omemo / gajim-omemo

Gajim plugin for OMEMO Multi-End Message and Object Encryption

Omemo activated but not authorized. messages unencrypted. #63

Closed vanitasvitae closed 8 years ago

vanitasvitae commented 8 years ago

Hi! I'm using Conversations on my phone and have some accounts on my own ejabberd server. According to Conversations, I activated all XEPs needed to use all functions.

Now I wanted to use OMEMO on my desktop as well and gave gajim omemo a try. When I start a chat with another OMEMO capable account on my server, there is a red shield next to the textbox that states that OMEMO is activated, but the chat is not authorized. On Conversations I get asked to verify the OMEMO key, but there is no popup etc. on gajim. Also messages from gajim to conversations appear to be unencrypted. Do I have to manually sync/check keys?

I'm using ejabberd 16.04 on my Raspberry Pi, Gajim from Debian Jessie stable and gajim OMEMO from Gajim's plugins.

Can you give me some tips to get this working?

lovetox commented 8 years ago

please try the version from my repo, it will get merged soon

https://github.com/lovetox/gajim-omemo

there you have fingerprint button in the chat window, you have to trust the fingerprint, then check if checkbox OMEMO is checked, and in the Chat Window it should show "OMEMO is enabled"

vanitasvitae commented 8 years ago

Nice it works! Thank you! (There's just one bug: When you go to plugins -> omemo -> configure -> fingerprints and verify/untrust fingerprints there, the popup that asks whether you want to trust/untrust does not disappear automatically after the user clicked a button. Instead the popup has to be killed via alt+f4.)

vanitasvitae commented 8 years ago

@lovetox (Sorry, there is no issue section in your fork, so I don't know how to reach you) I tested your fork across multiple servers. It still seems not to work in all cases. Fingerprints are verified at all ends and omemo checkbox is activated, but sent messages are unencrypted...

kalkin commented 8 years ago

@vanitasvitae you are welcome to further discuss your issues in https://github.com/omemo/gajim-omemo/pull/61 :smile:

For now I will just copy paste your bug report.

EDIT: Wrong highlighted name.

lovetox commented 8 years ago

This is not an issue with the pull request, as he has the problem with the current HEAD also, and it's better to discuss this here than in the pull request.

@vanitasvitae

Without a full log from starting gajim to sending messages (-l gajim.plugin_system.omemo) i can't help you much. there could be many reasons why it doesn't work.

without a log my first guess would be the E2E function of Gajim

go to the extended settings and set

enable_esessions = Disabled
autonegotiate_esessions = Disabled

for all your accounts, start gajim again and see if the issue is still there.

you can provide a log to my email also forenjunkie@chello.at

lovetox commented 8 years ago

also your gajim version seems outdated, according to some websites i found Debian Jessie is on Gajim 0.16.1. please install the current version from the gajim.org website

vanitasvitae commented 8 years ago

It was my old version of gajim. I installed gajim-nightly and now it works mostly fine. I do have the problem that on one account which I logged in from both conversations and gajim, messages sent from conversations do not appear in gajim, but otherwise it's working fine now. (Seems also to disappear after enabling "Receive conversations from other ressources")

lovetox commented 8 years ago

if a message does not appear, that doesn't mean it didn't reach your computer. you should have an error in the debug log

and in gajim you have to activate "enable_carbon_messages" through the extended settings, could be the problem

vanitasvitae commented 8 years ago

I'm happy with gajim now :+1:

kalkin commented 8 years ago

@vanitasvitae So i can close this?

vanitasvitae commented 8 years ago

I guess. In some Servers where Conversations <-> Conversations does work, Conversations <-> Gajim fails though. I guess it's caused by the server (openfire). Also I get some array out of range errors. Shall I provide logs or is this unrelated?

lovetox commented 8 years ago

if it doesn't work like it should then there is an issue.

  1. please use the newest head from this repo (everything is now merged)
  2. please provide the array out of range error
  3. is your server openfire?! or is that the one of your contact
  4. what exactly doesn't work, can you receive, can you send, are both devices online or not etc. try to pin it down to one thing that doesn't work in a specific case
  5. delete all logs, start new, try to force the error and provide a gajim log

vanitasvitae commented 8 years ago

1.: I get no more crashes in the logs now. Maybe it's fixed now.
2.: See 1
3.: My server is ejabberd 16.04 (used with gajim), contact's server is openfire (conversations)
4.: I cannot start OMEMO chat with contact.
5.:

13.06.2016 13:29:35 (D) gajim.plugin_system OmemoPlugin.connect_ui()
13.06.2016 13:29:35 (D) gajim.plugin_system OmemoPlugin.get_omemo_state()
13.06.2016 13:29:35 (D) gajim.plugin_system OmemoPlugin.get_omemo_state()
13.06.2016 13:29:35 (W) gajim.plugin_system.omemo my.ejabberd.server => No OMEMO dev_keys for conversationscontact@openfire.server
13.06.2016 13:29:35 (D) gajim.plugin_system OmemoPlugin.connect_ui()
13.06.2016 13:29:36 (D) gajim.c.ged stanza-received Args: (<common.connection_handlers_events.StanzaReceivedEvent object at 0x7fef2de8ad10>,)
13.06.2016 13:29:36 (D) gajim.c.p.bytestream IBBAllIqHandler called syn_id->66
13.06.2016 13:29:36 (D) gajim.c.ged raw-iq-received Args: (<common.nec.NetworkEvent object at 0x7fef2de8a050>,)
13.06.2016 13:29:36 (D) gajim.plugin_system OmemoPlugin.handle_iq_received()
13.06.2016 13:29:36 (D) gajim.plugin_system OmemoPlugin.handle_iq_received()
13.06.2016 13:29:36 (D) gajim.c.pubsub _PubsubErrorCB
13.06.2016 13:29:36 (D) gajim.c.connection_handlers ErrorCB
13.06.2016 13:29:36 (D) gajim.c.ged iq-error-received Args: (<common.connection_handlers_events.IqErrorReceivedEvent object at 0x7fef2de8a050>,)
13.06.2016 13:29:36 (D) gajim.c.ged stanza-received Args: (<common.connection_handlers_events.StanzaReceivedEvent object at 0x7fef2de8a110>,)
13.06.2016 13:29:36 (D) gajim.c.ged stanza-sent Args: (<common.connection_handlers_events.StanzaSentEvent object at 0x7fef2de8a110>,)

Also my contact does not appear in

13.06.2016 13:35:22 (D) gajim.plugin_system.omemo gajim@my.ejabberd.server: devices after boot:{...}

lovetox commented 8 years ago

so from this i guess you received no fingerprints for this contact, looks like he didn't publish his device IDs and key with PEP

you could check with the XML Console of Gajim:

When you go online look in the XML Console for something like this

<!-- In 13.06.2016 13:40:09 -->
<message from='conversationscontact@openfire.server' to='you/GajimWin' type='headline'>
<event xmlns='http://jabber.org/protocol/pubsub#event'>
<items node='eu.siacs.conversations.axolotl.devicelist'>
<item id='1'>
<list xmlns='eu.siacs.conversations.axolotl.devicelist'>
<device id='17213123123'/>
<device id='13991231230'/>
<device id='2081231234008'/>
</list>
</item>
</items>
</event>
</message>

if this never comes through for your contact, that means his pep is not working correctly

lovetox commented 8 years ago

oh i forgot, please check with gajim right click on the contact -> Manage Contact -> Abonnment

if you have the right to see his status, and he yours

vanitasvitae commented 8 years ago

> you could check with the XML Console of Gajim:

There is no entry for my contacts account...

> oh i forgot, please check with gajim right click on the contact -> Manage Contact -> Abonnment if you have the right to see his status, and he yours

The options 'Allow contact to see my status' and 'Ask to see contact status' are greyed out. Only the last option is available. That means that my contact can see my status right?

By the way, the contact with whom I cannot chat is one of my accounts, so I have control over it, just in case you need any logs from that endpoint as well..

lovetox commented 8 years ago

if your other account uses gajim, start, wait a minute, then go to the config menu under Plugins, go to "Clear Devices" tab, and tell me if there are any device IDs listed

also: can you chat with anyone else from that openfire acc? (with omemo)

or even better provide a gajim log from that openfire acc

but please with -l gajim.plugin_system.omemo=DEBUG

vanitasvitae commented 8 years ago

I'm now logged in to Gajim with both Accounts. Let's name the account on ejabberd (The one which I think works correctly) A and the other account (the one on the openfire server which I cannot contact via OMEMO) B. On A there are two keys listed (I assume Gajim and conversations). On B are no keys listed.

Also I found this in the logs:

13.06.2016 14:39:53 (E) gajim.c.ged Error while running an even handler: <bound method OmemoPlugin.mam_message_received of <gajim-omemo.OmemoPlugin object at 0x7fa8efefd790>>
Traceback (most recent call last):
  File "/usr/share/gajim/src/common/ged.py", line 93, in raise_event
    if handler(_args, _kwargs):
  File "/usr/share/gajim/src/plugins/helpers.py", line 107, in wrapper
    result = f(_args, _kwargs)
  File "/home/vanitas/.local/share/gajim/plugins/gajim-omemo/init.py", line 147, in mam_message_received
    plaintext = state.decrypt_msg(msg_dict)
  File "/home/vanitas/.local/share/gajim/plugins/gajim-omemo/omemo/state.py", line 178, in decrypt_msg
    encrypted_key)
  File "/home/vanitas/.local/share/gajim/plugins/gajim-omemo/omemo/state.py", line 341, in handlePreKeyWhisperMessage
    if self.isTrusted(sessionCipher) != UNTRUSTED:
  File "/home/vanitas/.local/share/gajim/plugins/gajim-omemo/omemo/state.py", line 265, in isTrusted
    self.key = self.state.getRemoteIdentityKey()
  File "/usr/lib/python2.7/dist-packages/axolotl/state/sessionstate.py", line 47, in getRemoteIdentityKey
    return IdentityKey(self.sessionStructure.remoteIdentityPublic, 0)
  File "/usr/lib/python2.7/dist-packages/axolotl/identitykey.py", line 7, in init
    self.publicKey = Curve.decodePoint(bytearray(ecPubKeyOrBytes), offset)
  File "/usr/lib/python2.7/dist-packages/axolotl/ecc/curve.py", line 31, in decodePoint
    type = _bytes[0] # byte appears to be automatically converted to an integer??
IndexError: bytearray index out of range

lovetox commented 8 years ago

puh this is an error in the axolotl lib, which is to be honest way beyond my abilities to understand, for now.

and i doubt it has something to do with your problem, cause that's an error to decrypt a message, and your problem seems to be not even getting to the point of exchanging messages.

let's leave this aside.

if you have no devices listed on B, that means your openfire server doesn't send you your own device list, at this point i have to say the server has a problem with pubsub/pep

if you run a gajim log you should have error messages about publishing device keys and bundles, which tells that the server doesn't let you publish anything.

but i don't have a clue about openfire, so i don't think i can help you there

vanitasvitae commented 8 years ago

Okay, then I will ask my university to fix their jabber server :D Anyway thank you for your support :)

vanitasvitae commented 8 years ago

Strangely enough, now I CAN send encrypted messages from Account B, but there are still no other devices listed. Conversations also does not list other device keys... Messages sent from B on Gajim arrive on A (conversations), but they do not arrive at B (conversations). Same the other way round (I enabled syncing though). I guess, both resources of B exist independently and A trusts both keys. I'll see, what the server admin of the openfire server has to say about this. For the record: OMEMO only requires XEP-0163 right? B's Server only supports XEP-0163 and XEP-0280 out of the XEPs that conversation lists.

kalkin commented 8 years ago

@vanitasvitae Have you tried to restart Conversations? Sometimes it doesn't pick up the new key

lovetox commented 8 years ago

theoretically it only needs 0163, but it will not be that great of an experience if you miss MAM and Message Carbons

If you say something arrives not on both devices you always have to also tell if these devices were online or not at the same time.

Message Carbons only gets the Messages to your online devices if you don't have MAM support on your server, then devices that are offline will not get any messages if another device received them.

lovetox commented 8 years ago

just post this into the gajim xml console

<iq xmlns="jabber:client" to="your@jid.jd" type="get" id="942504d6-889c-411a-8650-54ce236f03esa0">
<pubsub xmlns="http://jabber.org/protocol/pubsub">
<items node="eu.siacs.conversations.axolotl.devicelist" />
</pubsub>
</iq>

and you should get immediately a result with all your published devices

vanitasvitae commented 8 years ago

This came back: `

`

lovetox commented 8 years ago

yeah you have no published devices.

either your server doesn't let you publish devices, or he gives incorrect results back. either way you should talk to your server admin
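The two device-list checks described in this thread (the PEP headline event seen when going online, and the manual IQ query) can be scripted. The following is an added example, not code from gajim-omemo or from any participant here; the stanzas are constructed samples with placeholder JIDs and made-up device ids, and `device_list_status` and `local` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NODE = "eu.siacs.conversations.axolotl.devicelist"  # node name used in this thread
ITEMS_TAGS = {
    "{http://jabber.org/protocol/pubsub}items",        # reply to the manual IQ query
    "{http://jabber.org/protocol/pubsub#event}items",  # PEP headline event
}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def device_list_status(stanza_xml):
    """Return (status, device_ids) for one stanza pasted from the XML Console."""
    root = ET.fromstring(stanza_xml)
    if local(root.tag) == "iq" and root.get("type") == "error":
        # Report the first condition inside <error/>, e.g. item-not-found.
        conds = [local(c.tag) for e in root
                 if local(e.tag) == "error" for c in e]
        return ("error:" + (conds[0] if conds else "unknown"), [])
    for items in root.iter():
        if items.tag in ITEMS_TAGS and items.get("node") == NODE:
            ids = [d.get("id") for d in items.iter("{%s}device" % NODE)
                   if d.get("id")]
            return ("published" if ids else "empty", ids)
    return ("no-devicelist", [])

# Constructed sample stanzas (assumptions: placeholder JIDs, made-up ids).
EVENT = """<message from='contact@example.org' to='me@example.org/Gajim' type='headline'>
<event xmlns='http://jabber.org/protocol/pubsub#event'>
<items node='eu.siacs.conversations.axolotl.devicelist'><item id='1'>
<list xmlns='eu.siacs.conversations.axolotl.devicelist'>
<device id='1111'/><device id='2222'/>
</list></item></items></event></message>"""

EMPTY_RESULT = """<iq xmlns='jabber:client' type='result' id='q1'>
<pubsub xmlns='http://jabber.org/protocol/pubsub'>
<items node='eu.siacs.conversations.axolotl.devicelist'/>
</pubsub></iq>"""

ERROR_RESULT = """<iq xmlns='jabber:client' type='error' id='q1'>
<error type='cancel'>
<item-not-found xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error></iq>"""

if __name__ == "__main__":
    for name, xml in (("event", EVENT), ("empty", EMPTY_RESULT), ("error", ERROR_RESULT)):
        print(name, device_list_status(xml))
```

An `empty` or `error:` status for your own JID corresponds to the "no published devices" case above, which points at the server's PubSub/PEP support rather than at the client.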

vanitasvitae commented 8 years ago

I told my server admin about the issues and he replied that they are running an old version of openfire. He is not sure, whether the XEPs are fully implemented, but he read on the internet, that OMEMO does not work with recent versions of Openfire :/

I'm glad, that XMPP is federated, so I can use my own server :D