libsignal-skyzopedia 1.0.0

package/src/base_key_type.js

@@ -0,0 +1,7 @@
+
+const BaseKeyType = {
+  OURS: 1,
+  THEIRS: 2
+};
+
+module.exports = BaseKeyType;

package/src/chain_type.js

@@ -0,0 +1,6 @@
+const ChainType = {
+    SENDING: 1,
+    RECEIVING: 2
+};
+
+module.exports = ChainType;

package/src/crypto.js

@@ -0,0 +1,98 @@
+// vim: ts=4:sw=4
+
+'use strict';
+
+const nodeCrypto = require('crypto');
+const assert = require('assert');
+
+
+function assertBuffer(value) {
+    if (!(value instanceof Buffer)) {
+        throw TypeError(`Expected Buffer instead of: ${value.constructor.name}`);
+    }
+    return value;
+}
+
+
+function encrypt(key, data, iv) {
+    assertBuffer(key);
+    assertBuffer(data);
+    assertBuffer(iv);
+    const cipher = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
+    return Buffer.concat([cipher.update(data), cipher.final()]);
+}
+
+
+function decrypt(key, data, iv) {
+    assertBuffer(key);
+    assertBuffer(data);
+    assertBuffer(iv);
+    const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', key, iv);
+    return Buffer.concat([decipher.update(data), decipher.final()]);
+}
+
+
+function calculateMAC(key, data) {
+    assertBuffer(key);
+    assertBuffer(data);
+    const hmac = nodeCrypto.createHmac('sha256', key);
+    hmac.update(data);
+    return Buffer.from(hmac.digest());
+}
+
+
+function hash(data) {
+    assertBuffer(data);
+    const sha512 = nodeCrypto.createHash('sha512');
+    sha512.update(data);
+    return sha512.digest();
+}
+
+
+// Salts always end up being 32 bytes
+function deriveSecrets(input, salt, info, chunks) {
+    // Specific implementation of RFC 5869 that only returns the first 3 32-byte chunks
+    assertBuffer(input);
+    assertBuffer(salt);
+    assertBuffer(info);
+    if (salt.byteLength != 32) {
+        throw new Error("Got salt of incorrect length");
+    }
+    chunks = chunks || 3;
+    assert(chunks >= 1 && chunks <= 3);
+    const PRK = calculateMAC(salt, input);
+    const infoArray = new Uint8Array(info.byteLength + 1 + 32);
+    infoArray.set(info, 32);
+    infoArray[infoArray.length - 1] = 1;
+    const signed = [calculateMAC(PRK, Buffer.from(infoArray.slice(32)))];
+    if (chunks > 1) {
+        infoArray.set(signed[signed.length - 1]);
+        infoArray[infoArray.length - 1] = 2;
+        signed.push(calculateMAC(PRK, Buffer.from(infoArray)));
+    }
+    if (chunks > 2) {
+        infoArray.set(signed[signed.length - 1]);
+        infoArray[infoArray.length - 1] = 3;
+        signed.push(calculateMAC(PRK, Buffer.from(infoArray)));
+    }
+    return signed;
+}
+
+function verifyMAC(data, key, mac, length) {
+    const calculatedMac = calculateMAC(key, data).slice(0, length);
+    if (mac.length !== length || calculatedMac.length !== length) {
+        throw new Error("Bad MAC length");
+    }
+    if (!mac.equals(calculatedMac)) {
+        throw new Error("Bad MAC");
+    }
+}
+
+module.exports = {
+    deriveSecrets,
+    decrypt,
+    encrypt,
+    hash,
+    calculateMAC,
+    verifyMAC
+};

