2015-02-26 17:56:25 +01:00
|
|
|
/* Copyright 2015 OpenMarket Ltd
|
|
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*/
|
2015-02-25 18:33:23 +01:00
|
|
|
|
2015-02-26 17:30:19 +01:00
|
|
|
#include "axolotl/crypto.hh"
|
|
|
|
|
#include "axolotl/list.hh"
|
2015-02-25 18:33:23 +01:00
|
|
|
|
|
|
|
|
namespace axolotl {
|
|
|
|
|
|
2015-06-11 15:20:35 +02:00
|
|
|
class Cipher;
|
|
|
|
|
|
2015-02-25 18:33:23 +01:00
|
|
|
typedef std::uint8_t SharedKey[32];
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct ChainKey {
|
|
|
|
|
std::uint32_t index;
|
|
|
|
|
SharedKey key;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct MessageKey {
|
|
|
|
|
std::uint32_t index;
|
2015-06-11 15:20:35 +02:00
|
|
|
SharedKey key;
|
2015-02-25 18:33:23 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct SenderChain {
|
|
|
|
|
Curve25519KeyPair ratchet_key;
|
|
|
|
|
ChainKey chain_key;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct ReceiverChain {
|
|
|
|
|
Curve25519PublicKey ratchet_key;
|
|
|
|
|
ChainKey chain_key;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct SkippedMessageKey {
|
|
|
|
|
Curve25519PublicKey ratchet_key;
|
|
|
|
|
MessageKey message_key;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
enum struct ErrorCode {
|
|
|
|
|
SUCCESS = 0, /*!< There wasn't an error */
|
|
|
|
|
NOT_ENOUGH_RANDOM = 1, /*!< Not enough entropy was supplied */
|
|
|
|
|
OUTPUT_BUFFER_TOO_SMALL = 2, /*!< Supplied output buffer is too small */
|
|
|
|
|
BAD_MESSAGE_VERSION = 3, /*!< The message version is unsupported */
|
|
|
|
|
BAD_MESSAGE_FORMAT = 4, /*!< The message couldn't be decoded */
|
|
|
|
|
BAD_MESSAGE_MAC = 5, /*!< The message couldn't be decrypted */
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static std::size_t const MAX_RECEIVER_CHAINS = 5;
|
|
|
|
|
static std::size_t const MAX_SKIPPED_MESSAGE_KEYS = 40;
|
|
|
|
|
|
2015-02-26 17:30:19 +01:00
|
|
|
|
2015-02-25 18:33:23 +01:00
|
|
|
struct KdfInfo {
|
2015-02-26 17:30:19 +01:00
|
|
|
std::uint8_t const * root_info;
|
|
|
|
|
std::size_t root_info_length;
|
2015-02-25 18:33:23 +01:00
|
|
|
std::uint8_t const * ratchet_info;
|
|
|
|
|
std::size_t ratchet_info_length;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct Session {
|
2015-02-26 17:30:19 +01:00
|
|
|
|
|
|
|
|
Session(
|
2015-06-11 15:20:35 +02:00
|
|
|
KdfInfo const & kdf_info,
|
|
|
|
|
Cipher const & ratchet_cipher
|
2015-02-26 17:30:19 +01:00
|
|
|
);
|
|
|
|
|
|
2015-06-11 15:20:35 +02:00
|
|
|
/** A some strings identifying the application to feed into the KDF. */
|
|
|
|
|
KdfInfo const & kdf_info;
|
|
|
|
|
|
|
|
|
|
/** The AEAD cipher to use for encrypting messages. */
|
|
|
|
|
Cipher const & ratchet_cipher;
|
2015-02-27 16:07:45 +01:00
|
|
|
|
2015-06-11 15:20:35 +02:00
|
|
|
/** The last error that happened encrypting or decrypting a message. */
|
2015-02-25 18:33:23 +01:00
|
|
|
ErrorCode last_error;
|
2015-02-27 16:07:45 +01:00
|
|
|
|
|
|
|
|
/** The root key is used to generate chain keys from the ephemeral keys.
