity android:name=".PlayServicesProblemActivity"
+              android:theme="@android:style/Theme.Translucent.NoTitleBar"
+              android:configChanges="touchscreen|keyboard|keyboardHidden|orientation|screenLayout|screenSize"/>
+
     <service android:enabled="true" android:name=".service.ApplicationMigrationService"/>
     <service android:enabled="true" android:name=".service.KeyCachingService"/>
-    <service android:enabled="true" android:name=".service.SendReceiveService"/>
     <service android:enabled="true" android:name=".service.RegistrationService"/>
     <service android:enabled="true" android:name=".service.DirectoryRefreshService"/>
-    <service android:enabled="true" android:name=".service.PreKeyService"/>
-    <service android:enabled="true" android:name=".gcm.GcmIntentService"/>
 
     <service android:name=".service.QuickResponseService"
              android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE"
@@ -236,7 +242,6 @@
     <receiver android:name=".gcm.GcmBroadcastReceiver" android:permission="com.google.android.c2dm.permission.SEND" >
         <intent-filter>
             <action android:name="com.google.android.c2dm.intent.RECEIVE" />
-            <action android:name="com.google.android.c2dm.intent.REGISTRATION" />
             <category android:name="org.thoughtcrime.securesms" />
         </intent-filter>
     </receiver>
@@ -302,8 +307,4 @@
 
        <uses-library android:name="android.test.runner" />
 </application>
-
-<instrumentation android:name="android.test.InstrumentationTestRunner"
-       android:targetPackage="org.thoughtcrime.securesms.tests" android:label="Tests for My App" />
-
 </manifest>

BUILDING.md

@@ -17,7 +17,11 @@ The following steps should help you (re)build TextSecure from the command line.
         git clone https://github.com/WhisperSystems/TextSecure.git
 
 2. Make sure you have the [Android SDK](https://developer.android.com/sdk/index.html) installed somewhere on your system.
-3. Ensure the "Android Support Repository" and "Android SDK Build-tools" are installed from the Android SDK manager.
+3. Ensure that the following packages are installed from the Android SDK manager:
+    * Android SDK Build Tools
+    * SDK Platform
+    * Android Support Repository
+    * Google Repository
 4. Create a local.properties file at the root of your source checkout and add an sdk.dir entry to it.
 
         sdk.dir=\<path to your sdk installation\>
@@ -29,13 +33,13 @@ The following steps should help you (re)build TextSecure from the command line.
 Re-building native components
 -----------------------------
 
-Note: This step is optional; native components are contained as binaries (see [library/libs](library/libs)).
+Note: This step is optional; native components are contained as binaries (see [libaxolotl/libs](libaxolotl/libs)).
 
 1. Ensure that the Android NDK is installed.
 
 Execute ndk-build:
 
-    cd library
+    cd libaxolotl
     ndk-build
 
 Afterwards, execute Gradle as above to re-create the APK.
@@ -45,12 +49,12 @@ Setting up a development environment
 
 [Android Studio](https://developer.android.com/sdk/installing/studio.html) is the recommended development environment.
 
-1. Install Android Studio
+1. Install Android Studio.
 2. Make sure the "Android Support Repository" is installed in the Android Studio SDK.
 3. Make sure the latest "Android SDK build-tools" is installed in the Android Studio SDK.
 4. Create a new Android Studio project. from the Quickstart pannel (use File > Close Project to see it), choose "Checkout from Version Control" then "git".
-5. Paste the URL for the TextSecure project when prompted (https://github.com/WhisperSystems/TextSecure.git)
-6. Android studio should detect the presence of a project file and ask you wethere to open it. Click "yes".
+5. Paste the URL for the TextSecure project when prompted (https://github.com/WhisperSystems/TextSecure.git).
+6. Android studio should detect the presence of a project file and ask you whether to open it. Click "yes".
 7. Default config options should be good enough.
 8. Project initialisation and build should proceed.
 

androidTest/java/org/thoughtcrime/securesms/jobs/CleanPreKeysJobTest.java

@@ -0,0 +1,153 @@
+package org.thoughtcrime.securesms.jobs;
+
+import android.test.AndroidTestCase;
+
+import org.thoughtcrime.securesms.crypto.MasterSecret;
+import org.thoughtcrime.securesms.dependencies.AxolotlStorageModule;
+import org.whispersystems.libaxolotl.ecc.Curve;
+import org.whispersystems.libaxolotl.state.SignedPreKeyRecord;
+import org.whispersystems.libaxolotl.state.SignedPreKeyStore;
+import org.whispersystems.textsecure.api.TextSecureAccountManager;
+import org.whispersystems.textsecure.api.push.SignedPreKeyEntity;
+import org.whispersystems.textsecure.api.push.exceptions.PushNetworkException;
+
+import java.io.IOException;
+import java.util.LinkedList;
+import java.util.List;
+
+import dagger.Module;
+import dagger.ObjectGraph;
+import dagger.Provides;
+
+import static org.mockito.Matchers.anyInt;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
+
+public class CleanPreKeysJobTest extends AndroidTestCase {
+
+  public void testSignedPreKeyRotationNotRegistered() throws IOException, MasterSecretJob.RequirementNotMetException {
+    TextSecureAccountManager accountManager    = mock(TextSecureAccountManager.class);
+    SignedPreKeyStore        signedPreKeyStore = mock(SignedPreKeyStore.class);
+    MasterSecret             masterSecret      = mock(MasterSecret.class);
+    when(accountManager.getSignedPreKey()).thenReturn(null);
+
+    CleanPreKeysJob cleanPreKeysJob = new CleanPreKeysJob(getContext());
+
+    ObjectGraph objectGraph = ObjectGraph.create(new TestModule(accountManager, signedPreKeyStore));
+    objectGraph.inject(cleanPreKeysJob);
+
+    cleanPreKeysJob.onRun(masterSecret);
+
+    verify(accountManager).getSignedPreKey();
+    verifyNoMoreInteractions(signedPreKeyStore);
+  }
+
+  public void testSignedPreKeyEviction() throws Exception {
+    SignedPreKeyStore        signedPreKeyStore         = mock(SignedPreKeyStore.class);
+    TextSecureAccountManager accountManager            = mock(TextSecureAccountManager.class);
+    SignedPreKeyEntity       currentSignedPreKeyEntity = mock(SignedPreKeyEntity.class);
+    MasterSecret             masterSecret              = mock(MasterSecret.class);
+
+    when(currentSignedPreKeyEntity.getKeyId()).thenReturn(3133);
+    when(accountManager.getSignedPreKey()).thenReturn(currentSignedPreKeyEntity);
+
+    final SignedPreKeyRecord currentRecord = new SignedPreKeyRecord(3133, System.currentTimeMillis(), Curve.generateKeyPair(), new byte[64]);
+
+    List<SignedPreKeyRecord> records = new LinkedList<SignedPreKeyRecord>() {{
+      add(new SignedPreKeyRecord(2, 11, Curve.generateKeyPair(), new byte[32]));
+      add(new SignedPreKeyRecord(4, System.currentTimeMillis() - 100, Curve.generateKeyPair(), new byte[64]));
+      add(currentRecord);
+      add(new SignedPreKeyRecord(3, System.currentTimeMillis() - 90, Curve.generateKeyPair(), new byte[64]));
+      add(new SignedPreKeyRecord(1, 10, Curve.generateKeyPair(), new byte[32]));
+    }};
+
+    when(signedPreKeyStore.loadSignedPreKeys()).thenReturn(records);
+    when(signedPreKeyStore.loadSignedPreKey(eq(3133))).thenReturn(currentRecord);
+
+    CleanPreKeysJob cleanPreKeysJob = new CleanPreKeysJob(getContext());
+
+    ObjectGraph objectGraph = ObjectGraph.create(new TestModule(accountManager, signedPreKeyStore));
+    objectGraph.inject(cleanPreKeysJob);
+
+    cleanPreKeysJob.onRun(masterSecret);
+
+    verify(signedPreKeyStore).removeSignedPreKey(eq(1));
+    verify(signedPreKeyStore, times(1)).removeSignedPreKey(anyInt());
+  }
+
+  public void testSignedPreKeyNoEviction() throws Exception {
+    SignedPreKeyStore        signedPreKeyStore         = mock(SignedPreKeyStore.class);
+    TextSecureAccountManager accountManager            = mock(TextSecureAccountManager.class);
+    SignedPreKeyEntity       currentSignedPreKeyEntity = mock(SignedPreKeyEntity.class);
+
+    when(currentSignedPreKeyEntity.getKeyId()).thenReturn(3133);
+    when(accountManager.getSignedPreKey()).thenReturn(currentSignedPreKeyEntity);
+
+    final SignedPreKeyRecord currentRecord = new SignedPreKeyRecord(3133, System.currentTimeMillis(), Curve.generateKeyPair(), new byte[64]);
+
+    List<SignedPreKeyRecord> records = new LinkedList<SignedPreKeyRecord>() {{
+      add(currentRecord);
+    }};
+
+    when(signedPreKeyStore.loadSignedPreKeys()).thenReturn(records);
+    when(signedPreKeyStore.loadSignedPreKey(eq(3133))).thenReturn(currentRecord);
+
+    CleanPreKeysJob cleanPreKeysJob = new CleanPreKeysJob(getContext());
+
+    ObjectGraph objectGraph = ObjectGraph.create(new TestModule(accountManager, signedPreKeyStore));
+    objectGraph.inject(cleanPreKeysJob);
+
+    verify(signedPreKeyStore, never()).removeSignedPreKey(anyInt());
+  }
+
+  public void testConnectionError() throws Exception {
+    SignedPreKeyStore        signedPreKeyStore = mock(SignedPreKeyStore.class);
+    TextSecureAccountManager accountManager    = mock(TextSecureAccountManager.class);
+    MasterSecret             masterSecret      = mock(MasterSecret.class);
+
+    when(accountManager.getSignedPreKey()).thenThrow(new PushNetworkException("Connectivity error!"));
+
+    CleanPreKeysJob cleanPreKeysJob = new CleanPreKeysJob(getContext());
+
+    ObjectGraph objectGraph = ObjectGraph.create(new TestModule(accountManager, signedPreKeyStore));
+    objectGraph.inject(cleanPreKeysJob);
+
+    try {
+      cleanPreKeysJob.onRun(masterSecret);
+      throw new AssertionError("should have failed!");
+    } catch (IOException e) {
+      assertTrue(cleanPreKeysJob.onShouldRetry(e));
+    }
+  }
+
+  @Module(injects = {CleanPreKeysJob.class})
+  public static class TestModule {
+    private final TextSecureAccountManager accountManager;
+    private final SignedPreKeyStore        signedPreKeyStore;
+
+    private TestModule(TextSecureAccountManager accountManager, SignedPreKeyStore signedPreKeyStore) {
+      this.accountManager    = accountManager;
+      this.signedPreKeyStore = signedPreKeyStore;
+    }
+
+    @Provides TextSecureAccountManager provideTextSecureAccountManager() {
+      return accountManager;
+    }
+
+    @Provides
+    AxolotlStorageModule.SignedPreKeyStoreFactory provideSignedPreKeyStore() {
+      return new AxolotlStorageModule.SignedPreKeyStoreFactory() {
+        @Override
+        public SignedPreKeyStore create(MasterSecret masterSecret) {
+          return signedPreKeyStore;
+        }
+      };
+    }
+  }
+
+}

