From 7186f28019cacafcf00f01b5cc5416a702a38e80 Mon Sep 17 00:00:00 2001
From: sachaaaaa <sacha@loki.network>
Date: Thu, 7 Feb 2019 17:58:24 +1100
Subject: [PATCH 1/3] Ensure a session is always initiated using the prekey
 assigned to the contact

---
 libloki/storage.js                | 29 +++++++++++++++++++++++++++++
 libtextsecure/message_receiver.js | 15 ++++++++++++---
 libtextsecure/protobufs.js        |  1 +
 protos/WhisperTextProtocol.proto  | 28 ++++++++++++++++++++++++++++
 4 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 protos/WhisperTextProtocol.proto

diff --git a/libloki/storage.js b/libloki/storage.js
index e8870795c..8d61881bd 100644
--- a/libloki/storage.js
+++ b/libloki/storage.js
@@ -85,10 +85,39 @@
     ]);
   }
 
+  async function verifyFriendRequestAcceptPreKey(pubKey, buffer) {
+    const storedPreKey = await textsecure.storage.protocol.loadPreKeyForContact(
+      pubKey
+    );
+    if (!storedPreKey) {
+      throw new Error(
+        'Received a friend request from a pubkey for which no prekey bundle was created'
+      );
+    }
+    // need to pop the version
+    // eslint-disable-next-line no-unused-vars
+    const version = buffer.readUint8();
+    const preKeyProto = window.textsecure.protobuf.PreKeyWhisperMessage.decode(
+      buffer
+    );
+    if (!preKeyProto) {
+      throw new Error(
+        'Could not decode PreKeyWhisperMessage while attempting to match the preKeyId'
+      );
+    }
+    const { preKeyId } = preKeyProto;
+    if (storedPreKey.keyId !== preKeyId) {
+      throw new Error(
+        'Received a preKeyWhisperMessage (friend request accept) from an unknown source'
+      );
+    }
+  }
+
   window.libloki.storage = {
     getPreKeyBundleForContact,
     saveContactPreKeyBundle,
     removeContactPreKeyBundle,
+    verifyFriendRequestAcceptPreKey,
   };
 
   // Libloki protocol store
diff --git a/libtextsecure/message_receiver.js b/libtextsecure/message_receiver.js
index e0f308750..2e8bb94e4 100644
--- a/libtextsecure/message_receiver.js
+++ b/libtextsecure/message_receiver.js
@@ -730,9 +730,18 @@ MessageReceiver.prototype.extend({
       case textsecure.protobuf.Envelope.Type.PREKEY_BUNDLE:
         window.log.info('prekey message from', this.getEnvelopeId(envelope));
         promise = captureActiveSession(sessionCipher)
-          .then(() =>
-            this.decryptPreKeyWhisperMessage(ciphertext, sessionCipher, address)
-          )
+          .then(async () => {
+            const buffer = dcodeIO.ByteBuffer.wrap(ciphertext);
+            await window.libloki.storage.verifyFriendRequestAcceptPreKey(
+              envelope.source,
+              buffer
+            );
+            return this.decryptPreKeyWhisperMessage(
+              ciphertext,
+              sessionCipher,
+              address
+            );
+          })
           .then(handleSessionReset);
         break;
       case textsecure.protobuf.Envelope.Type.UNIDENTIFIED_SENDER:
diff --git a/libtextsecure/protobufs.js b/libtextsecure/protobufs.js
index 80c91e9e5..3622ff467 100644
--- a/libtextsecure/protobufs.js
+++ b/libtextsecure/protobufs.js
@@ -35,6 +35,7 @@
   loadProtoBufs('SignalService.proto');
   loadProtoBufs('SubProtocol.proto');
   loadProtoBufs('DeviceMessages.proto');
+  loadProtoBufs('WhisperTextProtocol.proto');
 
