1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
|
package protocol
import (
"crypto/hmac"
"crypto/sha256"
"fmt"
"strconv"
"go.mau.fi/libsignal/ecc"
"go.mau.fi/libsignal/keys/identity"
"go.mau.fi/libsignal/logger"
"go.mau.fi/libsignal/signalerror"
"go.mau.fi/libsignal/util/bytehelper"
)
const MacLength int = 8
// SignalMessageSerializer is an interface for serializing and deserializing
// SignalMessages into bytes. An implementation of this interface should be
// used to encode/decode the object into JSON, Protobuffers, etc.
type SignalMessageSerializer interface {
Serialize(signalMessage *SignalMessageStructure) []byte
Deserialize(serialized []byte) (*SignalMessageStructure, error)
}
// NewSignalMessageFromBytes will return a Signal Ciphertext message from the given
// bytes using the given serializer.
func NewSignalMessageFromBytes(serialized []byte, serializer SignalMessageSerializer) (*SignalMessage, error) {
// Use the given serializer to decode the signal message.
signalMessageStructure, err := serializer.Deserialize(serialized)
if err != nil {
return nil, err
}
return NewSignalMessageFromStruct(signalMessageStructure, serializer)
}
// NewSignalMessageFromStruct returns a Signal Ciphertext message from the
// given serializable structure.
func NewSignalMessageFromStruct(structure *SignalMessageStructure, serializer SignalMessageSerializer) (*SignalMessage, error) {
// Throw an error if the given message structure is an unsupported version.
if structure.Version <= UnsupportedVersion {
return nil, fmt.Errorf("%w %d (normal message)", signalerror.ErrOldMessageVersion, structure.Version)
}
// Throw an error if the given message structure is a future version.
if structure.Version > CurrentVersion {
return nil, fmt.Errorf("%w %d (normal message)", signalerror.ErrUnknownMessageVersion, structure.Version)
}
// Throw an error if the structure is missing critical fields.
if structure.CipherText == nil || structure.RatchetKey == nil {
return nil, fmt.Errorf("%w (normal message)", signalerror.ErrIncompleteMessage)
}
// Create the signal message object from the structure.
whisperMessage := &SignalMessage{structure: *structure, serializer: serializer}
// Generate the ECC key from bytes.
var err error
whisperMessage.senderRatchetKey, err = ecc.DecodePoint(structure.RatchetKey, 0)
if err != nil {
return nil, err
}
return whisperMessage, nil
}
// NewSignalMessage returns a Signal Ciphertext message.
func NewSignalMessage(messageVersion int, counter, previousCounter uint32, macKey []byte,
senderRatchetKey ecc.ECPublicKeyable, ciphertext []byte, senderIdentityKey,
receiverIdentityKey *identity.Key, serializer SignalMessageSerializer) (*SignalMessage, error) {
version := []byte(strconv.Itoa(messageVersion))
// Build the signal message structure with the given data.
structure := &SignalMessageStructure{
Counter: counter,
PreviousCounter: previousCounter,
RatchetKey: senderRatchetKey.Serialize(),
CipherText: ciphertext,
}
serialized := append(version, serializer.Serialize(structure)...)
// Get the message authentication code from the serialized structure.
mac, err := getMac(
messageVersion, senderIdentityKey, receiverIdentityKey,
macKey, serialized,
)
if err != nil {
return nil, err
}
structure.Mac = mac
structure.Version = messageVersion
// Generate a SignalMessage with the structure.
whisperMessage, err := NewSignalMessageFromStruct(structure, serializer)
if err != nil {
return nil, err
}
return whisperMessage, nil
}
// SignalMessageStructure is a serializeable structure of a signal message
// object.
type SignalMessageStructure struct {
RatchetKey []byte
Counter uint32
PreviousCounter uint32
CipherText []byte
Version int
Mac []byte
}
// SignalMessage is a cipher message that contains a message encrypted
// with the Signal protocol.
type SignalMessage struct {
structure SignalMessageStructure
senderRatchetKey ecc.ECPublicKeyable
serializer SignalMessageSerializer
}
// SenderRatchetKey returns the SignalMessage's sender ratchet key. This
// key is used for ratcheting the chain forward to negotiate a new shared
// secret that cannot be derived from previous chains.
func (s *SignalMessage) SenderRatchetKey() ecc.ECPublicKeyable {
return s.senderRatchetKey
}
// MessageVersion returns the message version this SignalMessage supports.
func (s *SignalMessage) MessageVersion() int {
return s.structure.Version
}
// Counter will return the SignalMessage counter.
func (s *SignalMessage) Counter() uint32 {
return s.structure.Counter
}
// Body will return the SignalMessage's ciphertext in bytes.
func (s *SignalMessage) Body() []byte {
return s.structure.CipherText
}
// VerifyMac will return an error if the message's message authentication code
// is invalid. This should be used on SignalMessages that have been constructed
// from a sent message.
func (s *SignalMessage) VerifyMac(messageVersion int, senderIdentityKey,
receiverIdentityKey *identity.Key, macKey []byte) error {
// Create a copy of the message without the mac. We'll use this to calculate
// the message authentication code.
structure := s.structure
signalMessage, err := NewSignalMessageFromStruct(&structure, s.serializer)
if err != nil {
return err
}
signalMessage.structure.Mac = nil
signalMessage.structure.Version = 0
version := []byte(strconv.Itoa(s.MessageVersion()))
serialized := append(version, signalMessage.Serialize()...)
// Calculate the message authentication code from the serialized structure.
ourMac, err := getMac(
messageVersion,
senderIdentityKey,
receiverIdentityKey,
macKey,
serialized,
)
if err != nil {
logger.Error(err)
return err
}
// Get the message authentication code that was sent to us as part of
// the signal message structure.
theirMac := s.structure.Mac
logger.Debug("Verifying macs...")
logger.Debug(" Our MAC: ", ourMac)
logger.Debug(" Their MAC: ", theirMac)
// Return an error if our calculated mac doesn't match the mac sent to us.
if !hmac.Equal(ourMac, theirMac) {
return signalerror.ErrBadMAC
}
return nil
}
// Serialize will return the Signal Message as bytes.
func (s *SignalMessage) Serialize() []byte {
return s.serializer.Serialize(&s.structure)
}
// Structure will return a serializeable structure of the Signal Message.
func (s *SignalMessage) Structure() *SignalMessageStructure {
structure := s.structure
return &structure
}
// Type will return the type of Signal Message this is.
func (s *SignalMessage) Type() uint32 {
return WHISPER_TYPE
}
// getMac will calculate the mac using the given message version, identity
// keys, macKey and SignalMessageStructure. The MAC key is a private key held
// by both parties that is concatenated with the message and hashed.
func getMac(messageVersion int, senderIdentityKey, receiverIdentityKey *identity.Key,
macKey, serialized []byte) ([]byte, error) {
mac := hmac.New(sha256.New, macKey[:])
if messageVersion >= 3 {
mac.Write(senderIdentityKey.PublicKey().Serialize())
mac.Write(receiverIdentityKey.PublicKey().Serialize())
}
mac.Write(serialized)
fullMac := mac.Sum(nil)
return bytehelper.Trim(fullMac, MacLength), nil
}
|