androidTest/java/org/thoughtcrime/securesms/jobs/DeliveryReceiptJobTest.java

@@ -0,0 +1,101 @@
+package org.thoughtcrime.securesms.jobs;
+
+import android.test.AndroidTestCase;
+
+import org.mockito.ArgumentCaptor;
+import org.mockito.Mockito;
+import org.thoughtcrime.securesms.crypto.MasterSecret;
+import org.whispersystems.textsecure.api.TextSecureMessageSender;
+import org.whispersystems.textsecure.api.push.PushAddress;
+import org.whispersystems.textsecure.api.push.exceptions.NotFoundException;
+import org.whispersystems.textsecure.api.push.exceptions.PushNetworkException;
+
+import java.io.IOException;
+
+import dagger.Module;
+import dagger.ObjectGraph;
+import dagger.Provides;
+
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.thoughtcrime.securesms.dependencies.TextSecureCommunicationModule.TextSecureMessageSenderFactory;
+
+public class DeliveryReceiptJobTest extends AndroidTestCase {
+
+  public void testDelivery() throws IOException {
+    TextSecureMessageSender textSecureMessageSender = mock(TextSecureMessageSender.class);
+    long                    timestamp               = System.currentTimeMillis();
+
+    DeliveryReceiptJob deliveryReceiptJob = new DeliveryReceiptJob(getContext(),
+                                                                   "+14152222222",
+                                                                   timestamp, "foo");
+
+    ObjectGraph objectGraph = ObjectGraph.create(new TestModule(textSecureMessageSender));
+    objectGraph.inject(deliveryReceiptJob);
+
+    deliveryReceiptJob.onRun();
+
+    ArgumentCaptor<PushAddress> captor = ArgumentCaptor.forClass(PushAddress.class);
+    verify(textSecureMessageSender).sendDeliveryReceipt(captor.capture(), eq(timestamp));
+
+    assertTrue(captor.getValue().getRelay().equals("foo"));
+    assertTrue(captor.getValue().getNumber().equals("+14152222222"));
+  }
+
+  public void testNetworkError() throws IOException {
+    TextSecureMessageSender textSecureMessageSender = mock(TextSecureMessageSender.class);
+    long                    timestamp               = System.currentTimeMillis();
+
+    Mockito.doThrow(new PushNetworkException("network error"))
+           .when(textSecureMessageSender)
+           .sendDeliveryReceipt(any(PushAddress.class), eq(timestamp));
+
+
+    DeliveryReceiptJob deliveryReceiptJob = new DeliveryReceiptJob(getContext(),
+                                                                   "+14152222222",
+                                                                   timestamp, "foo");
+
+    ObjectGraph objectGraph = ObjectGraph.create(new TestModule(textSecureMessageSender));
+    objectGraph.inject(deliveryReceiptJob);
+
+    try {
+      deliveryReceiptJob.onRun();
+      throw new AssertionError();
+    } catch (IOException e) {
+      assertTrue(deliveryReceiptJob.onShouldRetry(e));
+    }
+
+    Mockito.doThrow(new NotFoundException("not found"))
+           .when(textSecureMessageSender)
+           .sendDeliveryReceipt(any(PushAddress.class), eq(timestamp));
+
+    try {
+      deliveryReceiptJob.onRun();
+      throw new AssertionError();
+    } catch (IOException e) {
+      assertFalse(deliveryReceiptJob.onShouldRetry(e));
+    }
+  }
+
+  @Module(injects = DeliveryReceiptJob.class)
+  public static class TestModule {
+
+    private final TextSecureMessageSender textSecureMessageSender;
+
+    public TestModule(TextSecureMessageSender textSecureMessageSender) {
+      this.textSecureMessageSender = textSecureMessageSender;
+    }
+
+    @Provides TextSecureMessageSenderFactory provideTextSecureMessageSenderFactory() {
+      return new TextSecureMessageSenderFactory() {
+        @Override
+        public TextSecureMessageSender create(MasterSecret masterSecret) {
+          return textSecureMessageSender;
+        }
+      };
+    }
+  }
+
+}

androidTest/java/org/thoughtcrime/securesms/util/PhoneNumberFormatterTest.java

@@ -4,8 +4,8 @@ import android.test.AndroidTestCase;
 
 import junit.framework.AssertionFailedError;
 
-import org.whispersystems.textsecure.util.InvalidNumberException;
-import org.whispersystems.textsecure.util.PhoneNumberFormatter;
+import org.whispersystems.textsecure.api.util.InvalidNumberException;
+import org.whispersystems.textsecure.api.util.PhoneNumberFormatter;
 import static org.fest.assertions.api.Assertions.assertThat;
 
 public class PhoneNumberFormatterTest extends AndroidTestCase {

androidTest/org/thoughtcrime/securesms/service/MmsReceiverTest.java

@@ -0,0 +1,28 @@
+package org.thoughtcrime.securesms.service;
+
+import android.content.Intent;
+import android.test.InstrumentationTestCase;
+
+import static org.fest.assertions.api.Assertions.*;
+
+public class MmsReceiverTest extends InstrumentationTestCase {
+
+  private MmsReceiver mmsReceiver;
+
+  public void setUp() throws Exception {
+    super.setUp();
+    mmsReceiver = new MmsReceiver(getInstrumentation().getContext());
+  }
+
+  public void tearDown() throws Exception {
+
+  }
+
+  public void testProcessMalformedData() throws Exception {
+    Intent intent = new Intent();
+    intent.setAction(SendReceiveService.RECEIVE_MMS_ACTION);
+    intent.putExtra("data", new byte[]{0x00});
+    mmsReceiver.process(null, intent);
+  }
+
+}

