olm/include/olm/ratchet.hh
2016-04-26 17:55:26 +01:00

186 lines
5.8 KiB
C++

/* Copyright 2015 OpenMarket Ltd
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "olm/crypto.hh"
#include "olm/list.hh"
#include "olm/error.hh"
namespace olm {
class Cipher;
typedef std::uint8_t SharedKey[olm::KEY_LENGTH];
struct ChainKey {
std::uint32_t index;
SharedKey key;
};
struct MessageKey {
std::uint32_t index;
SharedKey key;
};
struct SenderChain {
Curve25519KeyPair ratchet_key;
ChainKey chain_key;
};
struct ReceiverChain {
Curve25519PublicKey ratchet_key;
ChainKey chain_key;
};
struct SkippedMessageKey {
Curve25519PublicKey ratchet_key;
MessageKey message_key;
};
static std::size_t const MAX_RECEIVER_CHAINS = 5;
static std::size_t const MAX_SKIPPED_MESSAGE_KEYS = 40;
struct KdfInfo {
std::uint8_t const * root_info;
std::size_t root_info_length;
std::uint8_t const * ratchet_info;
std::size_t ratchet_info_length;
};
struct Ratchet {
Ratchet(
KdfInfo const & kdf_info,
Cipher const & ratchet_cipher
);
/** A some strings identifying the application to feed into the KDF. */
KdfInfo const & kdf_info;
/** The AEAD cipher to use for encrypting messages. */
Cipher const & ratchet_cipher;
/** The last error that happened encrypting or decrypting a message. */
ErrorCode last_error;
/**
* A count of the number of times the root key has been advanced; this is
* maintained purely for diagnostics.
*
* If sender_chain is empty, this will be the index of the current receiver
* chain (odd for Alice, even for Bob); otherwise, the index of the current
* sender chain (even for Alice, odd for Bob).
*/
std::uint32_t chain_index;
/** The root key is used to generate chain keys from the ephemeral keys.
* A new root_key derived each time a new chain is started. */
SharedKey root_key;
/** The sender chain is used to send messages. Each time a new ephemeral
* key is received from the remote server we generate a new sender chain
* with a new empheral key when we next send a message. */
List<SenderChain, 1> sender_chain;
/** The receiver chain is used to decrypt received messages. We store the
* last few chains so we can decrypt any out of order messages we haven't
* received yet. */
List<ReceiverChain, MAX_RECEIVER_CHAINS> receiver_chains;
/** List of message keys we've skipped over when advancing the receiver
* chain. */
List<SkippedMessageKey, MAX_SKIPPED_MESSAGE_KEYS> skipped_message_keys;
/** Initialise the session using a shared secret and the public part of the
* remote's first ratchet key */
void initialise_as_bob(
std::uint8_t const * shared_secret, std::size_t shared_secret_length,
Curve25519PublicKey const & their_ratchet_key
);
/** Initialise the session using a shared secret and the public/private key
* pair for the first ratchet key */
void initialise_as_alice(
std::uint8_t const * shared_secret, std::size_t shared_secret_length,
Curve25519KeyPair const & our_ratchet_key
);
/** The number of bytes of output the encrypt method will write for
* a given message length. */
std::size_t encrypt_output_length(
std::size_t plaintext_length
);
/** The number of bytes of random data the encrypt method will need to
* encrypt a message. This will be 32 bytes if the session needs to
* generate a new ephemeral key, or will be 0 bytes otherwise.*/
std::size_t encrypt_random_length();
/** Encrypt some plain-text. Returns the length of the encrypted message
* or std::size_t(-1) on failure. On failure last_error will be set with
* an error code. The last_error will be NOT_ENOUGH_RANDOM if the number
* of random bytes is too small. The last_error will be
* OUTPUT_BUFFER_TOO_SMALL if the output buffer is too small. */
std::size_t encrypt(
std::uint8_t const * plaintext, std::size_t plaintext_length,
std::uint8_t const * random, std::size_t random_length,
std::uint8_t * output, std::size_t max_output_length
);
/** An upper bound on the number of bytes of plain-text the decrypt method
* will write for a given input message length. */
std::size_t decrypt_max_plaintext_length(
std::uint8_t const * input, std::size_t input_length
);
/** Decrypt a message. Returns the length of the decrypted plain-text or
* std::size_t(-1) on failure. On failure last_error will be set with an
* error code. The last_error will be OUTPUT_BUFFER_TOO_SMALL if the
* plain-text buffer is too small. The last_error will be
* BAD_MESSAGE_VERSION if the message was encrypted with an unsupported
* version of the protocol. The last_error will be BAD_MESSAGE_FORMAT if
* the message headers could not be decoded. The last_error will be
* BAD_MESSAGE_MAC if the message could not be verified */
std::size_t decrypt(
std::uint8_t const * input, std::size_t input_length,
std::uint8_t * plaintext, std::size_t max_plaintext_length
);
};
std::size_t pickle_length(
Ratchet const & value
);
std::uint8_t * pickle(
std::uint8_t * pos,
Ratchet const & value
);
std::uint8_t const * unpickle(
std::uint8_t const * pos, std::uint8_t const * end,
Ratchet & value
);
} // namespace olm