keejef
/
session-ios
mirror of https://github.com/oxen-io/session-ios
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dev
voice-calls-2
voice-calls
authentication
2.5.0
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.2
2.3.1
2.3.0
2.2.14
2.2.13
2.2.12
2.2.11
2.2.10
2.2.9
2.2.6
2.2.4
2.2.2
2.2.1
2.2.0
2.1.1
2.0.3
2.0.2
2.0.1
2.0.0
1.0.0-alpha.1
audit-2
audit
2.8.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7.0
2.6.3
2.6.2
2.6.1
2.6.0
2.2.8
2.2.7
2.2.5
2.2.3
2.1.0
1.9.7
1.9.6
1.9.5
1.9.4
1.9.3
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.8
1.7.7
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.0
1.6.5
1.6.4
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1-beta
1.5.0-beta
1.5.0
1.4.7
1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.0-beta
1.4.0
1.3.0-alpha.1
1.3.0
1.2.6
1.2.5
1.2.4
1.2.3
1.2.1
1.2.0-alpha.2
1.2.0-alpha.1
1.2.0
1.13.0
1.12.9
1.12.8
1.12.7
1.12.6
1.12.5
1.12.4
1.12.2
1.12.1
1.11.9
1.11.8
1.11.7
1.11.6
1.11.5
1.11.4
1.11.3
1.11.24
1.11.23
1.11.22
1.11.21
1.11.20
1.11.2
1.11.19
1.11.18
1.11.17
1.11.16
1.11.15
1.11.14
1.11.13
1.11.12
1.11.11
1.11.10
1.11.1
1.11.0
1.10.2
1.10.1
1.10.0
1.1.0-alpha.4
1.1.0-alpha.3
1.1.0-alpha.2
1.1.0-alpha.1
1.1.0
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0-alpha.3
1.0.0-alpha.2
1.0.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f696e0e0bb'
${ noResults }
session-ios/SessionProtocolKit/Signal/SessionCipher.m

529 lines
22 KiB
Objective-C
Raw Blame History

//
// Copyright (c) 2018 Open Whisper Systems. All rights reserved.
//
#import "SessionCipher.h"
#import "AES-CBC.h"
#import "AxolotlExceptions.h"
#import "AxolotlParameters.h"
#import "ChainKey.h"
#import "MessageKeys.h"
#import "NSData+keyVersionByte.h"
#import "PreKeyStore.h"
#import "RootKey.h"
#import "SessionBuilder.h"
#import "SessionState.h"
#import "SessionStore.h"
#import "SignedPreKeyStore.h"
#import "WhisperMessage.h"
#import <Curve25519Kit/Curve25519.h>
#import <Curve25519Kit/Ed25519.h>
#import <HKDFKit/HKDFKit.h>
#import <SignalCoreKit/SCKExceptionWrapper.h>
#import <SignalCoreKit/SignalCoreKit.h>
#import <SignalCoreKit/OWSAsserts.h>
NS_ASSUME_NONNULL_BEGIN
@interface SessionCipher ()
@property (nonatomic, readonly) NSString *recipientId;
@property (nonatomic, readonly) int deviceId;
@property (nonatomic, readonly) id<IdentityKeyStore> identityKeyStore;
@property (nonatomic, readonly) id<SessionStore> sessionStore;
@property (nonatomic, readonly) SessionBuilder *sessionBuilder;
@property (nonatomic, readonly) id<PreKeyStore> prekeyStore;
@end
#pragma mark -
@implementation SessionCipher
- (instancetype)initWithAxolotlStore:(id<AxolotlStore>)sessionStore recipientId:(NSString*)recipientId deviceId:(int)deviceId{
OWSAssert(sessionStore);
OWSAssert(recipientId);
return [self initWithSessionStore:sessionStore
preKeyStore:sessionStore
signedPreKeyStore:sessionStore
identityKeyStore:sessionStore
recipientId:recipientId
deviceId:deviceId];
}
- (instancetype)initWithSessionStore:(id<SessionStore>)sessionStore
preKeyStore:(id<PreKeyStore>)preKeyStore
signedPreKeyStore:(id<SignedPreKeyStore>)signedPreKeyStore
identityKeyStore:(id<IdentityKeyStore>)identityKeyStore
recipientId:(NSString*)recipientId
deviceId:(int)deviceId{
OWSAssert(sessionStore);
OWSAssert(preKeyStore);
OWSAssert(signedPreKeyStore);
OWSAssert(identityKeyStore);
OWSAssert(recipientId);
self = [super init];
if (self){
_recipientId = recipientId;
_deviceId = deviceId;
_sessionStore = sessionStore;
_identityKeyStore = identityKeyStore;
_prekeyStore = preKeyStore;
_sessionBuilder = [[SessionBuilder alloc] initWithSessionStore:sessionStore