   // Just for encrypting device names
   loadProtoBufs('DeviceName.proto');
diff --git a/protos/WhisperTextProtocol.proto b/protos/WhisperTextProtocol.proto
new file mode 100644
index 000000000..1c3e97018
--- /dev/null
+++ b/protos/WhisperTextProtocol.proto
@@ -0,0 +1,28 @@
+package signalservice;
+
+option java_package = "org.whispersystems.libsignal.protocol";
+option java_outer_classname = "WhisperProtos";
+
+message WhisperMessage {
+  optional bytes  ephemeralKey    = 1;
+  optional uint32 counter         = 2;
+  optional uint32 previousCounter = 3;
+  optional bytes  ciphertext      = 4; // PushMessageContent
+}
+
+message PreKeyWhisperMessage {
+  optional uint32 registrationId = 5;
+  optional uint32 preKeyId       = 1;
+  optional uint32 signedPreKeyId = 6;
+  optional bytes  baseKey        = 2;
+  optional bytes  identityKey    = 3;
+  optional bytes  message        = 4; // WhisperMessage
+}
+
+message KeyExchangeMessage {
+  optional uint32 id               = 1;
+  optional bytes  baseKey          = 2;
+  optional bytes  ephemeralKey     = 3;
+  optional bytes  identityKey      = 4;
+  optional bytes  baseKeySignature = 5;
+}
\ No newline at end of file

From 2755ff06d89a5cff024d678f5a87534c6841a5d2 Mon Sep 17 00:00:00 2001
From: sachaaaaa <sacha@loki.network>
Date: Fri, 8 Feb 2019 14:21:44 +1100
Subject: [PATCH 2/3] remove messages from cache before throwing if the prekey
 id could not be verified

---
 libtextsecure/message_receiver.js | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/libtextsecure/message_receiver.js b/libtextsecure/message_receiver.js
index 2e8bb94e4..082f12b35 100644
--- a/libtextsecure/message_receiver.js
+++ b/libtextsecure/message_receiver.js
@@ -731,11 +731,16 @@ MessageReceiver.prototype.extend({
         window.log.info('prekey message from', this.getEnvelopeId(envelope));
         promise = captureActiveSession(sessionCipher)
           .then(async () => {
-            const buffer = dcodeIO.ByteBuffer.wrap(ciphertext);
-            await window.libloki.storage.verifyFriendRequestAcceptPreKey(
-              envelope.source,
-              buffer
-            );
+            try {
+              const buffer = dcodeIO.ByteBuffer.wrap(ciphertext);
+              await window.libloki.storage.verifyFriendRequestAcceptPreKey(
+                envelope.source,
+                buffer
+              );
+            } catch (e) {
+              await this.removeFromCache(envelope);
+              throw e;
+            }
             return this.decryptPreKeyWhisperMessage(
               ciphertext,
               sessionCipher,

From fdc51e88dd54c1671cd9ea31904a062b8b811f50 Mon Sep 17 00:00:00 2001
From: sachaaaaa <sacha@loki.network>
Date: Fri, 8 Feb 2019 16:36:33 +1100
Subject: [PATCH 3/3] only verify the prekey id when there is no current
 session active

---
 libtextsecure/message_receiver.js | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/libtextsecure/message_receiver.js b/libtextsecure/message_receiver.js
index 082f12b35..44d9081a5 100644
--- a/libtextsecure/message_receiver.js
+++ b/libtextsecure/message_receiver.js
@@ -731,15 +731,17 @@ MessageReceiver.prototype.extend({
         window.log.info('prekey message from', this.getEnvelopeId(envelope));
         promise = captureActiveSession(sessionCipher)
           .then(async () => {
-            try {
-              const buffer = dcodeIO.ByteBuffer.wrap(ciphertext);
-              await window.libloki.storage.verifyFriendRequestAcceptPreKey(
-                envelope.source,
-                buffer
-              );
-            } catch (e) {
-              await this.removeFromCache(envelope);
-              throw e;
+            if (!this.activeSessionBaseKey) {
+              try {
+                const buffer = dcodeIO.ByteBuffer.wrap(ciphertext);
+                await window.libloki.storage.verifyFriendRequestAcceptPreKey(
+                  envelope.source,
+                  buffer
+                );
+              } catch (e) {
+                await this.removeFromCache(envelope);
+                throw e;
+              }
             }
             return this.decryptPreKeyWhisperMessage(
               ciphertext,