5 files changed, 497 insertions, 0 deletions

diff --git a/include/axolotl/axolotl.hh b/include/axolotl/axolotl.hh
new file mode 100644
index 0000000..9d7ff9a
--- /dev/null
+++ b/include/axolotl/axolotl.hh
@@ -0,0 +1,167 @@
+/* Copyright 2015 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "axolotl/crypto.hh"
+#include "axolotl/list.hh"
+
+namespace axolotl {
+
+typedef std::uint8_t SharedKey[32];
+
+
+struct ChainKey {
+    std::uint32_t index;
+    SharedKey key;
+};
+
+
+struct MessageKey {
+    std::uint32_t index;
+    Aes256Key cipher_key;
+    SharedKey mac_key;
+    Aes256Iv iv;
+};
+
+
+struct SenderChain {
+    Curve25519KeyPair ratchet_key;
+    ChainKey chain_key;
+};
+
+
+struct ReceiverChain {
+    Curve25519PublicKey ratchet_key;
+    ChainKey chain_key;
+};
+
+
+struct SkippedMessageKey {
+    Curve25519PublicKey ratchet_key;
+    MessageKey message_key;
+};
+
+
+enum struct ErrorCode {
+    SUCCESS = 0, /*!< There wasn't an error */
+    NOT_ENOUGH_RANDOM = 1,  /*!< Not enough entropy was supplied */
+    OUTPUT_BUFFER_TOO_SMALL = 2, /*!< Supplied output buffer is too small */
+    BAD_MESSAGE_VERSION = 3,  /*!< The message version is unsupported */
+    BAD_MESSAGE_FORMAT = 4, /*!< The message couldn't be decoded */
+    BAD_MESSAGE_MAC = 5, /*!< The message couldn't be decrypted */
+};
+
+
+static std::size_t const MAX_RECEIVER_CHAINS = 5;
+static std::size_t const MAX_SKIPPED_MESSAGE_KEYS = 40;
+
+
+struct KdfInfo {
+    std::uint8_t const * root_info;
+    std::size_t root_info_length;
+    std::uint8_t const * ratchet_info;
+    std::size_t ratchet_info_length;
+    std::uint8_t const * message_info;
+    std::size_t message_info_length;
+};
+
+
+struct Session {
+
+    Session(
+        KdfInfo const & kdf_info
+    );
+
+    /** A some strings identifing the application to feed into the KDF. */
+    KdfInfo kdf_info;
+
+    /** The last error that happened encypting or decrypting a message. */
+    ErrorCode last_error;
+
+    /** The root key is used to generate chain keys from the ephemeral keys.
+     * A new root_key derived each time a chain key is derived. */
+    SharedKey root_key;
+
+    /** The sender chain is used to send messages. Each time a new ephemeral
+     * key is received from the remote server we generate a new sender chain
+     * with a new empheral key when we next send a message. */
+    List<SenderChain, 1> sender_chain;
+
+    /** The receiver chain is used to decrypt recieved messages. We store the
+     * last few chains so we can decrypt any out of order messages we haven't
+     * received yet. */
+    List<ReceiverChain, MAX_RECEIVER_CHAINS> receiver_chains;
+
+    /** List of message keys we've skipped over when advancing the receiver
+     * chain. */
+    List<SkippedMessageKey, MAX_SKIPPED_MESSAGE_KEYS> skipped_message_keys;
+
+    /** Initialise the session using a shared secret and the public part of the
+     * remote's first ratchet key */
+    void initialise_as_bob(
+        std::uint8_t const * shared_secret, std::size_t shared_secret_length,
+        Curve25519PublicKey const & their_ratchet_key
+    );
+
+    /** Intialise the session using a shared secret and the public/private key
+     * pair for the first ratchet key */
+    void initialise_as_alice(
+        std::uint8_t const * shared_secret, std::size_t shared_secret_length,
+        Curve25519KeyPair const & our_ratchet_key
+    );
+
+    /** The maximum number of bytes of output the encrypt method will write for
+     * a given message length. */
+    std::size_t encrypt_max_output_length(
+        std::size_t plaintext_length
+    );
+
+    /** The number of bytes of random data the encrypt method will need to
+     * encrypt a message. This will be 32 bytes if the session needs to
+     * generate a new ephemeral key, or will be 0 bytes otherwise.*/
+    std::size_t encrypt_random_length();
+
+    /** Encrypt some plaintext. Returns the length of the encrypted message
+     * or std::size_t(-1) on failure. On failure last_error will be set with
+     * an error code. The last_error will be NOT_ENOUGH_RANDOM if the number
+     * of random bytes is too small. The last_error will be
+     * OUTPUT_BUFFER_TOO_SMALL if the output buffer is too small. */
+    std::size_t encrypt(
+        std::uint8_t const * plaintext, std::size_t plaintext_length,
+        std::uint8_t const * random, std::size_t random_length,
+        std::uint8_t * output, std::size_t max_output_length
+    );
+
+    /** An upper bound on the number of bytes of plaintext the decrypt method
+     * will write for a given input message length. */
