Skip to content
Browse files

Migrate to Curve25519.

1) Generate a Curve25519 identity key.

2) Use Curve25519 ephemerals and identities for v2 3DHE agreements.

3) Initiate v2 key exchange messages.

4) Accept v1 key exchange messages.

5) TOFU Curve25519 identities.
  • Loading branch information...
1 parent 95b8a10 commit c3c6fd2d4fc62c8a3690712eef623a0255169fd6 @moxie0 moxie0 committed Nov 10, 2013
Showing with 2,194 additions and 495 deletions.
  1. +2 −0 .gitignore
  2. +2 −1 library/build.gradle
  3. +17 −0 library/jni/Android.mk
  4. +70 −0 library/jni/curve25519-donna-jni.c
  5. +734 −0 library/jni/curve25519-donna.c
  6. +6 −0 library/jni/curve25519-donna.h
  7. BIN library/libs/armeabi.jar
  8. BIN library/libs/libphonenumber-5.3.jar
  9. BIN library/libs/protobuf-java-2.4.1.jar
  10. BIN library/libs/sc-light-jdk15on-1.47.0.2.jar
  11. BIN library/libs/thoughtcrimegson-2.1.jar
  12. +28 −26 library/src/org/whispersystems/textsecure/crypto/IdentityKey.java
  13. +4 −4 library/src/org/whispersystems/textsecure/crypto/IdentityKeyPair.java
  14. +19 −22 library/src/org/whispersystems/textsecure/crypto/KeyPair.java
  15. +12 −92 library/src/org/whispersystems/textsecure/crypto/KeyUtil.java
  16. +17 −18 library/src/org/whispersystems/textsecure/crypto/MasterCipher.java
  17. +8 −11 library/src/org/whispersystems/textsecure/crypto/MessageCipher.java
  18. +30 −17 library/src/org/whispersystems/textsecure/crypto/PreKeyPair.java
  19. +30 −6 library/src/org/whispersystems/textsecure/crypto/PreKeyPublic.java
  20. +22 −3 library/src/org/whispersystems/textsecure/crypto/PreKeyUtil.java
  21. +24 −18 library/src/org/whispersystems/textsecure/crypto/PublicKey.java
  22. +37 −41 library/src/org/whispersystems/textsecure/crypto/SessionCipher.java
  23. +39 −37 library/src/org/whispersystems/textsecure/crypto/SharedSecretCalculator.java
  24. +85 −0 library/src/org/whispersystems/textsecure/crypto/ecc/Curve.java
  25. +75 −0 library/src/org/whispersystems/textsecure/crypto/ecc/Curve25519.java
  26. +122 −0 library/src/org/whispersystems/textsecure/crypto/ecc/CurveP256.java
  27. +41 −0 library/src/org/whispersystems/textsecure/crypto/ecc/DjbECPrivateKey.java
  28. +66 −0 library/src/org/whispersystems/textsecure/crypto/ecc/DjbECPublicKey.java
  29. +38 −0 library/src/org/whispersystems/textsecure/crypto/ecc/ECKeyPair.java
  30. +23 −0 library/src/org/whispersystems/textsecure/crypto/ecc/ECPrivateKey.java
  31. +27 −0 library/src/org/whispersystems/textsecure/crypto/ecc/ECPublicKey.java
  32. +43 −0 library/src/org/whispersystems/textsecure/crypto/ecc/NistECPrivateKey.java
  33. +63 −0 library/src/org/whispersystems/textsecure/crypto/ecc/NistECPublicKey.java
  34. +17 −0 library/src/org/whispersystems/textsecure/crypto/kdf/DerivedSecrets.java
  35. +18 −1 library/src/org/whispersystems/textsecure/crypto/kdf/HKDF.java
  36. +29 −17 library/src/org/whispersystems/textsecure/crypto/kdf/KDF.java
  37. +19 −3 library/src/org/whispersystems/textsecure/crypto/kdf/NKDF.java
  38. +3 −2 library/src/org/whispersystems/textsecure/crypto/protocol/CiphertextMessage.java
  39. +3 −1 library/src/org/whispersystems/textsecure/crypto/protocol/PreKeyBundleMessage.java
  40. +4 −1 library/src/org/whispersystems/textsecure/push/PushServiceSocket.java
  41. +6 −2 library/src/org/whispersystems/textsecure/storage/LocalKeyRecord.java
  42. +33 −5 src/org/thoughtcrime/securesms/DatabaseUpgradeActivity.java
  43. +23 −8 src/org/thoughtcrime/securesms/VerifyIdentityActivity.java
  44. +6 −2 src/org/thoughtcrime/securesms/ViewLocalIdentityActivity.java
  45. +46 −43 src/org/thoughtcrime/securesms/crypto/AsymmetricMasterCipher.java
  46. +32 −14 src/org/thoughtcrime/securesms/crypto/AsymmetricMasterSecret.java
  47. +6 −3 src/org/thoughtcrime/securesms/crypto/DecryptingQueue.java
  48. +106 −44 src/org/thoughtcrime/securesms/crypto/IdentityKeyUtil.java
  49. +4 −2 src/org/thoughtcrime/securesms/crypto/KeyExchangeInitiator.java
  50. +4 −7 src/org/thoughtcrime/securesms/crypto/KeyExchangeProcessor.java
  51. +57 −22 src/org/thoughtcrime/securesms/crypto/MasterSecretUtil.java
