mirror of https://github.com/oxen-io/session-ios
				
				
				
			
			You cannot select more than 25 topics
			Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
		
		
		
		
		
			
		
			
				
	
	
		
			289 lines
		
	
	
		
			15 KiB
		
	
	
	
		
			Swift
		
	
			
		
		
	
	
			289 lines
		
	
	
		
			15 KiB
		
	
	
	
		
			Swift
		
	
| // Copyright © 2022 Rangeproof Pty Ltd. All rights reserved.
 | |
| 
 | |
| import Foundation
 | |
| import Clibsodium
 | |
| import Sodium
 | |
| import Curve25519Kit
 | |
| import SessionUtilitiesKit
 | |
| 
 | |
| /// These extenion methods are used to generate a sign "blinded" messages
 | |
| ///
 | |
| /// According to the Swift engineers the only situation when `UnsafeRawBufferPointer.baseAddress` is nil is when it's an
 | |
| /// empty collection; as such our guard cases wihch return `-1` when unwrapping this value should never be hit and we can ignore
 | |
| /// them as possible results.
 | |
| ///
 | |
| /// For more information see:
 | |
| /// https://forums.swift.org/t/when-is-unsafemutablebufferpointer-baseaddress-nil/32136/5
 | |
| /// https://github.com/apple/swift-evolution/blob/master/proposals/0055-optional-unsafe-pointers.md#unsafebufferpointer
 | |
| extension Sodium {
 | |
|     private static let scalarLength: Int = Int(crypto_core_ed25519_scalarbytes())   // 32
 | |
|     private static let noClampLength: Int = Int(Sodium.lib_crypto_scalarmult_ed25519_bytes())  // 32
 | |
|     private static let scalarMultLength: Int = Int(crypto_scalarmult_bytes())       // 32
 | |
|     private static let publicKeyLength: Int = Int(crypto_scalarmult_bytes())        // 32
 | |
|     private static let secretKeyLength: Int = Int(crypto_sign_secretkeybytes())     // 64
 | |
|     
 | |
|     /// 64-byte blake2b hash then reduce to get the blinding factor
 | |
|     public func generateBlindingFactor(serverPublicKey: String, genericHash: GenericHashType) -> Bytes? {
 | |
|         /// k = salt.crypto_core_ed25519_scalar_reduce(blake2b(server_pk, digest_size=64).digest())
 | |
|         let serverPubKeyData: Data = Data(hex: serverPublicKey)
 | |
|         
 | |
|         guard !serverPubKeyData.isEmpty, let serverPublicKeyHashBytes: Bytes = genericHash.hash(message: [UInt8](serverPubKeyData), outputLength: 64) else {
 | |
|             return nil
 | |
|         }
 | |
|         
 | |
|         /// Reduce the server public key into an ed25519 scalar (`k`)
 | |
|         let kPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
 | |
|         
 | |
|         _ = serverPublicKeyHashBytes.withUnsafeBytes { (serverPublicKeyHashPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|             guard let serverPublicKeyHashBaseAddress: UnsafePointer<UInt8> = serverPublicKeyHashPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                 return -1   // Impossible case (refer to comments at top of extension)
 | |
|             }
 | |
|             
 | |
|             Sodium.lib_crypto_core_ed25519_scalar_reduce(kPtr, serverPublicKeyHashBaseAddress)
 | |
|             return 0
 | |
|         }
 | |
|         
 | |
|         return Data(bytes: kPtr, count: Sodium.scalarLength).bytes
 | |
|     }
 | |
|     
 | |
|     /// Calculate k*a.  To get 'a' (the Ed25519 private key scalar) we call the sodium function to
 | |
|     /// convert to an *x* secret key, which seems wrong--but isn't because converted keys use the
 | |
|     /// same secret scalar secret (and so this is just the most convenient way to get 'a' out of
 | |
|     /// a sodium Ed25519 secret key)
 | |
|     func generatePrivateKeyScalar(secretKey: Bytes) -> Bytes {
 | |
|         /// a = s.to_curve25519_private_key().encode()
 | |
|         let aPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarMultLength)
 | |
|         
 | |
|         /// Looks like the `crypto_sign_ed25519_sk_to_curve25519` function can't actually fail so no need to verify the result
 | |
|         /// See: https://github.com/jedisct1/libsodium/blob/master/src/libsodium/crypto_sign/ed25519/ref10/keypair.c#L70
 | |
|         _ = secretKey.withUnsafeBytes { (secretKeyPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|             guard let secretKeyBaseAddress: UnsafePointer<UInt8> = secretKeyPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                 return -1   // Impossible case (refer to comments at top of extension)
