aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/account.cpp9
-rw-r--r--src/crypto.cpp4
-rw-r--r--src/message.cpp22
-rw-r--r--src/ratchet.cpp95
-rw-r--r--src/session.cpp74
5 files changed, 182 insertions, 22 deletions
diff --git a/src/account.cpp b/src/account.cpp
index 43033c8..4fca953 100644
--- a/src/account.cpp
+++ b/src/account.cpp
@@ -1,4 +1,4 @@
-/* Copyright 2015 OpenMarket Ltd
+/* Copyright 2015, 2016 OpenMarket Ltd
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,9 +14,12 @@
*/
#include "olm/account.hh"
#include "olm/base64.hh"
+#include "olm/logging.hh"
#include "olm/pickle.hh"
#include "olm/memory.hh"
+static const char *LOG_CATEGORY = "olm::Account";
+
olm::Account::Account(
) : next_one_time_key_id(0),
last_error(olm::ErrorCode::SUCCESS) {
@@ -42,9 +45,11 @@ std::size_t olm::Account::remove_key(
if (olm::array_equal(i->key.public_key, public_key.public_key)) {
std::uint32_t id = i->id;
one_time_keys.erase(i);
+ olm::logf(olm::LOG_INFO, LOG_CATEGORY, "removed key id %i", id);
return id;
}
}
+ olm::logf(olm::LOG_WARNING, LOG_CATEGORY, "Couldn't find key to remove");
return std::size_t(-1);
}
@@ -64,6 +69,8 @@ std::size_t olm::Account::new_account(
random += KEY_LENGTH;
olm::curve25519_generate_key(random, identity_keys.curve25519_key);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Created new account");
+
return 0;
}
diff --git a/src/crypto.cpp b/src/crypto.cpp
index 8867688..3801e93 100644
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -101,6 +101,10 @@ inline static void hmac_sha256_final(
} // namespace
+std::string olm::Curve25519PublicKey::to_string() const {
+ return olm::bytes_to_string(std::begin(public_key),
+ std::end(public_key));
+};
void olm::curve25519_generate_key(
std::uint8_t const * random_32_bytes,
diff --git a/src/message.cpp b/src/message.cpp
index 05f707f..30abd9c 100644
--- a/src/message.cpp
+++ b/src/message.cpp
@@ -14,8 +14,13 @@
*/
#include "olm/message.hh"
+#include "olm/logging.hh"
+#include "olm/memory.hh"
+
namespace {
+static const char *LOG_CATEGORY = "olm::Message";
+
template<typename T>
static std::size_t varint_length(
T value
@@ -234,6 +239,13 @@ void olm::decode_message(
}
unknown = pos;
}
+ olm::logf(olm::LOG_TRACE, LOG_CATEGORY,
+ "Decoded message ver=%i ratchet_key=%s chain_idx=%i ciphertext=%s",
+ reader.version,
+ olm::bytes_to_string(reader.ratchet_key, reader.ratchet_key_length).c_str(),
+ reader.has_counter ? reader.counter : -1,
+ olm::bytes_to_string(reader.ciphertext, reader.ciphertext_length).c_str()
+ );
}
@@ -322,4 +334,14 @@ void olm::decode_one_time_key_message(
}
unknown = pos;
}
+
+ olm::logf(olm::LOG_TRACE, LOG_CATEGORY,
+ "Decoded pre-key message ver=%i one_time_key[Eb]=%s "
+ "base_key[Ea]=%s identity_key[Ia]=%s message=%s",
+ reader.version,
+ olm::bytes_to_string(reader.one_time_key, reader.one_time_key_length).c_str(),
+ olm::bytes_to_string(reader.base_key, reader.base_key_length).c_str(),
+ olm::bytes_to_string(reader.identity_key, reader.identity_key_length).c_str(),
+ olm::bytes_to_string(reader.message, reader.message_length).c_str()
+ );
}
diff --git a/src/ratchet.cpp b/src/ratchet.cpp
index 5ef1e56..03a0478 100644
--- a/src/ratchet.cpp
+++ b/src/ratchet.cpp
@@ -1,4 +1,4 @@
-/* Copyright 2015 OpenMarket Ltd
+/* Copyright 2015, 2016 OpenMarket Ltd
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,17 +17,31 @@
#include "olm/memory.hh"
#include "olm/cipher.hh"
#include "olm/pickle.hh"
-
+#include "olm/logging.hh"
#include <cstring>
namespace {
+static const char *LOG_CATEGORY = "olm::Ratchet";
+
static const std::uint8_t PROTOCOL_VERSION = 3;
static const std::uint8_t MESSAGE_KEY_SEED[1] = {0x01};
static const std::uint8_t CHAIN_KEY_SEED[1] = {0x02};
static const std::size_t MAX_MESSAGE_GAP = 2000;
+
+/**
+ * Advance the root key, creating a new message chain.
