keejef
/
session-ios
mirror of https://github.com/oxen-io/session-ios
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dev
master
voice-calls-2
voice-calls
authentication
2.5.0
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.2
2.3.1
2.3.0
2.2.14
2.2.13
2.2.12
2.2.11
2.2.10
2.2.9
2.2.6
2.2.4
2.2.2
2.2.1
2.2.0
2.1.1
2.0.3
2.0.2
2.0.1
2.0.0
1.0.0-alpha.1
audit-2
audit
2.6.2
2.6.1
2.6.0
2.2.8
2.2.7
2.2.5
2.2.3
2.1.0
1.9.7
1.9.6
1.9.5
1.9.4
1.9.3
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.8
1.7.7
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.0
1.6.5
1.6.4
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1-beta
1.5.0-beta
1.5.0
1.4.7
1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.0-beta
1.4.0
1.3.0-alpha.1
1.3.0
1.2.6
1.2.5
1.2.4
1.2.3
1.2.1
1.2.0-alpha.2
1.2.0-alpha.1
1.2.0
1.13.0
1.12.9
1.12.8
1.12.7
1.12.6
1.12.5
1.12.4
1.12.2
1.12.1
1.11.9
1.11.8
1.11.7
1.11.6
1.11.5
1.11.4
1.11.3
1.11.24
1.11.23
1.11.22
1.11.21
1.11.20
1.11.2
1.11.19
1.11.18
1.11.17
1.11.16
1.11.15
1.11.14
1.11.13
1.11.12
1.11.11
1.11.10
1.11.1
1.11.0
1.10.2
1.10.1
1.10.0
1.1.0-alpha.4
1.1.0-alpha.3
1.1.0-alpha.2
1.1.0-alpha.1
1.1.0
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0-alpha.3
1.0.0-alpha.2
1.0.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'faa8918cd4'
${ noResults }
session-ios/SessionMessagingKit/Utilities/Sodium+Utilities.swift

221 lines
10 KiB
Swift
Raw Normal View History Unescape Escape

Add X25519 conversion to Sodium
4 years ago
import Clibsodium
import Sodium
extension Sign {
/**
Converts an Ed25519 public key to an X25519 public key.
- Parameter ed25519PublicKey: The Ed25519 public key to convert.
- Returns: The X25519 public key if conversion is successful.
*/
public func toX25519(ed25519PublicKey: PublicKey) -> PublicKey? {
var x25519PublicKey = PublicKey(repeating: 0, count: 32)
// FIXME: It'd be nice to check the exit code here, but all the properties of the object
// returned by the call below are internal.
let _ = crypto_sign_ed25519_pk_to_curve25519 (
&x25519PublicKey,
ed25519PublicKey
)
Additional encryption work on id blinding Got the updated blinding logic working (at least when authenticating a request - still need to deal with message signing and verification) Storing the server capabilities in the database now so we can correctly blind requests based on them Renamed the remaining 'v2' functions and classes to just be 'OpenGroup' since there isn't a 'V2' anymore Cleaned up a few TODOs and functions
2 years ago
Add X25519 conversion to Sodium
4 years ago
return x25519PublicKey
}
/**
Converts an Ed25519 secret key to an X25519 secret key.
- Parameter ed25519SecretKey: The Ed25519 secret key to convert.
- Returns: The X25519 secret key if conversion is successful.
*/
public func toX25519(ed25519SecretKey: SecretKey) -> SecretKey? {
var x25519SecretKey = SecretKey(repeating: 0, count: 32)
// FIXME: It'd be nice to check the exit code here, but all the properties of the object
// returned by the call below are internal.
