Add more pieces of the DAKE

Author: olabini

Gopkg.lock

@@ -6,6 +6,8 @@ const (
 
 const (
 	messageTypeIdentityMessage = uint8(0x35)
+	messageTypeAuthRMessage    = uint8(0x36)
+	messageTypeAuthIMessage    = uint8(0x37)
 )
 
 const (

constants.go

@@ -2,6 +2,7 @@ package gotra
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 
 	"github.com/coyim/gotrax"
@@ -11,6 +12,14 @@ type conversation struct {
 	r                io.Reader
 	longTerm         *gotrax.Keypair
 	otherInstanceTag uint32
+
+	im  *identityMessage
+	imp *identityMessagePrivate
+	ar  *authRMessage
+	arp *authRMessagePrivate
+	ai  *authIMessage
+
+	state convState
 }
 
 // TODO: for all these functions, if we're currently in OTRv3 we should fall back to an otr3 conversation
@@ -41,12 +50,21 @@ func isIdentityMessage(m ValidMessage) bool {
 	return bytes.HasPrefix(m, append(gotrax.AppendShort(nil, version), messageTypeIdentityMessage))
 }
 
+func isAuthRMessage(m ValidMessage) bool {
+	// TODO: make this work correctly
+	return bytes.HasPrefix(m, append(gotrax.AppendShort(nil, version), messageTypeAuthRMessage))
+}
+
+func isAuthIMessage(m ValidMessage) bool {
+	// TODO: make this work correctly
+	return bytes.HasPrefix(m, append(gotrax.AppendShort(nil, version), messageTypeAuthIMessage))
+}
+
 func (c *conversation) processQueryMessage(m ValidMessage) (plain MessagePlaintext, toSend []ValidMessage, err error) {
 	// TODO:
 	// if the message is 4 and we allow 4
-	//    transition to waitingAuthR
-	//    return an identity message
 
+	c.state = stateWaitingAuthR{}
 	return nil, []ValidMessage{c.createIdentityMessage()}, nil
 }
 
@@ -74,9 +92,85 @@ func (c *conversation) processIdentityMessage(m ValidMessage) (plain MessagePlai
 
 	c.fixInstanceTag(im.senderInstanceTag)
 
-	// Transition to the WAITING_AUTH_I state.
+	c.im = im
+
+	c.state = stateWaitingAuthI{}
 
-	return nil, []ValidMessage{c.createAuthRMessage(im)}, nil
+	return nil, []ValidMessage{c.createAuthRMessage()}, nil
+}
+
+func (c *conversation) processAuthRMessage(m ValidMessage) (plain MessagePlaintext, toSend []ValidMessage, err error) {
+	// TODO:
+	// - If the state is WAITING_AUTH_R:
+	//   - If the receiver's instance tag in the message is not the sender's instance tag you are currently using, ignore the message.
+	//   - Validate the Auth-R message.
+	//   - If validation fails:
+	//     - Ignore the message.
+	//     - Stay in state WAITING_AUTH_R.
+	//   - If validation succeeds:
+	//     - Reply with an Auth-I message, as defined in Sending an Auth-I Message section.
+	// - If the state is ENCRYPTED_MESSAGES:
+	//   - If this Auth-R message is the same one you received earlier:
+	//     - Retransmit your Auth-I Message.
+	//   - Otherwise:
+	//     - Ignore the message.
+	// - If the state is not WAITING_AUTH_R:
+	//   - Ignore this message.
+
+	arm := &authRMessage{}
+	_, ok := arm.deserialize(m)
+	if !ok {
+		// Ignore the message
+		return nil, nil, nil
+	}
+
+	verr := arm.validate(c.getInstanceTag())
+	if verr != nil {
+		// Ignore the message
+		return nil, nil, nil
+	}
+
+	c.ar = arm
+	c.state = stateWaitingDakeDataMessage{}
+
+	return nil, []ValidMessage{c.createAuthIMessage()}, nil
+}
+
+func (c *conversation) processAuthIMessage(m ValidMessage) (plain MessagePlaintext, toSend []ValidMessage, err error) {
+	// TODO:
+	// 	If the state is WAITING_AUTH_I:
+	//    If the receiver's instance tag in the message is not the sender's instance tag you are currently using, ignore this message.
+	//    Validate the Auth-I message.
+	//      If validation fails:
+	//        Ignore the message.
+	//        Stay in state WAITING_AUTH_I.
+	//      If validation succeeds:
+	//        Transition to state ENCRYPTED_MESSAGES.
+	//        Initialize the double ratcheting, as defined in the Interactive DAKE Overview section.
+	//        Send a regular Data Message. If a plaintext message is waiting to be sent, this can be used. Otherwise an empty heartbeat message should be sent. This data message is called "DAKE Data Message".
+	//        If there are stored Data Messages, remove them from storage - there is no way these messages can be valid for the current DAKE.
+	// 	If the state is not WAITING_AUTH_I:
+	//   - Ignore this message.
+
+	aim := &authIMessage{}
+	_, ok := aim.deserialize(m)
+	if !ok {
+		// Ignore the message
+		return nil, nil, nil
+	}
+
+	verr := aim.validate(c.getInstanceTag())
+	if verr != nil {
+		// Ignore the message
+		return nil, nil, nil
+	}
+
+	c.ai = aim
+
+	// TODO: initialize double ratchet here
+	c.state = stateEncrypted{}
+
+	return nil, []ValidMessage{c.createHeartbeatDataMessage()}, nil
 }
 
