release: Bump version to 0.3.2

This was mostly caused by Dart not copying values but referencing
them. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.

We know make some assumptions about received key exchanges, so this
needs some field testing.

.gitignore

@@ -12,6 +12,3 @@ pubspec.lock
 # NixOS
 .direnv
 .envrc
-
-# Protobuf build artifacts
-lib/protobuf/*.dart

.pubignore

@@ -0,0 +1 @@
+lib/protobuf

.woodpecker.yml

@@ -0,0 +1,11 @@
+pipeline:
+  lint:
+    image: dart:2.18.1
+    commands:
+      - dart pub get
+      - dart analyze --fatal-infos --fatal-warnings
+  test:
+    image: dart:2.18.1
+    commands:
+      - dart pub get
+      - dart test

CHANGELOG.md

@@ -20,3 +20,19 @@
 
 - Add `isRatchetAcknowledged`
 - Ratchets that are created due to accepting a kex are now unacknowledged
+
+## 0.3.0
+
+- Implement enabling and disabling ratchets via the TrustManager interface
+- Fix deserialization of the various objects
+- Remove the BTBV TrustManager's loadState method. Just use the constructor
+- Allow removing all ratchets for a given Jid
+- If an error occurs while decrypting the message, the ratchet will now be reset to its prior state
+- Fix a bug within the Varint encoding function. This should fix some occasional UnknownSignedPrekeyExceptions
+- Remove OmemoSessionManager's toJson and fromJson. Use toJsonWithoutSessions and fromJsonWithoutSessions. Restoring sessions is not out-of-scope for that function
+
+## 0.3.1
+
+- Fix a bug that caused the device's id to change when replacing a OPK
+- Every decryption failure now causes the ratchet to be restored to a pre-decryption state
+- Add method to get the device's fingerprint

README.md

@@ -28,7 +28,7 @@ Include `omemo_dart` in your `pubspec.yaml` like this:
 dependencies:
   omemo_dart:
     hosted: https://git.polynom.me/api/packages/PapaTutuWawa/pub
-    version: ^0.2.0
+    version: ^0.3.1
   # [...]
 
 # [...]

example/omemo_dart_example.dart

@@ -119,6 +119,8 @@ void main() async {
     aliceDevice.id,
     // The deserialised keys
     keys,
+    // Since the message was not delayed, we use the current time
+    DateTime.now().millisecondsSinceEpoch,
   );
 
