mirrors/signal-desktop
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 2 Wiki Activity Actions

Another step forward

Browse source
This commit is contained in:
Matt Corallo 2014-05-02 11:59:01 -04:00
parent d9e7e59c3a
commit 87c19c0c94
2 changed files with 202 additions and 78 deletions
Download patch file Download diff file Expand all files Collapse all files

114
js/helpers.js
View file

@ -575,17 +575,19 @@ var crypto_tests = {};
var decryptAESCTR = function(ciphertext, key, counter) {
//TODO: Waaayyyy less type conversion here (probably just means replacing CryptoJS)
var iv = String.fromCharCode(counter & 0xff000000) + String.fromCharCode(counter & 0xff0000) + String.fromCharCode(counter & 0xff00) + String.fromCharCode(counter & 0xff);
return CryptoJS.AES.decrypt(btoa(getString(ciphertext)),
CryptoJS.enc.Latin1.parse(getString(key)),
{mode: CryptoJS.mode.CTR, iv: CryptoJS.enc.Latin1.parse(""), padding: CryptoJS.pad.NoPadding})
{mode: CryptoJS.mode.CTR, iv: CryptoJS.enc.Latin1.parse(iv), padding: CryptoJS.pad.NoPadding})
.toString(CryptoJS.enc.Latin1);
}
var encryptAESCTR = function(plaintext, key, counter) {
//TODO: Waaayyyy less type conversion here (probably just means replacing CryptoJS)
var iv = String.fromCharCode(counter & 0xff000000) + String.fromCharCode(counter & 0xff0000) + String.fromCharCode(counter & 0xff00) + String.fromCharCode(counter & 0xff);
return CryptoJS.AES.encrypt(CryptoJS.enc.Latin1.parse(getString(plaintext)),
CryptoJS.enc.Latin1.parse(getString(key)),
{mode: CryptoJS.mode.CTR, iv: CryptoJS.enc.Latin1.parse(""), padding: CryptoJS.pad.NoPadding})
{mode: CryptoJS.mode.CTR, iv: CryptoJS.enc.Latin1.parse(iv), padding: CryptoJS.pad.NoPadding})
.ciphertext.toString(CryptoJS.enc.Latin1);
}
@ -610,6 +612,20 @@ var crypto_tests = {};
/******************************
*** Ratchet implementation ***
******************************/
var calculateRatchet = function(session, remoteKey, sending, callback) {
var ratchet = session.currentRatchet;
ECDHE(remoteKey, ratchet.ephemeralKeyPair.privKey, function(sharedSecret) {
var masterKey = HKDF(sharedSecret, ratchet.rootKey, "WhisperRatchet");
if (sending)
session[getString(ratchet.ephemeralKeyPair.pubKey)] = { messageKeys: {}, chainKey: { counter: -1, key: masterKey[1] } };
else
session[getString(remoteKey)] = { messageKeys: {}, chainKey: { counter: -1, key: masterKey[1] } };
ratchet.rootKey = masterKey[0];
callback();
});
}
var initSession = function(isInitiator, ourEphemeralKey, encodedNumber, theirIdentityPubKey, theirEphemeralPubKey, callback) {
var ourIdentityPrivKey = crypto_storage.getIdentityPrivKey();
@ -622,16 +638,19 @@ var crypto_tests = {};
sharedSecret += getString(ecRes);
var masterKey = HKDF(sharedSecret, '', "WhisperText");
var session = {currentRatchet: { rootKey: masterKey[0], ephemeralKeyPair: ourEphemeralKey,
lastRemoteEphemeralKey: theirEphemeralPubKey },
oldRatchetList: []
};
session[getString(ourEphemeralKey.pubKey)] = { messageKeys: {}, chainKey: { counter: -1, key: masterKey[1] } };
// This isnt an actual ratchet, its just here to make maybeStepRatchet work
session[getString(theirEphemeralPubKey)] = { messageKeys: {}, chainKey: { counter: 0xffffffff, key: '' } };
crypto_storage.saveSession(encodedNumber, session);
// Create new ephemeral key for sending
createNewKeyPair(false, function(ourSendingEphemeralKey) {
var session = {currentRatchet: { rootKey: masterKey[0], ephemeralKeyPair: ourSendingEphemeralKey,
lastRemoteEphemeralKey: theirEphemeralPubKey },
oldRatchetList: []
};
callback();
calculateRatchet(session, theirEphemeralPubKey, true, function() {
crypto_storage.saveSession(encodedNumber, session);
callback();
});
});
});
}
@ -662,6 +681,9 @@ var crypto_tests = {};
}
var fillMessageKeys = function(chain, counter) {
if (chain.chainKey.counter + 1000 < counter)
return; // Stalker, much?