 | |
|             }
 | |
|             
 | |
|             return crypto_sign_ed25519_sk_to_curve25519(aPtr, secretKeyBaseAddress)
 | |
|         }
 | |
|         
 | |
|         return Data(bytes: aPtr, count: Sodium.scalarMultLength).bytes
 | |
|     }
 | |
|     
 | |
|     /// Constructs a "blinded" key pair (`ka, kA`) based on an open group server `publicKey` and an ed25519 `keyPair`
 | |
|     public func blindedKeyPair(serverPublicKey: String, edKeyPair: Box.KeyPair, genericHash: GenericHashType) -> Box.KeyPair? {
 | |
|         guard edKeyPair.publicKey.count == Sodium.publicKeyLength && edKeyPair.secretKey.count == Sodium.secretKeyLength else {
 | |
|             return nil
 | |
|         }
 | |
|         guard let kBytes: Bytes = generateBlindingFactor(serverPublicKey: serverPublicKey, genericHash: genericHash) else {
 | |
|             return nil
 | |
|         }
 | |
|         let aBytes: Bytes = generatePrivateKeyScalar(secretKey: edKeyPair.secretKey)
 | |
|         
 | |
|         /// Generate the blinded key pair `ka`, `kA`
 | |
|         let kaPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.secretKeyLength)
 | |
|         let kAPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.publicKeyLength)
 | |
|         
 | |
|         _ = aBytes.withUnsafeBytes { (aPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|             return kBytes.withUnsafeBytes { (kPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|                 guard let kBaseAddress: UnsafePointer<UInt8> = kPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                     return -1   // Impossible case (refer to comments at top of extension)
 | |
|                 }
 | |
|                 guard let aBaseAddress: UnsafePointer<UInt8> = aPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                     return -1   // Impossible case (refer to comments at top of extension)
 | |
|                 }
 | |
|                 
 | |
|                 Sodium.lib_crypto_core_ed25519_scalar_mul(kaPtr, kBaseAddress, aBaseAddress)
 | |
|                 return 0
 | |
|             }
 | |
|         }
 | |
|         
 | |
|         guard crypto_scalarmult_ed25519_base_noclamp(kAPtr, kaPtr) == 0 else { return nil }
 | |
|         
 | |
|         return Box.KeyPair(
 | |
|             publicKey: Data(bytes: kAPtr, count: Sodium.publicKeyLength).bytes,
 | |
|             secretKey: Data(bytes: kaPtr, count: Sodium.secretKeyLength).bytes
 | |
|         )
 | |
|     }
 | |
|     
 | |
|     /// Constructs an Ed25519 signature from a root Ed25519 key and a blinded scalar/pubkey pair, with one tweak to the
 | |
|     /// construction: we add kA into the hashed value that yields r so that we have domain separation for different blinded
 | |
|     /// pubkeys (this doesn't affect verification at all)
 | |
|     public func sogsSignature(message: Bytes, secretKey: Bytes, blindedSecretKey ka: Bytes, blindedPublicKey kA: Bytes) -> Bytes? {
 | |
|         /// H_rh = sha512(s.encode()).digest()[32:]
 | |
|         let H_rh: Bytes = Bytes(secretKey.sha512().suffix(32))
 | |
| 
 | |
|         /// r = salt.crypto_core_ed25519_scalar_reduce(sha512_multipart(H_rh, kA, message_parts))
 | |
|         let combinedHashBytes: Bytes = (H_rh + kA + message).sha512()
 | |
|         let rPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
 | |
|         
 | |
|         _ = combinedHashBytes.withUnsafeBytes { (combinedHashPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|             guard let combinedHashBaseAddress: UnsafePointer<UInt8> = combinedHashPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                 return -1   // Impossible case (refer to comments at top of extension)
 | |
|             }
 | |
|             
 | |
|             Sodium.lib_crypto_core_ed25519_scalar_reduce(rPtr, combinedHashBaseAddress)
 | |
|             return 0
 | |
|         }
 | |
|         
 | |
|         /// sig_R = salt.crypto_scalarmult_ed25519_base_noclamp(r)
 | |
|         let sig_RPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.noClampLength)
 | |
|         guard crypto_scalarmult_ed25519_base_noclamp(sig_RPtr, rPtr) == 0 else { return nil }
 | |
|         
 | |