   // All Bob has to do now is replace the OMEMO wrapper element 

lib/protobuf/schema.pb.dart

@@ -0,0 +1,263 @@
+///
+//  Generated code. Do not modify.
+//  source: schema.proto
+//
+// @dart = 2.12
+// ignore_for_file: annotate_overrides,camel_case_types,constant_identifier_names,directives_ordering,library_prefixes,non_constant_identifier_names,prefer_final_fields,return_of_invalid_type,unnecessary_const,unnecessary_import,unnecessary_this,unused_import,unused_shown_name
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class OMEMOMessage extends $pb.GeneratedMessage {
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(const $core.bool.fromEnvironment('protobuf.omit_message_names') ? '' : 'OMEMOMessage', createEmptyInstance: create)
+    ..a<$core.int>(1, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'n', $pb.PbFieldType.QU3)
+    ..a<$core.int>(2, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'pn', $pb.PbFieldType.QU3)
+    ..a<$core.List<$core.int>>(3, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'dhPub', $pb.PbFieldType.QY)
+    ..a<$core.List<$core.int>>(4, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'ciphertext', $pb.PbFieldType.OY)
+  ;
+
+  OMEMOMessage._() : super();
+  factory OMEMOMessage({
+    $core.int? n,
+    $core.int? pn,
+    $core.List<$core.int>? dhPub,
+    $core.List<$core.int>? ciphertext,
+  }) {
+    final _result = create();
+    if (n != null) {
+      _result.n = n;
+    }
+    if (pn != null) {
+      _result.pn = pn;
+    }
+    if (dhPub != null) {
+      _result.dhPub = dhPub;
+    }
+    if (ciphertext != null) {
+      _result.ciphertext = ciphertext;
+    }
+    return _result;
+  }
+  factory OMEMOMessage.fromBuffer($core.List<$core.int> i, [$pb.ExtensionRegistry r = $pb.ExtensionRegistry.EMPTY]) => create()..mergeFromBuffer(i, r);
+  factory OMEMOMessage.fromJson($core.String i, [$pb.ExtensionRegistry r = $pb.ExtensionRegistry.EMPTY]) => create()..mergeFromJson(i, r);
+  @$core.Deprecated(
+  'Using this can add significant overhead to your binary. '
+  'Use [GeneratedMessageGenericExtensions.deepCopy] instead. '
+  'Will be removed in next major version')
+  OMEMOMessage clone() => OMEMOMessage()..mergeFromMessage(this);
+  @$core.Deprecated(
+  'Using this can add significant overhead to your binary. '
+  'Use [GeneratedMessageGenericExtensions.rebuild] instead. '
+  'Will be removed in next major version')
+  OMEMOMessage copyWith(void Function(OMEMOMessage) updates) => super.copyWith((message) => updates(message as OMEMOMessage)) as OMEMOMessage; // ignore: deprecated_member_use
+  $pb.BuilderInfo get info_ => _i;
+  @$core.pragma('dart2js:noInline')
+  static OMEMOMessage create() => OMEMOMessage._();
+  OMEMOMessage createEmptyInstance() => create();
+  static $pb.PbList<OMEMOMessage> createRepeated() => $pb.PbList<OMEMOMessage>();
+  @$core.pragma('dart2js:noInline')
+  static OMEMOMessage getDefault() => _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<OMEMOMessage>(create);
+  static OMEMOMessage? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get n => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set n($core.int v) { $_setUnsignedInt32(0, v); }
+  @$pb.TagNumber(1)
+  $core.bool hasN() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearN() => clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.int get pn => $_getIZ(1);
+  @$pb.TagNumber(2)
+  set pn($core.int v) { $_setUnsignedInt32(1, v); }
+  @$pb.TagNumber(2)
+  $core.bool hasPn() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearPn() => clearField(2);
+
+  @$pb.TagNumber(3)
+  $core.List<$core.int> get dhPub => $_getN(2);
+  @$pb.TagNumber(3)
+  set dhPub($core.List<$core.int> v) { $_setBytes(2, v); }
+  @$pb.TagNumber(3)
+  $core.bool hasDhPub() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearDhPub() => clearField(3);
+
+  @$pb.TagNumber(4)
+  $core.List<$core.int> get ciphertext => $_getN(3);
+  @$pb.TagNumber(4)
+  set ciphertext($core.List<$core.int> v) { $_setBytes(3, v); }
+  @$pb.TagNumber(4)
+  $core.bool hasCiphertext() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearCiphertext() => clearField(4);
+}
+
+class OMEMOAuthenticatedMessage extends $pb.GeneratedMessage {
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(const $core.bool.fromEnvironment('protobuf.omit_message_names') ? '' : 'OMEMOAuthenticatedMessage', createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(1, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'mac', $pb.PbFieldType.QY)
+    ..a<$core.List<$core.int>>(2, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'message', $pb.PbFieldType.QY)
+  ;
+
+  OMEMOAuthenticatedMessage._() : super();
+  factory OMEMOAuthenticatedMessage({
+    $core.List<$core.int>? mac,
+    $core.List<$core.int>? message,
+  }) {
+    final _result = create();
+    if (mac != null) {
+      _result.mac = mac;
+    }
+    if (message != null) {
+      _result.message = message;
+    }
+    return _result;
+  }
+  factory OMEMOAuthenticatedMessage.fromBuffer($core.List<$core.int> i, [$pb.ExtensionRegistry r = $pb.ExtensionRegistry.EMPTY]) => create()..mergeFromBuffer(i, r);
+  factory OMEMOAuthenticatedMessage.fromJson($core.String i, [$pb.ExtensionRegistry r = $pb.ExtensionRegistry.EMPTY]) => create()..mergeFromJson(i, r);
+  @$core.Deprecated(
+  'Using this can add significant overhead to your binary. '
+  'Use [GeneratedMessageGenericExtensions.deepCopy] instead. '
+  'Will be removed in next major version')
+  OMEMOAuthenticatedMessage clone() => OMEMOAuthenticatedMessage()..mergeFromMessage(this);
+  @$core.Deprecated(
+  'Using this can add significant overhead to your binary. '
+  'Use [GeneratedMessageGenericExtensions.rebuild] instead. '
+  'Will be removed in next major version')
+  OMEMOAuthenticatedMessage copyWith(void Function(OMEMOAuthenticatedMessage) updates) => super.copyWith((message) => updates(message as OMEMOAuthenticatedMessage)) as OMEMOAuthenticatedMessage; // ignore: deprecated_member_use
+  $pb.BuilderInfo get info_ => _i;
+  @$core.pragma('dart2js:noInline')
+  static OMEMOAuthenticatedMessage create() => OMEMOAuthenticatedMessage._();
+  OMEMOAuthenticatedMessage createEmptyInstance() => create();
+  static $pb.PbList<OMEMOAuthenticatedMessage> createRepeated() => $pb.PbList<OMEMOAuthenticatedMessage>();
+  @$core.pragma('dart2js:noInline')
+  static OMEMOAuthenticatedMessage getDefault() => _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<OMEMOAuthenticatedMessage>(create);
+  static OMEMOAuthenticatedMessage? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get mac => $_getN(0);
+  @$pb.TagNumber(1)
+  set mac($core.List<$core.int> v) { $_setBytes(0, v); }
+  @$pb.TagNumber(1)
+  $core.bool hasMac() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearMac() => clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get message => $_getN(1);
+  @$pb.TagNumber(2)
+  set message($core.List<$core.int> v) { $_setBytes(1, v); }
+  @$pb.TagNumber(2)
+  $core.bool hasMessage() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearMessage() => clearField(2);
+}
+
+class OMEMOKeyExchange extends $pb.GeneratedMessage {
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(const $core.bool.fromEnvironment('protobuf.omit_message_names') ? '' : 'OMEMOKeyExchange', createEmptyInstance: create)
+    ..a<$core.int>(1, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'pkId', $pb.PbFieldType.QU3)
+    ..a<$core.int>(2, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'spkId', $pb.PbFieldType.QU3)
+    ..a<$core.List<$core.int>>(3, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'ik', $pb.PbFieldType.QY)
+    ..a<$core.List<$core.int>>(4, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'ek', $pb.PbFieldType.QY)
+    ..aQM<OMEMOAuthenticatedMessage>(5, const $core.bool.fromEnvironment('protobuf.omit_field_names') ? '' : 'message', subBuilder: OMEMOAuthenticatedMessage.create)
+  ;
+
+  OMEMOKeyExchange._() : super();
+  factory OMEMOKeyExchange({
+    $core.int? pkId,
+    $core.int? spkId,
+    $core.List<$core.int>? ik,
+    $core.List<$core.int>? ek,
+    OMEMOAuthenticatedMessage? message,
+  }) {
+    final _result = create();
+    if (pkId != null) {
+      _result.pkId = pkId;
+    }
+    if (spkId != null) {
+      _result.spkId = spkId;
+    }
+    if (ik != null) {
+      _result.ik = ik;
+    }
+    if (ek != null) {
+      _result.ek = ek;
+    }
+    if (message != null) {
+      _result.message = message;
+    }
+    return _result;
+  }
+  factory OMEMOKeyExchange.fromBuffer($core.List<$core.int> i, [$pb.ExtensionRegistry r = $pb.ExtensionRegistry.EMPTY]) => create()..mergeFromBuffer(i, r);
+  factory OMEMOKeyExchange.fromJson($core.String i, [$pb.ExtensionRegistry r = $pb.ExtensionRegistry.EMPTY]) => create()..mergeFromJson(i, r);
+  @$core.Deprecated(
+  'Using this can add significant overhead to your binary. '
+  'Use [GeneratedMessageGenericExtensions.deepCopy] instead. '
+  'Will be removed in next major version')
+  OMEMOKeyExchange clone() => OMEMOKeyExchange()..mergeFromMessage(this);
+  @$core.Deprecated(
+  'Using this can add significant overhead to your binary. '
+  'Use [GeneratedMessageGenericExtensions.rebuild] instead. '
+  'Will be removed in next major version')
+  OMEMOKeyExchange copyWith(void Function(OMEMOKeyExchange) updates) => super.copyWith((message) => updates(message as OMEMOKeyExchange)) as OMEMOKeyExchange; // ignore: deprecated_member_use
+  $pb.BuilderInfo get info_ => _i;
+  @$core.pragma('dart2js:noInline')
+  static OMEMOKeyExchange create() => OMEMOKeyExchange._();
+  OMEMOKeyExchange createEmptyInstance() => create();
+  static $pb.PbList<OMEMOKeyExchange> createRepeated() => $pb.PbList<OMEMOKeyExchange>();
+  @$core.pragma('dart2js:noInline')
+  static OMEMOKeyExchange getDefault() => _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<OMEMOKeyExchange>(create);
+  static OMEMOKeyExchange? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get pkId => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set pkId($core.int v) { $_setUnsignedInt32(0, v); }
+  @$pb.TagNumber(1)
+  $core.bool hasPkId() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPkId() => clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.int get spkId => $_getIZ(1);
+  @$pb.TagNumber(2)
+  set spkId($core.int v) { $_setUnsignedInt32(1, v); }
+  @$pb.TagNumber(2)
+  $core.bool hasSpkId() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearSpkId() => clearField(2);
+
+  @$pb.TagNumber(3)
+  $core.List<$core.int> get ik => $_getN(2);
+  @$pb.TagNumber(3)
+  set ik($core.List<$core.int> v) { $_setBytes(2, v); }
+  @$pb.TagNumber(3)
+  $core.bool hasIk() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearIk() => clearField(3);
+
+  @$pb.TagNumber(4)
+  $core.List<$core.int> get ek => $_getN(3);
+  @$pb.TagNumber(4)
+  set ek($core.List<$core.int> v) { $_setBytes(3, v); }
+  @$pb.TagNumber(4)
+  $core.bool hasEk() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearEk() => clearField(4);
+
+  @$pb.TagNumber(5)
+  OMEMOAuthenticatedMessage get message => $_getN(4);
+  @$pb.TagNumber(5)
+  set message(OMEMOAuthenticatedMessage v) { setField(5, v); }
+  @$pb.TagNumber(5)
+  $core.bool hasMessage() => $_has(4);
+  @$pb.TagNumber(5)
+  void clearMessage() => clearField(5);
+  @$pb.TagNumber(5)
+  OMEMOAuthenticatedMessage ensureMessage() => $_ensure(4);
+}
+