  52. +15 −11 src/org/thoughtcrime/securesms/crypto/protocol/KeyExchangeMessage.java
  53. +11 −3 src/org/thoughtcrime/securesms/database/IdentityDatabase.java
  54. +3 −1 src/org/thoughtcrime/securesms/service/RegistrationService.java
  55. +20 −1 src/org/thoughtcrime/securesms/transport/MmsTransport.java
  56. +21 −3 src/org/thoughtcrime/securesms/transport/PushTransport.java
  57. +24 −3 src/org/thoughtcrime/securesms/transport/SmsTransport.java
View
2 .gitignore
@@ -20,3 +20,5 @@ signing.properties
gradle
gradlew
gradlew.bat
+library/lib/
+library/obj/
View
3 library/build.gradle
@@ -22,7 +22,8 @@ dependencies {
compile 'com.google.protobuf:protobuf-java:2.4.1'
compile 'com.madgag:sc-light-jdk15on:1.47.0.2'
compile 'com.googlecode.libphonenumber:libphonenumber:5.3'
- compile 'org.whispersystems:gson:2.1'
+ compile 'org.whispersystems:gson:2.2.4'
+ compile fileTree(dir: 'libs', include: 'armeabi.jar')
}
android {
View
17 library/jni/Android.mk
@@ -0,0 +1,17 @@
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libcurve25519-donna
+LOCAL_SRC_FILES := curve25519-donna.c
+
+include $(BUILD_STATIC_LIBRARY)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libcurve25519
+LOCAL_SRC_FILES := curve25519-donna-jni.c
+
+LOCAL_STATIC_LIBRARIES := libcurve25519-donna
+
+include $(BUILD_SHARED_LIBRARY)
View
70 library/jni/curve25519-donna-jni.c
@@ -0,0 +1,70 @@
+/**
+ * Copyright (C) 2013 Open Whisper Systems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <string.h>
+#include <stdint.h>
+
+#include <jni.h>
+#include "curve25519-donna.h"
+
+JNIEXPORT jbyteArray JNICALL Java_org_whispersystems_textsecure_crypto_ecc_Curve25519_generatePrivateKey
+ (JNIEnv *env, jclass clazz, jbyteArray random)
+{
+ uint8_t* privateKey = (uint8_t*)(*env)->GetByteArrayElements(env, random, 0);
+
+ privateKey[0] &= 248;
+ privateKey[31] &= 127;
+ privateKey[31] |= 64;
+
+ (*env)->ReleaseByteArrayElements(env, random, privateKey, 0);
+
+ return random;
+}
+
+JNIEXPORT jbyteArray JNICALL Java_org_whispersystems_textsecure_crypto_ecc_Curve25519_generatePublicKey
+ (JNIEnv *env, jclass clazz, jbyteArray privateKey)
+{
+ static const uint8_t basepoint[32] = {9};
+
+ jbyteArray publicKey = (*env)->NewByteArray(env, 32);
+ uint8_t* publicKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, publicKey, 0);
+ uint8_t* privateKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, privateKey, 0);
+
+ curve25519_donna(publicKeyBytes, privateKeyBytes, basepoint);
+
+ (*env)->ReleaseByteArrayElements(env, publicKey, publicKeyBytes, 0);
+ (*env)->ReleaseByteArrayElements(env, privateKey, privateKeyBytes, 0);
+
+ return publicKey;
+}
+
+JNIEXPORT jbyteArray JNICALL Java_org_whispersystems_textsecure_crypto_ecc_Curve25519_calculateAgreement
+ (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey)
+{
+ jbyteArray sharedKey = (*env)->NewByteArray(env, 32);
+ uint8_t* sharedKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, sharedKey, 0);
+ uint8_t* privateKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, privateKey, 0);
+ uint8_t* publicKeyBytes = (uint8_t*)(*env)->GetByteArrayElements(env, publicKey, 0);
+
+ curve25519_donna(sharedKeyBytes, privateKeyBytes, publicKeyBytes);
+
+ (*env)->ReleaseByteArrayElements(env, sharedKey, sharedKeyBytes, 0);
+ (*env)->ReleaseByteArrayElements(env, publicKey, publicKeyBytes, 0);
+ (*env)->ReleaseByteArrayElements(env, privateKey, privateKeyBytes, 0);
+
+ return sharedKey;
+}
View
734 library/jni/curve25519-donna.c
@@ -0,0 +1,734 @@
+/* Copyright 2008, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * curve25519-donna: Curve25519 elliptic curve, public key function
+ *
+ * http://code.google.com/p/curve25519-donna/
+ *
+ * Adam Langley <agl@imperialviolet.org>
+ *
+ * Derived from public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
+ *
+ * More information about curve25519 can be found here
+ * http://cr.yp.to/ecdh.html
+ *
+ * djb's sample implementation of curve25519 is written in a special assembly
+ * language called qhasm and uses the floating point registers.
