/*
 * Test helper: builds a sender_key_state for key id `id`, with a chain key
 * created at `iteration` from a freshly generated sender key, and a freshly
 * generated signing key pair.
 *
 * Every library call is asserted to return 0. The new state is returned to
 * the caller; the intermediate key material is released here before
 * returning (presumably the state holds its own references - confirm
 * against sender_key_state_create).
 */
sender_key_state *create_test_sender_key_state(int id, int iteration)
{
    sender_key_state *new_state = 0;
    ec_key_pair *signing_pair = 0;
    sender_chain_key *chain = 0;
    axolotl_buffer *seed = 0;
    int result;

    /* Sender key bytes that the chain key is created from. */
    result = axolotl_key_helper_generate_sender_key(&seed, global_context);
    ck_assert_int_eq(result, 0);

    result = sender_chain_key_create(&chain, iteration, seed, global_context);
    ck_assert_int_eq(result, 0);

    /* Key pair whose public and private halves are both given to the state. */
    result = axolotl_key_helper_generate_sender_signing_key(&signing_pair, global_context);
    ck_assert_int_eq(result, 0);

    result = sender_key_state_create(&new_state, id, chain,
            ec_key_pair_get_public(signing_pair),
            ec_key_pair_get_private(signing_pair),
            global_context);
    ck_assert_int_eq(result, 0);

    /* Drop the helper's own handles on the inputs. */
    axolotl_buffer_free(seed);
    AXOLOTL_UNREF(chain);
    AXOLOTL_UNREF(signing_pair);

    return new_state;
}
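END_TEST

/*
 * For every message length from 1 to 256 bytes:
 *   - a VRF signature over a random message verifies with the VRF verifier,
 *   - the same signature is not accepted by the plain signature verifier,
 *   - flipping one bit of the message makes VRF verification fail with
 *     SG_ERR_VRF_SIG_VERIF_FAILED.
 */
START_TEST(test_unique_signatures)
{
    int result;
    size_t i;
    size_t r;
    ec_key_pair *key_pair = 0;
    uint8_t *message = 0;
    signal_buffer *signature = 0;
    signal_buffer *vrf_output = 0;

    result = curve_generate_key_pair(global_context, &key_pair);
    ck_assert_int_eq(result, 0);

    message = malloc(256);
    ck_assert_ptr_ne(message, 0);

    for(i = 1; i <= 256; i++) {
        /* Only the first i bytes of the buffer are used in this round. */
        result = signal_crypto_random(global_context, message, i);
        ck_assert_int_eq(result, 0);

        result = curve_calculate_vrf_signature(global_context,
                &signature,
                ec_key_pair_get_private(key_pair),
                message, i);
        ck_assert_int_eq(result, 0);

        result = curve_verify_vrf_signature(global_context,
                &vrf_output,
                ec_key_pair_get_public(key_pair),
                message, i,
                signal_buffer_data(signature), signal_buffer_len(signature));
        ck_assert_int_eq(result, 0);

        result = curve_verify_signature(
                ec_key_pair_get_public(key_pair),
                message, i,
                signal_buffer_data(signature), signal_buffer_len(signature));
        ck_assert_int_ne(result, 0);
        /*
         * A return of 1 is what test_curve25519_large_signatures expects for
         * a signature that verified. The "!= 0" check alone would also pass
         * on 1, i.e. if the VRF signature were accepted as a plain
         * signature, so that outcome is rejected explicitly.
         */
        ck_assert_int_ne(result, 1);

        /* Clear the pointer so the next verify call cannot leave it dangling. */
        signal_buffer_free(vrf_output);
        vrf_output = 0;

        /* Flip the low bit of one randomly chosen byte of the message. */
        result = signal_crypto_random(global_context, (uint8_t *)&r, sizeof(size_t));
        ck_assert_int_eq(result, 0);

        message[r % i] ^= 0x01;

        result = curve_verify_vrf_signature(global_context,
                &vrf_output,
                ec_key_pair_get_public(key_pair),
                message, i,
                signal_buffer_data(signature), signal_buffer_len(signature));
        ck_assert_int_eq(result, SG_ERR_VRF_SIG_VERIF_FAILED);

        /*
         * The failed verification is not expected to hand back an output
         * buffer; release it if it did. vrf_output is 0 otherwise, which
         * relies on signal_buffer_free() accepting a null pointer.
         */
        signal_buffer_free(vrf_output);
        vrf_output = 0;

        signal_buffer_free(signature);
        signature = 0;
    }

    /* Cleanup */
    SIGNAL_UNREF(key_pair);
    free(message);
}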
END_TEST

/*
 * Round trip of a sender_key_message: create and sign it, check the
 * signature, deserialize the serialized form, check the signature of the
 * decoded copy, then compare key id, iteration and ciphertext of the two.
 */
START_TEST(test_serialize_sender_key_message)
{
    /* The trailing NUL is excluded from the payload (sizeof - 1 below). */
    static const char ciphertext[] = "WhisperCipherText";

    int result = 0;
    ec_key_pair *signer = 0;
    sender_key_message *original = 0;
    sender_key_message *decoded = 0;

    result = curve_generate_key_pair(global_context, &signer);
    ck_assert_int_eq(result, 0);

    /* Build and sign the message with the private half of the pair. */
    result = sender_key_message_create(&original,
            10, /* key_id */
            1,  /* iteration */
            (uint8_t *)ciphertext, sizeof(ciphertext) - 1,
            ec_key_pair_get_private(signer),
            global_context);
    ck_assert_int_eq(result, 0);

    result = sender_key_message_verify_signature(original,
            ec_key_pair_get_public(signer));
    ck_assert_int_eq(result, 0);

    /* The serialized buffer is not released by this test. */
    signal_buffer *serialized =
            ciphertext_message_get_serialized((ciphertext_message *)original);
    ck_assert_ptr_ne(serialized, 0);

    result = sender_key_message_deserialize(&decoded,
            signal_buffer_data(serialized),
            signal_buffer_len(serialized),
            global_context);
    ck_assert_int_eq(result, 0);

    /* The decoded copy has to verify under the same public key. */
    result = sender_key_message_verify_signature(decoded,
            ec_key_pair_get_public(signer));
    ck_assert_int_eq(result, 0);

    /* Field-by-field comparison of the original and the decoded message. */
    int key_id1 = sender_key_message_get_key_id(original);
    int key_id2 = sender_key_message_get_key_id(decoded);
    ck_assert_int_eq(key_id1, key_id2);

    int iteration1 = sender_key_message_get_iteration(original);
    int iteration2 = sender_key_message_get_iteration(decoded);
    ck_assert_int_eq(iteration1, iteration2);

    signal_buffer *ciphertext1 = sender_key_message_get_ciphertext(original);
    signal_buffer *ciphertext2 = sender_key_message_get_ciphertext(decoded);
    ck_assert_int_eq(signal_buffer_compare(ciphertext1, ciphertext2), 0);

    /* Cleanup */
    SIGNAL_UNREF(original);
    SIGNAL_UNREF(decoded);
    SIGNAL_UNREF(signer);
}
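END_TEST

/*
 * Signs a 1 MiB all-zero message, checks that the signature verifies
 * (result 1), then flips one bit of the signature and checks that
 * verification reports 0.
 */
START_TEST(test_curve25519_large_signatures)
{
    /*
     * Static storage rather than an automatic array: 1 MiB on the stack can
     * exceed the stack limit of the thread or process running the test.
     */
    static uint8_t message[1048576];

    int result;
    ec_key_pair *keys = 0;
    signal_buffer *signature = 0;

    result = curve_generate_key_pair(global_context, &keys);
    ck_assert_int_eq(result, 0);

    /* Re-zeroed on every run so the input does not depend on earlier runs. */
    memset(message, 0, sizeof(message));

    result = curve_calculate_signature(global_context,
            &signature,
            ec_key_pair_get_private(keys),
            message, sizeof(message));
    ck_assert_int_eq(result, 0);

    uint8_t *data = signal_buffer_data(signature);
    size_t len = signal_buffer_len(signature);

    result = curve_verify_signature(ec_key_pair_get_public(keys),
            message, sizeof(message), data, len);
    ck_assert_int_eq(result, 1);

    /* Tamper with the signature in place: one flipped bit must be rejected. */
    data[0] ^= 0x01;

    result = curve_verify_signature(ec_key_pair_get_public(keys),
            message, sizeof(message), data, len);
    ck_assert_int_eq(result, 0);

    /* Cleanup */
    SIGNAL_UNREF(keys);
    if(signature) {
        signal_buffer_free(signature);
    }
}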
/*
 * Looks up the receiver chain key stored in `state` for `their_ephemeral`,
 * or, when none is stored, derives a new receiver chain and a new sender
 * chain and records them in `state`.
 *
 * cipher          - only cipher->global_context is read, for key generation
 * chain_key       - out: written only when the return value is >= 0; an
 *                   extra reference is taken on the key before it is stored
 *                   here (presumably the caller releases it - confirm)
 * state           - session state that is read and, on the derive path,
 *                   modified
 * their_ephemeral - the remote ratchet public key identifying the chain
 *
 * Returns a negative SG_ERR_* value on failure, otherwise the non-negative
 * result of the last step that ran.
 */
static int session_cipher_get_or_create_chain_key(session_cipher *cipher,
        ratchet_chain_key **chain_key,
        session_state *state, ec_public_key *their_ephemeral)
{
    int result = 0;
    ratchet_chain_key *result_key = 0;
    ratchet_root_key *receiver_root_key = 0;
    ratchet_chain_key *receiver_chain_key = 0;
    ratchet_root_key *sender_root_key = 0;
    ratchet_chain_key *sender_chain_key = 0;
    ec_key_pair *our_new_ephemeral = 0;
    ratchet_root_key *root_key = 0;
    ec_key_pair *our_ephemeral = 0;
    ratchet_chain_key *previous_sender_chain_key = 0;
    uint32_t index = 0;

    /* Fast path: a chain for this remote ratchet key is already stored. */
    result_key = session_state_get_receiver_chain_key(state, their_ephemeral);
    if(result_key) {
        SIGNAL_REF(result_key);
        goto complete;
    }

    /* root_key and our_ephemeral are read from the state and never
     * unreferenced in this function. */
    root_key = session_state_get_root_key(state);
    if(!root_key) {
        result = SG_ERR_UNKNOWN;
        goto complete;
    }

    our_ephemeral = session_state_get_sender_ratchet_key_pair(state);
    if(!our_ephemeral) {
        result = SG_ERR_UNKNOWN;
        goto complete;
    }

    /* Receiver chain: current root key, their ratchet key, our current
     * ratchet private key. */
    result = ratchet_root_key_create_chain(root_key,
            &receiver_root_key, &receiver_chain_key,
            their_ephemeral, ec_key_pair_get_private(our_ephemeral));
    if(result < 0) {
        goto complete;
    }

    result = curve_generate_key_pair(cipher->global_context, &our_new_ephemeral);
    if(result < 0) {
        goto complete;
    }

    /* Sender chain: the root key produced by the previous step, their
     * ratchet key, our freshly generated ratchet private key. */
    result = ratchet_root_key_create_chain(receiver_root_key,
            &sender_root_key, &sender_chain_key,
            their_ephemeral, ec_key_pair_get_private(our_new_ephemeral));
    if(result < 0) {
        goto complete;
    }

    /*
     * NOTE(review): from here on `state` is modified while later steps can
     * still fail. A failure below leaves the state with the new root key
     * (and possibly the new receiver chain) but the old sender chain.
     * Confirm that callers work on a scratch copy of the state or discard
     * it when this function returns an error.
     */
    session_state_set_root_key(state, sender_root_key);

    result = session_state_add_receiver_chain(state, their_ephemeral, receiver_chain_key);
    if(result < 0) {
        goto complete;
    }

    previous_sender_chain_key = session_state_get_sender_chain_key(state);
    if(!previous_sender_chain_key) {
        result = SG_ERR_UNKNOWN;
        goto complete;
    }

    /* Previous counter is the old sender chain index minus one, floored at
     * zero; the guard keeps the unsigned value from wrapping. */
    index = ratchet_chain_key_get_index(previous_sender_chain_key);
    if(index > 0) {
        --index;
    }

    session_state_set_previous_counter(state, index);
    session_state_set_sender_chain(state, our_new_ephemeral, sender_chain_key);

    /* Extra reference for the caller; the local one is dropped below. */
    result_key = receiver_chain_key;
    SIGNAL_REF(result_key);

complete:
    /* Runs on every path, including ones where these pointers are still 0,
     * so this relies on SIGNAL_UNREF tolerating a null pointer - confirm. */
    SIGNAL_UNREF(receiver_root_key);
    SIGNAL_UNREF(receiver_chain_key);
    SIGNAL_UNREF(sender_root_key);
    SIGNAL_UNREF(sender_chain_key);
    SIGNAL_UNREF(our_new_ephemeral);
    if(result >= 0) {
        *chain_key = result_key;
    }
    else {
        SIGNAL_UNREF(result_key);
    }
    return result;
}
/*
 * Builds a device consistency message for `commitment`, signed with the
 * private half of `identity_key_pair`.
 *
 * The serialized commitment is signed with a VRF signature, the signature is
 * verified again with the public half of the same pair to obtain the VRF
 * output, and the generation plus signature are packed into the protobuf
 * form stored in the message.
 *
 * message           - out: written only when the return value is >= 0
 * commitment        - source of the serialized bytes and the generation
 * identity_key_pair - key pair used to sign and to verify
 * global_context    - library context passed to the VRF calls
 *
 * Returns >= 0 on success, a negative SG_ERR_* value on failure.
 * SG_ERR_INVALID_KEY and SG_ERR_VRF_SIG_VERIF_FAILED are reported to the
 * caller as SG_ERR_UNKNOWN.
 */
int device_consistency_message_create_from_pair(device_consistency_message **message,
        device_consistency_commitment *commitment,
        ec_key_pair *identity_key_pair,
        signal_context *global_context)
{
    Textsecure__DeviceConsistencyCodeMessage proto = TEXTSECURE__DEVICE_CONSISTENCY_CODE_MESSAGE__INIT;
    device_consistency_message *msg = 0;
    signal_buffer *commitment_bytes = 0;  /* not released here */
    signal_buffer *vrf_signature = 0;     /* released at `complete` */
    signal_buffer *vrf_output = 0;        /* released at `complete` */
    signal_buffer *stored_signature = 0;  /* not released here */
    uint8_t *out = 0;
    size_t packed_len = 0;
    size_t written = 0;
    int rc = 0;

    /* Create message instance */
    rc = device_consistency_message_create(&msg);
    if(rc < 0) {
        goto complete;
    }

    /* Calculate VRF signature */
    /* NOTE(review): the serialized commitment is used without a null check;
     * confirm the getter cannot return 0 here. */
    commitment_bytes = device_consistency_commitment_get_serialized(commitment);

    rc = curve_calculate_vrf_signature(global_context,
            &vrf_signature,
            ec_key_pair_get_private(identity_key_pair),
            signal_buffer_data(commitment_bytes),
            signal_buffer_len(commitment_bytes));
    if(rc < 0) {
        goto complete;
    }

    /* Verify VRF signature; this is also what yields the VRF output */
    rc = curve_verify_vrf_signature(global_context,
            &vrf_output,
            ec_key_pair_get_public(identity_key_pair),
            signal_buffer_data(commitment_bytes),
            signal_buffer_len(commitment_bytes),
            signal_buffer_data(vrf_signature),
            signal_buffer_len(vrf_signature));
    if(rc < 0) {
        goto complete;
    }

    msg->generation = device_consistency_commitment_get_generation(commitment);

    /* Create and assign the signature */
    rc = device_consistency_signature_create(&msg->signature,
            signal_buffer_data(vrf_signature),
            signal_buffer_len(vrf_signature),
            signal_buffer_data(vrf_output),
            signal_buffer_len(vrf_output));
    if(rc < 0) {
        goto complete;
    }

    stored_signature = device_consistency_signature_get_signature(msg->signature);

    /* Serialize the message */
    proto.generation = device_consistency_commitment_get_generation(commitment);
    proto.signature.data = signal_buffer_data(stored_signature);
    proto.signature.len = signal_buffer_len(stored_signature);
    proto.has_generation = 1;
    proto.has_signature = 1;

    packed_len = textsecure__device_consistency_code_message__get_packed_size(&proto);

    msg->serialized = signal_buffer_alloc(packed_len);
    if(!msg->serialized) {
        rc = SG_ERR_NOMEM;
        goto complete;
    }

    out = signal_buffer_data(msg->serialized);

    /* The packer must write exactly the size it reported. */
    written = textsecure__device_consistency_code_message__pack(&proto, out);
    if(written != packed_len) {
        rc = SG_ERR_INVALID_PROTO_BUF;
        goto complete;
    }

complete:
    signal_buffer_free(vrf_signature);
    signal_buffer_free(vrf_output);

    if(rc < 0) {
        SIGNAL_UNREF(msg);
    }
    else {
        *message = msg;
    }

    /* Key and VRF verification failures are collapsed into one generic code. */
    return (rc == SG_ERR_INVALID_KEY || rc == SG_ERR_VRF_SIG_VERIF_FAILED)
            ? SG_ERR_UNKNOWN
            : rc;
}
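END_TEST

/*
 * Runs 50 rounds of key agreement between two freshly generated key pairs
 * and checks that both sides compute the same 32-byte shared secret.
 * Uses its own signal_context rather than global_context.
 */
START_TEST(test_curve25519_random_agreements)
{
    int result;
    int i;

    ec_key_pair *alice_key_pair = 0;
    ec_public_key *alice_public_key = 0;
    ec_private_key *alice_private_key = 0;
    ec_key_pair *bob_key_pair = 0;
    ec_public_key *bob_public_key = 0;
    ec_private_key *bob_private_key = 0;
    uint8_t *shared_alice = 0;
    uint8_t *shared_bob = 0;

    signal_context *context = 0;

    /* Stop here if the context could not be created instead of passing an
     * unset pointer to the calls below. */
    result = signal_context_create(&context, 0);
    ck_assert_int_eq(result, 0);
    ck_assert_ptr_ne(context, 0);

    setup_test_crypto_provider(context);

    for(i = 0; i < 50; i++) {
        /* Generate Alice's key pair */
        result = curve_generate_key_pair(context, &alice_key_pair);
        ck_assert_int_eq(result, 0);
        alice_public_key = ec_key_pair_get_public(alice_key_pair);
        alice_private_key = ec_key_pair_get_private(alice_key_pair);
        ck_assert_ptr_ne(alice_public_key, 0);
        ck_assert_ptr_ne(alice_private_key, 0);

        /* Generate Bob's key pair */
        result = curve_generate_key_pair(context, &bob_key_pair);
        ck_assert_int_eq(result, 0);
        bob_public_key = ec_key_pair_get_public(bob_key_pair);
        bob_private_key = ec_key_pair_get_private(bob_key_pair);
        ck_assert_ptr_ne(bob_public_key, 0);
        ck_assert_ptr_ne(bob_private_key, 0);

        /* Calculate Alice's key agreement; the return value is the length */
        result = curve_calculate_agreement(&shared_alice, bob_public_key, alice_private_key);
        ck_assert_int_eq(result, 32);
        ck_assert_ptr_ne(shared_alice, 0);

        /* Calculate Bob's key agreement */
        result = curve_calculate_agreement(&shared_bob, alice_public_key, bob_private_key);
        ck_assert_int_eq(result, 32);
        ck_assert_ptr_ne(shared_bob, 0);

        /* Assert that key agreements match */
        ck_assert_int_eq(memcmp(shared_alice, shared_bob, 32), 0);

        /* Cleanup; every pointer is reset so the next round starts clean */
        free(shared_alice);
        free(shared_bob);
        SIGNAL_UNREF(alice_key_pair);
        SIGNAL_UNREF(bob_key_pair);
        alice_key_pair = 0;
        bob_key_pair = 0;
        alice_public_key = 0;
        alice_private_key = 0;
        bob_public_key = 0;
        bob_private_key = 0;
        shared_alice = 0;
        shared_bob = 0;
    }

    signal_context_destroy(context);
}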
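/*
 * Initializes `state` for the initiating side of a session.
 *
 * A master secret is assembled in a pool as 32 bytes of 0xFF followed by the
 * key agreements, in this order:
 *   1. their signed pre key     with our identity private key
 *   2. their identity key       with our base private key
 *   3. their signed pre key     with our base private key
 *   4. their one-time pre key   with our base private key (only if present)
 * Root and chain keys are derived from that secret, a sending chain is
 * created from a freshly generated ratchet key pair, and the results are
 * stored in `state`.
 *
 * state          - session state to fill in; must not be null
 * parameters     - the keys listed above plus their_ratchet_key; must not
 *                  be null
 * global_context - library context; must not be null
 *
 * Returns >= 0 on success, a negative SG_ERR_* value on failure. When adding
 * the receiver chain fails, that error is returned and the sender chain and
 * root key are not stored; the session version and identity keys have
 * already been written at that point, so the state should be discarded.
 */
int ratcheting_session_alice_initialize(
        session_state *state,
        alice_signal_protocol_parameters *parameters,
        signal_context *global_context)
{
    int result = 0;
    int chain_result = 0;
    uint8_t *agreement = 0;
    int agreement_len = 0;
    ec_key_pair *sending_ratchet_key = 0;
    ratchet_root_key *derived_root = 0;
    ratchet_chain_key *derived_chain = 0;
    ratchet_root_key *sending_chain_root = 0;
    ratchet_chain_key *sending_chain_key = 0;
    struct vpool vp;
    uint8_t *secret = 0;
    size_t secret_len = 0;
    uint8_t discontinuity_data[32];

    assert(state);
    assert(parameters);
    assert(global_context);

    vpool_init(&vp, 1024, 0);

    result = curve_generate_key_pair(global_context, &sending_ratchet_key);
    if(result < 0) {
        goto complete;
    }

    /* The secret starts with 32 bytes of 0xFF. */
    memset(discontinuity_data, 0xFF, sizeof(discontinuity_data));
    if(!vpool_insert(&vp, vpool_get_length(&vp), discontinuity_data, sizeof(discontinuity_data))) {
        result = SG_ERR_NOMEM;
        goto complete;
    }

    /*
     * NOTE(review): each agreement buffer below is released with plain
     * free(), and the pooled secret with vpool_final(), without the
     * shared-secret bytes being visibly wiped first. If the project has a
     * secure-zero helper, consider applying it before release.
     */

    /* 1. their signed pre key with our identity private key */
    agreement_len = curve_calculate_agreement(&agreement,
            parameters->their_signed_pre_key, parameters->our_identity_key->private_key);
    if(agreement_len < 0) {
        result = agreement_len;
        goto complete;
    }
    if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
        free(agreement); agreement = 0; agreement_len = 0;
    }
    else {
        result = SG_ERR_NOMEM;
        goto complete;
    }

    /* 2. their identity key with our base private key */
    agreement_len = curve_calculate_agreement(&agreement,
            parameters->their_identity_key, ec_key_pair_get_private(parameters->our_base_key));
    if(agreement_len < 0) {
        result = agreement_len;
        goto complete;
    }
    if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
        free(agreement); agreement = 0; agreement_len = 0;
    }
    else {
        result = SG_ERR_NOMEM;
        goto complete;
    }

    /* 3. their signed pre key with our base private key */
    agreement_len = curve_calculate_agreement(&agreement,
            parameters->their_signed_pre_key, ec_key_pair_get_private(parameters->our_base_key));
    if(agreement_len < 0) {
        result = agreement_len;
        goto complete;
    }
    if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
        free(agreement); agreement = 0; agreement_len = 0;
    }
    else {
        result = SG_ERR_NOMEM;
        goto complete;
    }

    /* 4. optional: their one-time pre key with our base private key */
    if(parameters->their_one_time_pre_key) {
        agreement_len = curve_calculate_agreement(&agreement,
                parameters->their_one_time_pre_key, ec_key_pair_get_private(parameters->our_base_key));
        if(agreement_len < 0) {
            result = agreement_len;
            goto complete;
        }
        if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
            free(agreement); agreement = 0; agreement_len = 0;
        }
        else {
            result = SG_ERR_NOMEM;
            goto complete;
        }
    }

    if(vpool_is_empty(&vp)) {
        result = SG_ERR_UNKNOWN;
        goto complete;
    }

    /* The pool's buffer is read in place; it is released by vpool_final(). */
    secret = vpool_get_buf(&vp);
    secret_len = vpool_get_length(&vp);

    result = ratcheting_session_calculate_derived_keys(&derived_root, &derived_chain, secret, secret_len, global_context);
    if(result < 0) {
        goto complete;
    }

    result = ratchet_root_key_create_chain(derived_root,
            &sending_chain_root, &sending_chain_key,
            parameters->their_ratchet_key,
            ec_key_pair_get_private(sending_ratchet_key));
    if(result < 0) {
        goto complete;
    }

complete:
    if(result >= 0) {
        session_state_set_session_version(state, CIPHERTEXT_CURRENT_VERSION);
        session_state_set_remote_identity_key(state, parameters->their_identity_key);
        session_state_set_local_identity_key(state, parameters->our_identity_key->public_key);

        /* Adding a receiver chain can fail; report that instead of
         * returning success for a state without its receiver chain. The
         * success value of `result` is left as it was. */
        chain_result = session_state_add_receiver_chain(state, parameters->their_ratchet_key, derived_chain);
        if(chain_result < 0) {
            result = chain_result;
        }
    }
    if(result >= 0) {
        session_state_set_sender_chain(state, sending_ratchet_key, sending_chain_key);
        session_state_set_root_key(state, sending_chain_root);
    }

    vpool_final(&vp);
    if(agreement) {
        free(agreement);
    }
    if(sending_ratchet_key) {
        SIGNAL_UNREF(sending_ratchet_key);
    }
    if(derived_root) {
        SIGNAL_UNREF(derived_root);
    }
    if(derived_chain) {
        SIGNAL_UNREF(derived_chain);
    }
    if(sending_chain_root) {
        SIGNAL_UNREF(sending_chain_root);
    }
    if(sending_chain_key) {
        SIGNAL_UNREF(sending_chain_key);
    }

    return result;
}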