private (ArraySegment <byte> initializationNonce, ArraySegment <byte> remoteEcdhForInit) ReceiveInitializationRequest(State state, byte[] data)
{
if (!(state is ServerState serverState))
{
throw new InvalidOperationException("Only the server can receive an init request.");
}
// nonce(16), pubkey(32), ecdh(32), pading(...), signature(64), mac(12)
var messageSize = data.Length;
var macOffset = messageSize - MacSize;
var initializationNonce = new ArraySegment <byte>(data, 0, InitializationNonceSize);
CheckNonce(initializationNonce);
// decrypt the message
var cipher = new AesCtrMode(AesFactory.GetAes(true, Configuration.ApplicationKey), initializationNonce);
var decryptedPayload = cipher.Process(data, InitializationNonceSize, macOffset - InitializationNonceSize);
Array.Copy(decryptedPayload, 0, data, InitializationNonceSize, decryptedPayload.Length);
var clientPublicKeyOffset = InitializationNonceSize;
var remoteEcdhOffset = InitializationNonceSize + EcNumSize;
var clientPublicKey = new ArraySegment <byte>(data, clientPublicKeyOffset, EcNumSize);
var remoteEcdhForInit = new ArraySegment <byte>(data, remoteEcdhOffset, EcNumSize);
var signedMessage = new ArraySegment <byte>(data, 0, macOffset);
if (serverState.ClientPublicKey != null)
{
if (!serverState.ClientPublicKey.Matches(clientPublicKey))
{
throw new InvalidOperationException("The server was initialized before with a different public key");
}
else if (serverState.ClientInitializationNonce != null && initializationNonce.Matches(serverState.ClientInitializationNonce))
{
throw new InvalidOperationException("The server was initialized before with the same nonce");
}
else
{
// the client wants to reinitialize. Reset state.
serverState.RootKey = null;
serverState.FirstSendHeaderKey = null;
serverState.FirstReceiveHeaderKey = null;
serverState.LocalEcdhRatchetStep0 = null;
serverState.LocalEcdhRatchetStep1 = null;
serverState.Ratchets.Clear();
}
}
serverState.ClientInitializationNonce = initializationNonce.ToArray();
IVerifier verifier = VerifierFactory.Create(clientPublicKey);
if (!verifier.VerifySignedMessage(Digest, signedMessage))
{
throw new InvalidOperationException("The signature was invalid");
}
serverState.ClientPublicKey = clientPublicKey.ToArray();
return(initializationNonce, remoteEcdhForInit);
}
private byte[] SendInitializationRequest(State state)
{
// message format:
// nonce(16), pubkey(32), ecdh(32), padding(...), signature(64), mac(12)
if (!(state is ClientState clientState))
{
throw new InvalidOperationException("Only the client can send init request.");
}
// 16 bytes nonce
clientState.InitializationNonce = RandomNumberGenerator.Generate(InitializationNonceSize);
// get the public key
var pubkey = Signature.GetPublicKey();
// generate new ECDH keypair for init message and root key
IKeyAgreement clientEcdh = KeyAgreementFactory.GenerateNew();
clientState.LocalEcdhForInit = clientEcdh;
// nonce(16), <pubkey(32), ecdh(32), signature(64)>, mac(12)
var initializationMessageSize = InitializationNonceSize + EcNumSize * 4 + MacSize;
var messageSize = Math.Max(Configuration.MinimumMessageSize, initializationMessageSize);
var initializationMessageSizeWithSignature = messageSize - MacSize;
var initializationMessageSizeWithoutSignature = messageSize - MacSize - SignatureSize;
var signatureOffset = messageSize - MacSize - SignatureSize;
var message = new byte[messageSize];
Array.Copy(clientState.InitializationNonce, 0, message, 0, InitializationNonceSize);
Array.Copy(pubkey, 0, message, InitializationNonceSize, EcNumSize);