+ *
+ * This is, almost, a clean room reimplementation from the curve25519 paper. It
+ * uses many of the tricks described therein. Only the crecip function is taken
+ * from the sample implementation.
+ */
+
+#include <string.h>
+#include <stdint.h>
+
+#ifdef _MSC_VER
+#define inline __inline
+#endif
+
+typedef uint8_t u8;
+typedef int32_t s32;
+typedef int64_t limb;
+
+/* Field element representation:
+ *
+ * Field elements are written as an array of signed, 64-bit limbs, least
+ * significant first. The value of the field element is:
+ * x[0] + 2^26·x[1] + x^51·x[2] + 2^102·x[3] + ...
+ *
+ * i.e. the limbs are 26, 25, 26, 25, ... bits wide.
+ */
+
+/* Sum two numbers: output += in */
+static void fsum(limb *output, const limb *in) {
+ unsigned i;
+ for (i = 0; i < 10; i += 2) {
+ output[0+i] = (output[0+i] + in[0+i]);
+ output[1+i] = (output[1+i] + in[1+i]);
+ }
+}
+
+/* Find the difference of two numbers: output = in - output
+ * (note the order of the arguments!)
+ */
+static void fdifference(limb *output, const limb *in) {
+ unsigned i;
+ for (i = 0; i < 10; ++i) {
+ output[i] = (in[i] - output[i]);
+ }
+}
+
+/* Multiply a number by a scalar: output = in * scalar */
+static void fscalar_product(limb *output, const limb *in, const limb scalar) {
+ unsigned i;
+ for (i = 0; i < 10; ++i) {
+ output[i] = in[i] * scalar;
+ }
+}
+
+/* Multiply two numbers: output = in2 * in
+ *
+ * output must be distinct to both inputs. The inputs are reduced coefficient
+ * form, the output is not.
+ */
+static void fproduct(limb *output, const limb *in2, const limb *in) {
+ output[0] = ((limb) ((s32) in2[0])) * ((s32) in[0]);
+ output[1] = ((limb) ((s32) in2[0])) * ((s32) in[1]) +
+ ((limb) ((s32) in2[1])) * ((s32) in[0]);
+ output[2] = 2 * ((limb) ((s32) in2[1])) * ((s32) in[1]) +
+ ((limb) ((s32) in2[0])) * ((s32) in[2]) +
+ ((limb) ((s32) in2[2])) * ((s32) in[0]);
+ output[3] = ((limb) ((s32) in2[1])) * ((s32) in[2]) +
+ ((limb) ((s32) in2[2])) * ((s32) in[1]) +
+ ((limb) ((s32) in2[0])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[3])) * ((s32) in[0]);
+ output[4] = ((limb) ((s32) in2[2])) * ((s32) in[2]) +
+ 2 * (((limb) ((s32) in2[1])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[3])) * ((s32) in[1])) +
+ ((limb) ((s32) in2[0])) * ((s32) in[4]) +
+ ((limb) ((s32) in2[4])) * ((s32) in[0]);
+ output[5] = ((limb) ((s32) in2[2])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[3])) * ((s32) in[2]) +
+ ((limb) ((s32) in2[1])) * ((s32) in[4]) +
+ ((limb) ((s32) in2[4])) * ((s32) in[1]) +
+ ((limb) ((s32) in2[0])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[5])) * ((s32) in[0]);
+ output[6] = 2 * (((limb) ((s32) in2[3])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[1])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[5])) * ((s32) in[1])) +
+ ((limb) ((s32) in2[2])) * ((s32) in[4]) +
+ ((limb) ((s32) in2[4])) * ((s32) in[2]) +
+ ((limb) ((s32) in2[0])) * ((s32) in[6]) +
+ ((limb) ((s32) in2[6])) * ((s32) in[0]);
+ output[7] = ((limb) ((s32) in2[3])) * ((s32) in[4]) +
+ ((limb) ((s32) in2[4])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[2])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[5])) * ((s32) in[2]) +
+ ((limb) ((s32) in2[1])) * ((s32) in[6]) +
+ ((limb) ((s32) in2[6])) * ((s32) in[1]) +
+ ((limb) ((s32) in2[0])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[7])) * ((s32) in[0]);
+ output[8] = ((limb) ((s32) in2[4])) * ((s32) in[4]) +
+ 2 * (((limb) ((s32) in2[3])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[5])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[1])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[7])) * ((s32) in[1])) +
+ ((limb) ((s32) in2[2])) * ((s32) in[6]) +
+ ((limb) ((s32) in2[6])) * ((s32) in[2]) +
+ ((limb) ((s32) in2[0])) * ((s32) in[8]) +
+ ((limb) ((s32) in2[8])) * ((s32) in[0]);
+ output[9] = ((limb) ((s32) in2[4])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[5])) * ((s32) in[4]) +
+ ((limb) ((s32) in2[3])) * ((s32) in[6]) +
+ ((limb) ((s32) in2[6])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[2])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[7])) * ((s32) in[2]) +
+ ((limb) ((s32) in2[1])) * ((s32) in[8]) +
+ ((limb) ((s32) in2[8])) * ((s32) in[1]) +
+ ((limb) ((s32) in2[0])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[0]);