apntool/.gitignore

@@ -0,0 +1,2 @@
+*.db
+*.db.gz

apntool/apntool.py

@@ -0,0 +1,81 @@
+import sys
+import argparse
+import sqlite3
+import gzip
+from progressbar import ProgressBar, Counter, Timer
+from lxml import etree
+
+parser = argparse.ArgumentParser(prog='apntool', description="""Process Android's apn xml files and drop them into an easily
+                                                             queryable SQLite db. Tested up to version 9 of their APN file.""")
+parser.add_argument('-v', '--version', action='version', version='%(prog)s v1.0')
+parser.add_argument('-i', '--input', help='the xml file to parse', default='apns.xml', required=False)
+parser.add_argument('-o', '--output', help='the sqlite db output file', default='apns.db', required=False)
+parser.add_argument('--quiet', help='do not show progress or verbose instructions', action='store_true', required=False)
+parser.add_argument('--no-gzip', help="do not gzip after creation", action='store_true', required=False)
+args = parser.parse_args()
+
+try:
+    connection = sqlite3.connect(args.output)
+    cursor = connection.cursor()
+    cursor.execute('SELECT SQLITE_VERSION()')
+    version = cursor.fetchone()
+    if not args.quiet:
+        print("SQLite version: %s" % version)
+        print("Opening %s" % args.input)
+
+    cursor.execute("PRAGMA legacy_file_format=ON")
+    cursor.execute("PRAGMA journal_mode=DELETE")
+    cursor.execute("PRAGMA page_size=32768")
+    cursor.execute("VACUUM")
+    cursor.execute("DROP TABLE IF EXISTS apns")
+    cursor.execute("""CREATE TABLE apns(_id INTEGER PRIMARY KEY, mccmnc TEXT, mcc TEXT, mnc TEXT, carrier TEXT, apn TEXT,
+                mmsc TEXT, port INTEGER, type TEXT, protocol TEXT, bearer TEXT, roaming_protocol TEXT,
+                carrier_enabled INTEGER, mmsproxy TEXT, mmsport INTEGER, proxy TEXT,  mvno_match_data TEXT,
+                mvno_type TEXT, authtype INTEGER, user TEXT, password TEXT, server TEXT)""")
+
+    apns = etree.parse(args.input)
+    root = apns.getroot()
+    pbar = ProgressBar(widgets=['Processed: ', Counter(), ' apns (', Timer(), ')'], maxval=len(list(root))).start() if not args.quiet else None
+
+    count = 0
+    for apn in root.iter("apn"):
+        if apn.get("mmsc") == None:
+            continue
+        sqlvars = ["?" for x in apn.attrib.keys()] + ["?"]
+        mccmnc  = "%s%s" % (apn.get("mcc"), apn.get("mnc"))
+        values  = [apn.get(attrib) for attrib in apn.attrib.keys()] + [mccmnc]
+        keys    = apn.attrib.keys() + ["mccmnc"]
+
+        cursor.execute("SELECT 1 FROM apns WHERE mccmnc = ? AND apn = ?", [mccmnc, apn.get("apn")])
+        if cursor.fetchone() == None:
+            statement = "INSERT INTO apns (%s) VALUES (%s)" % (", ".join(keys), ", ".join(sqlvars))
+            cursor.execute(statement, values)
+
+        count += 1
+        if not args.quiet:
+            pbar.update(count)
+
+    if not args.quiet:
+        pbar.finish()
+    connection.commit()
+    print("Successfully written to %s" % args.output)
+
+    if not args.no_gzip:
+        gzipped_file = "%s.gz" % (args.output,)
+        with open(args.output, 'rb') as orig:
+            with gzip.open(gzipped_file, 'wb') as gzipped:
+                gzipped.writelines(orig)
+        print("Successfully gzipped to %s" % gzipped_file)
+
+    if not args.quiet:
+        print("\nTo include this in the distribution, copy it to the project's assets/databases/ directory.")
+        print("If you support API 10 or lower, you must use the gzipped version to avoid corruption.")
+
+except sqlite3.Error, e:
+    if connection:
+        connection.rollback()
+    print("Error: %s" % e.args[0])
+    sys.exit(1)
+finally:
+    if connection:
+        connection.close()

apntool/requirements.txt

@@ -0,0 +1,3 @@
+argparse>=1.2.1
+lxml>=3.3.3
+progressbar-latest>=2.4

build.gradle

@@ -1,60 +1,109 @@
 buildscript {
     repositories {
-        mavenCentral()
+        maven {
+            url "https://repo1.maven.org/maven2"
+        }
     }
     dependencies {
-        classpath 'com.android.tools.build:gradle:0.11.+'
+        classpath 'com.android.tools.build:gradle:0.14.2'
         classpath files('libs/gradle-witness.jar')
     }
 }
 
-apply plugin: 'android'
+apply plugin: 'com.android.application'
+apply from: 'strip_play_services.gradle'
 apply plugin: 'witness'
 
 repositories {
-    mavenCentral()
     maven {
-        url "https://raw.github.com/whispersystems/maven/master/gcm-client/releases/"
+        url "https://repo1.maven.org/maven2"
+    }
+    maven {
+        url "https://raw.github.com/whispersystems/maven/master/preferencefragment/releases/"
     }
     maven {
         url "https://raw.github.com/whispersystems/maven/master/gson/releases/"
     }
+    maven {
+        url "https://raw.github.com/whispersystems/maven/master/smil/releases/"
+    }
 }
 
 dependencies {
-    compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
-    compile 'com.android.support:support-v4:19.1.0'
-    compile 'com.google.android.gcm:gcm-client:1.0.2'
     compile 'se.emilsjolander:stickylistheaders:2.2.0'
+    compile 'com.google.android.gms:play-services:6.1.71'
+    compile 'com.astuetz:pagerslidingtabstrip:1.0.1'
+    compile 'org.w3c:smil:1.0.0'
+    compile 'org.apache.httpcomponents:httpclient-android:4.3.5'
+    compile 'com.github.chrisbanes.photoview:library:1.2.3'
+    compile 'com.android.support:appcompat-v7:20.0.0'
+    compile 'com.madgag.spongycastle:prov:1.51.0.0'
+    compile 'com.google.zxing:android-integration:3.1.0'
+    compile ('com.android.support:support-v4-preferencefragment:1.0.0@aar'){
+        exclude module: 'support-v4'
+    }
+    compile 'com.squareup.dagger:dagger:1.2.2'
+    provided 'com.squareup.dagger:dagger-compiler:1.2.2'
+
+    compile 'org.whispersystems:jobmanager:0.9.0'
+    compile 'org.whispersystems:libpastelog:1.0.2'
 
     androidTestCompile 'com.squareup:fest-android:1.0.8'
+    androidTestCompile 'com.google.dexmaker:dexmaker:1.1'
+    androidTestCompile 'com.google.dexmaker:dexmaker-mockito:1.1'
 
-    compile project(':library')
+    compile project(':libtextsecure')
 }
 
 dependencyVerification {
     verify = [
-        'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
-        'com.android.support:support-v4:3f40fa7b3a4ead01ce15dce9453b061646e7fe2e7c51cb75ca01ee1e77037f3f',
-        'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
-        'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
-        'com.google.protobuf:protobuf-java:ad9769a22989e688a46af4d3accc348cc501ced22118033230542bc916e33f0b',
-        'com.madgag:sc-light-jdk15on:931f39d351429fb96c2f749e7ecb1a256a8ebbf5edca7995c9cc085b94d1841d',
-        'com.googlecode.libphonenumber:libphonenumber:eba17eae81dd622ea89a00a3a8c025b2f25d342e0d9644c5b62e16f15687c3ab',
-        'org.whispersystems:gson:08f4f7498455d1539c9233e5aac18e9b1805815ef29221572996508eb512fe51',
+            'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
+            'com.google.android.gms:play-services:32e7d1834a1cf8fa4b17e8d359db580c286e26c1eefbf84fdb9996eac8d74919',
+            'com.astuetz:pagerslidingtabstrip:f1641396732c7132a7abb837e482e5ee2b0ebb8d10813fc52bbaec2c15c184c2',
+            'org.w3c:smil:085dc40f2bb249651578bfa07499fd08b16ad0886dbe2c4078586a408da62f9b',
+            'org.apache.httpcomponents:httpclient-android:6f56466a9bd0d42934b90bfbfe9977a8b654c058bf44a12bdc2877c4e1f033f1',
+            'com.github.chrisbanes.photoview:library:8b5344e206f125e7ba9d684008f36c4992d03853c57e5814125f88496126e3cc',
+            'com.android.support:appcompat-v7:736f576ab0b68d27bdf18b1e7931566e6d8254b73965175313e87f8866b91547',
+            'com.madgag.spongycastle:prov:b8c3fec3a59aac1aa04ccf4dad7179351e54ef7672f53f508151b614c131398a',
+            'com.google.zxing:android-integration:89e56aadf1164bd71e57949163c53abf90af368b51669c0d4a47a163335f95c4',
+            'com.android.support:support-v4-preferencefragment:5470f5872514a6226fa1fc6f4e000991f38805691c534cf0bd2778911fc773ad',
+            'com.squareup.dagger:dagger:789aca24537022e49f91fc6444078d9de8f1dd99e1bfb090f18491b186967883',
+            'com.android.support:support-v4:81f2b1c2c94efd5a4ec7fcd97b6cdcd00e87a933905c5c86103c7319eb024572',
+            'com.madgag.spongycastle:core:8d6240b974b0aca4d3da9c7dd44d42339d8a374358aca5fc98e50a995764511f',
+            'javax.inject:javax.inject:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff',
+            'org.whispersystems:libpastelog:9798b3c93a91082c2c68542ce5b5c182e18556aebdcb7c8cebbd89eb48ac4047',
+            'com.google.protobuf:protobuf-java:e0c1c64575c005601725e7c6a02cebf9e1285e888f756b2a1d73ffa8d725cc74',
+            'com.googlecode.libphonenumber:libphonenumber:eba17eae81dd622ea89a00a3a8c025b2f25d342e0d9644c5b62e16f15687c3ab',
+            'org.whispersystems:gson:08f4f7498455d1539c9233e5aac18e9b1805815ef29221572996508eb512fe51',
+            'org.whispersystems:jobmanager:adb4329b69035053a7b6a48e22a3280235ac405b225ed8679b994612a8e6f5b6',
+            'com.android.support:support-annotations:1aa96ef0cc4a445bfc2f93ccf762305bc57fa107b12afe9d11f3863ae8a11036',
     ]
 }
 