let _ = crypto_sign_ed25519_sk_to_curve25519 (
&x25519SecretKey,
ed25519SecretKey
)
return x25519SecretKey
}
}
Added code to support generating a derived key for id blinding
2 years ago
extension Sodium {
Additional encryption work on id blinding Got the updated blinding logic working (at least when authenticating a request - still need to deal with message signing and verification) Storing the server capabilities in the database now so we can correctly blind requests based on them Renamed the remaining 'v2' functions and classes to just be 'OpenGroup' since there isn't a 'V2' anymore Cleaned up a few TODOs and functions
2 years ago
private static let scalarLength: Int = Int(crypto_core_ed25519_scalarbytes()) // 32
private static let noClampLength: Int = Int(crypto_scalarmult_ed25519_bytes()) // 32
private static let scalarMultLength: Int = Int(crypto_scalarmult_bytes()) // 32
private static let publicKeyLength: Int = Int(crypto_scalarmult_bytes()) // 32
private static let secretKeyLength: Int = Int(crypto_sign_secretkeybytes()) // 64
Updated to the latest blinding behaviour Added a couple more dependencies for unit testing injection Updated the MessageSender to set the sender of the message to the appropriate blinded/unblinded key Updated the OpenGroup Message to handle verification of both blinded and unblinded messages Updated the MessageSender to use dependency injection for it's sendToOpenGroupDestination method Updated the JSONDecoder to support getting dependencies (for signature verification) Fixed tests broken by updating the signing logic
2 years ago
/// Constructs a "blinded" key pair (`ka, kA`) based on an open group server `publicKey` and an ed25519 `keyPair`
Additional encryption work on id blinding Got the updated blinding logic working (at least when authenticating a request - still need to deal with message signing and verification) Storing the server capabilities in the database now so we can correctly blind requests based on them Renamed the remaining 'v2' functions and classes to just be 'OpenGroup' since there isn't a 'V2' anymore Cleaned up a few TODOs and functions
2 years ago
public func blindedKeyPair(serverPublicKey: String, edKeyPair: Box.KeyPair, genericHash: GenericHashType) -> Box.KeyPair? {
guard edKeyPair.publicKey.count == Sodium.publicKeyLength && edKeyPair.secretKey.count == Sodium.secretKeyLength else {
return nil
}
/// 64-byte blake2b hash then reduce to get the blinding factor:
/// k = salt.crypto_core_ed25519_scalar_reduce(blake2b(server_pk, digest_size=64).digest())
guard let serverPubKeyData: Data = serverPublicKey.dataFromHex() else { return nil }
guard let serverPublicKeyHashBytes: Bytes = genericHash.hash(message: [UInt8](serverPubKeyData), outputLength: 64) else {
return nil
}
/// Reduce the server public key into an ed25519 scalar (`k`)
let kPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
let kResult = serverPublicKeyHashBytes.withUnsafeBytes { (serverPublicKeyHashPtr: UnsafeRawBufferPointer) -> Int32 in
guard let serverPublicKeyHashBaseAddress: UnsafePointer<UInt8> = serverPublicKeyHashPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
return -1
}
crypto_core_ed25519_scalar_reduce(kPtr, serverPublicKeyHashBaseAddress)
return 0
}
/// Ensure the above worked
guard kResult == 0 else { return nil }
/// Calculate k*a. To get 'a' (the Ed25519 private key scalar) we call the sodium function to
/// convert to an *x* secret key, which seems wrong--but isn't because converted keys use the
/// same secret scalar secret. (And so this is just the most convenient way to get 'a' out of
/// a sodium Ed25519 secret key).
/// a = s.to_curve25519_private_key().encode()
let secretKeyBytes: Bytes = [UInt8](edKeyPair.secretKey)
let aPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarMultLength)
let aResult = secretKeyBytes.withUnsafeBytes { (secretKeyPtr: UnsafeRawBufferPointer) -> Int32 in
guard let secretKeyBaseAddress: UnsafePointer<UInt8> = secretKeyPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
return -1
}
return crypto_sign_ed25519_sk_to_curve25519(aPtr, secretKeyBaseAddress)
}
/// Ensure the above worked
guard aResult == 0 else { return nil }
/// Generate the blinded key pair `ka`, `kA`
let kaPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.secretKeyLength)
let kAPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.publicKeyLength)
crypto_core_ed25519_scalar_mul(kaPtr, kPtr, aPtr)
guard crypto_scalarmult_ed25519_base_noclamp(kAPtr, kaPtr) == 0 else { return nil }
return Box.KeyPair(
publicKey: Data(bytes: kAPtr, count: Sodium.publicKeyLength).bytes,
secretKey: Data(bytes: kaPtr, count: Sodium.secretKeyLength).bytes
)
}
/// Constructs an Ed25519 signature from a root Ed25519 key and a blinded scalar/pubkey pair, with one tweak to the
/// construction: we add kA into the hashed value that yields r so that we have domain separation for different blinded
/// pubkeys (This doesn't affect verification at all).
public func sogsSignature(message: Bytes, secretKey: Bytes, blindedSecretKey ka: Bytes, blindedPublicKey kA: Bytes) -> Bytes? {
/// H_rh = sha512(s.encode()).digest()[32:]
let H_rh: Bytes = Bytes(secretKey.sha512().suffix(32))
/// r = salt.crypto_core_ed25519_scalar_reduce(sha512_multipart(H_rh, kA, message_parts))
let combinedHashBytes: Bytes = (H_rh + kA + message).sha512()
let rPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
let rResult = combinedHashBytes.withUnsafeBytes { (combinedHashPtr: UnsafeRawBufferPointer) -> Int32 in
guard let combinedHashBaseAddress: UnsafePointer<UInt8> = combinedHashPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
return -1
}
crypto_core_ed25519_scalar_reduce(rPtr, combinedHashBaseAddress)
return 0
}
/// Ensure the above worked
guard rResult == 0 else { return nil }
/// sig_R = salt.crypto_scalarmult_ed25519_base_noclamp(r)