|         /// HRAM = salt.crypto_core_ed25519_scalar_reduce(sha512_multipart(sig_R, kA, message_parts))
 | |
|         let sig_RBytes: Bytes = Data(bytes: sig_RPtr, count: Sodium.noClampLength).bytes
 | |
|         let HRAMHashBytes: Bytes = (sig_RBytes + kA + message).sha512()
 | |
|         let HRAMPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
 | |
|         
 | |
|         _ = HRAMHashBytes.withUnsafeBytes { (HRAMHashPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|             guard let HRAMHashBaseAddress: UnsafePointer<UInt8> = HRAMHashPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                 return -1   // Impossible case (refer to comments at top of extension)
 | |
|             }
 | |
|             
 | |
|             Sodium.lib_crypto_core_ed25519_scalar_reduce(HRAMPtr, HRAMHashBaseAddress)
 | |
|             return 0
 | |
|         }
 | |
|         
 | |
|         /// sig_s = salt.crypto_core_ed25519_scalar_add(r, salt.crypto_core_ed25519_scalar_mul(HRAM, ka))
 | |
|         let sig_sMulPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
 | |
|         let sig_sPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.scalarLength)
 | |
|         
 | |
|         _ = ka.withUnsafeBytes { (kaPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|             guard let kaBaseAddress: UnsafePointer<UInt8> = kaPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                 return -1   // Impossible case (refer to comments at top of extension)
 | |
|             }
 | |
|             
 | |
|             Sodium.lib_crypto_core_ed25519_scalar_mul(sig_sMulPtr, HRAMPtr, kaBaseAddress)
 | |
|             Sodium.lib_crypto_core_ed25519_scalar_add(sig_sPtr, rPtr, sig_sMulPtr)
 | |
|             return 0
 | |
|         }
 | |
|         
 | |
|         /// full_sig = sig_R + sig_s
 | |
|         return (Data(bytes: sig_RPtr, count: Sodium.noClampLength).bytes + Data(bytes: sig_sPtr, count: Sodium.scalarLength).bytes)
 | |
|     }
 | |
|     
 | |
|     /// Combines two keys (`kA`)
 | |
|     public func combineKeys(lhsKeyBytes: Bytes, rhsKeyBytes: Bytes) -> Bytes? {
 | |
|         let combinedPtr: UnsafeMutablePointer<UInt8> = UnsafeMutablePointer<UInt8>.allocate(capacity: Sodium.noClampLength)
 | |
|         
 | |
|         let result = rhsKeyBytes.withUnsafeBytes { (rhsKeyBytesPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|             return lhsKeyBytes.withUnsafeBytes { (lhsKeyBytesPtr: UnsafeRawBufferPointer) -> Int32 in
 | |
|                 guard let lhsKeyBytesBaseAddress: UnsafePointer<UInt8> = lhsKeyBytesPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                     return -1   // Impossible case (refer to comments at top of extension)
 | |
|                 }
 | |
|                 guard let rhsKeyBytesBaseAddress: UnsafePointer<UInt8> = rhsKeyBytesPtr.baseAddress?.assumingMemoryBound(to: UInt8.self) else {
 | |
|                     return -1   // Impossible case (refer to comments at top of extension)
 | |
|                 }
 | |
|                 
 | |
|                 return Sodium.lib_crypto_scalarmult_ed25519_noclamp(combinedPtr, lhsKeyBytesBaseAddress, rhsKeyBytesBaseAddress)
 | |
|             }
 | |
|         }
 | |
|         
 | |
|         /// Ensure the above worked
 | |
|         guard result == 0 else { return nil }
 | |
|         
 | |
|         return Data(bytes: combinedPtr, count: Sodium.noClampLength).bytes
 | |
|     }
 | |
|     
 | |
|     /// Calculate a shared secret for a message from A to B:
 | |
|     ///
 | |
|     /// BLAKE2b(a kB || kA || kB)
 | |
|     ///
 | |
|     /// The receiver can calulate the same value via:
 | |
|     ///
 | |
|     /// BLAKE2b(b kA || kA || kB)
 | |
|     public func sharedBlindedEncryptionKey(secretKey: Bytes, otherBlindedPublicKey: Bytes, fromBlindedPublicKey kA: Bytes, toBlindedPublicKey kB: Bytes, genericHash: GenericHashType) -> Bytes? {
 | |
|         let aBytes: Bytes = generatePrivateKeyScalar(secretKey: secretKey)
 | |
|         
 | |
|         guard let combinedKeyBytes: Bytes = combineKeys(lhsKeyBytes: aBytes, rhsKeyBytes: otherBlindedPublicKey) else {
 | |
|             return nil
 | |
|         }
 | |
|         
 | |
|         return genericHash.hash(message: (combinedKeyBytes + kA + kB), outputLength: 32)
 | |
|     }
 | |
|     
 | |