+    std::size_t decrypt_max_plaintext_length(
+        std::size_t input_length
+    );
+
+    /** Decrypt a message. Returns the length of the decrypted plaintext or
+     * std::size_t(-1) on failure. On failure last_error will be set with an
+     * error code. The last_error will be OUTPUT_BUFFER_TOO_SMALL if the
+     * plaintext buffer is too small. The last_error will be
+     * BAD_MESSAGE_VERSION if the message was encrypted with an unsupported
+     * version of the protocol. The last_error will be BAD_MESSAGE_FORMAT if
+     * the message headers could not be decoded. The last_error will be
+     * BAD_MESSAGE_MAC if the message could not be verified */
+    std::size_t decrypt(
+        std::uint8_t const * input, std::size_t input_length,
+        std::uint8_t * plaintext, std::size_t max_plaintext_length
+    );
+};
+
+
+} // namespace axolotl
diff --git a/include/axolotl/crypto.hh b/include/axolotl/crypto.hh
new file mode 100644
index 0000000..162099f
--- /dev/null
+++ b/include/axolotl/crypto.hh
@@ -0,0 +1,123 @@
+/* Copyright 2015 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <cstdint>
+#include <cstddef>
+
+namespace axolotl {
+
+
+struct Curve25519PublicKey {
+    static const int LENGTH = 32;
+    std::uint8_t public_key[32];
+};
+
+
+struct Curve25519KeyPair : public Curve25519PublicKey {
+    std::uint8_t private_key[32];
+};
+
+
+/** Generate a curve25519 key pair from 32 random bytes. */
+void generate_key(
+    std::uint8_t const * random_32_bytes,
+    Curve25519KeyPair & key_pair
+);
+
+
+const std::size_t CURVE25519_SHARED_SECRET_LENGTH = 32;
+
+
+/** Create a shared secret using our private key and their public key.
+ * The output buffer must be at least 32 bytes long. */
+void curve25519_shared_secret(
+    Curve25519KeyPair const & our_key,
+    Curve25519PublicKey const & their_key,
+    std::uint8_t * output
+);
+
+
+struct Aes256Key {
+    static const int LENGTH = 32;
+    std::uint8_t key[32];
+};
+
+
+struct Aes256Iv {
+    static const int LENGTH = 16;
+    std::uint8_t iv[16];
+};
+
+
+/** The length of output the aes_encrypt_cbc function will write */
+std::size_t aes_encrypt_cbc_length(
+    std::size_t input_length
+);
+
+
+/** Encrypts the input using AES256 in CBC mode with PKCS#7 padding.
+ * The output buffer must be big enough to hold the output including padding */
+void aes_encrypt_cbc(
+    Aes256Key const & key,
+    Aes256Iv const & iv,
+    std::uint8_t const * input, std::size_t input_length,
+    std::uint8_t * output
+);
+
+
+/** Decrypts the input using AES256 in CBC mode. The output buffer must be at
+ * least the same size as the input buffer. Returns the length of the plaintext
+ * without padding on success or std::size_t(-1) if the padding is invalid.
+ */
+std::size_t aes_decrypt_cbc(
+    Aes256Key const & key,
+    Aes256Iv const & iv,
+    std::uint8_t const * input, std::size_t input_length,
+    std::uint8_t * output
+);
+
+
+/** Computes SHA-256 of the input. The output buffer must be a least 32
+ * bytes long. */
+void sha256(
+    std::uint8_t const * input, std::size_t input_length,
+    std::uint8_t * output
+);
+
+
+const std::size_t HMAC_SHA256_OUTPUT_LENGTH = 32;
+
+
+/** HMAC: Keyed-Hashing for Message Authentication
+ * http://tools.ietf.org/html/rfc2104
+ * Computes HMAC-SHA-256 of the input for the key. The output buffer must
+ * be at least 32 bytes long. */
+void hmac_sha256(
+    std::uint8_t const * key, std::size_t key_length,
+    std::uint8_t const * input, std::size_t input_length,
+    std::uint8_t * output
+);
+
+
+/** HMAC-based Key Derivation Function (HKDF)
+ * https://tools.ietf.org/html/rfc5869
+ * Derives key material from the input bytes. */
+void hkdf_sha256(
+    std::uint8_t const * input, std::size_t input_length,
+    std::uint8_t const * info, std::size_t info_length,
+    std::uint8_t const * salt, std::size_t salt_length,
+    std::uint8_t * output, std::size_t output_length
+);
+
+} // namespace axolotl
diff --git a/include/axolotl/list.hh b/include/axolotl/list.hh
new file mode 100644
index 0000000..d1407b8
--- /dev/null
+++ b/include/axolotl/list.hh
@@ -0,0 +1,114 @@
+/* Copyright 2015 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <cstddef>
+
+namespace axolotl {
+
+template<typename T, std::size_t max_size>
+class List {
+public:
+    List() : _end(_data) {}
+
+    typedef T * iterator;
+    typedef T const * const_iterator;
+
+    T * begin() { return _data; }
+    T * end() { return _end; }
+    T const * begin() const { return _data; }
+    T const * end() const { return _end; }
+
+    /**
+     * Is the list empty?