var messageKeys = chain.messageKeys;
var key = chain.chainKey.key;
for (var i = chain.chainKey.counter; i < counter; i++) {
@ -673,34 +695,30 @@ var crypto_tests = {};
}
var maybeStepRatchet = function(session, remoteKey, previousCounter, callback) {
if (session[getString(remoteKey)] !== undefined) { //TODO: null???
callback();//TODO: This is happening in tests as alice (when bob is checking), probably shouldn't?
if (session[getString(remoteKey)] !== undefined) {
callback();
return;
}
var ratchet = session.currentRatchet;
var previousRatchet = session[getString(ratchet.lastRemoteEphemeralKey)];
fillMessageKeys(previousRatchet, previousCounter);
if (!objectContainsKeys(previousRatchet.messageKeys))
delete session[getString(ratchet.lastRemoteEphemeralKey)];
else
session.oldRatchetList[session.oldRatchetList.length] = { added: new Date().getTime(), ephemeralKey: ratchet.lastRemoteEphemeralKey };
if (previousRatchet !== undefined) {
fillMessageKeys(previousRatchet, previousCounter);
if (!objectContainsKeys(previousRatchet.messageKeys))
delete session[getString(ratchet.lastRemoteEphemeralKey)];
else
session.oldRatchetList[session.oldRatchetList.length] = { added: new Date().getTime(), ephemeralKey: ratchet.lastRemoteEphemeralKey };
}
delete session[ratchet.ephemeralKeyPair.pubKey];
ECDHE(remoteKey, ratchet.ephemeralKeyPair.privKey, function(sharedSecret) {
var masterKey = HKDF(sharedSecret, ratchet.rootKey, "WhisperRatchet");
session[getString(remoteKey)] = { messageKeys: {}, chainKey: { counter: -1, key: masterKey[1] } };
calculateRatchet(session, remoteKey, false, function() {
// Now swap the ephemeral key and calculate the new sending chain
ratchet.previousCounter = session[getString(ratchet.ephemeralKeyPair.pubKey)].chainKey.counter;
delete session[getString(ratchet.ephemeralKeyPair.pubKey)];
createNewKeyPair(false, function(keyPair) {
ratchet.ephemeralKeyPair = keyPair;
ECDHE(remoteKey, ratchet.ephemeralKeyPair.privKey, function(sharedSecret) {
masterKey = HKDF(sharedSecret, masterKey[0], "WhisperRatchet");
ratchet.rootKey = masterKey[0];
session[getString(ratchet.ephemeralKeyPair.pubKey)] = { messageKeys: {}, chainKey: { counter: -1, key: masterKey[1] } };
calculateRatchet(session, remoteKey, true, function() {
ratchet.lastRemoteEphemeralKey = remoteKey;
callback();
});
@ -733,6 +751,7 @@ var crypto_tests = {};
var plaintext = decryptAESCTR(message.ciphertext, keys[0], message.counter);
//TODO: removeOldChains(session);
delete session['pendingPreKey'];
crypto_storage.saveSession(encodedNumber, session);
callback(decodePushMessageContentProtobuf(plaintext));
@ -796,15 +815,14 @@ var crypto_tests = {};
msg.ephemeralKey = toArrayBuffer(session.currentRatchet.ephemeralKeyPair.pubKey);
var chain = session[getString(msg.ephemeralKey)];
fillMessageKeys(chain, chain.counter + 1);
var keys = HKDF(chain.messageKeys[chain.counter], '', "WhisperMessageKeys");
delete chain.messageKeys[chain.counter];