+ output[10] = 2 * (((limb) ((s32) in2[5])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[3])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[7])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[1])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[1])) +
+ ((limb) ((s32) in2[4])) * ((s32) in[6]) +
+ ((limb) ((s32) in2[6])) * ((s32) in[4]) +
+ ((limb) ((s32) in2[2])) * ((s32) in[8]) +
+ ((limb) ((s32) in2[8])) * ((s32) in[2]);
+ output[11] = ((limb) ((s32) in2[5])) * ((s32) in[6]) +
+ ((limb) ((s32) in2[6])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[4])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[7])) * ((s32) in[4]) +
+ ((limb) ((s32) in2[3])) * ((s32) in[8]) +
+ ((limb) ((s32) in2[8])) * ((s32) in[3]) +
+ ((limb) ((s32) in2[2])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[2]);
+ output[12] = ((limb) ((s32) in2[6])) * ((s32) in[6]) +
+ 2 * (((limb) ((s32) in2[5])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[7])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[3])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[3])) +
+ ((limb) ((s32) in2[4])) * ((s32) in[8]) +
+ ((limb) ((s32) in2[8])) * ((s32) in[4]);
+ output[13] = ((limb) ((s32) in2[6])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[7])) * ((s32) in[6]) +
+ ((limb) ((s32) in2[5])) * ((s32) in[8]) +
+ ((limb) ((s32) in2[8])) * ((s32) in[5]) +
+ ((limb) ((s32) in2[4])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[4]);
+ output[14] = 2 * (((limb) ((s32) in2[7])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[5])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[5])) +
+ ((limb) ((s32) in2[6])) * ((s32) in[8]) +
+ ((limb) ((s32) in2[8])) * ((s32) in[6]);
+ output[15] = ((limb) ((s32) in2[7])) * ((s32) in[8]) +
+ ((limb) ((s32) in2[8])) * ((s32) in[7]) +
+ ((limb) ((s32) in2[6])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[6]);
+ output[16] = ((limb) ((s32) in2[8])) * ((s32) in[8]) +
+ 2 * (((limb) ((s32) in2[7])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[7]));
+ output[17] = ((limb) ((s32) in2[8])) * ((s32) in[9]) +
+ ((limb) ((s32) in2[9])) * ((s32) in[8]);
+ output[18] = 2 * ((limb) ((s32) in2[9])) * ((s32) in[9]);
+}
+
+/* Reduce a long form to a short form by taking the input mod 2^255 - 19. */
+static void freduce_degree(limb *output) {
+ /* Each of these shifts and adds ends up multiplying the value by 19. */
+ output[8] += output[18] << 4;
+ output[8] += output[18] << 1;
+ output[8] += output[18];
+ output[7] += output[17] << 4;
+ output[7] += output[17] << 1;
+ output[7] += output[17];
+ output[6] += output[16] << 4;
+ output[6] += output[16] << 1;
+ output[6] += output[16];
+ output[5] += output[15] << 4;
+ output[5] += output[15] << 1;
+ output[5] += output[15];
+ output[4] += output[14] << 4;
+ output[4] += output[14] << 1;
+ output[4] += output[14];
+ output[3] += output[13] << 4;
+ output[3] += output[13] << 1;
+ output[3] += output[13];
+ output[2] += output[12] << 4;
+ output[2] += output[12] << 1;
+ output[2] += output[12];
+ output[1] += output[11] << 4;
+ output[1] += output[11] << 1;
+ output[1] += output[11];
+ output[0] += output[10] << 4;
+ output[0] += output[10] << 1;
+ output[0] += output[10];
+}
+
+#if (-1 & 3) != 3
+#error "This code only works on a two's complement system"
+#endif
+
+/* return v / 2^26, using only shifts and adds. */
+static inline limb
+div_by_2_26(const limb v)
+{
+ /* High word of v; no shift needed*/
+ const uint32_t highword = (uint32_t) (((uint64_t) v) >> 32);
+ /* Set to all 1s if v was negative; else set to 0s. */
+ const int32_t sign = ((int32_t) highword) >> 31;
+ /* Set to 0x3ffffff if v was negative; else set to 0. */
+ const int32_t roundoff = ((uint32_t) sign) >> 6;
+ /* Should return v / (1<<26) */
+ return (v + roundoff) >> 26;
+}
+
+/* return v / (2^25), using only shifts and adds. */
+static inline limb
+div_by_2_25(const limb v)
+{
+ /* High word of v; no shift needed*/
+ const uint32_t highword = (uint32_t) (((uint64_t) v) >> 32);
+ /* Set to all 1s if v was negative; else set to 0s. */
+ const int32_t sign = ((int32_t) highword) >> 31;
+ /* Set to 0x1ffffff if v was negative; else set to 0. */
+ const int32_t roundoff = ((uint32_t) sign) >> 7;
+ /* Should return v / (1<<25) */
+ return (v + roundoff) >> 25;
+}
+
+static inline s32
+div_s32_by_2_25(const s32 v)
+{
+ const s32 roundoff = ((uint32_t)(v >> 31)) >> 7;
+ return (v + roundoff) >> 25;
+}
+
+/* Reduce all coefficients of the short form input so that |x| < 2^26.