|     /// This method should be used to check if a users standard sessionId matches a blinded one
 | |
|     public func sessionId(_ standardSessionId: String, matchesBlindedId blindedSessionId: String, serverPublicKey: String, genericHash: GenericHashType) -> Bool {
 | |
|         // Only support generating blinded keys for standard session ids
 | |
|         guard let sessionId: SessionId = SessionId(from: standardSessionId), sessionId.prefix == .standard else { return false }
 | |
|         guard let blindedId: SessionId = SessionId(from: blindedSessionId), blindedId.prefix == .blinded else { return false }
 | |
|         guard let kBytes: Bytes = generateBlindingFactor(serverPublicKey: serverPublicKey, genericHash: genericHash) else {
 | |
|             return false
 | |
|         }
 | |
| 
 | |
|         /// From the session id (ignoring 05 prefix) we have two possible ed25519 pubkeys; the first is the positive (which is what
 | |
|         /// Signal's XEd25519 conversion always uses)
 | |
|         ///
 | |
|         /// Note: The below method is code we have exposed from the `curve25519_verify` method within the Curve25519 library
 | |
|         /// rather than custom code we have written
 | |
|         guard let xEd25519Key: Data = try? Ed25519.publicKey(from: Data(hex: sessionId.publicKey)) else { return false }
 | |
|         
 | |
|         /// Blind the positive public key
 | |
|         guard let pk1: Bytes = combineKeys(lhsKeyBytes: kBytes, rhsKeyBytes: xEd25519Key.bytes) else { return false }
 | |
|         
 | |
|         /// For the negative, what we're going to get out of the above is simply the negative of pk1, so flip the sign bit to get pk2
 | |
|         ///     pk2 = pk1[0:31] + bytes([pk1[31] ^ 0b1000_0000])
 | |
|         let pk2: Bytes = (pk1[0..<31] + [(pk1[31] ^ 0b1000_0000)])
 | |
|         
 | |
|         return (
 | |
|             SessionId(.blinded, publicKey: pk1).publicKey == blindedId.publicKey ||
 | |
|             SessionId(.blinded, publicKey: pk2).publicKey == blindedId.publicKey
 | |
|         )
 | |
|     }
 | |
| }
 | |
| 
 | |
| extension GenericHash {
 | |
|     public func hashSaltPersonal(
 | |
|         message: Bytes,
 | |
|         outputLength: Int,
 | |
|         key: Bytes? = nil,
 | |
|         salt: Bytes,
 | |
|         personal: Bytes
 | |
|     ) -> Bytes? {
 | |
|         var output: [UInt8] = [UInt8](repeating: 0, count: outputLength)
 | |
|         
 | |
|         let result = crypto_generichash_blake2b_salt_personal(
 | |
|             &output,
 | |
|             outputLength,
 | |
|             message,
 | |
|             UInt64(message.count),
 | |
|             key,
 | |
|             (key?.count ?? 0),
 | |
|             salt,
 | |
|             personal
 | |
|         )
 | |
|         
 | |
|         guard result == 0 else { return nil }
 | |
|         
 | |
|         return output
 | |
|     }
 | |
| }
 | |
| 
 | |
| extension AeadXChaCha20Poly1305IetfType {
 | |
|     /// This method is the same as the standard AeadXChaCha20Poly1305IetfType `encrypt` method except it allows the
 | |
|     /// specification of a nonce which allows for deterministic behaviour with unit testing
 | |
|     public func encrypt(message: Bytes, secretKey: Bytes, nonce: Bytes, additionalData: Bytes? = nil) -> Bytes? {
 | |
|         guard secretKey.count == KeyBytes else { return nil }
 | |
| 
 | |
|         var authenticatedCipherText = Bytes(repeating: 0, count: message.count + ABytes)
 | |
|         var authenticatedCipherTextLen: UInt64 = 0
 | |
| 
 | |
|         let result = crypto_aead_xchacha20poly1305_ietf_encrypt(
 | |
|             &authenticatedCipherText, &authenticatedCipherTextLen,
 | |
|             message, UInt64(message.count),
 | |
|             additionalData, UInt64(additionalData?.count ?? 0),
 | |
|             nil, nonce, secretKey
 | |
|         )
 | |
|         
 | |
|         guard result == 0 else { return nil }
 | |
| 
 | |
|         return authenticatedCipherText
 | |
|     }
 | |
| }
 | |
| 
 | |
| extension Box.KeyPair: Equatable {
 | |
|     public static func == (lhs: Box.KeyPair, rhs: Box.KeyPair) -> Bool {
 | |
|         return (
 | |
|             lhs.publicKey == rhs.publicKey &&
 | |
|             lhs.secretKey == rhs.secretKey
 | |
|         )
 | |
|     }
 | |
| }
 |