+     */
+    bool empty() const { return _end == _data; }
+
+    /**
+     * The number of items in the list.
+     */
+    std::size_t size() const { return _end - _data; }
+
+    T & operator[](std::size_t index) { return _data[index]; }
+
+    T const & operator[](std::size_t index) const { return _data[index]; }
+
+    /**
+     * Erase the item from the list at the given position.
+     */
+    void erase(T * pos) {
+        --_end;
+        while (pos != _end) {
+            *pos = *(pos + 1);
+            ++pos;
+        }
+    }
+
+    /**
+     * Make space for an item in the list at a given position.
+     * If inserting the item makes the list longer than max_size then
+     * the end of the list is discarded.
+     * Returns the where the item is inserted.
+     */
+    T * insert(T * pos) {
+        if (_end != _data + max_size) {
+            ++_end;
+        } else if (pos == _end) {
+            --pos;
+        }
+        T * tmp = pos;
+        while (tmp != _end - 1) {
+            *(tmp + 1) = *tmp;
+            ++tmp;
+        }
+        return pos;
+    }
+
+    /**
+     * Make space for an item in the list at the start of the list
+     */
+    T * insert() { return insert(begin()); }
+
+    /**
+     * Insert an item into the list at a given position.
+     * If inserting the item makes the list longer than max_size then
+     * the end of the list is discarded.
+     * Returns the where the item is inserted.
+     */
+    T * insert(T * pos, T const & value) {
+        pos = insert(pos);
+        *pos = value;
+        return pos;
+    }
+
+    List<T, max_size> & operator=(List<T, max_size> const & other) {
+        if (this = &other) {
+            return *this;
+        }
+        T * this_pos = _data;
+        T * const other_pos = other._data;
+        while (other_pos != other._end) {
+            *this_pos = *other;
+            ++this_pos;
+            ++other_pos;
+        }
+        _end = this_pos;
+        return *this;
+    }
+
+private:
+    T * _end;
+    T _data[max_size];
+};
+
+} // namespace axolotl
diff --git a/include/axolotl/memory.hh b/include/axolotl/memory.hh
new file mode 100644
index 0000000..7749c54
--- /dev/null
+++ b/include/axolotl/memory.hh
@@ -0,0 +1,17 @@
+#include <cstddef>
+
+namespace axolotl {
+
+/** Clear the memory held in the buffer */
+void unset(
+    volatile void * buffer, std::size_t buffer_length
+);
+
+/** Clear the memory backing an object */
+template<typename T>
+void unset(T & value) {
+    unset(reinterpret_cast<volatile void *>(&value), sizeof(T));
+}
+
+
+} // namespace axolotl
diff --git a/include/axolotl/message.hh b/include/axolotl/message.hh
new file mode 100644
index 0000000..5cd4211
--- /dev/null
+++ b/include/axolotl/message.hh
@@ -0,0 +1,76 @@
+/* Copyright 2015 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <cstddef>
+#include <cstdint>
+
+
+namespace axolotl {
+
+/**
+ * The length of the buffer needed to hold a message.
+ */
+std::size_t encode_message_length(
+    std::uint32_t counter,
+    std::size_t ratchet_key_length,
+    std::size_t ciphertext_length,
+    std::size_t mac_length
+);
+
+
+struct MessageWriter {
+    std::size_t body_length;
+    std::uint8_t * ratchet_key;
+    std::uint8_t * ciphertext;
+    std::uint8_t * mac;
+};
+
+
+struct MessageReader {
+    std::size_t body_length;
+    std::uint8_t version;
+    std::uint32_t counter;
+    std::size_t ratchet_key_length;
+    std::size_t ciphertext_length;
+    std::uint8_t const * ratchet_key;
+    std::uint8_t const * ciphertext;
+    std::uint8_t const * mac;
+};
+
+
+/**
+ * Writes the message headers into the output buffer.
+ * Returns a writer struct populated with pointers into the output buffer.
+ */
+MessageWriter encode_message(
+    std::uint8_t version,
+    std::uint32_t counter,
+    std::size_t ratchet_key_length,
+    std::size_t ciphertext_length,
+    std::uint8_t * output
+);
+
+
+/**
+ * Reads the message headers from the input buffer.
+ * Returns a reader struct populated with pointers into the input buffer.
+ * On failure the returned body_length will be 0.
+ */
+MessageReader decode_message(
+    std::uint8_t const * input, std::size_t input_length,
+    std::size_t mac_length
+);
+
+
+} // namespace axolotl