+ *
+ * @param root_key previous root key R(n-1)
+ * @param our_key our new ratchet key T(n)
+ * @param their_key their most recent ratchet key T(n-1)
+ * @param info table of constants for the ratchet function
+ * @param new_root_key[out] returns the new root key R(n)
+ * @param new_chain_key[out] returns the first chain key in the new chain
+ * C(n,0)
+ */
static void create_chain_key(
olm::SharedKey const & root_key,
olm::Curve25519KeyPair const & our_key,
@@ -55,6 +69,7 @@ static void create_chain_key(
static void advance_chain_key(
+ std::uint32_t chain_index,
olm::ChainKey const & chain_key,
olm::ChainKey & new_chain_key
) {
@@ -64,20 +79,24 @@ static void advance_chain_key(
new_chain_key.key
);
new_chain_key.index = chain_key.index + 1;
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Derived chain key C(%i,%i)",
+ chain_index, new_chain_key.index);
}
static void create_message_keys(
+ std::uint32_t chain_index,
olm::ChainKey const & chain_key,
olm::KdfInfo const & info,
- olm::MessageKey & message_key
-) {
+ olm::MessageKey & message_key) {
olm::hmac_sha256(
chain_key.key, sizeof(chain_key.key),
MESSAGE_KEY_SEED, sizeof(MESSAGE_KEY_SEED),
message_key.key
);
message_key.index = chain_key.index;
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Created message key with chain key C(%i,%i)",
+ chain_index, message_key.index);
}
@@ -98,6 +117,7 @@ static std::size_t verify_mac_and_decrypt(
static std::size_t verify_mac_and_decrypt_for_existing_chain(
olm::Ratchet const & session,
+ std::uint32_t chain_index,
olm::ChainKey const & chain,
olm::MessageReader const & reader,
std::uint8_t * plaintext, std::size_t max_plaintext_length
@@ -114,11 +134,11 @@ static std::size_t verify_mac_and_decrypt_for_existing_chain(
olm::ChainKey new_chain = chain;
while (new_chain.index < reader.counter) {
- advance_chain_key(new_chain, new_chain);
+ advance_chain_key(chain_index, new_chain, new_chain);
}
olm::MessageKey message_key;
- create_message_keys(new_chain, session.kdf_info, message_key);
+ create_message_keys(chain_index, new_chain, session.kdf_info, message_key);
std::size_t result = verify_mac_and_decrypt(
session.ratchet_cipher, message_key, reader,
@@ -150,14 +170,17 @@ static std::size_t verify_mac_and_decrypt_for_new_chain(
}
olm::load_array(new_chain.ratchet_key.public_key, reader.ratchet_key);
+ std::uint32_t chain_index = session.chain_index + 1;
create_chain_key(
session.root_key, session.sender_chain[0].ratchet_key,
new_chain.ratchet_key, session.kdf_info,
new_root_key, new_chain.chain_key
);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Calculated new receiver chain R(%i)",
+ chain_index);
std::size_t result = verify_mac_and_decrypt_for_existing_chain(
- session, new_chain.chain_key, reader,
+ session, chain_index, new_chain.chain_key, reader,
plaintext, max_plaintext_length
);
olm::unset(new_root_key);
@@ -194,7 +217,9 @@ void olm::Ratchet::initialise_as_bob(
pos = olm::load_array(root_key, pos);
pos = olm::load_array(receiver_chains[0].chain_key.key, pos);
receiver_chains[0].ratchet_key = their_ratchet_key;
+ chain_index = 0;
olm::unset(derived_secrets);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Initialised receiver chain R(0)");
}
@@ -215,7 +240,9 @@ void olm::Ratchet::initialise_as_alice(
pos = olm::load_array(root_key, pos);
pos = olm::load_array(sender_chain[0].chain_key.key, pos);
sender_chain[0].ratchet_key = our_ratchet_key;
+ chain_index = 0;
olm::unset(derived_secrets);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Initialised sender chain R(0)");
}
namespace olm {
@@ -353,6 +380,7 @@ std::size_t olm::pickle_length(
length += olm::pickle_length(value.sender_chain);
length += olm::pickle_length(value.receiver_chains);
