sender_key_state *create_test_sender_key_state(int id, int iteration)
{
int result = 0;
sender_key_state *state = 0;
axolotl_buffer *buffer = 0;
sender_chain_key *chain_key = 0;
ec_key_pair *key_pair = 0;
result = axolotl_key_helper_generate_sender_key(&buffer, global_context);
ck_assert_int_eq(result, 0);
result = sender_chain_key_create(&chain_key, iteration, buffer, global_context);
ck_assert_int_eq(result, 0);
result = axolotl_key_helper_generate_sender_signing_key(&key_pair, global_context);
ck_assert_int_eq(result, 0);
result = sender_key_state_create(&state, id, chain_key,
ec_key_pair_get_public(key_pair), ec_key_pair_get_private(key_pair), global_context);
ck_assert_int_eq(result, 0);
/* Cleanup */
axolotl_buffer_free(buffer);
AXOLOTL_UNREF(chain_key);
AXOLOTL_UNREF(key_pair);
return state;
}
END_TEST
START_TEST(test_unique_signatures)
{
int result;
size_t i;
size_t r;
ec_key_pair *key_pair = 0;
uint8_t *message = 0;
signal_buffer *signature = 0;
signal_buffer *vrf_output = 0;
result = curve_generate_key_pair(global_context, &key_pair);
ck_assert_int_eq(result, 0);
message = malloc(256);
ck_assert_ptr_ne(message, 0);
for(i = 1; i <= 256; i++) {
result = signal_crypto_random(global_context, message, i);
ck_assert_int_eq(result, 0);
result = curve_calculate_vrf_signature(global_context, &signature,
ec_key_pair_get_private(key_pair), message, i);
ck_assert_int_eq(result, 0);
result = curve_verify_vrf_signature(global_context, &vrf_output,
ec_key_pair_get_public(key_pair), message, i,
signal_buffer_data(signature), signal_buffer_len(signature));
ck_assert_int_eq(result, 0);
result = curve_verify_signature(
ec_key_pair_get_public(key_pair), message, i,
signal_buffer_data(signature), signal_buffer_len(signature));
ck_assert_int_ne(result, 0);
signal_buffer_free(vrf_output);
result = signal_crypto_random(global_context, (uint8_t *)&r, sizeof(size_t));
ck_assert_int_eq(result, 0);
message[r % i] ^= 0x01;
result = curve_verify_vrf_signature(global_context, &vrf_output,
ec_key_pair_get_public(key_pair), message, i,
signal_buffer_data(signature), signal_buffer_len(signature));
ck_assert_int_eq(result, SG_ERR_VRF_SIG_VERIF_FAILED);
signal_buffer_free(signature);
}
/* Cleanup */
SIGNAL_UNREF(key_pair);
if(message) {
free(message);
}
}
END_TEST
START_TEST(test_serialize_sender_key_message)
{
int result = 0;
sender_key_message *message = 0;
sender_key_message *result_message = 0;
static const char ciphertext[] = "WhisperCipherText";
ec_key_pair *signature_key_pair = 0;
result = curve_generate_key_pair(global_context, &signature_key_pair);
ck_assert_int_eq(result, 0);
result = sender_key_message_create(&message,
10, /* key_id */
1, /* iteration */
(uint8_t *)ciphertext, sizeof(ciphertext) - 1,
ec_key_pair_get_private(signature_key_pair),
global_context);
ck_assert_int_eq(result, 0);
result = sender_key_message_verify_signature(message, ec_key_pair_get_public(signature_key_pair));
ck_assert_int_eq(result, 0);
signal_buffer *serialized = ciphertext_message_get_serialized((ciphertext_message *)message);
ck_assert_ptr_ne(serialized, 0);
result = sender_key_message_deserialize(&result_message,
signal_buffer_data(serialized),
signal_buffer_len(serialized),
global_context);
ck_assert_int_eq(result, 0);
result = sender_key_message_verify_signature(result_message, ec_key_pair_get_public(signature_key_pair));
ck_assert_int_eq(result, 0);
int key_id1 = sender_key_message_get_key_id(message);
int key_id2 = sender_key_message_get_key_id(result_message);
ck_assert_int_eq(key_id1, key_id2);
int iteration1 = sender_key_message_get_iteration(message);
int iteration2 = sender_key_message_get_iteration(result_message);
ck_assert_int_eq(iteration1, iteration2);
signal_buffer *ciphertext1 = sender_key_message_get_ciphertext(message);
signal_buffer *ciphertext2 = sender_key_message_get_ciphertext(result_message);
ck_assert_int_eq(signal_buffer_compare(ciphertext1, ciphertext2), 0);