+ *
+ * On entry: |output[i]| < 2^62
+ */
+static void freduce_coefficients(limb *output) {
+ unsigned i;
+
+ output[10] = 0;
+
+ for (i = 0; i < 10; i += 2) {
+ limb over = div_by_2_26(output[i]);
+ output[i] -= over << 26;
+ output[i+1] += over;
+
+ over = div_by_2_25(output[i+1]);
+ output[i+1] -= over << 25;
+ output[i+2] += over;
+ }
+ /* Now |output[10]| < 2 ^ 38 and all other coefficients are reduced. */
+ output[0] += output[10] << 4;
+ output[0] += output[10] << 1;
+ output[0] += output[10];
+
+ output[10] = 0;
+
+ /* Now output[1..9] are reduced, and |output[0]| < 2^26 + 19 * 2^38
+ * So |over| will be no more than 77825 */
+ {
+ limb over = div_by_2_26(output[0]);
+ output[0] -= over << 26;
+ output[1] += over;
+ }
+
+ /* Now output[0,2..9] are reduced, and |output[1]| < 2^25 + 77825
+ * So |over| will be no more than 1. */
+ {
+ /* output[1] fits in 32 bits, so we can use div_s32_by_2_25 here. */
+ s32 over32 = div_s32_by_2_25((s32) output[1]);
+ output[1] -= over32 << 25;
+ output[2] += over32;
+ }
+
+ /* Finally, output[0,1,3..9] are reduced, and output[2] is "nearly reduced":
+ * we have |output[2]| <= 2^26. This is good enough for all of our math,
+ * but it will require an extra freduce_coefficients before fcontract. */
+}
+
+/* A helpful wrapper around fproduct: output = in * in2.
+ *
+ * output must be distinct to both inputs. The output is reduced degree and
+ * reduced coefficient.
+ */
+static void
+fmul(limb *output, const limb *in, const limb *in2) {
+ limb t[19];
+ fproduct(t, in, in2);
+ freduce_degree(t);
+ freduce_coefficients(t);
+ memcpy(output, t, sizeof(limb) * 10);
+}
+
+static void fsquare_inner(limb *output, const limb *in) {
+ output[0] = ((limb) ((s32) in[0])) * ((s32) in[0]);
+ output[1] = 2 * ((limb) ((s32) in[0])) * ((s32) in[1]);
+ output[2] = 2 * (((limb) ((s32) in[1])) * ((s32) in[1]) +
+ ((limb) ((s32) in[0])) * ((s32) in[2]));
+ output[3] = 2 * (((limb) ((s32) in[1])) * ((s32) in[2]) +
+ ((limb) ((s32) in[0])) * ((s32) in[3]));
+ output[4] = ((limb) ((s32) in[2])) * ((s32) in[2]) +
+ 4 * ((limb) ((s32) in[1])) * ((s32) in[3]) +
+ 2 * ((limb) ((s32) in[0])) * ((s32) in[4]);
+ output[5] = 2 * (((limb) ((s32) in[2])) * ((s32) in[3]) +
+ ((limb) ((s32) in[1])) * ((s32) in[4]) +
+ ((limb) ((s32) in[0])) * ((s32) in[5]));
+ output[6] = 2 * (((limb) ((s32) in[3])) * ((s32) in[3]) +
+ ((limb) ((s32) in[2])) * ((s32) in[4]) +
+ ((limb) ((s32) in[0])) * ((s32) in[6]) +
+ 2 * ((limb) ((s32) in[1])) * ((s32) in[5]));
+ output[7] = 2 * (((limb) ((s32) in[3])) * ((s32) in[4]) +
+ ((limb) ((s32) in[2])) * ((s32) in[5]) +
+ ((limb) ((s32) in[1])) * ((s32) in[6]) +
+ ((limb) ((s32) in[0])) * ((s32) in[7]));
+ output[8] = ((limb) ((s32) in[4])) * ((s32) in[4]) +
+ 2 * (((limb) ((s32) in[2])) * ((s32) in[6]) +
+ ((limb) ((s32) in[0])) * ((s32) in[8]) +