package/src/curve.js

@@ -0,0 +1,120 @@
+
+'use strict';
+
+const curveJs = require('curve25519-js');
+const nodeCrypto = require('crypto');
+// from: https://github.com/digitalbazaar/x25519-key-agreement-key-2019/blob/master/lib/crypto.js
+const PUBLIC_KEY_DER_PREFIX = Buffer.from([
+    48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0
+]);
+  
+const PRIVATE_KEY_DER_PREFIX = Buffer.from([
+    48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 110, 4, 34, 4, 32
+]);
+
+function validatePrivKey(privKey) {
+    if (privKey === undefined) {
+        throw new Error("Undefined private key");
+    }
+    if (!(privKey instanceof Buffer)) {
+        throw new Error(`Invalid private key type: ${privKey.constructor.name}`);
+    }
+    if (privKey.byteLength != 32) {
+        throw new Error(`Incorrect private key length: ${privKey.byteLength}`);
+    }
+}
+
+function scrubPubKeyFormat(pubKey) {
+    if (!(pubKey instanceof Buffer)) {
+        throw new Error(`Invalid public key type: ${pubKey.constructor.name}`);
+    }
+    if (pubKey === undefined || ((pubKey.byteLength != 33 || pubKey[0] != 5) && pubKey.byteLength != 32)) {
+        throw new Error("Invalid public key");
+    }
+    if (pubKey.byteLength == 33) {
+        return pubKey.slice(1);
+    } else {
+        console.error("WARNING: Expected pubkey of length 33, please report the ST and client that generated the pubkey");
+        return pubKey;
+    }
+}
+
+exports.generateKeyPair = function() {
+    if(typeof nodeCrypto.generateKeyPairSync === 'function') {
+        const {publicKey: publicDerBytes, privateKey: privateDerBytes} = nodeCrypto.generateKeyPairSync(
+            'x25519',
+            {
+                publicKeyEncoding: { format: 'der', type: 'spki' },
+                privateKeyEncoding: { format: 'der', type: 'pkcs8' }
+            }
+        );
+        // 33 bytes
+        // first byte = 5 (version byte)
+        const pubKey = publicDerBytes.slice(PUBLIC_KEY_DER_PREFIX.length-1, PUBLIC_KEY_DER_PREFIX.length + 32);
+        pubKey[0] = 5;
+    
+        const privKey = privateDerBytes.slice(PRIVATE_KEY_DER_PREFIX.length, PRIVATE_KEY_DER_PREFIX.length + 32);
+    
+        return {
+            pubKey,
+            privKey
+        };
+    } else {
+        const keyPair = curveJs.generateKeyPair(nodeCrypto.randomBytes(32));
+        return {
+            privKey: Buffer.from(keyPair.private),
+            pubKey: Buffer.from(keyPair.public),
+        };
+    }
+};
+
+exports.calculateAgreement = function(pubKey, privKey) {
+    pubKey = scrubPubKeyFormat(pubKey);
+    validatePrivKey(privKey);
+    if (!pubKey || pubKey.byteLength != 32) {
+        throw new Error("Invalid public key");
+    }
+
+    if(typeof nodeCrypto.diffieHellman === 'function') {
+        const nodePrivateKey = nodeCrypto.createPrivateKey({
+            key: Buffer.concat([PRIVATE_KEY_DER_PREFIX, privKey]),
+            format: 'der',
+            type: 'pkcs8'
+        });
+        const nodePublicKey = nodeCrypto.createPublicKey({
+            key: Buffer.concat([PUBLIC_KEY_DER_PREFIX, pubKey]),
+            format: 'der',
+            type: 'spki'
+        });
+        
+        return nodeCrypto.diffieHellman({
+            privateKey: nodePrivateKey,
+            publicKey: nodePublicKey,
+        });
+    } else {
+        const secret = curveJs.sharedKey(privKey, pubKey);
+        return Buffer.from(secret);
+    }
+};
+
+exports.calculateSignature = function(privKey, message) {
+    validatePrivKey(privKey);
+    if (!message) {
+        throw new Error("Invalid message");
+    }
+    return Buffer.from(curveJs.sign(privKey, message));
+};
+
+exports.verifySignature = function(pubKey, msg, sig) {
+    pubKey = scrubPubKeyFormat(pubKey);
+    if (!pubKey || pubKey.byteLength != 32) {
+        throw new Error("Invalid public key");
+    }
+    if (!msg) {
+        throw new Error("Invalid message");
+    }
+    if (!sig || sig.byteLength != 64) {
+        throw new Error("Invalid signature");
+    }
+    return curveJs.verify(pubKey, msg, sig);
+};