Array.Copy(clientEcdh.GetPublicKey(), 0, message, InitializationNonceSize + EcNumSize, EcNumSize);
// sign the message
var digest = Digest.ComputeDigest(message, 0, initializationMessageSizeWithoutSignature);
Array.Copy(Signature.Sign(digest), 0, message, signatureOffset, SignatureSize);
// encrypt the message with the application key
var cipher = new AesCtrMode(AesFactory.GetAes(true, Configuration.ApplicationKey), clientState.InitializationNonce);
var encryptedPayload = cipher.Process(message, InitializationNonceSize, initializationMessageSizeWithSignature - InitializationNonceSize);
Array.Copy(encryptedPayload, 0, message, InitializationNonceSize, initializationMessageSizeWithSignature - InitializationNonceSize);
// calculate mac
var Mac = new Poly(AesFactory);
Mac.Init(Configuration.ApplicationKey, clientState.InitializationNonce, MacSize);
Mac.Process(message, 0, initializationMessageSizeWithSignature);
var mac = Mac.Compute();
Array.Copy(mac, 0, message, initializationMessageSizeWithSignature, MacSize);
return(message);
}
private byte[] DeconstructMessage(State state, byte[] payload, byte[] headerKey, EcdhRatchetStep ratchetUsed, bool usedNextHeaderKey)
{
if (state == null)
{
throw new ArgumentNullException(nameof(state));
}
if (payload == null)
{
throw new ArgumentNullException(nameof(payload));
}
if (headerKey == null)
{
throw new ArgumentNullException(nameof(headerKey));
}
var messageSize = payload.Length;
var encryptedNonce = new ArraySegment <byte>(payload, 0, NonceSize);
// decrypt the nonce
var headerEncryptionNonce = new ArraySegment <byte>(payload, payload.Length - MacSize - HeaderIVSize, HeaderIVSize);
var hcipher = new AesCtrMode(GetHeaderKeyCipher(headerKey), headerEncryptionNonce);
var decryptedNonce = hcipher.Process(encryptedNonce);
CheckNonce(headerEncryptionNonce);
// get the ecdh bit
var hasEcdh = (decryptedNonce[0] & 0b1000_0000) != 0;
decryptedNonce[0] &= 0b0111_1111;
// extract ecdh if needed
var step = BigEndianBitConverter.ToInt32(decryptedNonce);
if (hasEcdh)
{
var clientEcdhPublic = new ArraySegment <byte>(hcipher.Process(new ArraySegment <byte>(payload, NonceSize, EcNumSize)));
if (ratchetUsed == null)
{
// an override header key was used.
// this means we have to initialize the ratchet
if (!(state is ServerState serverState))
{
throw new InvalidOperationException("Only the server can initialize a ratchet.");
}
ratchetUsed = EcdhRatchetStep.InitializeServer(KeyDerivation, Digest,
serverState.LocalEcdhRatchetStep0,
serverState.RootKey, clientEcdhPublic,
serverState.LocalEcdhRatchetStep1,
serverState.FirstReceiveHeaderKey,
serverState.FirstSendHeaderKey);
serverState.Ratchets.Add(ratchetUsed);
}
else
{
if (usedNextHeaderKey)
{
// perform ecdh ratchet
IKeyAgreement newEcdh = KeyAgreementFactory.GenerateNew();
// this is the hottest line in the deconstruct process:
EcdhRatchetStep newRatchet = ratchetUsed.Ratchet(KeyDerivation, Digest, clientEcdhPublic, newEcdh);
state.Ratchets.Add(newRatchet);
ratchetUsed = newRatchet;
}
}
}
// get the inner payload key from the receive chain
if (ratchetUsed == null)
{
throw new InvalidOperationException("An override header key was used but the message did not contain ECDH parameters");
}
(var key, var _) = ratchetUsed.ReceivingChain.RatchetForReceiving(KeyDerivation, step);
CheckNonce(key);
// get the encrypted payload
var payloadOffset = hasEcdh ? NonceSize + EcNumSize : NonceSize;
var encryptedPayload = new ArraySegment <byte>(payload, payloadOffset, messageSize - payloadOffset - MacSize);