+ 2 * (((limb) ((s32) in[1])) * ((s32) in[7]) +
+ ((limb) ((s32) in[3])) * ((s32) in[5])));
+ output[9] = 2 * (((limb) ((s32) in[4])) * ((s32) in[5]) +
+ ((limb) ((s32) in[3])) * ((s32) in[6]) +
+ ((limb) ((s32) in[2])) * ((s32) in[7]) +
+ ((limb) ((s32) in[1])) * ((s32) in[8]) +
+ ((limb) ((s32) in[0])) * ((s32) in[9]));
+ output[10] = 2 * (((limb) ((s32) in[5])) * ((s32) in[5]) +
+ ((limb) ((s32) in[4])) * ((s32) in[6]) +
+ ((limb) ((s32) in[2])) * ((s32) in[8]) +
+ 2 * (((limb) ((s32) in[3])) * ((s32) in[7]) +
+ ((limb) ((s32) in[1])) * ((s32) in[9])));
+ output[11] = 2 * (((limb) ((s32) in[5])) * ((s32) in[6]) +
+ ((limb) ((s32) in[4])) * ((s32) in[7]) +
+ ((limb) ((s32) in[3])) * ((s32) in[8]) +
+ ((limb) ((s32) in[2])) * ((s32) in[9]));
+ output[12] = ((limb) ((s32) in[6])) * ((s32) in[6]) +
+ 2 * (((limb) ((s32) in[4])) * ((s32) in[8]) +
+ 2 * (((limb) ((s32) in[5])) * ((s32) in[7]) +
+ ((limb) ((s32) in[3])) * ((s32) in[9])));
+ output[13] = 2 * (((limb) ((s32) in[6])) * ((s32) in[7]) +
+ ((limb) ((s32) in[5])) * ((s32) in[8]) +
+ ((limb) ((s32) in[4])) * ((s32) in[9]));
+ output[14] = 2 * (((limb) ((s32) in[7])) * ((s32) in[7]) +
+ ((limb) ((s32) in[6])) * ((s32) in[8]) +
+ 2 * ((limb) ((s32) in[5])) * ((s32) in[9]));
+ output[15] = 2 * (((limb) ((s32) in[7])) * ((s32) in[8]) +
+ ((limb) ((s32) in[6])) * ((s32) in[9]));
+ output[16] = ((limb) ((s32) in[8])) * ((s32) in[8]) +
+ 4 * ((limb) ((s32) in[7])) * ((s32) in[9]);
+ output[17] = 2 * ((limb) ((s32) in[8])) * ((s32) in[9]);
+ output[18] = 2 * ((limb) ((s32) in[9])) * ((s32) in[9]);
+}
+
+static void
+fsquare(limb *output, const limb *in) {
+ limb t[19];
+ fsquare_inner(t, in);
+ freduce_degree(t);
+ freduce_coefficients(t);
+ memcpy(output, t, sizeof(limb) * 10);
+}
+
+/* Take a little-endian, 32-byte number and expand it into polynomial form */
+static void
+fexpand(limb *output, const u8 *input) {
+#define F(n,start,shift,mask) \
+ output[n] = ((((limb) input[start + 0]) | \
+ ((limb) input[start + 1]) << 8 | \
+ ((limb) input[start + 2]) << 16 | \
+ ((limb) input[start + 3]) << 24) >> shift) & mask;
+ F(0, 0, 0, 0x3ffffff);
+ F(1, 3, 2, 0x1ffffff);
+ F(2, 6, 3, 0x3ffffff);
+ F(3, 9, 5, 0x1ffffff);
+ F(4, 12, 6, 0x3ffffff);
+ F(5, 16, 0, 0x1ffffff);
+ F(6, 19, 1, 0x3ffffff);
+ F(7, 22, 3, 0x1ffffff);
+ F(8, 25, 4, 0x3ffffff);
+ F(9, 28, 6, 0x3ffffff);
+#undef F
+}
+
+#if (-32 >> 1) != -16
+#error "This code only works when >> does sign-extension on negative numbers"
+#endif
+
+/* Take a fully reduced polynomial form number and contract it into a
+ * little-endian, 32-byte array
+ */
+static void
+fcontract(u8 *output, limb *input) {
+ int i;
+ int j;
+
+ for (j = 0; j < 2; ++j) {
+ for (i = 0; i < 9; ++i) {
+ if ((i & 1) == 1) {
+ /* This calculation is a time-invariant way to make input[i] positive
+ by borrowing from the next-larger limb.