preKeyStore:preKeyStore
signedPreKeyStore:signedPreKeyStore
identityKeyStore:identityKeyStore
recipientId:recipientId
deviceId:deviceId];
}
return self;
}
- (nullable id<CipherMessage>)encryptMessage:(NSData *)paddedMessage
protocolContext:(nullable id)protocolContext
error:(NSError **)outError
{
__block id<CipherMessage> result;
[SCKExceptionWrapper
tryBlock:^{
result = [self throws_encryptMessage:paddedMessage protocolContext:protocolContext];
}
error:outError];
return result;
}
- (id<CipherMessage>)throws_encryptMessage:(NSData *)paddedMessage protocolContext:(nullable id)protocolContext
{
OWSAssert(paddedMessage);
SessionRecord *sessionRecord =
[self.sessionStore loadSession:self.recipientId deviceId:self.deviceId protocolContext:protocolContext];
SessionState *sessionState = sessionRecord.sessionState;
ChainKey *chainKey = sessionState.senderChainKey;
MessageKeys *messageKeys = [chainKey throws_messageKeys];
NSData *senderRatchetKey = sessionState.senderRatchetKey;
int previousCounter = sessionState.previousCounter;
int sessionVersion = sessionState.version;
if (![self.identityKeyStore isTrustedIdentityKey:sessionState.remoteIdentityKey
recipientId:self.recipientId
direction:TSMessageDirectionOutgoing
protocolContext:protocolContext]) {
DDLogWarn(
@"%@ Previously known identity key for while encrypting for recipient: %@", self.tag, self.recipientId);
@throw [NSException exceptionWithName:UntrustedIdentityKeyException
reason:@"There is a previously known identity key."
userInfo:@{}];
}
[self.identityKeyStore saveRemoteIdentity:sessionState.remoteIdentityKey
recipientId:self.recipientId
protocolContext:protocolContext];
NSData *ciphertextBody =
[AES_CBC throws_encryptCBCMode:paddedMessage withKey:messageKeys.cipherKey withIV:messageKeys.iv];
id<CipherMessage> cipherMessage =
[[WhisperMessage alloc] init_throws_withVersion:sessionVersion
macKey:messageKeys.macKey
senderRatchetKey:senderRatchetKey.prependKeyType
counter:chainKey.index
previousCounter:previousCounter
cipherText:ciphertextBody
senderIdentityKey:sessionState.localIdentityKey.prependKeyType
receiverIdentityKey:sessionState.remoteIdentityKey.prependKeyType];
if ([sessionState hasUnacknowledgedPreKeyMessage]) {
PendingPreKey *items = [sessionState unacknowledgedPreKeyMessageItems];
int localRegistrationId = [sessionState localRegistrationId];
DDLogInfo(@"Building PreKeyWhisperMessage for: %@ with preKeyId: %d", self.recipientId, items.preKeyId);
cipherMessage =
[[PreKeyWhisperMessage alloc] init_throws_withWhisperMessage:cipherMessage
registrationId:localRegistrationId
prekeyId:items.preKeyId
signedPrekeyId:items.signedPreKeyId
baseKey:items.baseKey.prependKeyType
identityKey:sessionState.localIdentityKey.prependKeyType];
}
[sessionState setSenderChainKey:[chainKey nextChainKey]];
[self.sessionStore storeSession:self.recipientId
deviceId:self.deviceId
session:sessionRecord
protocolContext:protocolContext];
return cipherMessage;
}
- (nullable NSData *)decrypt:(id<CipherMessage>)whisperMessage
protocolContext:(nullable id)protocolContext
error:(NSError **)outError
{
__block NSData *_Nullable result;
[SCKExceptionWrapper
tryBlock:^{
result = [self throws_decrypt:whisperMessage protocolContext:protocolContext];
}
error:outError];
return result;
}
- (NSData *)throws_decrypt:(id<CipherMessage>)whisperMessage protocolContext:(nullable id)protocolContext
{
OWSAssert(whisperMessage);
switch (whisperMessage.cipherMessageType) {
case CipherMessageType_Whisper:
if (![whisperMessage isKindOfClass:[WhisperMessage class]]) {
OWSFail(@"Unexpected message type: %@", [whisperMessage class]);