lib/protobuf/schema.pbenum.dart

@@ -0,0 +1,7 @@
+///
+//  Generated code. Do not modify.
+//  source: schema.proto
+//
+// @dart = 2.12
+// ignore_for_file: annotate_overrides,camel_case_types,constant_identifier_names,directives_ordering,library_prefixes,non_constant_identifier_names,prefer_final_fields,return_of_invalid_type,unnecessary_const,unnecessary_import,unnecessary_this,unused_import,unused_shown_name
+

lib/protobuf/schema.pbjson.dart

@@ -0,0 +1,48 @@
+///
+//  Generated code. Do not modify.
+//  source: schema.proto
+//
+// @dart = 2.12
+// ignore_for_file: annotate_overrides,camel_case_types,constant_identifier_names,deprecated_member_use_from_same_package,directives_ordering,library_prefixes,non_constant_identifier_names,prefer_final_fields,return_of_invalid_type,unnecessary_const,unnecessary_import,unnecessary_this,unused_import,unused_shown_name
+
+import 'dart:core' as $core;
+import 'dart:convert' as $convert;
+import 'dart:typed_data' as $typed_data;
+@$core.Deprecated('Use oMEMOMessageDescriptor instead')
+const OMEMOMessage$json = const {
+  '1': 'OMEMOMessage',
+  '2': const [
+    const {'1': 'n', '3': 1, '4': 2, '5': 13, '10': 'n'},
+    const {'1': 'pn', '3': 2, '4': 2, '5': 13, '10': 'pn'},
+    const {'1': 'dh_pub', '3': 3, '4': 2, '5': 12, '10': 'dhPub'},
+    const {'1': 'ciphertext', '3': 4, '4': 1, '5': 12, '10': 'ciphertext'},
+  ],
+};
+
+/// Descriptor for `OMEMOMessage`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List oMEMOMessageDescriptor = $convert.base64Decode('CgxPTUVNT01lc3NhZ2USDAoBbhgBIAIoDVIBbhIOCgJwbhgCIAIoDVICcG4SFQoGZGhfcHViGAMgAigMUgVkaFB1YhIeCgpjaXBoZXJ0ZXh0GAQgASgMUgpjaXBoZXJ0ZXh0');
+@$core.Deprecated('Use oMEMOAuthenticatedMessageDescriptor instead')
+const OMEMOAuthenticatedMessage$json = const {
+  '1': 'OMEMOAuthenticatedMessage',
+  '2': const [
+    const {'1': 'mac', '3': 1, '4': 2, '5': 12, '10': 'mac'},
+    const {'1': 'message', '3': 2, '4': 2, '5': 12, '10': 'message'},
+  ],
+};
+
+/// Descriptor for `OMEMOAuthenticatedMessage`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List oMEMOAuthenticatedMessageDescriptor = $convert.base64Decode('ChlPTUVNT0F1dGhlbnRpY2F0ZWRNZXNzYWdlEhAKA21hYxgBIAIoDFIDbWFjEhgKB21lc3NhZ2UYAiACKAxSB21lc3NhZ2U=');
+@$core.Deprecated('Use oMEMOKeyExchangeDescriptor instead')
+const OMEMOKeyExchange$json = const {
+  '1': 'OMEMOKeyExchange',
+  '2': const [
+    const {'1': 'pk_id', '3': 1, '4': 2, '5': 13, '10': 'pkId'},
+    const {'1': 'spk_id', '3': 2, '4': 2, '5': 13, '10': 'spkId'},
+    const {'1': 'ik', '3': 3, '4': 2, '5': 12, '10': 'ik'},
+    const {'1': 'ek', '3': 4, '4': 2, '5': 12, '10': 'ek'},
+    const {'1': 'message', '3': 5, '4': 2, '5': 11, '6': '.OMEMOAuthenticatedMessage', '10': 'message'},
+  ],
+};
+
+/// Descriptor for `OMEMOKeyExchange`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List oMEMOKeyExchangeDescriptor = $convert.base64Decode('ChBPTUVNT0tleUV4Y2hhbmdlEhMKBXBrX2lkGAEgAigNUgRwa0lkEhUKBnNwa19pZBgCIAIoDVIFc3BrSWQSDgoCaWsYAyACKAxSAmlrEg4KAmVrGAQgAigMUgJlaxI0CgdtZXNzYWdlGAUgAigLMhouT01FTU9BdXRoZW50aWNhdGVkTWVzc2FnZVIHbWVzc2FnZQ==');

lib/protobuf/schema.pbserver.dart

@@ -0,0 +1,9 @@
+///
+//  Generated code. Do not modify.
+//  source: schema.proto
+//
+// @dart = 2.12
+// ignore_for_file: annotate_overrides,camel_case_types,constant_identifier_names,deprecated_member_use_from_same_package,directives_ordering,library_prefixes,non_constant_identifier_names,prefer_final_fields,return_of_invalid_type,unnecessary_const,unnecessary_import,unnecessary_this,unused_import,unused_shown_name
+
+export 'schema.pb.dart';
+

lib/src/double_ratchet/double_ratchet.dart

@@ -68,6 +68,8 @@ class OmemoDoubleRatchet {
     this.sessionAd,
     this.mkSkipped, // MKSKIPPED
     this.acknowledged,
+    this.kexTimestamp,
+    this.kex,
   );
   
   factory OmemoDoubleRatchet.fromJson(Map<String, dynamic> data) {
@@ -82,9 +84,11 @@ class OmemoDoubleRatchet {
       'ns': 0,
       'nr': 0,
       'pn': 0,
-      'ik_pub': 'base/64/encoded',
+      'ik_pub': null | 'base/64/encoded',
       'session_ad': 'base/64/encoded',
       'acknowledged': true | false,
+      'kex_timestamp': int,
+      'kex': 'base/64/encoded',
       'mkskipped': [
         {
           'key': 'base/64/encoded',
@@ -129,6 +133,8 @@ class OmemoDoubleRatchet {
       base64.decode(data['session_ad']! as String),
       mkSkipped,
       data['acknowledged']! as bool,
+      data['kex_timestamp']! as int,
+      data['kex'] as String?,
     );
   }
   
@@ -160,6 +166,13 @@ class OmemoDoubleRatchet {
 
   final Map<SkippedKey, List<int>> mkSkipped;
 
