#16537: TextSecure libpurple support
Reporter: onny | Owner: EionRobb
Type: defect | Status: new
Milestone: | Component: unclassified
Version: 2.10.11 | Keywords:
somone is working on a Go library for the WhisperSystem TextSecure secure
mobile messaging protocol https://github.com/janimo/textsecure The original Android program can be found here
So someone with good C skills could now easily write a libpurple protocol,
I might give it a try but I'm not that good in such things ...
The protocol is known as Axolotl. There's a link to its specification
It's superior to OTR in the sense that it's a self-contained protocol
rather than a protocol-agnostic layer. This makes things like file and
media transfer easier. OTR is generally considered pretty bulletproof in
terms of pure security, though. I think the difference between the two
might be less than you think because Text^^Secure offers lots of nice
features that no common OTR-supporting client does.
My main question is how much the Pidgin version would be able to interact
with Text^^Secure proper. With the official client you need to register
your phone number with SMS verification, right? Where would people be
getting their accounts, and who could they chat with?
I agree that it would be interesting, but I don't think anyone's working
on it. If there's an appropriately licensed and stable C library for
Axolotl, it might be easy. If you have any ideas, please share.
IIUC, we wouldn't be able to use a Python implementation (or any non-C
implementation) until GObjectification (#35) is complete. There's also a
Golang implementation, which I'd be more apt to trust because static
languages are generally far safer for crypto. My two cents.
It could presumably work with LibreSSL as well. That may not be GPL-
compatible either due to 4-clause BSD licensed parts. However, maybe the
fact that it's dependent on a multiply implemented API (OpenSSL's) rather
than a specific library changes things.
looks like libaxolotl-c has a ssl layer in it (struct
axolotl_crypto_provider) to be able to specify ssl implementations, so
that it doesn't have to rely on one crypto lib (libpurple has a similar
thing with ssl backends)
Unfortunately, it requires implementations of hmac-sha256, sha512 and aes,
of which libpurple only has ciphers for hmac-sha256