return nil;
}
return [self throws_decryptWhisperMessage:(WhisperMessage *)whisperMessage protocolContext:protocolContext];
case CipherMessageType_Prekey:
if (![whisperMessage isKindOfClass:[PreKeyWhisperMessage class]]) {
OWSFail(@"Unexpected message type: %@", [whisperMessage class]);
return nil;
}
return [self throws_decryptPreKeyWhisperMessage:(PreKeyWhisperMessage *)whisperMessage
protocolContext:protocolContext];
default:
OWSFailDebug(@"Unexpected message type: %@", [whisperMessage class]);
return [NSData new];
}
}
- (NSData *)throws_decryptPreKeyWhisperMessage:(PreKeyWhisperMessage *)preKeyWhisperMessage
protocolContext:(nullable id)protocolContext
{
OWSAssert(preKeyWhisperMessage);
SessionRecord *sessionRecord =
[self.sessionStore loadSession:self.recipientId deviceId:self.deviceId protocolContext:protocolContext];
int unsignedPreKeyId = [self.sessionBuilder throws_processPrekeyWhisperMessage:preKeyWhisperMessage
withSession:sessionRecord
protocolContext:protocolContext];
NSData *plaintext = [self throws_decryptWithSessionRecord:sessionRecord
whisperMessage:preKeyWhisperMessage.message
protocolContext:protocolContext];
[self.sessionStore storeSession:self.recipientId
deviceId:self.deviceId
session:sessionRecord
protocolContext:protocolContext];
// If there was an unsigned PreKey
if (unsignedPreKeyId >= 0) {
[self.prekeyStore removePreKey:unsignedPreKeyId protocolContext:protocolContext];
}
return plaintext;
}
- (NSData *)throws_decryptWhisperMessage:(WhisperMessage *)whisperMessage protocolContext:(nullable id)protocolContext
{
OWSAssert(whisperMessage);
SessionRecord *sessionRecord =
[self.sessionStore loadSession:self.recipientId deviceId:self.deviceId protocolContext:protocolContext];
NSData *plaintext = [self throws_decryptWithSessionRecord:sessionRecord
whisperMessage:whisperMessage
protocolContext:protocolContext];
if (![self.identityKeyStore isTrustedIdentityKey:sessionRecord.sessionState.remoteIdentityKey
recipientId:self.recipientId
direction:TSMessageDirectionIncoming
protocolContext:protocolContext]) {
DDLogWarn(
@"%@ Previously known identity key for while decrypting from recipient: %@", self.tag, self.recipientId);
@throw [NSException exceptionWithName:UntrustedIdentityKeyException
reason:@"There is a previously known identity key."
userInfo:@{}];
}
[self.identityKeyStore saveRemoteIdentity:sessionRecord.sessionState.remoteIdentityKey
recipientId:self.recipientId
protocolContext:protocolContext];
[self.sessionStore storeSession:self.recipientId
deviceId:self.deviceId
session:sessionRecord
protocolContext:protocolContext];
return plaintext;
}
- (NSData *)throws_decryptWithSessionRecord:(SessionRecord *)sessionRecord
whisperMessage:(WhisperMessage *)whisperMessage
protocolContext:(nullable id)protocolContext
{
OWSAssert(sessionRecord);
OWSAssert(whisperMessage);
SessionState *sessionState = [sessionRecord sessionState];
NSMutableArray *exceptions = [NSMutableArray array];
@try {
NSData *decryptedData = [self throws_decryptWithSessionState:sessionState
whisperMessage:whisperMessage
protocolContext:protocolContext];
DDLogDebug(@"%@ successfully decrypted with current session state: %@", self.tag, sessionState);
return decryptedData;
}
@catch (NSException *exception) {
if ([exception.name isEqualToString:InvalidMessageException]) {
[exceptions addObject:exception];
} else {
@throw exception;
}
}
// If we can decrypt the message with an "old" session state, that means the sender is using an "old" session.
// In which case, we promote that session to "active" so as to converge on a single session for sending/receiving.