 android {
-    compileSdkVersion 19
-    buildToolsVersion '19.1.0'
+    compileSdkVersion 21
+    buildToolsVersion '21.1.1'
 
     defaultConfig {
         minSdkVersion 9
         targetSdkVersion 19
     }
 
+    compileOptions {
+        sourceCompatibility JavaVersion.VERSION_1_7
+        targetCompatibility JavaVersion.VERSION_1_7
+    }
+
     android {
+        buildTypes {
+            debug {
+                minifyEnabled false
+            }
+            release {
+                minifyEnabled false
+            }
+        }
+
         sourceSets {
             main {
                 manifest.srcFile 'AndroidManifest.xml'
@@ -66,10 +115,10 @@ android {
                 assets.srcDirs = ['assets']
             }
             androidTest {
-                java.srcDirs = ['androidTest']
-                resources.srcDirs = ['androidTest']
-                aidl.srcDirs = ['androidTest']
-                renderscript.srcDirs = ['androidTest']
+                java.srcDirs = ['androidTest/java']
+                resources.srcDirs = ['androidTest/java']
+                aidl.srcDirs = ['androidTest/java']
+                renderscript.srcDirs = ['androidTest/java']
             }
         }
     }
@@ -88,6 +137,12 @@ android {
     }
 }
 
+tasks.whenTaskAdded { task ->
+    if (task.name.equals("lint")) {
+        task.enabled = false
+    }
+}
+
 def Properties props = new Properties()
 def propFile = new File('signing.properties')
 

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
-#Mon Jun 09 23:26:49 PDT 2014
+#Fri Nov 28 10:03:17 PST 2014
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=http\://services.gradle.org/distributions/gradle-1.12-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-2.2.1-all.zip

libaxolotl/.gitignore

@@ -0,0 +1,2 @@
+/build
+/obj

libaxolotl/README.md

@@ -0,0 +1,85 @@
+
+# Overview
+
+This is a ratcheting forward secrecy protocol that works in synchronous and asynchronous messaging 
+environments.  The protocol overview is available [here](https://github.com/trevp/axolotl/wiki),
+and the details of the wire format are available [here](https://github.com/WhisperSystems/TextSecure/wiki/ProtocolV2).
+
+## PreKeys
+
+This protocol uses a concept called 'PreKeys'.  A PreKey is an ECPublicKey and an associated unique 
+ID which are stored together by a server.  PreKeys can also be signed.
+
+At install time, clients generate a single signed PreKey, as well as a large list of unsigned
+PreKeys, and transmit all of them to the server.
+
+## Sessions
+
+The axolotl protocol is session-oriented.  Clients establish a "session," which is then used for
+all subsequent encrypt/decrypt operations.  There is no need to ever tear down a session once one
+has been established.
+
+Sessions are established in one of three ways:
+
+1. PreKeyBundles. A client that wishes to send a message to a recipient can establish a session by
+   retrieving a PreKeyBundle for that recipient from the server.
+1. PreKeyWhisperMessages.  A client can receive a PreKeyWhisperMessage from a recipient and use it
+   to establish a session.
+1. KeyExchangeMessages.  Two clients can exchange KeyExchange messages to establish a session.
+
+## State
+
+An established session encapsulates a lot of state between two clients.  That state is maintained
+in durable records which need to be kept for the life of the session.
+
+State is kept in the following places:
+
+1. Identity State.  Clients will need to maintain the state of their own identity key pair, as well
+   as identity keys received from other clients.
+1. PreKey State. Clients will need to maintain the state of their generated PreKeys.
+1. Signed PreKey States. Clients will need to maintain the state of their signed PreKeys.
+1. Session State.  Clients will need to maintain the state of the sessions they have established.
+
+# Using libaxolotl
+
+## Install time
+
+At install time, a libaxolotl client needs to generate its identity keys, registration id, and
+prekeys.
+
+    IdentityKeyPair    identityKeyPair = KeyHelper.generateIdentityKeyPair();
+    int                registrationId  = KeyHelper.generateRegistrationId();
+    List<PreKeyRecord> preKeys         = KeyHelper.generatePreKeys(startId, 100);
+    PreKeyRecord       lastResortKey   = KeyHelper.generateLastResortKey();
+    SignedPreKeyRecord signedPreKey    = KeyHelper.generateSignedPreKey(identityKeyPair, 5);
+
+    // Store identityKeyPair somewhere durable and safe.
+    // Store registrationId somewhere durable and safe.
+
+    // Store preKeys in PreKeyStore.
+    // Store signed prekey in SignedPreKeyStore.
+
+## Building a session
+
+A libaxolotl client needs to implement four interfaces: IdentityKeyStore, PreKeyStore, 
+SignedPreKeyStore, and SessionStore.  These will manage loading and storing of identity, 
+prekeys, signed prekeys, and session state.
+
+Once those are implemented, building a session is fairly straightforward:
+
+    SessionStore      sessionStore      = new MySessionStore();
+    PreKeyStore       preKeyStore       = new MyPreKeyStore();
+    SignedPreKeyStore signedPreKeyStore = new MySignedPreKeyStore();
+    IdentityKeyStore  identityStore     = new MyIdentityKeyStore();
+
+    // Instantiate a SessionBuilder for a remote recipientId + deviceId tuple.
+    SessionBuilder sessionBuilder = new SessionBuilder(sessionStore, preKeyStore, signedPreKeyStore,
+                                                       identityStore, recipientId, deviceId);
+
+    // Build a session with a PreKey retrieved from the server.
+    sessionBuilder.process(retrievedPreKey);
+
+    SessionCipher     sessionCipher = new SessionCipher(sessionStore, recipientId, deviceId);
+    CiphertextMessage message      = sessionCipher.encrypt("Hello world!".getBytes("UTF-8"));
+
+    deliver(message.serialize());

libaxolotl/build.gradle

@@ -0,0 +1,44 @@
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+
+    dependencies {
+        classpath 'com.android.tools.build:gradle:0.14.2'
+    }
+}
+
+apply plugin: 'com.android.library'
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    compile 'com.google.protobuf:protobuf-java:2.5.0'
+}
+
+android {
+    compileSdkVersion 21
+    buildToolsVersion '21.1.1'
+
+    compileOptions {
+        sourceCompatibility JavaVersion.VERSION_1_7
+        targetCompatibility JavaVersion.VERSION_1_7
+    }
+
+    android {
+        sourceSets {
+            main {
+                jniLibs.srcDirs = ['libs']
+            }
+        }
+    }
+
+}
+
+tasks.whenTaskAdded { task ->
+    if (task.name.equals("lint")) {
+        task.enabled = false
+    }
+}

libaxolotl/jni/Android.mk

@@ -0,0 +1,27 @@
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := libcurve25519-donna
+LOCAL_SRC_FILES := curve25519-donna.c
+
+include $(BUILD_STATIC_LIBRARY)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE     := libcurve25519-ref10
+LOCAL_SRC_FILES  := $(wildcard ed25519/*.c) $(wildcard ed25519/additions/*.c) $(wildcard ed25519/nacl_sha512/*.c)
+LOCAL_C_INCLUDES := ed25519/nacl_includes ed25519/additions ed25519/sha512 ed25519
+
+include $(BUILD_STATIC_LIBRARY)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE     := libcurve25519
+LOCAL_SRC_FILES  := curve25519-jni.c
+LOCAL_C_INCLUDES := ed25519/additions
+
+LOCAL_STATIC_LIBRARIES := libcurve25519-donna libcurve25519-ref10
+
+include $(BUILD_SHARED_LIBRARY)
+

libaxolotl/jni/Application.mk

@@ -0,0 +1 @@
+APP_ABI := armeabi armeabi-v7a x86 mips

libaxolotl/jni/curve25519-donna.c

@@ -43,8 +43,7 @@
  *
  * This is, almost, a clean room reimplementation from the curve25519 paper. It
  * uses many of the tricks described therein. Only the crecip function is taken
- * from the sample implementation.
- */
+ * from the sample implementation. */
 
 #include <string.h>
 #include <stdint.h>
@@ -63,25 +62,23 @@ typedef int64_t limb;
  * significant first. The value of the field element is:
  *   x[0] + 2^26·x[1] + x^51·x[2] + 2^102·x[3] + ...
  *
- * i.e. the limbs are 26, 25, 26, 25, ... bits wide.
- */
+ * i.e. the limbs are 26, 25, 26, 25, ... bits wide. */
 
 /* Sum two numbers: output += in */
 static void fsum(limb *output, const limb *in) {
   unsigned i;
   for (i = 0; i < 10; i += 2) {
-    output[0+i] = (output[0+i] + in[0+i]);
-    output[1+i] = (output[1+i] + in[1+i]);
+    output[0+i] = output[0+i] + in[0+i];
+    output[1+i] = output[1+i] + in[1+i];
   }
 }
 