/* Cleanup */
SIGNAL_UNREF(message);
SIGNAL_UNREF(result_message);
SIGNAL_UNREF(signature_key_pair);
}
END_TEST
START_TEST(test_curve25519_large_signatures)
{
int result;
ec_key_pair *keys = 0;
result = curve_generate_key_pair(global_context, &keys);
ck_assert_int_eq(result, 0);
uint8_t message[1048576];
memset(message, 0, sizeof(message));
signal_buffer *signature = 0;
result = curve_calculate_signature(global_context, &signature,
ec_key_pair_get_private(keys), message, sizeof(message));
ck_assert_int_eq(result, 0);
uint8_t *data = signal_buffer_data(signature);
size_t len = signal_buffer_len(signature);
result = curve_verify_signature(ec_key_pair_get_public(keys),
message, sizeof(message), data, len);
ck_assert_int_eq(result, 1);
data[0] ^= 0x01;
result = curve_verify_signature(ec_key_pair_get_public(keys),
message, sizeof(message), data, len);
ck_assert_int_eq(result, 0);
/* Cleanup */
SIGNAL_UNREF(keys);
if(signature) {
signal_buffer_free(signature);
}
}
static int session_cipher_get_or_create_chain_key(session_cipher *cipher,
ratchet_chain_key **chain_key,
session_state *state, ec_public_key *their_ephemeral)
{
int result = 0;
ratchet_chain_key *result_key = 0;
ratchet_root_key *receiver_root_key = 0;
ratchet_chain_key *receiver_chain_key = 0;
ratchet_root_key *sender_root_key = 0;
ratchet_chain_key *sender_chain_key = 0;
ec_key_pair *our_new_ephemeral = 0;
ratchet_root_key *root_key = 0;
ec_key_pair *our_ephemeral = 0;
ratchet_chain_key *previous_sender_chain_key = 0;
uint32_t index = 0;
result_key = session_state_get_receiver_chain_key(state, their_ephemeral);
if(result_key) {
SIGNAL_REF(result_key);
goto complete;
}
root_key = session_state_get_root_key(state);
if(!root_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
our_ephemeral = session_state_get_sender_ratchet_key_pair(state);
if(!our_ephemeral) {
result = SG_ERR_UNKNOWN;
goto complete;
}
result = ratchet_root_key_create_chain(root_key,
&receiver_root_key, &receiver_chain_key,
their_ephemeral, ec_key_pair_get_private(our_ephemeral));
if(result < 0) {
goto complete;
}
result = curve_generate_key_pair(cipher->global_context, &our_new_ephemeral);
if(result < 0) {
goto complete;
}
result = ratchet_root_key_create_chain(receiver_root_key,
&sender_root_key, &sender_chain_key,
their_ephemeral, ec_key_pair_get_private(our_new_ephemeral));
if(result < 0) {
goto complete;
}
session_state_set_root_key(state, sender_root_key);
result = session_state_add_receiver_chain(state, their_ephemeral, receiver_chain_key);
if(result < 0) {
goto complete;
}
previous_sender_chain_key = session_state_get_sender_chain_key(state);
if(!previous_sender_chain_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
index = ratchet_chain_key_get_index(previous_sender_chain_key);
if(index > 0) { --index; }
session_state_set_previous_counter(state, index);
session_state_set_sender_chain(state, our_new_ephemeral, sender_chain_key);
result_key = receiver_chain_key;
SIGNAL_REF(result_key);
complete:
SIGNAL_UNREF(receiver_root_key);
SIGNAL_UNREF(receiver_chain_key);
SIGNAL_UNREF(sender_root_key);
SIGNAL_UNREF(sender_chain_key);
SIGNAL_UNREF(our_new_ephemeral);
if(result >= 0) {
*chain_key = result_key;
}
else {
SIGNAL_UNREF(result_key);
}
return result;
}
int device_consistency_message_create_from_pair(device_consistency_message **message,
device_consistency_commitment *commitment,
ec_key_pair *identity_key_pair,
signal_context *global_context)
{
int result = 0;
device_consistency_message *result_message = 0;
signal_buffer *commitment_buffer = 0;
signal_buffer *signature_buffer = 0;
signal_buffer *vrf_output_buffer = 0;
signal_buffer *serialized_signature_buffer = 0;
Textsecure__DeviceConsistencyCodeMessage message_structure = TEXTSECURE__DEVICE_CONSISTENCY_CODE_MESSAGE__INIT;
size_t len = 0;
uint8_t *data = 0;
size_t result_size = 0;
/* Create message instance */
result = device_consistency_message_create(&result_message);
if(result < 0) {