+  /// The point in time at which we performed the kex exchange to create this ratchet.
+  /// Precision is milliseconds since epoch.
+  int kexTimestamp;
+
+  /// The key exchange that was used for initiating the session.
+  final String? kex;
+  
   /// Indicates whether we received an empty OMEMO message after building a session with
   /// the device. 
   bool acknowledged;
@@ -167,7 +180,7 @@ class OmemoDoubleRatchet {
   /// Create an OMEMO session using the Signed Pre Key [spk], the shared secret [sk] that
   /// was obtained using a X3DH and the associated data [ad] that was also obtained through
   /// a X3DH. [ik] refers to Bob's (the receiver's) IK public key.
-  static Future<OmemoDoubleRatchet> initiateNewSession(OmemoPublicKey spk, OmemoPublicKey ik, List<int> sk, List<int> ad) async {
+  static Future<OmemoDoubleRatchet> initiateNewSession(OmemoPublicKey spk, OmemoPublicKey ik, List<int> sk, List<int> ad, int timestamp) async {
     final dhs = await OmemoKeyPair.generateNewPair(KeyPairType.x25519);
     final dhr = spk;
     final rk  = await kdfRk(sk, await omemoDH(dhs, dhr, 0));
@@ -186,6 +199,8 @@ class OmemoDoubleRatchet {
       ad,
       {},
       false,
+      timestamp,
+      '',
     );
   }
 
@@ -193,7 +208,7 @@ class OmemoDoubleRatchet {
   /// Pre Key keypair [spk], the shared secret [sk] that was obtained through a X3DH and
   /// the associated data [ad] that was also obtained through a X3DH. [ik] refers to
   /// Alice's (the initiator's) IK public key.
-  static Future<OmemoDoubleRatchet> acceptNewSession(OmemoKeyPair spk, OmemoPublicKey ik, List<int> sk, List<int> ad) async {
+  static Future<OmemoDoubleRatchet> acceptNewSession(OmemoKeyPair spk, OmemoPublicKey ik, List<int> sk, List<int> ad, int kexTimestamp) async {
     return OmemoDoubleRatchet(
       spk,
       null,
@@ -207,6 +222,8 @@ class OmemoDoubleRatchet {
       ad,
       {},
       false,
+      kexTimestamp,
+      null,
     );
   }
 
@@ -233,6 +250,8 @@ class OmemoDoubleRatchet {
       'session_ad': base64.encode(sessionAd),
       'mkskipped': mkSkippedSerialised,
       'acknowledged': acknowledged,
+      'kex_timestamp': kexTimestamp,
+      'kex': kex,
     };
   }
   
@@ -268,18 +287,18 @@ class OmemoDoubleRatchet {
   }
 
   Future<void> _dhRatchet(OmemoMessage header) async {
-    pn = header.n!;
+    pn = ns;
     ns = 0;
     nr = 0;
     dhr = OmemoPublicKey.fromBytes(header.dhPub!, KeyPairType.x25519);
 
     final newRk = await kdfRk(rk, await omemoDH(dhs, dhr!, 0));
-    rk = newRk;
-    ckr = newRk;
+    rk = List.from(newRk);
+    ckr = List.from(newRk);
     dhs = await OmemoKeyPair.generateNewPair(KeyPairType.x25519);
     final newNewRk = await kdfRk(rk, await omemoDH(dhs, dhr!, 0));
-    rk = newNewRk;
-    cks = newNewRk;
+    rk = List.from(newNewRk);
+    cks = List.from(newNewRk);
   }
 
   /// Encrypt [plaintext] using the Double Ratchet.
@@ -313,8 +332,8 @@ class OmemoDoubleRatchet {
     }
 
     final dhPubMatches = listsEqual(
-      header.dhPub ?? <int>[],
-      await dhr?.getBytes() ?? <int>[],
+      header.dhPub!,
+      (await dhr?.getBytes()) ?? <int>[],
     );
     if (!dhPubMatches) {
       await _skipMessageKeys(header.pn!);
@@ -330,12 +349,64 @@ class OmemoDoubleRatchet {
     return decrypt(mk, ciphertext, concat([sessionAd, header.writeToBuffer()]), sessionAd);
   }
 
+  OmemoDoubleRatchet clone() {
+    return OmemoDoubleRatchet(
+      dhs,
+      dhr,
+      rk,
+      cks != null ?
+        List<int>.from(cks!) :
+        null,
+      ckr != null ?
+        List<int>.from(ckr!) :
+        null,
+      ns,
+      nr,
+      pn,
+      ik,
+      sessionAd,
+      Map<SkippedKey, List<int>>.from(mkSkipped),
+      acknowledged,
+      kexTimestamp,
+      kex,
+    );
+  }
+
+  OmemoDoubleRatchet cloneWithKex(String kex) {
+    return OmemoDoubleRatchet(
+      dhs,
+      dhr,
+      rk,
+      cks != null ?
+        List<int>.from(cks!) :
+        null,
+      ckr != null ?
+        List<int>.from(ckr!) :
+        null,
+      ns,
+      nr,
+      pn,
+      ik,
+      sessionAd,
+      Map<SkippedKey, List<int>>.from(mkSkipped),
+      acknowledged,
+      kexTimestamp,
+      kex,
+    );
+  }
+  
   @visibleForTesting
   Future<bool> equals(OmemoDoubleRatchet other) async {
-    // ignore: invalid_use_of_visible_for_testing_member
-    final dhrMatch = dhr == null ? other.dhr == null : await dhr!.equals(other.dhr!);
-    final ckrMatch = ckr == null ? other.ckr == null : listsEqual(ckr!, other.ckr!);
-    final cksMatch = cks == null ? other.cks == null : listsEqual(cks!, other.cks!);
+    final dhrMatch = dhr == null ?
+      other.dhr == null :
+      // ignore: invalid_use_of_visible_for_testing_member
+      other.dhr != null && await dhr!.equals(other.dhr!);
+    final ckrMatch = ckr == null ?
+      other.ckr == null :
+      other.ckr != null && listsEqual(ckr!, other.ckr!);
+    final cksMatch = cks == null ?
+      other.cks == null :
+      other.cks != null && listsEqual(cks!, other.cks!);
  
     // ignore: invalid_use_of_visible_for_testing_member
     final dhsMatch = await dhs.equals(other.dhs);
@@ -351,6 +422,7 @@ class OmemoDoubleRatchet {
       ns == other.ns &&
       nr == other.nr &&
       pn == other.pn &&
-      listsEqual(sessionAd, other.sessionAd);
+      listsEqual(sessionAd, other.sessionAd) &&
+      kexTimestamp == other.kexTimestamp;
   }
 }

lib/src/errors.dart

@@ -30,3 +30,16 @@ class NoDecryptionKeyException implements Exception {
 class UnknownSignedPrekeyException implements Exception {
   String errMsg() => 'Unknown Signed Prekey used.';
 }
+
+/// Triggered by the Session Manager when the received Key Exchange message does not meet
+/// the requirement that a key exchange, given that the ratchet already exists, must be
+/// sent after its creation.
+class InvalidKeyExchangeException implements Exception {
+  String errMsg() => 'The key exchange was sent before the last kex finished';
+}
+
+/// Triggered by the Session Manager when a message's sequence number is smaller than we
+/// expect it to be.
+class MessageAlreadyDecryptedException implements Exception {
+  String errMsg() => 'The message has already been decrypted';
+}

lib/src/helpers.dart

@@ -73,3 +73,7 @@ OmemoKeyPair? decodeKeyPairIfNotNull(String? pk, String? sk, KeyPairType type) {
     type,
   );
 }
+
+int getTimestamp() {
+  return DateTime.now().millisecondsSinceEpoch;
+}

lib/src/omemo/device.dart

@@ -140,7 +140,7 @@ class Device {
     
     return Device(
       jid,
-      id,
+      this.id,
       ik,
       spk,
       spkId,

lib/src/omemo/sessionmanager.dart

@@ -97,12 +97,7 @@ class OmemoSessionManager {
 
   /// Returns our own device.
   Future<Device> getDevice() async {
-    Device? dev;
-    await _deviceLock.synchronized(() async {
-      dev = _device;
-    });
-
-    return dev!;
+    return _deviceLock.synchronized(() => _device);
   }
 