 func (c *conversation) Receive(m ValidMessage) (plain MessagePlaintext, toSend []ValidMessage, err error) {
@@ -90,12 +184,19 @@ func (c *conversation) Receive(m ValidMessage) (plain MessagePlaintext, toSend [
 		return c.processIdentityMessage(m)
 	}
 
+	if isAuthRMessage(m) {
+		return c.processAuthRMessage(m)
+	}
+
+	if isAuthIMessage(m) {
+		return c.processAuthIMessage(m)
+	}
+
+	fmt.Printf("TODO: hit a place where we need to continue...\n")
+
 	// - plaintext without tag
 	// - plaintext with tag
 	// - error message
-	// - identity message
-	// - auth-r message
-	// - auth-i message
 	// - non-interactive auth message
 	// - dake data message
 	// - data message

conversation.go

@@ -2,23 +2,40 @@ package gotra
 
 import (
 	"github.com/coyim/gotrax"
+	"github.com/otrv4/ed448"
 )
 
 type identityMessage struct {
 	senderInstanceTag   uint32
 	receiverInstanceTag uint32
 	clientProfile       *gotrax.ClientProfile
-	y                   *gotrax.PublicKey
+	y                   ed448.Point
 	b                   *dhPublicKey
 }
 
+type identityMessagePrivate struct {
+	y *gotrax.Keypair
+	b *dhKeypair
+}
+
 type authRMessage struct {
 	senderInstanceTag   uint32
 	receiverInstanceTag uint32
 	clientProfile       *gotrax.ClientProfile
-	x                   *gotrax.PublicKey
+	x                   ed448.Point
 	a                   *dhPublicKey
-	// sigma
+	sigma               *gotrax.RingSignature
+}
+
+type authRMessagePrivate struct {
+	x *gotrax.Keypair
+	a *dhKeypair
+}
+
+type authIMessage struct {
+	senderInstanceTag   uint32
+	receiverInstanceTag uint32
+	sigma               *gotrax.RingSignature
 }
 
 func (c *conversation) createIdentityMessage() ValidMessage {
@@ -31,10 +48,12 @@ func (c *conversation) createIdentityMessage() ValidMessage {
 		senderInstanceTag:   itag,
 		receiverInstanceTag: uint32(0x00),
 		clientProfile:       cp,
-		y:                   ykp.Pub,
+		y:                   ykp.Pub.K(),
 		b:                   bkp.pub,
 	}
 
+	c.im = im
+	c.imp = &identityMessagePrivate{y: ykp, b: bkp}
 	return ValidMessage(im.serialize())
 }
 
@@ -47,6 +66,89 @@ func (m *identityMessage) validate(tag uint32) error {
 	return nil
 }
 