 /* Find the difference of two numbers: output = in - output
- * (note the order of the arguments!)
- */
+ * (note the order of the arguments!). */
 static void fdifference(limb *output, const limb *in) {
   unsigned i;
   for (i = 0; i < 10; ++i) {
-    output[i] = (in[i] - output[i]);
+    output[i] = in[i] - output[i];
   }
 }
 
@@ -97,7 +94,8 @@ static void fscalar_product(limb *output, const limb *in, const limb scalar) {
  *
  * output must be distinct to both inputs. The inputs are reduced coefficient
  * form, the output is not.
- */
+ *
+ * output[x] <= 14 * the largest product of the input limbs. */
 static void fproduct(limb *output, const limb *in2, const limb *in) {
   output[0] =       ((limb) ((s32) in2[0])) * ((s32) in[0]);
   output[1] =       ((limb) ((s32) in2[0])) * ((s32) in[1]) +
@@ -201,9 +199,15 @@ static void fproduct(limb *output, const limb *in2, const limb *in) {
   output[18] = 2 *  ((limb) ((s32) in2[9])) * ((s32) in[9]);
 }
 
-/* Reduce a long form to a short form by taking the input mod 2^255 - 19. */
+/* Reduce a long form to a short form by taking the input mod 2^255 - 19.
+ *
+ * On entry: |output[i]| < 14*2^54
+ * On exit: |output[0..8]| < 280*2^54 */
 static void freduce_degree(limb *output) {
-  /* Each of these shifts and adds ends up multiplying the value by 19. */
+  /* Each of these shifts and adds ends up multiplying the value by 19.
+   *
+   * For output[0..8], the absolute entry value is < 14*2^54 and we add, at
+   * most, 19*14*2^54 thus, on exit, |output[0..8]| < 280*2^54. */
   output[8] += output[18] << 4;
   output[8] += output[18] << 1;
   output[8] += output[18];
@@ -237,11 +241,13 @@ static void freduce_degree(limb *output) {
 #error "This code only works on a two's complement system"
 #endif
 
-/* return v / 2^26, using only shifts and adds. */
+/* return v / 2^26, using only shifts and adds.
+ *
+ * On entry: v can take any value. */
 static inline limb
 div_by_2_26(const limb v)
 {
-  /* High word of v; no shift needed*/
+  /* High word of v; no shift needed. */
   const uint32_t highword = (uint32_t) (((uint64_t) v) >> 32);
   /* Set to all 1s if v was negative; else set to 0s. */
   const int32_t sign = ((int32_t) highword) >> 31;
@@ -251,7 +257,9 @@ div_by_2_26(const limb v)
   return (v + roundoff) >> 26;
 }
 
-/* return v / (2^25), using only shifts and adds. */
+/* return v / (2^25), using only shifts and adds.
+ *
+ * On entry: v can take any value. */
 static inline limb
 div_by_2_25(const limb v)
 {
@@ -265,6 +273,9 @@ div_by_2_25(const limb v)
   return (v + roundoff) >> 25;
 }
 
+/* return v / (2^25), using only shifts and adds.
+ *
+ * On entry: v can take any value. */
 static inline s32
 div_s32_by_2_25(const s32 v)
 {
@@ -274,8 +285,7 @@ div_s32_by_2_25(const s32 v)
 
 /* Reduce all coefficients of the short form input so that |x| < 2^26.
  *
- * On entry: |output[i]| < 2^62
- */
+ * On entry: |output[i]| < 280*2^54 */
 static void freduce_coefficients(limb *output) {
   unsigned i;
 
@@ -283,56 +293,65 @@ static void freduce_coefficients(limb *output) {
 
   for (i = 0; i < 10; i += 2) {
     limb over = div_by_2_26(output[i]);
+    /* The entry condition (that |output[i]| < 280*2^54) means that over is, at
+     * most, 280*2^28 in the first iteration of this loop. This is added to the
+     * next limb and we can approximate the resulting bound of that limb by
+     * 281*2^54. */
     output[i] -= over << 26;
     output[i+1] += over;
 
+    /* For the first iteration, |output[i+1]| < 281*2^54, thus |over| <
+     * 281*2^29. When this is added to the next limb, the resulting bound can
+     * be approximated as 281*2^54.
+     *
+     * For subsequent iterations of the loop, 281*2^54 remains a conservative
+     * bound and no overflow occurs. */
     over = div_by_2_25(output[i+1]);
     output[i+1] -= over << 25;
     output[i+2] += over;
   }
-  /* Now |output[10]| < 2 ^ 38 and all other coefficients are reduced. */
+  /* Now |output[10]| < 281*2^29 and all other coefficients are reduced. */
   output[0] += output[10] << 4;
   output[0] += output[10] << 1;
   output[0] += output[10];
 
   output[10] = 0;
 
-  /* Now output[1..9] are reduced, and |output[0]| < 2^26 + 19 * 2^38
-   * So |over| will be no more than 77825  */
+  /* Now output[1..9] are reduced, and |output[0]| < 2^26 + 19*281*2^29
+   * So |over| will be no more than 2^16. */
   {
     limb over = div_by_2_26(output[0]);
     output[0] -= over << 26;
     output[1] += over;
   }
 
-  /* Now output[0,2..9] are reduced, and |output[1]| < 2^25 + 77825
-   * So |over| will be no more than 1. */
-  {
-    /* output[1] fits in 32 bits, so we can use div_s32_by_2_25 here. */
-    s32 over32 = div_s32_by_2_25((s32) output[1]);
-    output[1] -= over32 << 25;
-    output[2] += over32;
-  }
-
-  /* Finally, output[0,1,3..9] are reduced, and output[2] is "nearly reduced":
-   * we have |output[2]| <= 2^26.  This is good enough for all of our math,
-   * but it will require an extra freduce_coefficients before fcontract. */
+  /* Now output[0,2..9] are reduced, and |output[1]| < 2^25 + 2^16 < 2^26. The
+   * bound on |output[1]| is sufficient to meet our needs. */
 }
 
 /* A helpful wrapper around fproduct: output = in * in2.
  *
- * output must be distinct to both inputs. The output is reduced degree and
- * reduced coefficient.
- */
+ * On entry: |in[i]| < 2^27 and |in2[i]| < 2^27.
+ *
+ * output must be distinct to both inputs. The output is reduced degree
+ * (indeed, one need only provide storage for 10 limbs) and |output[i]| < 2^26. */
 static void
 fmul(limb *output, const limb *in, const limb *in2) {
   limb t[19];
   fproduct(t, in, in2);
+  /* |t[i]| < 14*2^54 */
   freduce_degree(t);
   freduce_coefficients(t);
+  /* |t[i]| < 2^26 */
   memcpy(output, t, sizeof(limb) * 10);
 }
 
+/* Square a number: output = in**2
+ *
+ * output must be distinct from the input. The inputs are reduced coefficient
+ * form, the output is not.
+ *
+ * output[x] <= 14 * the largest product of the input limbs. */
 static void fsquare_inner(limb *output, const limb *in) {
   output[0] =       ((limb) ((s32) in[0])) * ((s32) in[0]);
   output[1] =  2 *  ((limb) ((s32) in[0])) * ((s32) in[1]);
@@ -391,12 +410,23 @@ static void fsquare_inner(limb *output, const limb *in) {
   output[18] = 2 *  ((limb) ((s32) in[9])) * ((s32) in[9]);
 }
 
+/* fsquare sets output = in^2.
+ *
+ * On entry: The |in| argument is in reduced coefficients form and |in[i]| <
+ * 2^27.
+ *
+ * On exit: The |output| argument is in reduced coefficients form (indeed, one
+ * need only provide storage for 10 limbs) and |out[i]| < 2^26. */
 static void
 fsquare(limb *output, const limb *in) {
   limb t[19];
   fsquare_inner(t, in);
+  /* |t[i]| < 14*2^54 because the largest product of two limbs will be <
+   * 2^(27+27) and fsquare_inner adds together, at most, 14 of those
+   * products. */
   freduce_degree(t);
   freduce_coefficients(t);
+  /* |t[i]| < 2^26 */
   memcpy(output, t, sizeof(limb) * 10);
 }
 
@@ -417,7 +447,7 @@ fexpand(limb *output, const u8 *input) {
   F(6, 19, 1, 0x3ffffff);
   F(7, 22, 3, 0x1ffffff);
   F(8, 25, 4, 0x3ffffff);
-  F(9, 28, 6, 0x3ffffff);
+  F(9, 28, 6, 0x1ffffff);
 #undef F
 }
 
@@ -425,60 +455,143 @@ fexpand(limb *output, const u8 *input) {
 #error "This code only works when >> does sign-extension on negative numbers"
 #endif
 