   /// Returns the id attribute of our own device. This is just a short-hand for
@@ -159,6 +154,7 @@ class OmemoSessionManager {
       bundle.ik,
       kexResult.sk,
       kexResult.ad,
+      getTimestamp(),
     );
 
     await _trustManager.onNewSession(jid, deviceId);
@@ -174,17 +170,17 @@ class OmemoSessionManager {
   /// Build a new session with the user at [jid] with the device [deviceId] using data
   /// from the key exchange [kex]. In case [kex] contains an unknown Signed Prekey
   /// identifier an UnknownSignedPrekeyException will be thrown.
-  Future<void> _addSessionFromKeyExchange(String jid, int deviceId, OmemoKeyExchange kex) async {
+  Future<OmemoDoubleRatchet> _addSessionFromKeyExchange(String jid, int deviceId, OmemoKeyExchange kex) async {
     // Pick the correct SPK
     final device = await getDevice();
-    OmemoKeyPair? spk;
-
-    await _lock.synchronized(() async {
+    final spk = await _lock.synchronized(() async {
       if (kex.spkId == _device.spkId) {
-        spk = _device.spk;
+        return _device.spk;
       } else if (kex.spkId == _device.oldSpkId) {
-        spk = _device.oldSpk;
+        return _device.oldSpk;
       }
+
+      return null;
     });
     if (spk == null) {
       throw UnknownSignedPrekeyException();
@@ -196,19 +192,19 @@ class OmemoSessionManager {
         OmemoPublicKey.fromBytes(kex.ek!, KeyPairType.x25519),
         kex.pkId!,
       ),
-      spk!,
+      spk,
       device.opks.values.elementAt(kex.pkId!),
       device.ik,
     );
     final ratchet = await OmemoDoubleRatchet.acceptNewSession(
-      spk!,
+      spk,
       OmemoPublicKey.fromBytes(kex.ik!, KeyPairType.ed25519),
       kexResult.sk,
       kexResult.ad,
+      getTimestamp(),
     );
 
-    await _trustManager.onNewSession(jid, deviceId);
-    await _addSession(jid, deviceId, ratchet);
+    return ratchet;
   }
 
   /// Like [encryptToJids] but only for one Jid [jid].
@@ -245,7 +241,11 @@ class OmemoSessionManager {
     final kex = <int, OmemoKeyExchange>{};
     if (newSessions != null) {
       for (final newSession in newSessions) {
-        kex[newSession.id] = await addSessionFromBundle(newSession.jid, newSession.id, newSession);
+        kex[newSession.id] = await addSessionFromBundle(
+          newSession.jid,
+          newSession.id,
+          newSession,
+        );
       }
     }
     
@@ -263,24 +263,53 @@ class OmemoSessionManager {
           }
 
           final ratchetKey = RatchetMapKey(jid, deviceId);
-          final ratchet = _ratchetMap[ratchetKey]!;
+          var ratchet = _ratchetMap[ratchetKey]!;
           final ciphertext = (await ratchet.ratchetEncrypt(keyPayload)).ciphertext;
  
-          // Commit the ratchet
-          _eventStreamController.add(RatchetModifiedEvent(jid, deviceId, ratchet));
-          
           if (kex.isNotEmpty && kex.containsKey(deviceId)) {
+            // The ratchet did not exist
             final k = kex[deviceId]!
               ..message = OmemoAuthenticatedMessage.fromBuffer(ciphertext);
+            final buffer = base64.encode(k.writeToBuffer());
             encryptedKeys.add(
               EncryptedKey(
                 jid,
                 deviceId,
-                base64.encode(k.writeToBuffer()),
+                buffer,
                 true,
               ),
             );
+
+            ratchet = ratchet.cloneWithKex(buffer);
+            _ratchetMap[ratchetKey] = ratchet;
+          } else if (!ratchet.acknowledged) {
+            // The ratchet exists but is not acked
+            if (ratchet.kex != null) {
+              final oldKex = OmemoKeyExchange.fromBuffer(base64.decode(ratchet.kex!))
+              ..message = OmemoAuthenticatedMessage.fromBuffer(ciphertext);
+              
+              encryptedKeys.add(
+                EncryptedKey(
+                  jid,
+                  deviceId,
+                  base64.encode(oldKex.writeToBuffer()),
+                  true,
+                ),
+              );
+            } else {
+              // The ratchet is not acked but we don't have the old key exchange
+              _log.warning('Ratchet for $jid:$deviceId is not acked but the kex attribute is null');
+              encryptedKeys.add(
+                EncryptedKey(
+                  jid,
+                  deviceId,
+                  base64.encode(ciphertext),
+                  false,
+                ),
+              );
+            }
           } else {
+            // The ratchet exists and is acked
             encryptedKeys.add(
               EncryptedKey(
                 jid,
@@ -290,6 +319,9 @@ class OmemoSessionManager {
               ),
             );
           }
+
+          // Commit the ratchet
+          _eventStreamController.add(RatchetModifiedEvent(jid, deviceId, ratchet));
         }
       }
     });
@@ -305,7 +337,7 @@ class OmemoSessionManager {
   /// [mapKey] with [oldRatchet].
   Future<void> _restoreRatchet(RatchetMapKey mapKey, OmemoDoubleRatchet oldRatchet) async {
     await _lock.synchronized(() {
-      _log.finest('Restoring ratchet ${mapKey.jid}:${mapKey.deviceId}');
+      _log.finest('Restoring ratchet ${mapKey.jid}:${mapKey.deviceId} to ${oldRatchet.nr}');
       _ratchetMap[mapKey] = oldRatchet;
 
       // Commit the ratchet
@@ -319,16 +351,38 @@ class OmemoSessionManager {
     });
   }
 
+  Future<String?> _decryptAndVerifyHmac(List<int>? ciphertext, List<int> keyAndHmac) async {
+    // Empty OMEMO messages should just have the key decrypted and/or session set up.
+    if (ciphertext == null) {
+      return null;
+    }
+    
+    final key = keyAndHmac.sublist(0, 32);
+    final hmac = keyAndHmac.sublist(32, 48);
+    final derivedKeys = await deriveEncryptionKeys(key, omemoPayloadInfoString);
+    final computedHmac = await truncatedHmac(ciphertext, derivedKeys.authenticationKey);
+    if (!listsEqual(hmac, computedHmac)) {
+      throw InvalidMessageHMACException();
+    }
+    
+    return utf8.decode(
+      await aes256CbcDecrypt(ciphertext, derivedKeys.encryptionKey, derivedKeys.iv),
+    );
+  }
+  
   /// Attempt to decrypt [ciphertext]. [keys] refers to the <key /> elements inside the
   /// <keys /> element with a "jid" attribute matching our own. [senderJid] refers to the
   /// bare Jid of the sender. [senderDeviceId] refers to the "sid" attribute of the
   /// <encrypted /> element.
+  /// [timestamp] refers to the time the message was sent. This might be either what the
+  /// server tells you via "XEP-0203: Delayed Delivery" or the point in time at which
+  /// you received the stanza, if no Delayed Delivery element was found.
   ///
   /// If the received message is an empty OMEMO message, i.e. there is no <payload />
   /// element, then [ciphertext] must be set to null. In this case, this function
   /// will return null as there is no message to be decrypted. This, however, is used
   /// to set up sessions or advance the ratchets.
-  Future<String?> decryptMessage(List<int>? ciphertext, String senderJid, int senderDeviceId, List<EncryptedKey> keys) async {
+  Future<String?> decryptMessage(List<int>? ciphertext, String senderJid, int senderDeviceId, List<EncryptedKey> keys, int timestamp) async {
     // Try to find a session we can decrypt with.
     var device = await getDevice();
     final rawKey = keys.firstWhereOrNull((key) => key.rid == device.id);
@@ -338,24 +392,55 @@ class OmemoSessionManager {
 