__block NSUInteger stateToPromoteIdx;
__block NSData *decryptedData;
[[sessionRecord previousSessionStates]
enumerateObjectsUsingBlock:^(SessionState *_Nonnull previousState, NSUInteger idx, BOOL *_Nonnull stop) {
@try {
decryptedData = [self throws_decryptWithSessionState:previousState
whisperMessage:whisperMessage
protocolContext:protocolContext];
DDLogInfo(@"%@ successfully decrypted with PREVIOUS session state: %@", self.tag, previousState);
OWSAssert(decryptedData != nil);
stateToPromoteIdx = idx;
*stop = YES;
} @catch (NSException *exception) {
[exceptions addObject:exception];
}
}];
if (decryptedData) {
SessionState *sessionStateToPromote = [sessionRecord previousSessionStates][stateToPromoteIdx];
OWSAssert(sessionStateToPromote != nil);
DDLogInfo(@"%@ promoting session: %@", self.tag, sessionStateToPromote);
[[sessionRecord previousSessionStates] removeObjectAtIndex:stateToPromoteIdx];
[sessionRecord promoteState:sessionStateToPromote];
return decryptedData;
}
BOOL containsActiveSession =
[self.sessionStore containsSession:self.recipientId deviceId:self.deviceId protocolContext:protocolContext];
DDLogError(@"%@ No valid session for recipient: %@ containsActiveSession: %@, previousStates: %lu",
self.tag,
self.recipientId,
(containsActiveSession ? @"YES" : @"NO"),
(unsigned long)sessionRecord.previousSessionStates.count);
if (containsActiveSession) {
@throw [NSException exceptionWithName:InvalidMessageException
reason:@"No valid sessions"
userInfo:@{
@"Exceptions" : exceptions
}];
} else {
@throw [NSException
exceptionWithName:NoSessionException
reason:[NSString stringWithFormat:@"No session for: %@, %d", self.recipientId, self.deviceId]
userInfo:nil];
}
}
- (NSData *)throws_decryptWithSessionState:(SessionState *)sessionState
whisperMessage:(WhisperMessage *)whisperMessage
protocolContext:(nullable id)protocolContext
{
OWSAssert(sessionState);
OWSAssert(whisperMessage);
if (![sessionState hasSenderChain]) {
@throw [NSException exceptionWithName:InvalidMessageException reason:@"Uninitialized session!" userInfo:nil];
}
if (whisperMessage.version != sessionState.version) {
@throw [NSException exceptionWithName:InvalidMessageException
reason:[NSString stringWithFormat:@"Got message version %d but was expecting %d",
whisperMessage.version,
sessionState.version]
userInfo:nil];
}
int messageVersion = whisperMessage.version;
NSData *theirEphemeral = whisperMessage.senderRatchetKey.throws_removeKeyType;
int counter = whisperMessage.counter;
ChainKey *chainKey = [self throws_getOrCreateChainKeys:sessionState theirEphemeral:theirEphemeral];
OWSAssert(chainKey);
MessageKeys *messageKeys = [self throws_getOrCreateMessageKeysForSession:sessionState
theirEphemeral:theirEphemeral
chainKey:chainKey
counter:counter];
OWSAssert(messageKeys);
[whisperMessage throws_verifyMacWithVersion:messageVersion
senderIdentityKey:sessionState.remoteIdentityKey
receiverIdentityKey:sessionState.localIdentityKey
macKey:messageKeys.macKey];
NSData *plaintext =
[AES_CBC throws_decryptCBCMode:whisperMessage.cipherText withKey:messageKeys.cipherKey withIV:messageKeys.iv];
[sessionState clearUnacknowledgedPreKeyMessage];
return plaintext;
}
- (ChainKey *)throws_getOrCreateChainKeys:(SessionState *)sessionState theirEphemeral:(NSData *)theirEphemeral
{
OWSAssert(sessionState);
OWSGuardWithException(theirEphemeral, InvalidMessageException);
OWSGuardWithException(theirEphemeral.length == 32, InvalidMessageException);
@try {
if ([sessionState hasReceiverChain:theirEphemeral]) {
DDLogInfo(@"%@ %@.%d has existing receiver chain.", self.tag, self.recipientId, self.deviceId);
return [sessionState receiverChainKey:theirEphemeral];
} else{
DDLogInfo(@"%@ %@.%d creating new chains.", self.tag, self.recipientId, self.deviceId);
RootKey *rootKey = [sessionState rootKey];
OWSAssert(rootKey.keyData.length == 32);
ECKeyPair *ourEphemeral = [sessionState senderRatchetKeyPair];
OWSAssert(ourEphemeral.publicKey.length == 32);
RKCK *receiverChain =
[rootKey throws_createChainWithTheirEphemeral:theirEphemeral ourEphemeral:ourEphemeral];