// decrypt the inner payload
var icipher = new AesCtrMode(AesFactory.GetAes(true, key), decryptedNonce);
var decryptedInnerPayload = icipher.Process(encryptedPayload);
return(decryptedInnerPayload);
}
private byte[] ConstructMessage(ArraySegment <byte> message, bool includeEcdh, EcdhRatchetStep step)
{
if (message == null)
{
throw new ArgumentNullException(nameof(message));
}
// message format:
// <nonce (4)>, <payload, padding>, mac(12)
// <nonce (4), ecdh (32)>, <payload, padding>, mac(12)
// get the payload key and nonce
(var payloadKey, var messageNumber) = step.SendingChain.RatchetForSending(KeyDerivation);
var nonce = BigEndianBitConverter.GetBytes(messageNumber);
// make sure the first bit is not set as we use that bit to indicate
// the presence of new ECDH parameters
if ((nonce[0] & 0b1000_0000) != 0)
{
throw new InvalidOperationException($"The message number is too big. Cannot encrypt more than {((uint)1 << 31) - 1} messages without exchanging keys");
}
// calculate some sizes
var headerSize = NonceSize + (includeEcdh ? EcNumSize : 0);
var overhead = headerSize + MacSize;
var messageSize = message.Count;
var maxMessageSize = Configuration.MaximumMessageSize - overhead;
var minPayloadSize = Configuration.MinimumMessageSize - overhead;
// build the payload: <payload, padding>
ArraySegment <byte> payload;
if (messageSize < minPayloadSize)
{
payload = new ArraySegment <byte>(new byte[minPayloadSize]);
Array.Copy(message.Array, message.Offset, payload.Array, 0, message.Count);
}
else if (messageSize > maxMessageSize)
{
throw new InvalidOperationException("The message doesn't fit inside the MTU");
}
else
{
payload = message;
}
// encrypt the payload
var icipher = new AesCtrMode(AesFactory.GetAes(true, payloadKey), nonce);
var encryptedPayload = icipher.Process(payload);
// build the header: <nonce(4), ecdh(32)?>
var header = new byte[headerSize];
Array.Copy(nonce, header, NonceSize);
if (includeEcdh)
{
var ratchetPublicKey = step.GetPublicKey();
Array.Copy(ratchetPublicKey, 0, header, nonce.Length, ratchetPublicKey.Length);
// set the has ecdh bit
header[0] |= 0b1000_0000;
}
else
{
// clear the has ecdh bit
header[0] &= 0b0111_1111;
}
// encrypt the header using the header key and using the
// last 16 bytes of the message as the nonce.
var headerEncryptionNonce = new ArraySegment <byte>(encryptedPayload, encryptedPayload.Length - HeaderIVSize, HeaderIVSize);
var hcipher = new AesCtrMode(GetHeaderKeyCipher(step.SendHeaderKey), headerEncryptionNonce);
var encryptedHeader = hcipher.Process(header);
// mac the message: <header>, <payload>, mac(12)
// the mac uses the header encryption derived key (all 32 bytes)
var Mac = new Poly(AesFactory);
var maciv = new byte[16];
var epl = encryptedPayload.Length;
var ehl = encryptedHeader.Length;
if (ehl < maciv.Length)
{
Array.Copy(encryptedHeader, maciv, ehl);
Array.Copy(encryptedPayload, 0, maciv, ehl, 16 - ehl);
}
else
{
Array.Copy(encryptedHeader, maciv, maciv.Length);
}
Mac.Init(step.SendHeaderKey, maciv, MacSize);
Mac.Process(encryptedHeader);
Mac.Process(encryptedPayload);
var mac = Mac.Compute();
// construct the resulting message
var result = new byte[ehl + epl + mac.Length];
Array.Copy(encryptedHeader, 0, result, 0, ehl);
Array.Copy(encryptedPayload, 0, result, ehl, epl);
Array.Copy(mac, 0, result, ehl + epl, mac.Length);
return(result);
}
private void ReceiveInitializationResponse(State state, byte[] data)
{
if (!(state is ClientState clientState))
{