     final ratchetKey = RatchetMapKey(senderJid, senderDeviceId);
     final decodedRawKey = base64.decode(rawKey.value);
+    List<int>? keyAndHmac;
     OmemoAuthenticatedMessage authMessage;
     OmemoDoubleRatchet? oldRatchet;
+    OmemoMessage? message;
     if (rawKey.kex) {
       // If the ratchet already existed, we store it. If it didn't, oldRatchet will stay
       // null.
-      oldRatchet = await _getRatchet(ratchetKey);
-
-      // TODO(PapaTutuWawa): Only do this when we should
+      final oldRatchet = (await _getRatchet(ratchetKey))?.clone();
       final kex = OmemoKeyExchange.fromBuffer(decodedRawKey);
-      await _addSessionFromKeyExchange(
-        senderJid,
-        senderDeviceId,
-        kex,
-      );
-
       authMessage = kex.message!;
+      message = OmemoMessage.fromBuffer(authMessage.message!);
+
+      // Guard against old key exchanges
+      if (oldRatchet != null) {
+        _log.finest('KEX for existent ratchet. ${oldRatchet.pn}');
+        if (oldRatchet.kexTimestamp > timestamp) {
+          throw InvalidKeyExchangeException();
+        }
+        
+        // Try to decrypt it
+        try {
+          final decrypted = await oldRatchet.ratchetDecrypt(message, authMessage.writeToBuffer());
+
+          // Commit the ratchet
+          _eventStreamController.add(
+            RatchetModifiedEvent(
+              senderJid,
+              senderDeviceId,
+              oldRatchet,
+            ),
+          );
+          
+          final plaintext = await _decryptAndVerifyHmac(
+            ciphertext,
+            decrypted,
+          );
+          await _addSession(senderJid, senderDeviceId, oldRatchet);
+          return plaintext;
+        } catch (_) {
+          _log.finest('Failed to use old ratchet with KEX for existing ratchet');
+        }
+      }
+
+      final r = await _addSessionFromKeyExchange(senderJid, senderDeviceId, kex);
+      await _trustManager.onNewSession(senderJid, senderDeviceId);
+      await _addSession(senderJid, senderDeviceId, r);
 
       // Replace the OPK
+      // TODO(PapaTutuWawa): Replace the OPK when we know that the KEX worked
       await _deviceLock.synchronized(() async {
         device = await device.replaceOnetimePrekey(kex.pkId!);
 
@@ -364,6 +449,7 @@ class OmemoSessionManager {
       });
     } else {
       authMessage = OmemoAuthenticatedMessage.fromBuffer(decodedRawKey);
+      message = OmemoMessage.fromBuffer(authMessage.message!);
     }
     
     final devices = _deviceMap[senderJid];
@@ -374,11 +460,9 @@ class OmemoSessionManager {
       throw NoDecryptionKeyException();
     }
 
-    final message = OmemoMessage.fromBuffer(authMessage.message!);
-    List<int>? keyAndHmac;
     // We can guarantee that the ratchet exists at this point in time
     final ratchet = (await _getRatchet(ratchetKey))!;
-    oldRatchet ??= ratchet ;
+    oldRatchet ??= ratchet.clone();
 
     try {
       if (rawKey.kex) {
@@ -386,7 +470,7 @@ class OmemoSessionManager {
       } else {
         keyAndHmac = await ratchet.ratchetDecrypt(message, decodedRawKey);
       }
-    } on InvalidMessageHMACException {
+    } catch (_) {
       await _restoreRatchet(ratchetKey, oldRatchet);
       rethrow;
     }
@@ -394,24 +478,12 @@ class OmemoSessionManager {
     // Commit the ratchet
     _eventStreamController.add(RatchetModifiedEvent(senderJid, senderDeviceId, ratchet));
 
-    // Empty OMEMO messages should just have the key decrypted and/or session set up.
-    if (ciphertext == null) {
-      return null;
-    }
-    
-    final key = keyAndHmac.sublist(0, 32);
-    final hmac = keyAndHmac.sublist(32, 48);
-    final derivedKeys = await deriveEncryptionKeys(key, omemoPayloadInfoString);
-
-    final computedHmac = await truncatedHmac(ciphertext, derivedKeys.authenticationKey);
-    if (!listsEqual(hmac, computedHmac)) {
-      // TODO(PapaTutuWawa): I am unsure if we should restore the ratchet here
+    try {
+      return _decryptAndVerifyHmac(ciphertext, keyAndHmac);
+    } catch (_) { 
       await _restoreRatchet(ratchetKey, oldRatchet);
-      throw InvalidMessageHMACException();
+      rethrow;
     }
-    
-    final plaintext = await aes256CbcDecrypt(ciphertext, derivedKeys.encryptionKey, derivedKeys.iv);
-    return utf8.decode(plaintext);
   }
 
   /// Returns the list of hex-encoded fingerprints we have for sessions with [jid].
@@ -420,7 +492,7 @@ class OmemoSessionManager {
 
     await _lock.synchronized(() async {
       // Get devices for jid
-      final devices = _deviceMap[jid]!;
+      final devices = _deviceMap[jid] ?? [];
 
       for (final deviceId in devices) {
         final ratchet = _ratchetMap[RatchetMapKey(jid, deviceId)]!;
@@ -437,6 +509,16 @@ class OmemoSessionManager {
     return fingerprints;
   }
 
+  /// Returns the hex-encoded fingerprint of the current device.
+  Future<DeviceFingerprint> getHexFingerprintForDevice() async {
+    final device = await getDevice();
+
+    return DeviceFingerprint(
+      device.id,
+      HEX.encode(await device.ik.pk.getBytes()),
+    );
+  }
+
   /// Replaces the Signed Prekey and its signature in our own device bundle. Triggers
   /// a DeviceModifiedEvent when done.
   /// See https://xmpp.org/extensions/xep-0384.html#protocol-key_exchange under the point

pubspec.yaml

@@ -1,6 +1,6 @@
 name: omemo_dart
 description: An XMPP library independent OMEMO library
-version: 0.2.1
+version: 0.3.2
 homepage: https://github.com/PapaTutuWawa/omemo_dart
 publish_to: https://git.polynom.me/api/packages/PapaTutuWawa/pub
 

test/double_ratchet_test.dart

@@ -84,12 +84,14 @@ void main() {
       ikBob.pk,
       resultAlice.sk,
       resultAlice.ad,
+      0,
     );
     final bobsRatchet = await OmemoDoubleRatchet.acceptNewSession(
       spkBob,
       ikAlice.pk,
       resultBob.sk,
       resultBob.ad,
+      0,
     );
 
     expect(alicesRatchet.sessionAd, bobsRatchet.sessionAd);

test/omemo_test.dart

@@ -12,6 +12,36 @@ void main() {
       print('${record.level.name}: ${record.message}');
     });
 