goto complete;
}
/* Calculate VRF signature */
commitment_buffer = device_consistency_commitment_get_serialized(commitment);
result = curve_calculate_vrf_signature(global_context, &signature_buffer,
ec_key_pair_get_private(identity_key_pair),
signal_buffer_data(commitment_buffer), signal_buffer_len(commitment_buffer));
if(result < 0) {
goto complete;
}
/* Verify VRF signature */
result = curve_verify_vrf_signature(global_context, &vrf_output_buffer,
ec_key_pair_get_public(identity_key_pair),
signal_buffer_data(commitment_buffer), signal_buffer_len(commitment_buffer),
signal_buffer_data(signature_buffer), signal_buffer_len(signature_buffer));
if(result < 0) {
goto complete;
}
result_message->generation = device_consistency_commitment_get_generation(commitment);
/* Create and assign the signature */
result = device_consistency_signature_create(&result_message->signature,
signal_buffer_data(signature_buffer), signal_buffer_len(signature_buffer),
signal_buffer_data(vrf_output_buffer), signal_buffer_len(vrf_output_buffer));
if(result < 0) {
goto complete;
}
serialized_signature_buffer = device_consistency_signature_get_signature(result_message->signature);
/* Serialize the message */
message_structure.generation = device_consistency_commitment_get_generation(commitment);
message_structure.has_generation = 1;
message_structure.signature.data = signal_buffer_data(serialized_signature_buffer);
message_structure.signature.len = signal_buffer_len(serialized_signature_buffer);
message_structure.has_signature = 1;
len = textsecure__device_consistency_code_message__get_packed_size(&message_structure);
result_message->serialized = signal_buffer_alloc(len);
if(!result_message->serialized) {
result = SG_ERR_NOMEM;
goto complete;
}
data = signal_buffer_data(result_message->serialized);
result_size = textsecure__device_consistency_code_message__pack(&message_structure, data);
if(result_size != len) {
result = SG_ERR_INVALID_PROTO_BUF;
goto complete;
}
complete:
signal_buffer_free(signature_buffer);
signal_buffer_free(vrf_output_buffer);
if(result >= 0) {
*message = result_message;
}
else {
SIGNAL_UNREF(result_message);
}
if(result == SG_ERR_INVALID_KEY || result == SG_ERR_VRF_SIG_VERIF_FAILED) {
result = SG_ERR_UNKNOWN;
}
return result;
}
END_TEST
START_TEST(test_curve25519_random_agreements)
{
int result;
int i;
ec_key_pair *alice_key_pair = 0;
ec_public_key *alice_public_key = 0;
ec_private_key *alice_private_key = 0;
ec_key_pair *bob_key_pair = 0;
ec_public_key *bob_public_key = 0;
ec_private_key *bob_private_key = 0;
uint8_t *shared_alice = 0;
uint8_t *shared_bob = 0;
signal_context *context;
signal_context_create(&context, 0);
setup_test_crypto_provider(context);
for(i = 0; i < 50; i++) {
/* Generate Alice's key pair */
result = curve_generate_key_pair(context, &alice_key_pair);
ck_assert_int_eq(result, 0);
alice_public_key = ec_key_pair_get_public(alice_key_pair);
alice_private_key = ec_key_pair_get_private(alice_key_pair);
ck_assert_ptr_ne(alice_public_key, 0);
ck_assert_ptr_ne(alice_private_key, 0);
/* Generate Bob's key pair */
result = curve_generate_key_pair(context, &bob_key_pair);
ck_assert_int_eq(result, 0);
bob_public_key = ec_key_pair_get_public(bob_key_pair);
bob_private_key = ec_key_pair_get_private(bob_key_pair);
ck_assert_ptr_ne(bob_public_key, 0);
ck_assert_ptr_ne(bob_private_key, 0);
/* Calculate Alice's key agreement */
result = curve_calculate_agreement(&shared_alice, bob_public_key, alice_private_key);
ck_assert_int_eq(result, 32);
ck_assert_ptr_ne(shared_alice, 0);
/* Calculate Bob's key agreement */
result = curve_calculate_agreement(&shared_bob, alice_public_key, bob_private_key);
ck_assert_int_eq(result, 32);
ck_assert_ptr_ne(shared_bob, 0);
/* Assert that key agreements match */
ck_assert_int_eq(memcmp(shared_alice, shared_bob, 32), 0);
/* Cleanup */
if(shared_alice) { free(shared_alice); }
if(shared_bob) { free(shared_bob); }
SIGNAL_UNREF(alice_key_pair);
