/* Copyright 2015 OpenMarket Ltd * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "axolotl/crypto.hh" #include "axolotl/list.hh" namespace axolotl { typedef std::uint8_t SharedKey[32]; struct ChainKey { std::uint32_t index; SharedKey key; }; struct MessageKey { std::uint32_t index; Aes256Key cipher_key; SharedKey mac_key; Aes256Iv iv; }; struct SenderChain { Curve25519KeyPair ratchet_key; ChainKey chain_key; }; struct ReceiverChain { Curve25519PublicKey ratchet_key; ChainKey chain_key; }; struct SkippedMessageKey { Curve25519PublicKey ratchet_key; MessageKey message_key; }; enum struct ErrorCode { SUCCESS = 0, /*!< There wasn't an error */ NOT_ENOUGH_RANDOM = 1, /*!< Not enough entropy was supplied */ OUTPUT_BUFFER_TOO_SMALL = 2, /*!< Supplied output buffer is too small */ BAD_MESSAGE_VERSION = 3, /*!< The message version is unsupported */ BAD_MESSAGE_FORMAT = 4, /*!< The message couldn't be decoded */ BAD_MESSAGE_MAC = 5, /*!< The message couldn't be decrypted */ }; static std::size_t const MAX_RECEIVER_CHAINS = 5; static std::size_t const MAX_SKIPPED_MESSAGE_KEYS = 40; struct KdfInfo { std::uint8_t const * root_info; std::size_t root_info_length; std::uint8_t const * ratchet_info; std::size_t ratchet_info_length; std::uint8_t const * message_info; std::size_t message_info_length; }; struct Session { Session( KdfInfo const & kdf_info ); /** A some strings identifing the application to feed into the KDF. */ const KdfInfo &kdf_info; /** The last error that happened encypting or decrypting a message. */ ErrorCode last_error; /** The root key is used to generate chain keys from the ephemeral keys. * A new root_key derived each time a chain key is derived. */ SharedKey root_key; /** The sender chain is used to send messages. Each time a new ephemeral * key is received from the remote server we generate a new sender chain * with a new empheral key when we next send a message. */ List sender_chain; /** The receiver chain is used to decrypt recieved messages. We store the * last few chains so we can decrypt any out of order messages we haven't * received yet. */ List receiver_chains; /** List of message keys we've skipped over when advancing the receiver * chain. */ List skipped_message_keys; /** Initialise the session using a shared secret and the public part of the * remote's first ratchet key */ void initialise_as_bob( std::uint8_t const * shared_secret, std::size_t shared_secret_length, Curve25519PublicKey const & their_ratchet_key ); /** Intialise the session using a shared secret and the public/private key * pair for the first ratchet key */ void initialise_as_alice( std::uint8_t const * shared_secret, std::size_t shared_secret_length, Curve25519KeyPair const & our_ratchet_key ); /** The number of bytes needed to persist the current session. */ std::size_t pickle_max_output_length(); /** Persists a session as a sequence of bytes, encrypting using a key * Returns the number of output bytes used. */ std::size_t pickle( std::uint8_t const * key, std::size_t key_length, std::uint8_t * output, std::size_t max_output_length ); /** Loads a session from a sequence of bytes, decrypting using a key. * Returns 0 on success, or std::size_t(-1) on failure. The last_error * will be BAD_SESSION_KEY if the supplied key is incorrect. */ std::size_t unpickle( std::uint8_t const * key, std::size_t key_length, std::uint8_t * input, std::size_t input_length ); /** The maximum number of bytes of output the encrypt method will write for * a given message length. */ std::size_t encrypt_max_output_length( std::size_t plaintext_length ); /** The number of bytes of random data the encrypt method will need to * encrypt a message. This will be 32 bytes if the session needs to * generate a new ephemeral key, or will be 0 bytes otherwise.*/ std::size_t encrypt_random_length(); /** Encrypt some plaintext. Returns the length of the encrypted message * or std::size_t(-1) on failure. On failure last_error will be set with * an error code. The last_error will be NOT_ENOUGH_RANDOM if the number * of random bytes is too small. The last_error will be * OUTPUT_BUFFER_TOO_SMALL if the output buffer is too small. */ std::size_t encrypt( std::uint8_t const * plaintext, std::size_t plaintext_length, std::uint8_t const * random, std::size_t random_length, std::uint8_t * output, std::size_t max_output_length ); /** An upper bound on the number of bytes of plaintext the decrypt method * will write for a given input message length. */ std::size_t decrypt_max_plaintext_length( std::size_t input_length ); /** Decrypt a message. Returns the length of the decrypted plaintext or * std::size_t(-1) on failure. On failure last_error will be set with an * error code. The last_error will be OUTPUT_BUFFER_TOO_SMALL if the * plaintext buffer is too small. The last_error will be * BAD_MESSAGE_VERSION if the message was encrypted with an unsupported * version of the protocol. The last_error will be BAD_MESSAGE_FORMAT if * the message headers could not be decoded. The last_error will be * BAD_MESSAGE_MAC if the message could not be verified */ std::size_t decrypt( std::uint8_t const * input, std::size_t input_length, std::uint8_t * plaintext, std::size_t max_plaintext_length ); }; } // namespace axolotl