+  test('Test replacing a onetime prekey', () async {
+    const aliceJid = 'alice@server.example';
+    final device = await Device.generateNewDevice(aliceJid, opkAmount: 1);
+
+    final newDevice = await device.replaceOnetimePrekey(0);
+
+    expect(device.jid, newDevice.jid);
+    expect(device.id, newDevice.id);
+
+    var opksMatch = true;
+    if (newDevice.opks.length != device.opks.length) {
+      opksMatch = false;
+    } else {
+      for (final entry in device.opks.entries) {
+        final m = await newDevice.opks[entry.key]?.equals(entry.value) ?? false;
+        if (!m) opksMatch = false;
+      }
+    }
+    
+    expect(opksMatch, true);
+    expect(await device.ik.equals(newDevice.ik), true);
+    expect(await device.spk.equals(newDevice.spk), true);
+
+    final oldSpkMatch = device.oldSpk != null ?
+      await device.oldSpk!.equals(newDevice.oldSpk!) :
+      newDevice.oldSpk == null;
+    expect(oldSpkMatch, true);
+    expect(listsEqual(device.spkSignature, newDevice.spkSignature), true);
+  });
+    
   test('Test using OMEMO sessions with only one device per user', () async {
     const aliceJid = 'alice@server.example';
     const bobJid = 'bob@other.server.example';
@@ -60,6 +90,7 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       aliceMessage.encryptedKeys,
+      0,
     );
     expect(messagePlaintext, bobMessage);
     // The ratchet should be modified two times: Once for when the ratchet is created and
@@ -75,6 +106,10 @@ void main() {
       false,
     );
 
+    // Ratchets are acked
+    await aliceSession.ratchetAcknowledged(bobJid, await bobSession.getDeviceId());
+    await bobSession.ratchetAcknowledged(aliceJid, await aliceSession.getDeviceId());
+    
     // Bob responds to Alice
     const bobResponseText = 'Oh, hello Alice!';
     final bobResponseMessage = await bobSession.encryptToJid(
@@ -91,6 +126,7 @@ void main() {
       bobJid,
       await bobSession.getDeviceId(),
       bobResponseMessage.encryptedKeys,
+      0,
     );
     expect(bobResponseText, aliceReceivedMessage);
   });
@@ -140,9 +176,14 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       aliceMessage.encryptedKeys,
+      0,
     );
     expect(messagePlaintext, bobMessage);
 
+    // Ratchets are acked
+    await aliceSession.ratchetAcknowledged(bobJid, await bobSession.getDeviceId());
+    await bobSession.ratchetAcknowledged(aliceJid, await aliceSession.getDeviceId());
+    
     // Bob responds to Alice
     const bobResponseText = 'Oh, hello Alice!';
     final bobResponseMessage = await bobSession.encryptToJid(
@@ -159,6 +200,7 @@ void main() {
       bobJid,
       await bobSession.getDeviceId(),
       bobResponseMessage.encryptedKeys,
+      0,
     );
     expect(bobResponseText, aliceReceivedMessage);
 
@@ -215,6 +257,7 @@ void main() {
       aliceJid,
       await aliceSession1.getDeviceId(),
       aliceMessage.encryptedKeys,
+      0,
     );
     expect(messagePlaintext, bobMessage);
 
@@ -224,6 +267,7 @@ void main() {
       aliceJid,
       await aliceSession1.getDeviceId(),
       aliceMessage.encryptedKeys,
+      0,
     );
     expect(messagePlaintext, aliceMessage2);
   });
@@ -264,6 +308,7 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       aliceMessage.encryptedKeys,
+      0,
     );
     expect(bobMessage, null);
 
@@ -341,6 +386,7 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       aliceMessage.encryptedKeys,
+      0,
     );
     expect(messagePlaintext, bobMessage);
   });
@@ -407,8 +453,13 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       aliceMessage.encryptedKeys,
+      0,
     );
 
+    // Ratchets are acked
+    await aliceSession.ratchetAcknowledged(bobJid, await bobSession.getDeviceId());
+    await bobSession.ratchetAcknowledged(aliceJid, await aliceSession.getDeviceId());
+    
     for (var i = 0; i < 100; i++) {
       final messageText = 'Test Message #$i';
       // Bob responds to Alice
@@ -426,6 +477,7 @@ void main() {
         bobJid,
         await bobSession.getDeviceId(),
         bobResponseMessage.encryptedKeys,
+        0,
       );
       expect(messageText, aliceReceivedMessage);
     }
@@ -580,6 +632,7 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       msg1.encryptedKeys,
+      0,
     );
     final aliceRatchet1 = aliceSession.getRatchet(
       bobJid,
@@ -604,6 +657,7 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       msg2.encryptedKeys,
+      getTimestamp(),
     );
     final aliceRatchet2 = aliceSession.getRatchet(
       bobJid,
@@ -623,7 +677,7 @@ void main() {
     expect(await bobRatchet1.equals(bobRatchet2), false);
   });
 
-  test('Test receiving an old message that contains a KEX', () async {
+  test('Test resending key exchanges', () async {
     const aliceJid = 'alice@server.example';
     const bobJid = 'bob@other.server.example';
     // Alice and Bob generate their sessions
@@ -646,40 +700,145 @@ void main() {
         await bobSession.getDeviceBundle(),
       ],
     );
+    // The first message should be a kex message
+    expect(msg1.encryptedKeys.first.kex, true);
 
     await bobSession.decryptMessage(
       msg1.ciphertext,
       aliceJid,
       await aliceSession.getDeviceId(),
       msg1.encryptedKeys,
+      0,
     );
 
+    // Alice is impatient and immediately sends another message before the original one
+    // can be acknowledged by Bob
+    final msg2 = await aliceSession.encryptToJid(
+      bobJid,
+      "Why don't you answer?",
+    );
+    expect(msg2.encryptedKeys.first.kex, true);
+
+    await bobSession.decryptMessage(
+      msg2.ciphertext,
+      aliceJid,
+      await aliceSession.getDeviceId(),
+      msg2.encryptedKeys,
+      getTimestamp(),
+    );
+
+  });
+  
+  test('Test receiving old messages including a KEX', () async {
+    const aliceJid = 'alice@server.example';
+    const bobJid = 'bob@other.server.example';
+    // Alice and Bob generate their sessions
+    final aliceSession = await OmemoSessionManager.generateNewIdentity(
+      aliceJid,
+      AlwaysTrustingTrustManager(),
+      opkAmount: 1,
+    );
+    final bobSession = await OmemoSessionManager.generateNewIdentity(
+      bobJid,
+      AlwaysTrustingTrustManager(),
+      opkAmount: 2,
+    );
+
+    final bobsReceivedMessages = List<EncryptionResult>.empty(growable: true);
+    final bobsReceivedMessagesTimestamps = List<int>.empty(growable: true);
+    
+    // Alice sends Bob a message
+    final msg1 = await aliceSession.encryptToJid(
+      bobJid,
+      'Hallo Welt',
+      newSessions: [
+        await bobSession.getDeviceBundle(),
+      ],
+    );
+    bobsReceivedMessages.add(msg1);
+    final t1 = getTimestamp();
+    bobsReceivedMessagesTimestamps.add(t1);
+
+    await bobSession.decryptMessage(
+      msg1.ciphertext,
+      aliceJid,
+      await aliceSession.getDeviceId(),
+      msg1.encryptedKeys,
+      t1,
+    );
+
+    // Ratchets are acked
+    await aliceSession.ratchetAcknowledged(bobJid, await bobSession.getDeviceId());
+    await bobSession.ratchetAcknowledged(aliceJid, await aliceSession.getDeviceId());
+    
     // Bob responds
     final msg2 = await bobSession.encryptToJid(
       aliceJid,
       'Hello!',
     );
+
     await aliceSession.decryptMessage(
       msg2.ciphertext,
       bobJid,
       await bobSession.getDeviceId(),
       msg2.encryptedKeys,
+      getTimestamp(),
     );
     