SIGNAL_UNREF(bob_key_pair);
alice_key_pair = 0;
bob_key_pair = 0;
alice_public_key = 0;
alice_private_key = 0;
bob_public_key = 0;
bob_private_key = 0;
shared_alice = 0;
shared_bob = 0;
}
signal_context_destroy(context);
}
int ratcheting_session_alice_initialize(
session_state *state,
alice_signal_protocol_parameters *parameters,
signal_context *global_context)
{
int result = 0;
uint8_t *agreement = 0;
int agreement_len = 0;
ec_key_pair *sending_ratchet_key = 0;
ratchet_root_key *derived_root = 0;
ratchet_chain_key *derived_chain = 0;
ratchet_root_key *sending_chain_root = 0;
ratchet_chain_key *sending_chain_key = 0;
struct vpool vp;
uint8_t *secret = 0;
size_t secret_len = 0;
uint8_t discontinuity_data[32];
assert(state);
assert(parameters);
assert(global_context);
vpool_init(&vp, 1024, 0);
result = curve_generate_key_pair(global_context, &sending_ratchet_key);
if(result < 0) {
goto complete;
}
memset(discontinuity_data, 0xFF, sizeof(discontinuity_data));
if(!vpool_insert(&vp, vpool_get_length(&vp), discontinuity_data, sizeof(discontinuity_data))) {
result = SG_ERR_NOMEM;
goto complete;
}
agreement_len = curve_calculate_agreement(&agreement,
parameters->their_signed_pre_key, parameters->our_identity_key->private_key);
if(agreement_len < 0) {
result = agreement_len;
goto complete;
}
if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
free(agreement); agreement = 0; agreement_len = 0;
}
else {
result = SG_ERR_NOMEM;
goto complete;
}
agreement_len = curve_calculate_agreement(&agreement,
parameters->their_identity_key, ec_key_pair_get_private(parameters->our_base_key));
if(agreement_len < 0) {
result = agreement_len;
goto complete;
}
if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
free(agreement); agreement = 0; agreement_len = 0;
}
else {
result = SG_ERR_NOMEM;
goto complete;
}
agreement_len = curve_calculate_agreement(&agreement,
parameters->their_signed_pre_key, ec_key_pair_get_private(parameters->our_base_key));
if(agreement_len < 0) {
result = agreement_len;
goto complete;
}
if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
free(agreement); agreement = 0; agreement_len = 0;
}
else {
result = SG_ERR_NOMEM;
goto complete;
}
if(parameters->their_one_time_pre_key) {
agreement_len = curve_calculate_agreement(&agreement,
parameters->their_one_time_pre_key, ec_key_pair_get_private(parameters->our_base_key));
if(agreement_len < 0) {
result = agreement_len;
goto complete;
}
if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
free(agreement); agreement = 0; agreement_len = 0;
}
else {
result = SG_ERR_NOMEM;
goto complete;
}
}
if(vpool_is_empty(&vp)) {
result = SG_ERR_UNKNOWN;
goto complete;
}
secret = vpool_get_buf(&vp);
secret_len = vpool_get_length(&vp);
result = ratcheting_session_calculate_derived_keys(&derived_root, &derived_chain, secret, secret_len, global_context);
if(result < 0) {
goto complete;
}
result = ratchet_root_key_create_chain(derived_root,
&sending_chain_root, &sending_chain_key,
parameters->their_ratchet_key,
ec_key_pair_get_private(sending_ratchet_key));
if(result < 0) {
goto complete;
}
complete:
if(result >= 0) {
session_state_set_session_version(state, CIPHERTEXT_CURRENT_VERSION);
session_state_set_remote_identity_key(state, parameters->their_identity_key);
session_state_set_local_identity_key(state, parameters->our_identity_key->public_key);
session_state_add_receiver_chain(state, parameters->their_ratchet_key, derived_chain);
session_state_set_sender_chain(state, sending_ratchet_key, sending_chain_key);
session_state_set_root_key(state, sending_chain_root);
}
vpool_final(&vp);
if(agreement) {
free(agreement);
}
if(sending_ratchet_key) {
SIGNAL_UNREF(sending_ratchet_key);
}
if(derived_root) {
SIGNAL_UNREF(derived_root);
}
if(derived_chain) {
SIGNAL_UNREF(derived_chain);
}
if(sending_chain_root) {
SIGNAL_UNREF(sending_chain_root);
}
if(sending_chain_key) {
SIGNAL_UNREF(sending_chain_key);
}
return result;
}