package/src/errors.js

@@ -0,0 +1,33 @@
+// vim: ts=4:sw=4:expandtab
+
+exports.SignalError = class SignalError extends Error {};
+
+exports.UntrustedIdentityKeyError = class UntrustedIdentityKeyError extends exports.SignalError {
+    constructor(addr, identityKey) {
+        super();
+        this.name = 'UntrustedIdentityKeyError';
+        this.addr = addr;
+        this.identityKey = identityKey;
+    }
+};
+
+exports.SessionError = class SessionError extends exports.SignalError {
+    constructor(message) {
+        super(message);
+        this.name = 'SessionError';
+    }
+};
+
+exports.MessageCounterError = class MessageCounterError extends exports.SessionError {
+    constructor(message) {
+        super(message);
+        this.name = 'MessageCounterError';
+    }
+};
+
+exports.PreKeyError = class PreKeyError extends exports.SessionError {
+    constructor(message) {
+        super(message);
+        this.name = 'PreKeyError';
+    }
+};

package/src/keyhelper.js

@@ -0,0 +1,45 @@
+// vim: ts=4:sw=4:expandtab
+
+const curve = require('./curve');
+const nodeCrypto = require('crypto');
+
+function isNonNegativeInteger(n) {
+    return (typeof n === 'number' && (n % 1) === 0  && n >= 0);
+}
+
+exports.generateIdentityKeyPair = curve.generateKeyPair;
+
+exports.generateRegistrationId = function() {
+    var registrationId = Uint16Array.from(nodeCrypto.randomBytes(2))[0];
+    return registrationId & 0x3fff;
+};
+
+exports.generateSignedPreKey = function(identityKeyPair, signedKeyId) {
+    if (!(identityKeyPair.privKey instanceof Buffer) ||
+        identityKeyPair.privKey.byteLength != 32 ||
+        !(identityKeyPair.pubKey instanceof Buffer) ||
+        identityKeyPair.pubKey.byteLength != 33) {
+        throw new TypeError('Invalid argument for identityKeyPair');
+    }
+    if (!isNonNegativeInteger(signedKeyId)) {
+        throw new TypeError('Invalid argument for signedKeyId: ' + signedKeyId);
+    }
+    const keyPair = curve.generateKeyPair();
+    const sig = curve.calculateSignature(identityKeyPair.privKey, keyPair.pubKey);
+    return {
+        keyId: signedKeyId,
+        keyPair: keyPair,
+        signature: sig
+    };
+};
+
+exports.generatePreKey = function(keyId) {
+    if (!isNonNegativeInteger(keyId)) {
+        throw new TypeError('Invalid argument for keyId: ' + keyId);
+    }
+    const keyPair = curve.generateKeyPair();
+    return {
+        keyId,
+        keyPair
+    };
+};