+ */
+ const s32 mask = (s32)(input[i]) >> 31;
+ const s32 carry = -(((s32)(input[i]) & mask) >> 25);
+ input[i] = (s32)(input[i]) + (carry << 25);
+ input[i+1] = (s32)(input[i+1]) - carry;
+ } else {
+ const s32 mask = (s32)(input[i]) >> 31;
+ const s32 carry = -(((s32)(input[i]) & mask) >> 26);
+ input[i] = (s32)(input[i]) + (carry << 26);
+ input[i+1] = (s32)(input[i+1]) - carry;
+ }
+ }
+ {
+ const s32 mask = (s32)(input[9]) >> 31;
+ const s32 carry = -(((s32)(input[9]) & mask) >> 25);
+ input[9] = (s32)(input[9]) + (carry << 25);
+ input[0] = (s32)(input[0]) - (carry * 19);
+ }
+ }
+
+ /* The first borrow-propagation pass above ended with every limb
+ except (possibly) input[0] non-negative.
+
+ Since each input limb except input[0] is decreased by at most 1
+ by a borrow-propagation pass, the second borrow-propagation pass
+ could only have wrapped around to decrease input[0] again if the
+ first pass left input[0] negative *and* input[1] through input[9]
+ were all zero. In that case, input[1] is now 2^25 - 1, and this
+ last borrow-propagation step will leave input[1] non-negative.
+ */
+ {
+ const s32 mask = (s32)(input[0]) >> 31;
+ const s32 carry = -(((s32)(input[0]) & mask) >> 26);
+ input[0] = (s32)(input[0]) + (carry << 26);
+ input[1] = (s32)(input[1]) - carry;
+ }
+
+ /* Both passes through the above loop, plus the last 0-to-1 step, are
+ necessary: if input[9] is -1 and input[0] through input[8] are 0,
+ negative values will remain in the array until the end.
+ */
+
+ input[1] <<= 2;
+ input[2] <<= 3;
+ input[3] <<= 5;
+ input[4] <<= 6;
+ input[6] <<= 1;
+ input[7] <<= 3;
+ input[8] <<= 4;
+ input[9] <<= 6;
+#define F(i, s) \
+ output[s+0] |= input[i] & 0xff; \
+ output[s+1] = (input[i] >> 8) & 0xff; \
+ output[s+2] = (input[i] >> 16) & 0xff; \
+ output[s+3] = (input[i] >> 24) & 0xff;
+ output[0] = 0;
+ output[16] = 0;
+ F(0,0);
+ F(1,3);
+ F(2,6);
+ F(3,9);
+ F(4,12);
+ F(5,16);
+ F(6,19);
+ F(7,22);
+ F(8,25);
+ F(9,28);
+#undef F
+}
+
+/* Input: Q, Q', Q-Q'
+ * Output: 2Q, Q+Q'
+ *
+ * x2 z3: long form
+ * x3 z3: long form
+ * x z: short form, destroyed
+ * xprime zprime: short form, destroyed
+ * qmqp: short form, preserved
+ */
+static void fmonty(limb *x2, limb *z2, /* output 2Q */
+ limb *x3, limb *z3, /* output Q + Q' */
+ limb *x, limb *z, /* input Q */
+ limb *xprime, limb *zprime, /* input Q' */
+ const limb *qmqp /* input Q - Q' */) {
+ limb origx[10], origxprime[10], zzz[19], xx[19], zz[19], xxprime[19],
+ zzprime[19], zzzprime[19], xxxprime[19];
+
+ memcpy(origx, x, 10 * sizeof(limb));
+ fsum(x, z);
+ fdifference(z, origx); // does x - z
+
+ memcpy(origxprime, xprime, sizeof(limb) * 10);
+ fsum(xprime, zprime);
+ fdifference(zprime, origxprime);
+ fproduct(xxprime, xprime, z);
+ fproduct(zzprime, x, zprime);
+ freduce_degree(xxprime);
+ freduce_coefficients(xxprime);
+ freduce_degree(zzprime);
+ freduce_coefficients(zzprime);
+ memcpy(origxprime, xxprime, sizeof(limb) * 10);
+ fsum(xxprime, zzprime);
+ fdifference(zzprime, origxprime);
+ fsquare(xxxprime, xxprime);
+ fsquare(zzzprime, zzprime);
+ fproduct(zzprime, zzzprime, qmqp);
+ freduce_degree(zzprime);
+ freduce_coefficients(zzprime);
+ memcpy(x3, xxxprime, sizeof(limb) * 10);
+ memcpy(z3, zzprime, sizeof(limb) * 10);
+
+ fsquare(xx, x);
+ fsquare(zz, z);
+ fproduct(x2, xx, zz);
+ freduce_degree(x2);
+ freduce_coefficients(x2);
+ fdifference(zz, xx); // does zz = xx - zz
+ memset(zzz + 10, 0, sizeof(limb) * 9);
+ fscalar_product(zzz, zz, 121665);
+ /* No need to call freduce_degree here:
+ fscalar_product doesn't increase the degree of its input. */
+ freduce_coefficients(zzz);
+ fsum(zzz, xx);
+ fproduct(z2, zz, zzz);
+ freduce_degree(z2);
+ freduce_coefficients(z2);
+}
+
+/* Conditionally swap two reduced-form limb arrays if 'iswap' is 1, but leave
+ * them unchanged if 'iswap' is 0. Runs in data-invariant time to avoid
+ * side-channel attacks.