length += olm::pickle_length(value.skipped_message_keys);
+ length += olm::pickle_length(value.chain_index);
return length;
}
@@ -364,6 +392,7 @@ std::uint8_t * olm::pickle(
pos = pickle(pos, value.sender_chain);
pos = pickle(pos, value.receiver_chains);
pos = pickle(pos, value.skipped_message_keys);
+ pos = pickle(pos, value.chain_index);
return pos;
}
@@ -376,6 +405,7 @@ std::uint8_t const * olm::unpickle(
pos = unpickle(pos, end, value.sender_chain);
pos = unpickle(pos, end, value.receiver_chains);
pos = unpickle(pos, end, value.skipped_message_keys);
+ pos = unpickle(pos, end, value.chain_index);
return pos;
}
@@ -420,6 +450,9 @@ std::size_t olm::Ratchet::encrypt(
if (sender_chain.empty()) {
sender_chain.insert();
olm::curve25519_generate_key(random, sender_chain[0].ratchet_key);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Created new ratchet key T(%i) %s",
+ chain_index + 1,
+ sender_chain[0].ratchet_key.to_string().c_str());
create_chain_key(
root_key,
sender_chain[0].ratchet_key,
@@ -427,11 +460,14 @@ std::size_t olm::Ratchet::encrypt(
kdf_info,
root_key, sender_chain[0].chain_key
);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Initialised new sender chain R(%i)",
+ chain_index + 1);
+ chain_index++;
}
MessageKey keys;
- create_message_keys(sender_chain[0].chain_key, kdf_info, keys);
- advance_chain_key(sender_chain[0].chain_key, sender_chain[0].chain_key);
+ create_message_keys(chain_index, sender_chain[0].chain_key, kdf_info, keys);
+ advance_chain_key(chain_index, sender_chain[0].chain_key, sender_chain[0].chain_key);
std::size_t ciphertext_length = ratchet_cipher.encrypt_ciphertext_length(
plaintext_length
@@ -455,6 +491,14 @@ std::size_t olm::Ratchet::encrypt(
output, output_length
);
+ olm::logf(olm::LOG_TRACE, LOG_CATEGORY,
+ "Encoded message ver=%i ratchet_key=%s chain_idx=%i ciphertext=%s",
+ PROTOCOL_VERSION,
+ olm::bytes_to_string(writer.ratchet_key, olm::KEY_LENGTH).c_str(),
+ counter,
+ olm::bytes_to_string(writer.ciphertext, ciphertext_length).c_str()
+ );
+
olm::unset(keys);
return output_length;
}
@@ -481,6 +525,10 @@ std::size_t olm::Ratchet::decrypt(
std::uint8_t const * input, std::size_t input_length,
std::uint8_t * plaintext, std::size_t max_plaintext_length
) {
+ olm::logf(olm::LOG_TRACE, LOG_CATEGORY,
+ "Decrypting message %s",
+ olm::bytes_to_string(input, input_length).c_str());
+
olm::MessageReader reader;
olm::decode_message(
reader, input, input_length, ratchet_cipher.mac_length()
@@ -511,6 +559,13 @@ std::size_t olm::Ratchet::decrypt(
}
ReceiverChain * chain = nullptr;
+ auto receiver_chain_index = chain_index;
+ if (!sender_chain.empty()) {
+ // we've already advanced to the next (sender) chain; decrement to
+ // get back to the receiver chains
+ receiver_chain_index --;
+ }
+
for (olm::ReceiverChain & receiver_chain : receiver_chains) {
if (0 == std::memcmp(
receiver_chain.ratchet_key.public_key, reader.ratchet_key,
@@ -519,11 +574,14 @@ std::size_t olm::Ratchet::decrypt(
chain = &receiver_chain;
break;
}
+ receiver_chain_index -= 2;
}
std::size_t result = std::size_t(-1);
if (!chain) {
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY,
+ "Sender ratchet key does not match known chain; starting new one");
result = verify_mac_and_decrypt_for_new_chain(
*this, reader, plaintext, max_plaintext_length
);
@@ -555,7 +613,8 @@ std::size_t olm::Ratchet::decrypt(
}
} else {
result = verify_mac_and_decrypt_for_existing_chain(
- *this, chain->chain_key, reader, plaintext, max_plaintext_length
+ *this, receiver_chain_index, chain->chain_key,
+ reader, plaintext, max_plaintext_length
);
}
@@ -565,28 +624,36 @@ std::size_t olm::Ratchet::decrypt(
}
if (!chain) {
- /* They have started using a new empheral ratchet key.