package/src/numeric_fingerprint.js

@@ -0,0 +1,72 @@
+
+const crypto = require('./crypto.js');
+
+var VERSION = 0;
+
+
+async function iterateHash(data, key, count) {
+    const combined = (new Uint8Array(Buffer.concat([data, key]))).buffer;
+    const result = crypto.hash(combined);
+    if (--count === 0) {
+        return result;
+    } else {
+        return iterateHash(result, key, count);
+    }
+}
+
+
+function shortToArrayBuffer(number) {
+    return new Uint16Array([number]).buffer;
+}
+
+function getEncodedChunk(hash, offset) {
+    var chunk = ( hash[offset]   * Math.pow(2,32) +
+                  hash[offset+1] * Math.pow(2,24) +
+                  hash[offset+2] * Math.pow(2,16) +
+                  hash[offset+3] * Math.pow(2,8) +
+                  hash[offset+4] ) % 100000;
+    var s = chunk.toString();
+    while (s.length < 5) {
+        s = '0' + s;
+    }
+    return s;
+}
+
+async function getDisplayStringFor(identifier, key, iterations) {
+    const bytes = Buffer.concat([
+        shortToArrayBuffer(VERSION),
+        key,
+        identifier
+    ]);
+    const arraybuf = (new Uint8Array(bytes)).buffer;
+    const output = new Uint8Array(await iterateHash(arraybuf, key, iterations));
+    return getEncodedChunk(output, 0) +
+        getEncodedChunk(output, 5) +
+        getEncodedChunk(output, 10) +
+        getEncodedChunk(output, 15) +
+        getEncodedChunk(output, 20) +
+        getEncodedChunk(output, 25);
+}
+
+exports.FingerprintGenerator = function(iterations) {
+    this.iterations = iterations;
+};
+
+exports.FingerprintGenerator.prototype = {
+    createFor: function(localIdentifier, localIdentityKey,
+                        remoteIdentifier, remoteIdentityKey) {
+        if (typeof localIdentifier !== 'string' ||
+            typeof remoteIdentifier !== 'string' ||
+            !(localIdentityKey instanceof ArrayBuffer) ||
+            !(remoteIdentityKey instanceof ArrayBuffer)) {
+          throw new Error('Invalid arguments');
+        }
+
+        return Promise.all([
+            getDisplayStringFor(localIdentifier, localIdentityKey, this.iterations),
+            getDisplayStringFor(remoteIdentifier, remoteIdentityKey, this.iterations)
+        ]).then(function(fingerprints) {
+            return fingerprints.sort().join('');
+        });
+    }
+};

package/src/protobufs.js

@@ -0,0 +1,10 @@
+'use strict';
+
+const {
+    textsecure: {
+        WhisperMessage,
+        PreKeyWhisperMessage
+    }
+} = require('./WhisperTextProtocol.js');
+
+module.exports = { WhisperMessage, PreKeyWhisperMessage };

package/src/protocol_address.js

@@ -0,0 +1,40 @@
+// vim: ts=4:sw=4:expandtab
+
+
+class ProtocolAddress {
+
+    static from(encodedAddress) {
+        if (typeof encodedAddress !== 'string' || !encodedAddress.match(/.*\.\d+/)) {
+            throw new Error('Invalid address encoding');
+        }
+        const parts = encodedAddress.split('.');
+        return new this(parts[0], parseInt(parts[1]));
+    }
+
+    constructor(id, deviceId) {
+        if (typeof id !== 'string') {
+            throw new TypeError('id required for addr');
+        }
+        if (id.indexOf('.') !== -1) {
+            throw new TypeError('encoded addr detected');
+        }
+        this.id = id;
+        if (typeof deviceId !== 'number') {
+            throw new TypeError('number required for deviceId');
+        }
+        this.deviceId = deviceId;
+    }
+
+    toString() {
+        return `${this.id}.${this.deviceId}`;
+    }
+
+    is(other) {
+        if (!(other instanceof ProtocolAddress)) {
+            return false;
+        }
+        return other.id === this.id && other.deviceId === this.deviceId;
+    }
+}
+
+module.exports = ProtocolAddress;

package/src/queue_job.js

@@ -0,0 +1,69 @@
+// vim: ts=4:sw=4:expandtab
+ 
+ /*
+  * jobQueue manages multiple queues indexed by device to serialize
+  * session io ops on the database.
+  */
+'use strict';
+
+
+const _queueAsyncBuckets = new Map();
+const _gcLimit = 10000;
+
+async function _asyncQueueExecutor(queue, cleanup) {
+    let offt = 0;
+    while (true) {
+        let limit = Math.min(queue.length, _gcLimit); // Break up thundering hurds for GC duty.
+        for (let i = offt; i < limit; i++) {
+            const job = queue[i];
+            try {
+                job.resolve(await job.awaitable());
+            } catch(e) {
+                job.reject(e);
+            }
+        }
+        if (limit < queue.length) {
+            /* Perform lazy GC of queue for faster iteration. */
+            if (limit >= _gcLimit) {
+                queue.splice(0, limit);
+                offt = 0;
+            } else {
+                offt = limit;
+            }
+        } else {
+            break;
+        }
+    }
+    cleanup();
+}
+
+module.exports = function(bucket, awaitable) {
+    /* Run the async awaitable only when all other async calls registered
+     * here have completed (or thrown).  The bucket argument is a hashable
+     * key representing the task queue to use. */
+    if (!awaitable.name) {
+        // Make debuging easier by adding a name to this function.
+        Object.defineProperty(awaitable, 'name', {writable: true});
+        if (typeof bucket === 'string') {
+            awaitable.name = bucket;
+        } else {
+            console.warn("Unhandled bucket type (for naming):", typeof bucket, bucket);
+        }
+    }
+    let inactive;
+    if (!_queueAsyncBuckets.has(bucket)) {
+        _queueAsyncBuckets.set(bucket, []);
+        inactive = true;
+    }
+    const queue = _queueAsyncBuckets.get(bucket);
+    const job = new Promise((resolve, reject) => queue.push({
+        awaitable,
+        resolve,
+        reject
+    }));
+    if (inactive) {
+        /* An executor is not currently active; Start one now. */
+        _asyncQueueExecutor(queue, () => _queueAsyncBuckets.delete(bucket));
+    }
+    return job;
+};