-    // Due to some issue with the transport protocol, the first message Bob received is
-    // received again
-    try {
-      await bobSession.decryptMessage(
-        msg1.ciphertext,
+    // Send some messages between the two
+    for (var i = 0; i < 100; i++) {
+      final msg = await aliceSession.encryptToJid(
+        bobJid,
+        'Hello $i',
+      );
+      bobsReceivedMessages.add(msg);
+      final t = getTimestamp();
+      bobsReceivedMessagesTimestamps.add(t);
+      final result = await bobSession.decryptMessage(
+        msg.ciphertext,
         aliceJid,
         await aliceSession.getDeviceId(),
-        msg1.encryptedKeys,
+        msg.encryptedKeys,
+        t,
       );
-      expect(true, false);
-    } on InvalidMessageHMACException {
-      // NOOP
+
+      expect(result, 'Hello $i');
     }
 
+    // Due to some issue with the transport protocol, the messages to Bob are received
+    // again.
+    final ratchetPreError = bobSession
+      .getRatchet(aliceJid, await aliceSession.getDeviceId())
+      .clone();
+    var invalidKex = 0;
+    var errorCounter = 0;
+    for (var i = 0; i < bobsReceivedMessages.length; i++) {
+      final msg = bobsReceivedMessages[i];
+      try {
+        await bobSession.decryptMessage(
+          msg.ciphertext,
+          aliceJid,
+          await aliceSession.getDeviceId(),
+          msg.encryptedKeys,
+          bobsReceivedMessagesTimestamps[i],
+        );
+        expect(true, false);
+      } on InvalidMessageHMACException catch (_) {
+        errorCounter++;
+      } on InvalidKeyExchangeException catch (_) {
+        invalidKex++;
+      }
+    }
+    final ratchetPostError = bobSession
+      .getRatchet(aliceJid, await aliceSession.getDeviceId())
+      .clone();
+
+    // The 100 messages including the initial KEX message
+    expect(invalidKex, 1);
+    expect(errorCounter, 100);
+    expect(await ratchetPreError.equals(ratchetPostError), true);
+
+    
     final msg3 = await aliceSession.encryptToJid(
       bobJid,
       'Are you okay?',
@@ -689,12 +848,13 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       msg3.encryptedKeys,
+      104,
     );
 
     expect(result, 'Are you okay?');
   });
 
-  test('Test receiving an old message that does not contain a KEX', () async {
+  test("Test ignoring a new KEX when we haven't acket it yet", () async {
     const aliceJid = 'alice@server.example';
     const bobJid = 'bob@other.server.example';
     // Alice and Bob generate their sessions
@@ -706,7 +866,7 @@ void main() {
     final bobSession = await OmemoSessionManager.generateNewIdentity(
       bobJid,
       AlwaysTrustingTrustManager(),
-      opkAmount: 2,
+      opkAmount: 1,
     );
 
     // Alice sends Bob a message
@@ -717,50 +877,70 @@ void main() {
         await bobSession.getDeviceBundle(),
       ],
     );
+    expect(msg1.encryptedKeys.first.kex, true);
+
     await bobSession.decryptMessage(
       msg1.ciphertext,
       aliceJid,
       await aliceSession.getDeviceId(),
       msg1.encryptedKeys,
+      getTimestamp(),
     );
 
-    // Bob responds
-    final msg2 = await bobSession.encryptToJid(
-      aliceJid,
-      'Hello!',
-    );
-    await aliceSession.decryptMessage(
-      msg2.ciphertext,
+    // Alice sends another message before the ack can reach us
+    final msg2 = await aliceSession.encryptToJid(
       bobJid,
-      await bobSession.getDeviceId(),
+      'ANSWER ME!',
+    );
+    expect(msg2.encryptedKeys.first.kex, true);
+
+    await bobSession.decryptMessage(
+      msg2.ciphertext,
+      aliceJid,
+      await aliceSession.getDeviceId(),
       msg2.encryptedKeys,
+      getTimestamp(),
     );
 
-    // Due to some issue with the transport protocol, the first message Alice received is
-    // received again.
-    try {
-      await aliceSession.decryptMessage(
-        msg2.ciphertext,
-        bobJid,
-        await bobSession.getDeviceId(),
-        msg2.encryptedKeys,
-      );
-      expect(true, false);
-    } catch (_) {
-      // NOOP
-    }
+    // Now the acks reach us
+    await aliceSession.ratchetAcknowledged(bobJid, await bobSession.getDeviceId());
+    await bobSession.ratchetAcknowledged(aliceJid, await aliceSession.getDeviceId());
 
+    // Alice sends another message
     final msg3 = await aliceSession.encryptToJid(
       bobJid,
-      'Are you okay?',
+      "You read the message, didn't you?",
     );
-    final result = await bobSession.decryptMessage(
+    expect(msg3.encryptedKeys.first.kex, false);
+
+    await bobSession.decryptMessage(
       msg3.ciphertext,
       aliceJid,
       await aliceSession.getDeviceId(),
       msg3.encryptedKeys,
+      getTimestamp(),
     );
 
-    expect(result, 'Are you okay?');
+    for (var i = 0; i < 100; i++) {
+      final messageText = 'Test Message #$i';
+      // Bob responds to Alice
+      final bobResponseMessage = await bobSession.encryptToJid(
+        aliceJid,
+        messageText,
+      );
+
+      // Bob sends the message to Alice
+      // ...
+
+      // Alice decrypts it
+      final aliceReceivedMessage = await aliceSession.decryptMessage(
+        bobResponseMessage.ciphertext,
+        bobJid,
+        await bobSession.getDeviceId(),
+        bobResponseMessage.encryptedKeys,
+        0,
+      );
+      expect(messageText, aliceReceivedMessage);
+    }
   });
 }

test/serialisation_test.dart

@@ -62,6 +62,7 @@ void main() {
       aliceJid,
       await aliceSession.getDeviceId(),
       aliceMessage.encryptedKeys,
+      getTimestamp(),
     );
     final aliceOld = aliceSession.getRatchet(bobJid, await bobSession.getDeviceId());
     final aliceSerialised = jsonify(await aliceOld.toJson());