+/* s32_eq returns 0xffffffff iff a == b and zero otherwise. */
+static s32 s32_eq(s32 a, s32 b) {
+  a = ~(a ^ b);
+  a &= a << 16;
+  a &= a << 8;
+  a &= a << 4;
+  a &= a << 2;
+  a &= a << 1;
+  return a >> 31;
+}
+
+/* s32_gte returns 0xffffffff if a >= b and zero otherwise, where a and b are
+ * both non-negative. */
+static s32 s32_gte(s32 a, s32 b) {
+  a -= b;
+  /* a >= 0 iff a >= b. */
+  return ~(a >> 31);
+}
+
 /* Take a fully reduced polynomial form number and contract it into a
- * little-endian, 32-byte array
- */
+ * little-endian, 32-byte array.
+ *
+ * On entry: |input_limbs[i]| < 2^26 */
 static void
-fcontract(u8 *output, limb *input) {
+fcontract(u8 *output, limb *input_limbs) {
   int i;
   int j;
+  s32 input[10];
+  s32 mask;
+
+  /* |input_limbs[i]| < 2^26, so it's valid to convert to an s32. */
+  for (i = 0; i < 10; i++) {
+    input[i] = input_limbs[i];
+  }
 
   for (j = 0; j < 2; ++j) {
     for (i = 0; i < 9; ++i) {
       if ((i & 1) == 1) {
-        /* This calculation is a time-invariant way to make input[i] positive
-           by borrowing from the next-larger limb.
-        */
-        const s32 mask = (s32)(input[i]) >> 31;
-        const s32 carry = -(((s32)(input[i]) & mask) >> 25);
-        input[i] = (s32)(input[i]) + (carry << 25);
-        input[i+1] = (s32)(input[i+1]) - carry;
+        /* This calculation is a time-invariant way to make input[i]
+         * non-negative by borrowing from the next-larger limb. */
+        const s32 mask = input[i] >> 31;
+        const s32 carry = -((input[i] & mask) >> 25);
+        input[i] = input[i] + (carry << 25);
+        input[i+1] = input[i+1] - carry;
       } else {
-        const s32 mask = (s32)(input[i]) >> 31;
-        const s32 carry = -(((s32)(input[i]) & mask) >> 26);
-        input[i] = (s32)(input[i]) + (carry << 26);
-        input[i+1] = (s32)(input[i+1]) - carry;
+        const s32 mask = input[i] >> 31;
+        const s32 carry = -((input[i] & mask) >> 26);
+        input[i] = input[i] + (carry << 26);
+        input[i+1] = input[i+1] - carry;
       }
     }
+
+    /* There's no greater limb for input[9] to borrow from, but we can multiply
+     * by 19 and borrow from input[0], which is valid mod 2^255-19. */
     {
-      const s32 mask = (s32)(input[9]) >> 31;
-      const s32 carry = -(((s32)(input[9]) & mask) >> 25);
-      input[9] = (s32)(input[9]) + (carry << 25);
-      input[0] = (s32)(input[0]) - (carry * 19);
+      const s32 mask = input[9] >> 31;
+      const s32 carry = -((input[9] & mask) >> 25);
+      input[9] = input[9] + (carry << 25);
+      input[0] = input[0] - (carry * 19);
     }
+
+    /* After the first iteration, input[1..9] are non-negative and fit within
+     * 25 or 26 bits, depending on position. However, input[0] may be
+     * negative. */
   }
 
   /* The first borrow-propagation pass above ended with every limb
      except (possibly) input[0] non-negative.
 
-     Since each input limb except input[0] is decreased by at most 1
-     by a borrow-propagation pass, the second borrow-propagation pass
-     could only have wrapped around to decrease input[0] again if the
-     first pass left input[0] negative *and* input[1] through input[9]
-     were all zero.  In that case, input[1] is now 2^25 - 1, and this
-     last borrow-propagation step will leave input[1] non-negative.
-  */
+     If input[0] was negative after the first pass, then it was because of a
+     carry from input[9]. On entry, input[9] < 2^26 so the carry was, at most,
+     one, since (2**26-1) >> 25 = 1. Thus input[0] >= -19.
+
+     In the second pass, each limb is decreased by at most one. Thus the second
+     borrow-propagation pass could only have wrapped around to decrease
+     input[0] again if the first pass left input[0] negative *and* input[1]
+     through input[9] were all zero.  In that case, input[1] is now 2^25 - 1,
+     and this last borrow-propagation step will leave input[1] non-negative. */
   {
-    const s32 mask = (s32)(input[0]) >> 31;
-    const s32 carry = -(((s32)(input[0]) & mask) >> 26);
-    input[0] = (s32)(input[0]) + (carry << 26);
-    input[1] = (s32)(input[1]) - carry;
+    const s32 mask = input[0] >> 31;
+    const s32 carry = -((input[0] & mask) >> 26);
+    input[0] = input[0] + (carry << 26);
+    input[1] = input[1] - carry;
   }
 
-  /* Both passes through the above loop, plus the last 0-to-1 step, are
-     necessary: if input[9] is -1 and input[0] through input[8] are 0,
-     negative values will remain in the array until the end.
-   */
+  /* All input[i] are now non-negative. However, there might be values between
+   * 2^25 and 2^26 in a limb which is, nominally, 25 bits wide. */
+  for (j = 0; j < 2; j++) {
+    for (i = 0; i < 9; i++) {
+      if ((i & 1) == 1) {
+        const s32 carry = input[i] >> 25;
+        input[i] &= 0x1ffffff;
+        input[i+1] += carry;
+      } else {
+        const s32 carry = input[i] >> 26;
+        input[i] &= 0x3ffffff;
+        input[i+1] += carry;
+      }
+    }
+
+    {
+      const s32 carry = input[9] >> 25;
+      input[9] &= 0x1ffffff;
+      input[0] += 19*carry;
+    }
+  }
+
+  /* If the first carry-chain pass, just above, ended up with a carry from
+   * input[9], and that caused input[0] to be out-of-bounds, then input[0] was
+   * < 2^26 + 2*19, because the carry was, at most, two.
+   *
+   * If the second pass carried from input[9] again then input[0] is < 2*19 and
+   * the input[9] -> input[0] carry didn't push input[0] out of bounds. */
+
+  /* It still remains the case that input might be between 2^255-19 and 2^255.
+   * In this case, input[1..9] must take their maximum value and input[0] must
+   * be >= (2^255-19) & 0x3ffffff, which is 0x3ffffed. */
+  mask = s32_gte(input[0], 0x3ffffed);
+  for (i = 1; i < 10; i++) {
+    if ((i & 1) == 1) {
+      mask &= s32_eq(input[i], 0x1ffffff);
+    } else {
+      mask &= s32_eq(input[i], 0x3ffffff);
+    }
+  }
+
+  /* mask is either 0xffffffff (if input >= 2^255-19) and zero otherwise. Thus
+   * this conditionally subtracts 2^255-19. */
+  input[0] -= mask & 0x3ffffed;
+
+  for (i = 1; i < 10; i++) {
+    if ((i & 1) == 1) {
+      input[i] -= mask & 0x1ffffff;
+    } else {
+      input[i] -= mask & 0x3ffffff;
+    }
+  }
 
   input[1] <<= 2;
   input[2] <<= 3;
@@ -516,7 +629,9 @@ fcontract(u8 *output, limb *input) {
  *   x z: short form, destroyed
  *   xprime zprime: short form, destroyed
  *   qmqp: short form, preserved
- */
+ *
+ * On entry and exit, the absolute value of the limbs of all inputs and outputs
+ * are < 2^26. */
 static void fmonty(limb *x2, limb *z2,  /* output 2Q */
                    limb *x3, limb *z3,  /* output Q + Q' */
                    limb *x, limb *z,    /* input Q */
@@ -527,43 +642,69 @@ static void fmonty(limb *x2, limb *z2,  /* output 2Q */
 
   memcpy(origx, x, 10 * sizeof(limb));
   fsum(x, z);
-  fdifference(z, origx);  // does x - z
+  /* |x[i]| < 2^27 */
+  fdifference(z, origx);  /* does x - z */
+  /* |z[i]| < 2^27 */
 
   memcpy(origxprime, xprime, sizeof(limb) * 10);
   fsum(xprime, zprime);
+  /* |xprime[i]| < 2^27 */
   fdifference(zprime, origxprime);
+  /* |zprime[i]| < 2^27 */
   fproduct(xxprime, xprime, z);
+  /* |xxprime[i]| < 14*2^54: the largest product of two limbs will be <
+   * 2^(27+27) and fproduct adds together, at most, 14 of those products.
+   * (Approximating that to 2^58 doesn't work out.) */
   fproduct(zzprime, x, zprime);
+  /* |zzprime[i]| < 14*2^54 */
   freduce_degree(xxprime);
   freduce_coefficients(xxprime);
+  /* |xxprime[i]| < 2^26 */
   freduce_degree(zzprime);
   freduce_coefficients(zzprime);
+  /* |zzprime[i]| < 2^26 */
   memcpy(origxprime, xxprime, sizeof(limb) * 10);
   fsum(xxprime, zzprime);
+  /* |xxprime[i]| < 2^27 */
   fdifference(zzprime, origxprime);
+  /* |zzprime[i]| < 2^27 */
   fsquare(xxxprime, xxprime);
+  /* |xxxprime[i]| < 2^26 */
   fsquare(zzzprime, zzprime);
+  /* |zzzprime[i]| < 2^26 */
   fproduct(zzprime, zzzprime, qmqp);
+  /* |zzprime[i]| < 14*2^52 */
   freduce_degree(zzprime);
   freduce_coefficients(zzprime);
+  /* |zzprime[i]| < 2^26 */
   memcpy(x3, xxxprime, sizeof(limb) * 10);
   memcpy(z3, zzprime, sizeof(limb) * 10);
 