package/src/session_builder.js

@@ -0,0 +1,164 @@
+
+'use strict';
+
+const BaseKeyType = require('./base_key_type');
+const ChainType = require('./chain_type');
+const SessionRecord = require('./session_record');
+const crypto = require('./crypto');
+const curve = require('./curve');
+const errors = require('./errors');
+const queueJob = require('./queue_job');
+
+
+class SessionBuilder {
+
+    constructor(storage, protocolAddress) {
+        this.addr = protocolAddress;
+        this.storage = storage;
+    }
+
+    async initOutgoing(device) {
+        const fqAddr = this.addr.toString();
+        return await queueJob(fqAddr, async () => {
+            if (!await this.storage.isTrustedIdentity(this.addr.id, device.identityKey)) {
+                throw new errors.UntrustedIdentityKeyError(this.addr.id, device.identityKey);
+            }
+            curve.verifySignature(device.identityKey, device.signedPreKey.publicKey,
+                                  device.signedPreKey.signature);
+            const baseKey = curve.generateKeyPair();
+            const devicePreKey = device.preKey && device.preKey.publicKey;
+            const session = await this.initSession(true, baseKey, undefined, device.identityKey,
+                                                   devicePreKey, device.signedPreKey.publicKey,
+                                                   device.registrationId);
+            session.pendingPreKey = {
+                signedKeyId: device.signedPreKey.keyId,
+                baseKey: baseKey.pubKey
+            };
+            if (device.preKey) {
+                session.pendingPreKey.preKeyId = device.preKey.keyId;
+            }
+            let record = await this.storage.loadSession(fqAddr);
+            if (!record) {
+                record = new SessionRecord();
+            } else {
+                const openSession = record.getOpenSession();
+                if (openSession) {
+                    //console.warn("Closing stale open session for new outgoing prekey bundle");
+                    record.closeSession(openSession);
+                }
+            }
+            record.setSession(session);
+            await this.storage.storeSession(fqAddr, record);
+        });
+    }
+
+    async initIncoming(record, message) {
+        const fqAddr = this.addr.toString();
+        if (!await this.storage.isTrustedIdentity(fqAddr, message.identityKey)) {
+            throw new errors.UntrustedIdentityKeyError(this.addr.id, message.identityKey);
+        }
+        if (record.getSession(message.baseKey)) {
+            // This just means we haven't replied.
+            return;
+        }
+        const preKeyPair = await this.storage.loadPreKey(message.preKeyId);
+        if (message.preKeyId && !preKeyPair) {
+            throw new errors.PreKeyError('Invalid PreKey ID');
+        }   
+        const signedPreKeyPair = await this.storage.loadSignedPreKey(message.signedPreKeyId);
+        if (!signedPreKeyPair) { 
+            throw new errors.PreKeyError("Missing SignedPreKey");
+        }   
+        const existingOpenSession = record.getOpenSession();
+        if (existingOpenSession) {
+            //console.warn("Closing open session in favor of incoming prekey bundle");
+            record.closeSession(existingOpenSession);
+        }
+        record.setSession(await this.initSession(false, preKeyPair, signedPreKeyPair,
+                                                 message.identityKey, message.baseKey,
+                                                 undefined, message.registrationId));
+        return message.preKeyId;
+    }
+