msg.counter = chain.counter;
fillMessageKeys(chain, chain.chainKey.counter + 1);
var keys = HKDF(chain.messageKeys[chain.chainKey.counter], '', "WhisperMessageKeys");
//TODO
msg.previousCounter = 1;
delete chain.messageKeys[chain.chainKey.counter];
msg.counter = chain.chainKey.counter;
msg.previousCounter = session.currentRatchet.previousCounter;
msg.ciphertext = toArrayBuffer(encryptAESCTR(plaintext, keys[0], chain.counter));
msg.ciphertext = toArrayBuffer(encryptAESCTR(plaintext, keys[0], chain.chainKey.counter));
var encodedMsg = getString(msg.encode());
var mac = calculateMACWithVersionByte(encodedMsg, keys[1], (2 << 4) | 2);
@ -814,16 +832,18 @@ var crypto_tests = {};
callback(result);
}
var preKeyMsg = new PreKeyWhisperMessageProtobuf();
preKeyMsg.identityKey = toArrayBuffer(crypto_storage.getStoredPubKey("identityKey"));
preKeyMsg.preKeyId = deviceObject.preKeyId;
preKeyMsg.registrationId = deviceObject.registrationId;
if (session === undefined) {
var preKeyMsg = new PreKeyWhisperMessageProtobuf();
preKeyMsg.identityKey = toArrayBuffer(crypto_storage.getStoredPubKey("identityKey"));
createNewKeyPair(false, function(baseKey) {
preKeyMsg.baseKey = toArrayBuffer(baseKey.pubKey);
preKeyMsg.preKeyId = deviceObject.preKeyId;
initSession(true, baseKey, deviceObject.encodedNumber, deviceObject.identityKey, deviceObject.publicKey, function() {
//TODO: Delete preKey info now?
//TODO: Delete preKey info on first message received back
session = crypto_storage.getSession(deviceObject.encodedNumber);
//TODO: We need to step ratchet here, I think
session.pendingPreKey = baseKey.pubKey;
doEncryptPushMessageContent(function(message) {
preKeyMsg.message = toArrayBuffer(message);
var result = String.fromCharCode((2 << 4) | 2) + getString(preKeyMsg.encode());
@ -833,7 +853,13 @@ var crypto_tests = {};
});
} else
doEncryptPushMessageContent(function(message) {
callback({type: 1, body: getString(message)});
if (session.pendingPreKey !== undefined) {
preKeyMsg.baseKey = toArrayBuffer(session.pendingPreKey);
preKeyMsg.message = toArrayBuffer(message);
var result = String.fromCharCode((2 << 4) | 2) + getString(preKeyMsg.encode());
callback({type: 3, body: result});
} else
callback({type: 1, body: getString(message)});
});
}
@ -956,7 +982,8 @@ function getKeysForNumber(number, success_callback, error_callback) {
encodedNumber: number + "." + response[i].deviceId,
identityKey: response[i].identityKey,
publicKey: response[i].publicKey,
preKeyId: response[i].keyId
preKeyId: response[i].keyId,
registrationId: response[i].registrationId
});
} catch (e) {
error_callback(e);
@ -991,6 +1018,7 @@ function sendMessageToDevices(number, deviceObjectList, message, success_callbac
jsonData[i] = {
type: encryptedMsg.type,
destination: deviceObjectList[i].encodedNumber,
destinationRegistrationId: deviceObjectList[i].registrationId,
body: encryptedMsg.body,
timestamp: new Date().getTime()
};