|
|
|
|
|
* A new root_key derived each time a chain key is derived. */
|
2015-02-25 18:33:23 +01:00
|
|
|
SharedKey root_key;
|
2015-02-27 16:07:45 +01:00
|
|
|
|
|
|
|
|
/** The sender chain is used to send messages. Each time a new ephemeral
|
|
|
|
|
* key is received from the remote server we generate a new sender chain
|
|
|
|
|
* with a new empheral key when we next send a message. */
|
2015-02-25 18:33:23 +01:00
|
|
|
List<SenderChain, 1> sender_chain;
|
2015-02-27 16:07:45 +01:00
|
|
|
|
2015-06-11 15:20:35 +02:00
|
|
|
/** The receiver chain is used to decrypt received messages. We store the
|
2015-02-27 16:07:45 +01:00
|
|
|
* last few chains so we can decrypt any out of order messages we haven't
|
|
|
|
|
* received yet. */
|
2015-02-26 17:30:19 +01:00
|
|
|
List<ReceiverChain, MAX_RECEIVER_CHAINS> receiver_chains;
|
2015-02-27 16:07:45 +01:00
|
|
|
|
|
|
|
|
/** List of message keys we've skipped over when advancing the receiver
|
|
|
|
|
* chain. */
|
2015-02-25 18:33:23 +01:00
|
|
|
List<SkippedMessageKey, MAX_SKIPPED_MESSAGE_KEYS> skipped_message_keys;
|
|
|
|
|
|
2015-02-27 16:07:45 +01:00
|
|
|
/** Initialise the session using a shared secret and the public part of the
|
|
|
|
|
* remote's first ratchet key */
|
2015-02-26 17:30:19 +01:00
|
|
|
void initialise_as_bob(
|
|
|
|
|
std::uint8_t const * shared_secret, std::size_t shared_secret_length,
|
|
|
|
|
Curve25519PublicKey const & their_ratchet_key
|
|
|
|
|
);
|
|
|
|
|
|
2015-06-11 15:20:35 +02:00
|
|
|
/** Initialise the session using a shared secret and the public/private key
|
2015-02-27 16:07:45 +01:00
|
|
|
* pair for the first ratchet key */
|
2015-02-26 17:30:19 +01:00
|
|
|
void initialise_as_alice(
|
|
|
|
|
std::uint8_t const * shared_secret, std::size_t shared_secret_length,
|
|
|
|
|
Curve25519KeyPair const & our_ratchet_key
|
|
|
|
|
);
|
|
|
|
|
|
2015-06-09 19:03:01 +02:00
|
|
|
/** The number of bytes needed to persist the current session. */
|
|
|
|
|
std::size_t pickle_max_output_length();
|
|
|
|
|
|
|
|
|
|
/** Persists a session as a sequence of bytes, encrypting using a key
|
|
|
|
|
* Returns the number of output bytes used. */
|
|
|
|
|
std::size_t pickle(
|
|
|
|
|
std::uint8_t const * key, std::size_t key_length,
|
|
|
|
|
std::uint8_t * output, std::size_t max_output_length
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
/** Loads a session from a sequence of bytes, decrypting using a key.
|
|
|
|
|
* Returns 0 on success, or std::size_t(-1) on failure. The last_error
|
|
|
|
|
* will be BAD_SESSION_KEY if the supplied key is incorrect. */
|
|
|
|
|
std::size_t unpickle(
|
|
|
|
|
std::uint8_t const * key, std::size_t key_length,
|
|
|
|
|
std::uint8_t * input, std::size_t input_length
|
|
|
|
|
);
|
|
|
|
|
|
2015-02-27 16:07:45 +01:00
|
|
|
/** The maximum number of bytes of output the encrypt method will write for
|
|
|
|
|
* a given message length. */
|
2015-02-25 18:33:23 +01:00
|
|
|
std::size_t encrypt_max_output_length(
|
|
|
|
|
std::size_t plaintext_length
|
|
|
|
|
);
|
|
|
|
|
|
2015-02-27 16:07:45 +01:00
|
|
|
/** The number of bytes of random data the encrypt method will need to
|
|
|
|
|
* encrypt a message. This will be 32 bytes if the session needs to
|
|
|
|
|
* generate a new ephemeral key, or will be 0 bytes otherwise.*/
|
2015-02-25 18:33:23 +01:00
|
|
|
std::size_t encrypt_random_length();
|
|
|
|
|
|
2015-06-11 15:20:35 +02:00
|
|
|
/** Encrypt some plain-text. Returns the length of the encrypted message
|
2015-02-27 16:07:45 +01:00
|
|
|
* or std::size_t(-1) on failure. On failure last_error will be set with
|
|
|
|
|
* an error code. The last_error will be NOT_ENOUGH_RANDOM if the number
|
|
|
|
|
* of random bytes is too small. The last_error will be
|
|
|
|
|
* OUTPUT_BUFFER_TOO_SMALL if the output buffer is too small. */
|
2015-02-25 18:33:23 +01:00
|
|
|
std::size_t encrypt(
|
|
|
|
|
std::uint8_t const * plaintext, std::size_t plaintext_length,
|
|
|
|
|
std::uint8_t const * random, std::size_t random_length,
|
|
|
|
|
std::uint8_t * output, std::size_t max_output_length
|
|
|
|
|
);
|
|
|
|
|
|
2015-06-11 15:20:35 +02:00
|
|
|
/** An upper bound on the number of bytes of plain-text the decrypt method
|
2015-02-27 16:07:45 +01:00
|
|
|
* will write for a given input message length. */
|
2015-02-25 18:33:23 +01:00
|
|
|
std::size_t decrypt_max_plaintext_length(
|
|
|
|
|
std::size_t input_length
|
|
|
|
|
);
|
|
|
|
|
|
2015-06-11 15:20:35 +02:00
|
|
|
/** Decrypt a message. Returns the length of the decrypted plain-text or
|
2015-02-27 16:07:45 +01:00
|
|
|
* std::size_t(-1) on failure. On failure last_error will be set with an
|
|
|
|
|
* error code. The last_error will be OUTPUT_BUFFER_TOO_SMALL if the
|
2015-06-11 15:20:35 +02:00
|
|
|
* plain-text buffer is too small. The last_error will be
|
2015-02-27 16:07:45 +01:00
|
|
|
* BAD_MESSAGE_VERSION if the message was encrypted with an unsupported
|
|
|
|
|
* version of the protocol. The last_error will be BAD_MESSAGE_FORMAT if
|
|
|
|
|
* the message headers could not be decoded. The last_error will be
|
|
|
|
|
* BAD_MESSAGE_MAC if the message could not be verified */
|
2015-02-25 18:33:23 +01:00
|
|
|
std::size_t decrypt(
|
|
|
|
|
std::uint8_t const * input, std::size_t input_length,
|
|
|
|
|
std::uint8_t * plaintext, std::size_t max_plaintext_length
|
|
|
|
|
);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
2015-02-27 13:09:17 +01:00
|
|
|
} // namespace axolotl
|