+ /* They have started using a new ephemeral ratchet key.
* We need to derive a new set of chain keys.
* We can discard our previous empheral ratchet key.
* We will generate a new key when we send the next message. */
+
chain = receiver_chains.insert();
olm::load_array(chain->ratchet_key.public_key, reader.ratchet_key);
+
+ // TODO: we've already done this once, in
+ // verify_mac_and_decrypt_for_new_chain(). we could reuse the result.
create_chain_key(
root_key, sender_chain[0].ratchet_key, chain->ratchet_key,
kdf_info, root_key, chain->chain_key
);
+
olm::unset(sender_chain[0]);
sender_chain.erase(sender_chain.begin());
+ receiver_chain_index = ++chain_index;
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Initialised new receiver chain R(%i)",
+ chain_index);
}
while (chain->chain_key.index < reader.counter) {
olm::SkippedMessageKey & key = *skipped_message_keys.insert();
- create_message_keys(chain->chain_key, kdf_info, key.message_key);
+ create_message_keys(receiver_chain_index, chain->chain_key, kdf_info, key.message_key);
key.ratchet_key = chain->ratchet_key;
- advance_chain_key(chain->chain_key, chain->chain_key);
+ advance_chain_key(receiver_chain_index, chain->chain_key, chain->chain_key);
}
- advance_chain_key(chain->chain_key, chain->chain_key);
+ advance_chain_key(receiver_chain_index, chain->chain_key, chain->chain_key);
return result;
}
diff --git a/src/session.cpp b/src/session.cpp
index 71c80e4..6a9bb7e 100644
--- a/src/session.cpp
+++ b/src/session.cpp
@@ -1,4 +1,4 @@
-/* Copyright 2015 OpenMarket Ltd
+/* Copyright 2015, 2016 OpenMarket Ltd
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
#include "olm/cipher.hh"
#include "olm/crypto.hh"
#include "olm/account.hh"
+#include "olm/logging.hh"
#include "olm/memory.hh"
#include "olm/message.hh"
#include "olm/pickle.hh"
@@ -24,6 +25,8 @@
namespace {
+static const char *LOG_CATEGORY = "olm::Session";
+
static const std::uint8_t PROTOCOL_VERSION = 0x3;
static const std::uint8_t ROOT_KDF_INFO[] = "OLM_ROOT";
@@ -65,11 +68,21 @@ std::size_t olm::Session::new_outbound_session(
return std::size_t(-1);
}
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY,
+ "Creating new outbound session to receiver identity IB %s, "
+ "receiver ephemeral EB %s", identity_key.to_string().c_str(),
+ one_time_key.to_string().c_str()
+ );
+
olm::Curve25519KeyPair base_key;
olm::curve25519_generate_key(random, base_key);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Created new ephemeral key EA %s",
+ base_key.to_string().c_str());
olm::Curve25519KeyPair ratchet_key;
olm::curve25519_generate_key(random + olm::KEY_LENGTH, ratchet_key);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Created new ratchet key T(0) %s",
+ ratchet_key.to_string().c_str());
olm::Curve25519KeyPair const & alice_identity_key_pair = (
local_account.identity_keys.curve25519_key
@@ -95,6 +108,7 @@ std::size_t olm::Session::new_outbound_session(
olm::unset(ratchet_key);
olm::unset(secret);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Initialised outbound session");
return std::size_t(0);
}
@@ -137,11 +151,29 @@ std::size_t olm::Session::new_inbound_session(
their_identity_key->public_key, reader.identity_key, olm::KEY_LENGTH
);
if (!same) {
+ olm::logf(olm::LOG_INFO, LOG_CATEGORY,
+ "Identity key on received message is incorrect "
+ "(expected %s, got %s)",
+ their_identity_key->to_string().c_str(),
+ olm::bytes_to_string(reader.identity_key,
+ reader.identity_key + olm::KEY_LENGTH)
+ .c_str());
last_error = olm::ErrorCode::BAD_MESSAGE_KEY_ID;
return std::size_t(-1);
}
}
+ olm::load_array(alice_identity_key.public_key, reader.identity_key);
+ olm::load_array(alice_base_key.public_key, reader.base_key);
+ olm::load_array(bob_one_time_key.public_key, reader.one_time_key);
+