throw new InvalidOperationException("Only the client can receive an init response.");
}
var messageSize = data.Length;
var macOffset = messageSize - MacSize;
var headerIvOffset = macOffset - HeaderIVSize;
var headerSize = InitializationNonceSize + EcNumSize;
var payloadSize = messageSize - headerSize - MacSize;
// decrypt header
var cipher = new AesCtrMode(AesFactory.GetAes(true, Configuration.ApplicationKey), data, headerIvOffset, HeaderIVSize);
var decryptedHeader = cipher.Process(data, 0, headerSize);
Array.Copy(decryptedHeader, 0, data, 0, headerSize);
// new nonce(16), ecdh pubkey(32), <nonce(16), server pubkey(32),
// new ecdh pubkey(32) x2, signature(64)>, mac(12)
var nonce = new ArraySegment <byte>(data, 0, InitializationNonceSize);
var rootEcdhKey = new ArraySegment <byte>(data, InitializationNonceSize, EcNumSize);
var encryptedPayload = new ArraySegment <byte>(data, headerSize, payloadSize);
CheckNonce(nonce);
// decrypt payload
IKeyAgreement rootEcdh = clientState.LocalEcdhForInit;
var rootPreKey = rootEcdh.DeriveKey(rootEcdhKey);
rootPreKey = Digest.ComputeDigest(rootPreKey);
cipher = new AesCtrMode(AesFactory.GetAes(true, rootPreKey), nonce);
var decryptedPayload = cipher.Process(encryptedPayload);
Array.Copy(decryptedPayload, 0, data, headerSize, payloadSize);
// extract some goodies
var oldNonce = new ArraySegment <byte>(data, headerSize, InitializationNonceSize);
var serverPubKey = new ArraySegment <byte>(data, headerSize + InitializationNonceSize, EcNumSize);
var remoteRatchetEcdh0 = new ArraySegment <byte>(data, headerSize + InitializationNonceSize + EcNumSize, EcNumSize);
var remoteRatchetEcdh1 = new ArraySegment <byte>(data, headerSize + InitializationNonceSize + EcNumSize * 2, EcNumSize);
// make sure the nonce sent back by the server (which is encrypted and signed)
// matches the nonce we sent previously
if (!oldNonce.Matches(clientState.InitializationNonce))
{
throw new InvalidOperationException("Nonce did not match");
}
// verify that the signature matches
IVerifier verifier = VerifierFactory.Create(serverPubKey);
if (!verifier.VerifySignedMessage(Digest, new ArraySegment <byte>(data, 0, payloadSize + headerSize)))
{
throw new InvalidOperationException("The signature was invalid");
}
// keep the server public key around
clientState.ServerPublicKey = serverPubKey.ToArray();
// store the new nonce we got from the server
clientState.InitializationNonce = nonce.ToArray();
Log.Verbose($"storing iniitlizaionta nonce: {Log.ShowBytes(nonce)}");
// we now have enough information to construct our double ratchet
IKeyAgreement localStep0EcdhRatchet = KeyAgreementFactory.GenerateNew();
IKeyAgreement localStep1EcdhRatchet = KeyAgreementFactory.GenerateNew();
// initialize client root key and ecdh ratchet
var genKeys = KeyDerivation.GenerateKeys(rootPreKey, clientState.InitializationNonce, 3, 32);
var rootKey = genKeys[0];
var receiveHeaderKey = genKeys[1];
var sendHeaderKey = genKeys[2];
clientState.Ratchets.Add(EcdhRatchetStep.InitializeClient(KeyDerivation, Digest, rootKey,
remoteRatchetEcdh0, remoteRatchetEcdh1, localStep0EcdhRatchet,
receiveHeaderKey, sendHeaderKey,
localStep1EcdhRatchet));
clientState.LocalEcdhForInit = null;
}
private byte[] SendInitializationResponse(State state, ArraySegment <byte> initializationNonce, ArraySegment <byte> remoteEcdhForInit)
{
// message format:
// new nonce(16), ecdh pubkey(32),
// <nonce from init request(16), server pubkey(32),
// new ecdh pubkey(32) x2, Padding(...), signature(64)>, mac(12) = 236 bytes