-func (c *conversation) createAuthRMessage(im *identityMessage) ValidMessage {
+func (c *conversation) createAuthRMessage() ValidMessage {
+	cp := c.getValidClientProfile()
+	itag := c.getInstanceTag()
+	xkp := gotrax.GenerateKeypair(c)
+	akp, _ := generateDHKeypair(c)
+
+	ar := &authRMessage{
+		senderInstanceTag:   itag,
+		receiverInstanceTag: c.im.senderInstanceTag,
+		clientProfile:       cp,
+		x:                   xkp.Pub.K(),
+		a:                   akp.pub,
+	}
+
+	// TODO: figure out a real phi
+	phi := []byte{}
+
+	t := []byte{0x00}
+	t = append(t, gotrax.Kdf(usageAuthRBobClientProfile, 64, c.im.clientProfile.Serialize())...)
+	t = append(t, gotrax.Kdf(usageAuthRAliceClientProfile, 64, cp.Serialize())...)
+	t = append(t, gotrax.SerializePoint(c.im.y)...)
+	t = append(t, xkp.Pub.Serialize()...)
+	t = append(t, c.im.b.serialize()...)
+	t = append(t, akp.pub.serialize()...)
+	t = append(t, gotrax.Kdf(usageAuthRPhi, 64, phi)...)
+
+	longTerm := c.getKeypair()
+	yk := gotrax.CreatePublicKey(c.im.y, gotrax.Ed448Key)
+
+	// TODO: don't ignore this error
+	ar.sigma, _ = gotrax.GenerateSignature(c, longTerm.Priv, longTerm.Pub, c.im.clientProfile.PublicKey, longTerm.Pub, yk, t, gotrax.Kdf, usageAuth)
+
+	c.ar = ar
+	c.arp = &authRMessagePrivate{x: xkp, a: akp}
+	return ValidMessage(ar.serialize())
+}
+
+func (m *authRMessage) validate(tag uint32) error {
+	// TODO: implement
+	// Check that the receiver's instance tag matches your sender's instance tag.
+	// Validate the Client Profile as defined in Validating a Client Profile section. Extract H_a from it.
+	// Verify that the point X received is on curve Ed448. See Verifying that a point is on the curve section for details.
+	// Verify that the DH public key A is from the correct group. See Verifying that an integer is in the DH group section for details.
+	// Compute t = 0x0 || KDF_1(usageAuthRBobClientProfile || Bob_Client_Profile, 64) || KDF_1(usageAuthRAliceClientProfile || Alice_Client_Profile, 64) || Y || X || B || A || KDF_1(usageAuthRPhi || phi, 64). phi is the shared session state as mention in its section.
+	// Verify the sigma as defined in Ring Signature Authentication.
+
+	return nil
+}
+
+func (c *conversation) createAuthIMessage() ValidMessage {
+	cp := c.getValidClientProfile()
+	itag := c.getInstanceTag()
+
+	ai := &authIMessage{
+		senderInstanceTag:   itag,
+		receiverInstanceTag: c.ar.senderInstanceTag,
+	}
+
+	// TODO: figure out a real phi
+	phi := []byte{}
+
+	t := []byte{0x01}
+	t = append(t, gotrax.Kdf(usageAuthIBobClientProfile, 64, cp.Serialize())...)
+	t = append(t, gotrax.Kdf(usageAuthIAliceClientProfile, 64, c.ar.clientProfile.Serialize())...)
+	t = append(t, gotrax.SerializePoint(c.im.y)...)
+	t = append(t, gotrax.SerializePoint(c.ar.x)...)
+	t = append(t, c.im.b.serialize()...)
+	t = append(t, c.ar.a.serialize()...)
+	t = append(t, gotrax.Kdf(usageAuthIPhi, 64, phi)...)
+
+	longTerm := c.getKeypair()
+
+	// TODO: don't ignore this error
+	ai.sigma, _ = gotrax.GenerateSignature(c, longTerm.Priv, longTerm.Pub, longTerm.Pub, c.ar.clientProfile.PublicKey, gotrax.CreatePublicKey(c.ar.x, gotrax.Ed448Key), t, gotrax.Kdf, usageAuth)
+
+	c.ai = ai
+	return ValidMessage(ai.serialize())
+}
+
+func (m *authIMessage) validate(tag uint32) error {
+	// TODO: implement
+	// Check that the receiver's instance tag matches your sender's instance tag.
+	// Compute t = 0x1 || KDF_1(usageAuthIBobClientProfile || Bobs_Client_Profile, 64) || KDF_1(usageAuthIAliceClientProfile || Alices_Client_Profile, 64) || Y || X || B || A || KDF_1(usageAuthIPhi || phi, 64). phi is the shared session state as mention in its section.
+	// Verify the sigma as defined in Ring Signature Authentication.
 	return nil
 }