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY,
+ "Creating new inbound session from sender identity IA %s, "
+ "sender ephemeral EA %s, our ephemeral EB %s",
+ alice_identity_key.to_string().c_str(),
+ alice_base_key.to_string().c_str(),
+ bob_one_time_key.to_string().c_str());
+
olm::MessageReader message_reader;
decode_message(
message_reader, reader.message, reader.message_length,
@@ -154,17 +186,20 @@ std::size_t olm::Session::new_inbound_session(
return std::size_t(-1);
}
- olm::load_array(alice_identity_key.public_key, reader.identity_key);
- olm::load_array(alice_base_key.public_key, reader.base_key);
- olm::load_array(bob_one_time_key.public_key, reader.one_time_key);
olm::Curve25519PublicKey ratchet_key;
olm::load_array(ratchet_key.public_key, message_reader.ratchet_key);
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY,
+ "Received ratchet key T(0) %s", ratchet_key.to_string().c_str());
+
olm::OneTimeKey const * our_one_time_key = local_account.lookup_key(
bob_one_time_key
);
if (!our_one_time_key) {
+ olm::logf(olm::LOG_INFO, LOG_CATEGORY,
+ "Session uses unknown ephemeral key %s",
+ bob_one_time_key.to_string().c_str());
last_error = olm::ErrorCode::BAD_MESSAGE_KEY_ID;
return std::size_t(-1);
}
@@ -185,6 +220,8 @@ std::size_t olm::Session::new_inbound_session(
ratchet.initialise_as_bob(secret, sizeof(secret), ratchet_key);
olm::unset(secret);
+
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Initialised inbound session");
return std::size_t(0);
}
@@ -283,6 +320,9 @@ std::size_t olm::Session::encrypt(
std::uint8_t const * random, std::size_t random_length,
std::uint8_t * message, std::size_t message_length
) {
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Encrypting '%.*s'",
+ (int)plaintext_length, plaintext);
+
if (message_length < encrypt_message_length(plaintext_length)) {
last_error = olm::ErrorCode::OUTPUT_BUFFER_TOO_SMALL;
return std::size_t(-1);
@@ -309,6 +349,16 @@ std::size_t olm::Session::encrypt(
olm::store_array(writer.identity_key, alice_identity_key.public_key);
olm::store_array(writer.base_key, alice_base_key.public_key);
message_body = writer.message;
+
+
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY,
+ "Encoded pre-key message ver=%i one_time_key[Eb]=%s "
+ "base_key[Ea]=%s identity_key[Ia]=%s",
+ PROTOCOL_VERSION,
+ olm::bytes_to_string(writer.one_time_key, olm::KEY_LENGTH).c_str(),
+ olm::bytes_to_string(writer.base_key, olm::KEY_LENGTH).c_str(),
+ olm::bytes_to_string(writer.identity_key, olm::KEY_LENGTH).c_str()
+ );
}
std::size_t result = ratchet.encrypt(
@@ -320,7 +370,12 @@ std::size_t olm::Session::encrypt(
if (result == std::size_t(-1)) {
last_error = ratchet.last_error;
ratchet.last_error = olm::ErrorCode::SUCCESS;
+ return result;
}
+
+ olm::logf(olm::LOG_TRACE, LOG_CATEGORY, "Encrypted message %s",
+ olm::bytes_to_string(message_body, result).c_str());
+
return result;
}
@@ -362,6 +417,9 @@ std::size_t olm::Session::decrypt(
std::uint8_t const * message, std::size_t message_length,
std::uint8_t * plaintext, std::size_t max_plaintext_length
) {
+ olm::logf(olm::LOG_TRACE, LOG_CATEGORY, "Decrypting %smessage",
+ message_type == olm::MessageType::MESSAGE ? "" : "pre-key ");
+
std::uint8_t const * message_body;
std::size_t message_body_length;
if (message_type == olm::MessageType::MESSAGE) {
@@ -385,9 +443,12 @@ std::size_t olm::Session::decrypt(
if (result == std::size_t(-1)) {
last_error = ratchet.last_error;
ratchet.last_error = olm::ErrorCode::SUCCESS;
- } else {
- received_message = true;
+ return result;
}
+
+ received_message = true;
+ olm::logf(olm::LOG_DEBUG, LOG_CATEGORY, "Decrypted '%.*s'",
+ (int)result, plaintext);
return result;
}
@@ -440,4 +501,3 @@ std::uint8_t const * olm::unpickle(
pos = olm::unpickle(pos, end, value.ratchet);
return pos;
}
-