if (!(state is ServerState serverState))
{
throw new InvalidOperationException("Only the server can send init response.");
}
// generate a nonce and new ecdh parms
var serverNonce = RandomNumberGenerator.Generate(InitializationNonceSize);
serverState.NextInitializationNonce = serverNonce;
IKeyAgreement rootPreEcdh = KeyAgreementFactory.GenerateNew();
var rootPreEcdhPubkey = rootPreEcdh.GetPublicKey();
// generate server ECDH for root key and root key
var rootPreKey = rootPreEcdh.DeriveKey(remoteEcdhForInit);
rootPreKey = Digest.ComputeDigest(rootPreKey);
var genKeys = KeyDerivation.GenerateKeys(rootPreKey, serverNonce, 3, EcNumSize);
serverState.RootKey = genKeys[0];
serverState.FirstSendHeaderKey = genKeys[1];
serverState.FirstReceiveHeaderKey = genKeys[2];
// generate two server ECDH. One for ratchet 0 sending key and one for the next
// this is enough for the server to generate a receiving chain key and sending
// chain key as soon as the client sends a sending chain key
IKeyAgreement serverEcdhRatchet0 = KeyAgreementFactory.GenerateNew();
serverState.LocalEcdhRatchetStep0 = serverEcdhRatchet0;
IKeyAgreement serverEcdhRatchet1 = KeyAgreementFactory.GenerateNew();
serverState.LocalEcdhRatchetStep1 = serverEcdhRatchet1;
var minimumMessageSize = InitializationNonceSize * 2 + EcNumSize * 6 + MacSize;
var entireMessageSize = Math.Max(Configuration.MinimumMessageSize, minimumMessageSize);
var macOffset = entireMessageSize - MacSize;
var entireMessageWithoutMacOrSignatureSize = macOffset - SignatureSize;
var encryptedPayloadOffset = InitializationNonceSize + EcNumSize;
var encryptedPayloadSize = macOffset - encryptedPayloadOffset;
// construct the message
var message = new byte[entireMessageSize];
Array.Copy(serverNonce, 0, message, 0, InitializationNonceSize);
Array.Copy(rootPreEcdhPubkey, 0, message, InitializationNonceSize, EcNumSize);
// construct the to-be-encrypted part
var rre0 = serverEcdhRatchet0.GetPublicKey();
var rre1 = serverEcdhRatchet1.GetPublicKey();
Array.Copy(initializationNonce.Array, initializationNonce.Offset, message, encryptedPayloadOffset, InitializationNonceSize);
Array.Copy(Signature.GetPublicKey(), 0, message, encryptedPayloadOffset + InitializationNonceSize, EcNumSize);
Array.Copy(rre0, 0, message, encryptedPayloadOffset + InitializationNonceSize + EcNumSize, EcNumSize);
Array.Copy(rre1, 0, message, encryptedPayloadOffset + InitializationNonceSize + EcNumSize * 2, EcNumSize);
// sign the message
var digest = Digest.ComputeDigest(message, 0, entireMessageWithoutMacOrSignatureSize);
Array.Copy(Signature.Sign(digest), 0, message, entireMessageWithoutMacOrSignatureSize, SignatureSize);
// encrypt the message
var cipher = new AesCtrMode(AesFactory.GetAes(true, rootPreKey), serverNonce);
var encryptedPayload = cipher.Process(message, encryptedPayloadOffset, encryptedPayloadSize);
Array.Copy(encryptedPayload, 0, message, encryptedPayloadOffset, encryptedPayloadSize);
// encrypt the header
cipher = new AesCtrMode(AesFactory.GetAes(true, Configuration.ApplicationKey), encryptedPayload, encryptedPayloadSize - HeaderIVSize, HeaderIVSize);
var encryptedHeader = cipher.Process(message, 0, encryptedPayloadOffset);
Array.Copy(encryptedHeader, 0, message, 0, encryptedPayloadOffset);
// calculate mac
var Mac = new Poly(AesFactory);
Mac.Init(Configuration.ApplicationKey, encryptedHeader, 0, InitializationNonceSize, MacSize);
Mac.Process(message, 0, macOffset);
var mac = Mac.Compute();
Array.Copy(mac, 0, message, macOffset, MacSize);
return(message);
}