ECKeyPair *ourNewEphemeral = [Curve25519 generateKeyPair];
OWSAssert(ourNewEphemeral.publicKey.length == 32);
RKCK *senderChain = [receiverChain.rootKey throws_createChainWithTheirEphemeral:theirEphemeral
ourEphemeral:ourNewEphemeral];
OWSAssert(senderChain.rootKey.keyData.length == 32);
[sessionState setRootKey:senderChain.rootKey];
OWSAssert(receiverChain.chainKey.key.length == 32);
[sessionState addReceiverChain:theirEphemeral chainKey:receiverChain.chainKey];
int previousCounter;
ows_sub_overflow(sessionState.senderChainKey.index, 1, &previousCounter);
[sessionState setPreviousCounter:MAX(previousCounter, 0)];
[sessionState setSenderChain:ourNewEphemeral chainKey:senderChain.chainKey];
return receiverChain.chainKey;
}
}
@catch (NSException *exception) {
@throw [NSException exceptionWithName:InvalidMessageException reason:@"Chainkeys couldn't be derived" userInfo:nil];
}
}
- (MessageKeys *)throws_getOrCreateMessageKeysForSession:(SessionState *)sessionState
theirEphemeral:(NSData *)theirEphemeral
chainKey:(ChainKey *)chainKey
counter:(int)counter
{
OWSAssert(sessionState);
OWSGuardWithException(theirEphemeral, InvalidMessageException);
OWSGuardWithException(theirEphemeral.length == 32, InvalidMessageException);
OWSAssert(chainKey);
if (chainKey.index > counter) {
if ([sessionState hasMessageKeys:theirEphemeral counter:counter]) {
return [sessionState removeMessageKeys:theirEphemeral counter:counter];
} else {
OWSLogInfo(
@"%@ %@.%d Duplicate message for counter: %d", self.tag, self.recipientId, self.deviceId, counter);
OWSLogFlush();
@throw [NSException exceptionWithName:DuplicateMessageException reason:@"Received message with old counter!" userInfo:@{}];
}
}
NSUInteger kCounterLimit = 2000;
int counterOffset;
if (__builtin_sub_overflow(counter, chainKey.index, &counterOffset)) {
OWSFailDebug(@"Overflow while calculating counter offset");
OWSRaiseException(InvalidMessageException, @"Overflow while calculating counter offset");
}
if (counterOffset > kCounterLimit) {
OWSLogError(@"%@ %@.%d Exceeded future message limit: %lu, index: %d, counter: %d)",
self.tag,
self.recipientId,
self.deviceId,
(unsigned long)kCounterLimit,
chainKey.index,
counter);
OWSLogFlush();
@throw [NSException exceptionWithName:InvalidMessageException
reason:@"Exceeded message keys chain length limit"
userInfo:@{}];
}
while (chainKey.index < counter) {
MessageKeys *messageKeys = [chainKey throws_messageKeys];
[sessionState setMessageKeys:theirEphemeral messageKeys:messageKeys];
chainKey = chainKey.nextChainKey;
}
[sessionState setReceiverChainKey:theirEphemeral chainKey:[chainKey nextChainKey]];
return [chainKey throws_messageKeys];
}
/**
* The current version data. First 4 bits are the current version and the last 4 ones are the lowest version we support.
*
* @return Current version data
*/
+ (NSData*)currentProtocolVersion{
NSUInteger index = 0b00100010;
NSData *versionByte = [NSData dataWithBytes:&index length:1];
return versionByte;
}
- (int)throws_remoteRegistrationId:(nullable id)protocolContext
{
SessionRecord *_Nullable record =
[self.sessionStore loadSession:self.recipientId deviceId:_deviceId protocolContext:protocolContext];
if (!record) {
@throw [NSException exceptionWithName:NoSessionException reason:@"Trying to get registration Id of a non-existing session." userInfo:nil];
}
return record.sessionState.remoteRegistrationId;
}
- (int)throws_sessionVersion:(nullable id)protocolContext
{
SessionRecord *_Nullable record =
[self.sessionStore loadSession:self.recipientId deviceId:_deviceId protocolContext:protocolContext];
if (!record) {
@throw [NSException exceptionWithName:NoSessionException reason:@"Trying to get the version of a non-existing session." userInfo:nil];
}
return record.sessionState.version;
}
#pragma mark - Logging
+ (NSString *)tag
{
return [NSString stringWithFormat:@"[%@]", self.class];
}
- (NSString *)tag
{
return self.class.tag;
}
@end
NS_ASSUME_NONNULL_END
Reference in New Issue View Git Blame Copy Permalink