let sig_RPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.noClampLength)
guard crypto_scalarmult_ed25519_base_noclamp(sig_RPtr, rPtr) == 0 else { return nil }
/// HRAM = salt.crypto_core_ed25519_scalar_reduce(sha512_multipart(sig_R, kA, message_parts))
let sig_RBytes: Bytes = Data(bytes: sig_RPtr, count: Sodium.noClampLength).bytes
let HRAMHashBytes: Bytes = (sig_RBytes + kA + message).sha512()
let HRAMPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
let HRAMResult = HRAMHashBytes.withUnsafeBytes { (HRAMHashPtr: UnsafeRawBufferPointer) -> Int32 in
guard let HRAMHashBaseAddress: UnsafePointer<UInt8> = HRAMHashPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
return -1
}
crypto_core_ed25519_scalar_reduce(HRAMPtr, HRAMHashBaseAddress)
return 0
}
/// Ensure the above worked
guard HRAMResult == 0 else { return nil }
/// sig_s = salt.crypto_core_ed25519_scalar_add(r, salt.crypto_core_ed25519_scalar_mul(HRAM, ka))
let sig_sMulPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
let sig_sPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
let sig_sResult = ka.withUnsafeBytes { (kaPtr: UnsafeRawBufferPointer) -> Int32 in
guard let kaBaseAddress: UnsafePointer<UInt8> = kaPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
return -1
}
crypto_core_ed25519_scalar_mul(sig_sMulPtr, HRAMPtr, kaBaseAddress)
crypto_core_ed25519_scalar_add(sig_sPtr, rPtr, sig_sMulPtr)
return 0
}
guard sig_sResult == 0 else { return nil }
/// full_sig = sig_R + sig_s
return (Data(bytes: sig_RPtr, count: Sodium.noClampLength).bytes + Data(bytes: sig_sPtr, count: Sodium.scalarLength).bytes)
}
Updated to the latest blinding behaviour Added a couple more dependencies for unit testing injection Updated the MessageSender to set the sender of the message to the appropriate blinded/unblinded key Updated the OpenGroup Message to handle verification of both blinded and unblinded messages Updated the MessageSender to use dependency injection for it's sendToOpenGroupDestination method Updated the JSONDecoder to support getting dependencies (for signature verification) Fixed tests broken by updating the signing logic
2 years ago
// TODO: Determine if we still need this? (To generate the `kB` value for the `/inbox` API????)
public func sharedEdSecret(_ firstKeyBytes: [UInt8], _ secondKeyBytes: [UInt8]) -> Bytes? {
Additional encryption work on id blinding Got the updated blinding logic working (at least when authenticating a request - still need to deal with message signing and verification) Storing the server capabilities in the database now so we can correctly blind requests based on them Renamed the remaining 'v2' functions and classes to just be 'OpenGroup' since there isn't a 'V2' anymore Cleaned up a few TODOs and functions
2 years ago
let sharedSecretPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.noClampLength)
let result = secondKeyBytes.withUnsafeBytes { (secondKeyPtr: UnsafeRawBufferPointer) -> Int32 in
return firstKeyBytes.withUnsafeBytes { (firstKeyPtr: UnsafeRawBufferPointer) -> Int32 in
guard let firstKeyBaseAddress: UnsafePointer<UInt8> = firstKeyPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
return -1
}
guard let secondKeyBaseAddress: UnsafePointer<UInt8> = secondKeyPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
return -1
}
return crypto_scalarmult_ed25519_noclamp(sharedSecretPtr, firstKeyBaseAddress, secondKeyBaseAddress)
}
}
guard result == 0 else { return nil }
Updated to the latest blinding behaviour Added a couple more dependencies for unit testing injection Updated the MessageSender to set the sender of the message to the appropriate blinded/unblinded key Updated the OpenGroup Message to handle verification of both blinded and unblinded messages Updated the MessageSender to use dependency injection for it's sendToOpenGroupDestination method Updated the JSONDecoder to support getting dependencies (for signature verification) Fixed tests broken by updating the signing logic
2 years ago
return Data(bytes: sharedSecretPtr, count: Sodium.scalarMultLength).bytes
Added code to support generating a derived key for id blinding
2 years ago
}
}
Started work on updated SOGS support Split the OpenGroupAPIV2 into separate files Started working on the new auth and blinded-id approaches (new auth working with un-blinded id suggesting blinded-id code is incorrect) Updated the SOGS request/response types to use Codable Updated the SOGS Request type to use enums instead of strings for keys (to reduce likelihood of typos breaking things) Updated SessionMessagingKit to use Codable and JSONEncoder/JSONDecoder instead of the legacy JSONSerialization Cleaned up some naming conventions in the SessionMessagingKit (calling a URLRequest body 'parameters' is very confusing...) Removed the custom TSRequest class (just using standard URLRequest everywhere instead) Added a number of extension functions to enable some more functional-coding styles Added extensions to Sodium methods to allow scalar multiplication and the ability to hash providing a salt and a personalisation value (both needed for new SOGS auth) Fixed an issue where the legacy auth for SOGS could crash due to threading issues (multiple threads accessing the same variable) Fixed an issue where if you were in two rooms in a single SOGS and deleted one of them, the other room would stop getting updates as the server public key was getting removed
2 years ago
extension GenericHash {
public func hashSaltPersonal(
message: Bytes,
outputLength: Int,
key: Bytes? = nil,
salt: Bytes,
personal: Bytes
) -> Bytes? {
var output: [UInt8] = [UInt8](repeating: 0, count: outputLength)
let result = crypto_generichash_blake2b_salt_personal(
&output,
outputLength,
message,
UInt64(message.count),
key,
(key?.count ?? 0),
salt,
personal
)
guard result == 0 else { return nil }
return output
}
}