+    async initSession(isInitiator, ourEphemeralKey, ourSignedKey, theirIdentityPubKey,
+                      theirEphemeralPubKey, theirSignedPubKey, registrationId) {
+        if (isInitiator) {
+            if (ourSignedKey) {
+                throw new Error("Invalid call to initSession");
+            }
+            ourSignedKey = ourEphemeralKey;
+        } else {
+            if (theirSignedPubKey) {
+                throw new Error("Invalid call to initSession");
+            }
+            theirSignedPubKey = theirEphemeralPubKey;
+        }
+        let sharedSecret;
+        if (!ourEphemeralKey || !theirEphemeralPubKey) {
+            sharedSecret = new Uint8Array(32 * 4);
+        } else {
+            sharedSecret = new Uint8Array(32 * 5);
+        }
+        for (var i = 0; i < 32; i++) {
+            sharedSecret[i] = 0xff;
+        }
+        const ourIdentityKey = await this.storage.getOurIdentity();
+        const a1 = curve.calculateAgreement(theirSignedPubKey, ourIdentityKey.privKey);
+        const a2 = curve.calculateAgreement(theirIdentityPubKey, ourSignedKey.privKey);
+        const a3 = curve.calculateAgreement(theirSignedPubKey, ourSignedKey.privKey);
+        if (isInitiator) {
+            sharedSecret.set(new Uint8Array(a1), 32);
+            sharedSecret.set(new Uint8Array(a2), 32 * 2);
+        } else {
+            sharedSecret.set(new Uint8Array(a1), 32 * 2);
+            sharedSecret.set(new Uint8Array(a2), 32);
+        }
+        sharedSecret.set(new Uint8Array(a3), 32 * 3);
+        if (ourEphemeralKey && theirEphemeralPubKey) {
+            const a4 = curve.calculateAgreement(theirEphemeralPubKey, ourEphemeralKey.privKey);
+            sharedSecret.set(new Uint8Array(a4), 32 * 4);
+        }
+        const masterKey = crypto.deriveSecrets(Buffer.from(sharedSecret), Buffer.alloc(32),
+                                               Buffer.from("WhisperText"));
+        const session = SessionRecord.createEntry();
+        session.registrationId = registrationId;
+        session.currentRatchet = {
+            rootKey: masterKey[0],
+            ephemeralKeyPair: isInitiator ? curve.generateKeyPair() : ourSignedKey,
+            lastRemoteEphemeralKey: theirSignedPubKey,
+            previousCounter: 0
+        };
+        session.indexInfo = {
+            created: Date.now(),
+            used: Date.now(),
+            remoteIdentityKey: theirIdentityPubKey,
+            baseKey: isInitiator ? ourEphemeralKey.pubKey : theirEphemeralPubKey,
+            baseKeyType: isInitiator ? BaseKeyType.OURS : BaseKeyType.THEIRS,
+            closed: -1
+        };
+        if (isInitiator) {
+            // If we're initiating we go ahead and set our first sending ephemeral key now,
+            // otherwise we figure it out when we first maybeStepRatchet with the remote's
+            // ephemeral key
+            this.calculateSendingRatchet(session, theirSignedPubKey);
+        }
+        return session;
+    }
+
+    calculateSendingRatchet(session, remoteKey) {
+        const ratchet = session.currentRatchet;
+        const sharedSecret = curve.calculateAgreement(remoteKey, ratchet.ephemeralKeyPair.privKey);
+        const masterKey = crypto.deriveSecrets(sharedSecret, ratchet.rootKey, Buffer.from("WhisperRatchet"));
+        session.addChain(ratchet.ephemeralKeyPair.pubKey, {
+            messageKeys: {},
+            chainKey: {
+                counter: -1,
+                key: masterKey[1]
+            },
+            chainType: ChainType.SENDING
+        });
+        ratchet.rootKey = masterKey[0];
+    }
+}
+
+module.exports = SessionBuilder;