   fsquare(xx, x);
+  /* |xx[i]| < 2^26 */
   fsquare(zz, z);
+  /* |zz[i]| < 2^26 */
   fproduct(x2, xx, zz);
+  /* |x2[i]| < 14*2^52 */
   freduce_degree(x2);
   freduce_coefficients(x2);
+  /* |x2[i]| < 2^26 */
   fdifference(zz, xx);  // does zz = xx - zz
+  /* |zz[i]| < 2^27 */
   memset(zzz + 10, 0, sizeof(limb) * 9);
   fscalar_product(zzz, zz, 121665);
+  /* |zzz[i]| < 2^(27+17) */
   /* No need to call freduce_degree here:
      fscalar_product doesn't increase the degree of its input. */
   freduce_coefficients(zzz);
+  /* |zzz[i]| < 2^26 */
   fsum(zzz, xx);
+  /* |zzz[i]| < 2^27 */
   fproduct(z2, zz, zzz);
+  /* |z2[i]| < 14*2^(26+27) */
   freduce_degree(z2);
   freduce_coefficients(z2);
+  /* |z2|i| < 2^26 */
 }
 
 /* Conditionally swap two reduced-form limb arrays if 'iswap' is 1, but leave
@@ -574,8 +715,7 @@ static void fmonty(limb *x2, limb *z2,  /* output 2Q */
  * wrong results.  Also, the two limb arrays must be in reduced-coefficient,
  * reduced-degree form: the values in a[10..19] or b[10..19] aren't swapped,
  * and all all values in a[0..9],b[0..9] must have magnitude less than
- * INT32_MAX.
- */
+ * INT32_MAX. */
 static void
 swap_conditional(limb a[19], limb b[19], limb iswap) {
   unsigned i;
@@ -592,8 +732,7 @@ swap_conditional(limb a[19], limb b[19], limb iswap) {
  *
  *   resultx/resultz: the x coordinate of the resulting curve point (short form)
  *   n: a little endian, 32-byte number
- *   q: a point of the curve (short form)
- */
+ *   q: a point of the curve (short form) */
 static void
 cmult(limb *resultx, limb *resultz, const u8 *n, const limb *q) {
   limb a[19] = {0}, b[19] = {1}, c[19] = {1}, d[19] = {0};
@@ -711,8 +850,6 @@ crecip(limb *out, const limb *z) {
   /* 2^255 - 21 */ fmul(out,t1,z11);
 }
 
-int curve25519_donna(u8 *, const u8 *, const u8 *);
-
 int
 curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
   limb bp[10], x[10], z[11], zmone[10];
@@ -720,12 +857,14 @@ curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
   int i;
 
   for (i = 0; i < 32; ++i) e[i] = secret[i];
+//  e[0] &= 248;
+//  e[31] &= 127;
+//  e[31] |= 64;
 
   fexpand(bp, basepoint);
   cmult(x, z, e, bp);
   crecip(zmone, z);
   fmul(z, x, zmone);
-  freduce_coefficients(z);
   fcontract(mypublic, z);
   return 0;
 }

libaxolotl/jni/curve25519-jni.c

@@ -0,0 +1,109 @@
+/**
+ * Copyright (C) 2013-2014 Open Whisper Systems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <string.h>
+#include <stdint.h>
+
+#include <jni.h>
+#include "curve25519-donna.h"
+#include "curve_sigs.h"
+
+JNIEXPORT jbyteArray JNICALL Java_org_whispersystems_libaxolotl_ecc_Curve25519_generatePrivateKey
+  (JNIEnv *env, jclass clazz, jbyteArray random)
+{
+  uint8_t* privateKey = (uint8_t*)(*env)->GetByteArrayElements(env, random, 0);
+
+  privateKey[0] &= 248;
+  privateKey[31] &= 127;
+  privateKey[31] |= 64;
+
+  (*env)->ReleaseByteArrayElements(env, random, privateKey, 0);
+
+  return random;
+}
+
+JNIEXPORT jbyteArray JNICALL Java_org_whispersystems_libaxolotl_ecc_Curve25519_generatePublicKey
+  (JNIEnv *env, jclass clazz, jbyteArray privateKey)
+{
+    static const uint8_t  basepoint[32] = {9};
+
+    jbyteArray publicKey       = (*env)->NewByteArray(env, 32);
+    uint8_t*   publicKeyBytes  = (uint8_t*)(*env)->GetByteArrayElements(env, publicKey, 0);
+    uint8_t*   privateKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, privateKey, 0);
+
+    curve25519_donna(publicKeyBytes, privateKeyBytes, basepoint);
+
+    (*env)->ReleaseByteArrayElements(env, publicKey, publicKeyBytes, 0);
+    (*env)->ReleaseByteArrayElements(env, privateKey, privateKeyBytes, 0);
+
+    return publicKey;
+}
+
+JNIEXPORT jbyteArray JNICALL Java_org_whispersystems_libaxolotl_ecc_Curve25519_calculateAgreement
+  (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey)
+{
+    jbyteArray sharedKey       = (*env)->NewByteArray(env, 32);
+    uint8_t*   sharedKeyBytes  = (uint8_t*)(*env)->GetByteArrayElements(env, sharedKey, 0);
+    uint8_t*   privateKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, privateKey, 0);
+    uint8_t*   publicKeyBytes  = (uint8_t*)(*env)->GetByteArrayElements(env, publicKey, 0);
+
+    curve25519_donna(sharedKeyBytes, privateKeyBytes, publicKeyBytes);
+
+    (*env)->ReleaseByteArrayElements(env, sharedKey, sharedKeyBytes, 0);
+    (*env)->ReleaseByteArrayElements(env, publicKey, publicKeyBytes, 0);
+    (*env)->ReleaseByteArrayElements(env, privateKey, privateKeyBytes, 0);
+
+    return sharedKey;
+}
+
+JNIEXPORT jbyteArray JNICALL Java_org_whispersystems_libaxolotl_ecc_Curve25519_calculateSignature
+  (JNIEnv *env, jclass clazz, jbyteArray random, jbyteArray privateKey, jbyteArray message)
+{
+    jbyteArray signature       = (*env)->NewByteArray(env, 64);
+    uint8_t*   signatureBytes  = (uint8_t*)(*env)->GetByteArrayElements(env, signature, 0);
+    uint8_t*   randomBytes     = (uint8_t*)(*env)->GetByteArrayElements(env, random, 0);
+    uint8_t*   privateKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, privateKey, 0);
+    uint8_t*   messageBytes    = (uint8_t*)(*env)->GetByteArrayElements(env, message, 0);
+    jsize      messageLength   = (*env)->GetArrayLength(env, message);
+
+    int result = curve25519_sign(signatureBytes, privateKeyBytes, messageBytes, messageLength, randomBytes);
+
+    (*env)->ReleaseByteArrayElements(env, signature, signatureBytes, 0);
+    (*env)->ReleaseByteArrayElements(env, random, randomBytes, 0);
+    (*env)->ReleaseByteArrayElements(env, privateKey, privateKeyBytes, 0);
+    (*env)->ReleaseByteArrayElements(env, message, messageBytes, 0);
+
+    if (result == 0) return signature;
+    else             (*env)->ThrowNew(env, (*env)->FindClass(env, "java/lang/AssertionError"), "Signature failed!");
+}
+
+JNIEXPORT jboolean JNICALL Java_org_whispersystems_libaxolotl_ecc_Curve25519_verifySignature
+  (JNIEnv *env, jclass clazz, jbyteArray publicKey, jbyteArray message, jbyteArray signature)
+{
+    uint8_t*   signatureBytes = (uint8_t*)(*env)->GetByteArrayElements(env, signature, 0);
+    uint8_t*   publicKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, publicKey, 0);
+    uint8_t*   messageBytes   = (uint8_t*)(*env)->GetByteArrayElements(env, message, 0);
+    jsize      messageLength  = (*env)->GetArrayLength(env, message);
+
+    jboolean result = (curve25519_verify(signatureBytes, publicKeyBytes, messageBytes, messageLength) == 0);
+
+    (*env)->ReleaseByteArrayElements(env, signature, signatureBytes, 0);
+    (*env)->ReleaseByteArrayElements(env, publicKey, publicKeyBytes, 0);
+    (*env)->ReleaseByteArrayElements(env, message, messageBytes, 0);
+
+    return result;
+}

libaxolotl/jni/ed25519/additions/compare.c

@@ -0,0 +1,44 @@
+#include <string.h>
+#include "compare.h"
+
+/* Const-time comparison from SUPERCOP, but here it's only used for 
+   signature verification, so doesn't need to be const-time.  But
+   copied the nacl version anyways. */
+int crypto_verify_32_ref(const unsigned char *x, const unsigned char *y)
+{
+  unsigned int differentbits = 0;
+#define F(i) differentbits |= x[i] ^ y[i];
+  F(0)
+  F(1)
+  F(2)
+  F(3)
+  F(4)
+  F(5)
+  F(6)
+  F(7)
+  F(8)
+  F(9)
+  F(10)
+  F(11)
+  F(12)
+  F(13)
+  F(14)
+  F(15)
+  F(16)
+  F(17)
+  F(18)
+  F(19)
+  F(20)
+  F(21)
+  F(22)
+  F(23)
+  F(24)
+  F(25)
+  F(26)
+  F(27)
+  F(28)
+  F(29)
+  F(30)
+  F(31)
+  return (1 & ((differentbits - 1) >> 8)) - 1;
+}

libaxolotl/jni/ed25519/additions/compare.h

@@ -0,0 +1,6 @@
+#ifndef __COMPARE_H__
+#define __COMPARE_H__
+
+int crypto_verify_32_ref(const unsigned char *b1, const unsigned char *b2);
+
+#endif

libaxolotl/jni/ed25519/additions/crypto_hash_sha512.h

@@ -0,0 +1,6 @@
+#ifndef crypto_hash_sha512_H
+#define crypto_hash_sha512_H
+
+extern int crypto_hash_sha512(unsigned char *,const unsigned char *,unsigned long long);
+
+#endif

libaxolotl/jni/ed25519/additions/curve_sigs.c

@@ -0,0 +1,116 @@
+#include <string.h>
+#include "ge.h"
+#include "curve_sigs.h"
+#include "crypto_sign.h"
+
+void curve25519_keygen(unsigned char* curve25519_pubkey_out,
+                       const unsigned char* curve25519_privkey_in)
+{
+  ge_p3 ed; /* Ed25519 pubkey point */
+  fe ed_y, ed_y_plus_one, one_minus_ed_y, inv_one_minus_ed_y;
+  fe mont_x;
+
+  /* Perform a fixed-base multiplication of the Edwards base point,
+     (which is efficient due to precalculated tables), then convert
+     to the Curve25519 montgomery-format public key.  In particular,
+     convert Curve25519's "montgomery" x-coordinate into an Ed25519
+     "edwards" y-coordinate:
+
+     mont_x = (ed_y + 1) / (1 - ed_y)
+     
+     with projective coordinates:
+
+     mont_x = (ed_y + ed_z) / (ed_z - ed_y)
+
+     NOTE: ed_y=1 is converted to mont_x=0 since fe_invert is mod-exp
+  */
+
+  ge_scalarmult_base(&ed, curve25519_privkey_in);
+  fe_add(ed_y_plus_one, ed.Y, ed.Z);
+  fe_sub(one_minus_ed_y, ed.Z, ed.Y);  
+  fe_invert(inv_one_minus_ed_y, one_minus_ed_y);
+  fe_mul(mont_x, ed_y_plus_one, inv_one_minus_ed_y);
+  fe_tobytes(curve25519_pubkey_out, mont_x);
+}
+
+int curve25519_sign(unsigned char* signature_out,
+                    const unsigned char* curve25519_privkey,
+                    const unsigned char* msg, const unsigned long msg_len,
+                    const unsigned char* random)
+{
+  ge_p3 ed_pubkey_point; /* Ed25519 pubkey point */
+  unsigned char ed_pubkey[32]; /* Ed25519 encoded pubkey */
+  unsigned char sigbuf[MAX_MSG_LEN + 128]; /* working buffer */
+  unsigned char sign_bit = 0;
+
+  if (msg_len > MAX_MSG_LEN) {
+    memset(signature_out, 0, 64);
+    return -1;
+  }
+
+  /* Convert the Curve25519 privkey to an Ed25519 public key */
+  ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
+  ge_p3_tobytes(ed_pubkey, &ed_pubkey_point);
+  sign_bit = ed_pubkey[31] & 0x80;
+
+  /* Perform an Ed25519 signature with explicit private key */
+  crypto_sign_modified(sigbuf, msg, msg_len, curve25519_privkey,
+                       ed_pubkey, random);
+  memmove(signature_out, sigbuf, 64);
+
+  /* Encode the sign bit into signature (in unused high bit of S) */
+   signature_out[63] &= 0x7F; /* bit should be zero already, but just in case */
+   signature_out[63] |= sign_bit;
+   return 0;
+}
+
+int curve25519_verify(const unsigned char* signature,
+                      const unsigned char* curve25519_pubkey,
+                      const unsigned char* msg, const unsigned long msg_len)
+{
+  fe mont_x, mont_x_minus_one, mont_x_plus_one, inv_mont_x_plus_one;
+  fe one;
+  fe ed_y;
+  unsigned char ed_pubkey[32];
+  unsigned long long some_retval;
+  unsigned char verifybuf[MAX_MSG_LEN + 64]; /* working buffer */
+  unsigned char verifybuf2[MAX_MSG_LEN + 64]; /* working buffer #2 */
+
+  if (msg_len > MAX_MSG_LEN) {
+    return -1;
+  }
+
+  /* Convert the Curve25519 public key into an Ed25519 public key.  In
+     particular, convert Curve25519's "montgomery" x-coordinate into an
+     Ed25519 "edwards" y-coordinate:
+
+     ed_y = (mont_x - 1) / (mont_x + 1)
+
+     NOTE: mont_x=-1 is converted to ed_y=0 since fe_invert is mod-exp
+
+     Then move the sign bit into the pubkey from the signature.
+  */
+  fe_frombytes(mont_x, curve25519_pubkey);
+  fe_1(one);
+  fe_sub(mont_x_minus_one, mont_x, one);
+  fe_add(mont_x_plus_one, mont_x, one);
+  fe_invert(inv_mont_x_plus_one, mont_x_plus_one);
+  fe_mul(ed_y, mont_x_minus_one, inv_mont_x_plus_one);
+  fe_tobytes(ed_pubkey, ed_y);
+
+  /* Copy the sign bit, and remove it from signature */
+  ed_pubkey[31] &= 0x7F;  /* bit should be zero already, but just in case */
+  ed_pubkey[31] |= (signature[63] & 0x80);
+  memmove(verifybuf, signature, 64);
+  verifybuf[63] &= 0x7F;
+
+  memmove(verifybuf+64, msg, msg_len);
+
+  /* Then perform a normal Ed25519 verification, return 0 on success */
+  /* The below call has a strange API: */
+  /* verifybuf = R || S || message */
+  /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets 
+     replaced with pubkey for hashing, then the whole thing gets zeroized
+     (if bad sig), or contains a copy of msg (good sig) */
+  return crypto_sign_open(verifybuf2, &some_retval, verifybuf, 64 + msg_len, ed_pubkey);
+}

libaxolotl/jni/ed25519/additions/curve_sigs.h

@@ -0,0 +1,50 @@
+
+#ifndef __CURVE_SIGS_H__
+#define __CURVE_SIGS_H__
+
+#define MAX_MSG_LEN 256
+
+void curve25519_keygen(unsigned char* curve25519_pubkey_out, /* 32 bytes */
+                       const unsigned char* curve25519_privkey_in); /* 32 bytes */
+
+/* returns 0 on success */
+int curve25519_sign(unsigned char* signature_out, /* 64 bytes */
+                     const unsigned char* curve25519_privkey, /* 32 bytes */
+                     const unsigned char* msg, const unsigned long msg_len,
+                     const unsigned char* random); /* 64 bytes */
+
+/* returns 0 on success */
+int curve25519_verify(const unsigned char* signature, /* 64 bytes */
+                      const unsigned char* curve25519_pubkey, /* 32 bytes */
+                      const unsigned char* msg, const unsigned long msg_len);
+
+/* helper function - modified version of crypto_sign() to use 
+   explicit private key.  In particular:
+
+   sk     : private key
+   pk     : public key
+   msg    : message
+   prefix : 0xFE || [0xFF]*31
+   random : 64 bytes random
+   q      : main subgroup order
+
+   The prefix is chosen to distinguish the two SHA512 uses below, since
+   prefix is an invalid encoding for R (it would encode a "field element"
+   of 2^255 - 2).  0xFF*32 is set aside for use in ECDH protocols, which
+   is why the first byte here ix 0xFE.
+
+   sig_nonce = SHA512(prefix || sk ||  msg || random) % q
+   R = g^sig_nonce
+   M = SHA512(R || pk || m)
+   S = sig_nonce + (m * sk)
+   signature = (R || S)
+ */
+int crypto_sign_modified(
+  unsigned char *sm,
+  const unsigned char *m,unsigned long long mlen,
+  const unsigned char *sk, /* Curve/Ed25519 private key */
+  const unsigned char *pk, /* Ed25519 public key */
+  const unsigned char *random /* 64 bytes random to hash into nonce */
+  );
+
+#endif