+ *
+ * NOTE that this function requires that 'iswap' be 1 or 0; other values give
+ * wrong results. Also, the two limb arrays must be in reduced-coefficient,
+ * reduced-degree form: the values in a[10..19] or b[10..19] aren't swapped,
+ * and all all values in a[0..9],b[0..9] must have magnitude less than
+ * INT32_MAX.
+ */
+static void
+swap_conditional(limb a[19], limb b[19], limb iswap) {
+ unsigned i;
+ const s32 swap = (s32) -iswap;
+
+ for (i = 0; i < 10; ++i) {
+ const s32 x = swap & ( ((s32)a[i]) ^ ((s32)b[i]) );
+ a[i] = ((s32)a[i]) ^ x;
+ b[i] = ((s32)b[i]) ^ x;
+ }
+}
+
+/* Calculates nQ where Q is the x-coordinate of a point on the curve
+ *
+ * resultx/resultz: the x coordinate of the resulting curve point (short form)
+ * n: a little endian, 32-byte number
+ * q: a point of the curve (short form)
+ */
+static void
+cmult(limb *resultx, limb *resultz, const u8 *n, const limb *q) {
+ limb a[19] = {0}, b[19] = {1}, c[19] = {1}, d[19] = {0};
+ limb *nqpqx = a, *nqpqz = b, *nqx = c, *nqz = d, *t;
+ limb e[19] = {0}, f[19] = {1}, g[19] = {0}, h[19] = {1};
+ limb *nqpqx2 = e, *nqpqz2 = f, *nqx2 = g, *nqz2 = h;
+
+ unsigned i, j;
+
+ memcpy(nqpqx, q, sizeof(limb) * 10);
+
+ for (i = 0; i < 32; ++i) {
+ u8 byte = n[31 - i];
+ for (j = 0; j < 8; ++j) {
+ const limb bit = byte >> 7;
+
+ swap_conditional(nqx, nqpqx, bit);
+ swap_conditional(nqz, nqpqz, bit);
+ fmonty(nqx2, nqz2,
+ nqpqx2, nqpqz2,
+ nqx, nqz,
+ nqpqx, nqpqz,
+ q);
+ swap_conditional(nqx2, nqpqx2, bit);
+ swap_conditional(nqz2, nqpqz2, bit);
+
+ t = nqx;
+ nqx = nqx2;
+ nqx2 = t;
+ t = nqz;
+ nqz = nqz2;
+ nqz2 = t;
+ t = nqpqx;
+ nqpqx = nqpqx2;
+ nqpqx2 = t;
+ t = nqpqz;
+ nqpqz = nqpqz2;
+ nqpqz2 = t;
+
+ byte <<= 1;
+ }
+ }
+
+ memcpy(resultx, nqx, sizeof(limb) * 10);
+ memcpy(resultz, nqz, sizeof(limb) * 10);
+}
+
+// -----------------------------------------------------------------------------
+// Shamelessly copied from djb's code
+// -----------------------------------------------------------------------------
+static void
+crecip(limb *out, const limb *z) {
+ limb z2[10];
+ limb z9[10];
+ limb z11[10];
+ limb z2_5_0[10];
+ limb z2_10_0[10];
+ limb z2_20_0[10];
+ limb z2_50_0[10];
+ limb z2_100_0[10];
+ limb t0[10];
+ limb t1[10];
+ int i;
+
+ /* 2 */ fsquare(z2,z);
+ /* 4 */ fsquare(t1,z2);
+ /* 8 */ fsquare(t0,t1);
+ /* 9 */ fmul(z9,t0,z);
+ /* 11 */ fmul(z11,z9,z2);
+ /* 22 */ fsquare(t0,z11);
+ /* 2^5 - 2^0 = 31 */ fmul(z2_5_0,t0,z9);
+
+ /* 2^6 - 2^1 */ fsquare(t0,z2_5_0);
+ /* 2^7 - 2^2 */ fsquare(t1,t0);
+ /* 2^8 - 2^3 */ fsquare(t0,t1);
+ /* 2^9 - 2^4 */ fsquare(t1,t0);
+ /* 2^10 - 2^5 */ fsquare(t0,t1);
+ /* 2^10 - 2^0 */ fmul(z2_10_0,t0,z2_5_0);
+
+ /* 2^11 - 2^1 */ fsquare(t0,z2_10_0);
+ /* 2^12 - 2^2 */ fsquare(t1,t0);
+ /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fsquare(t0,t1); fsquare(t1,t0); }
+ /* 2^20 - 2^0 */ fmul(z2_20_0,t1,z2_10_0);
+
+ /* 2^21 - 2^1 */ fsquare(t0,z2_20_0);
+ /* 2^22 - 2^2 */ fsquare(t1,t0);
+ /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fsquare(t0,t1); fsquare(t1,t0); }
+ /* 2^40 - 2^0 */ fmul(t0,t1,z2_20_0);
+
+ /* 2^41 - 2^1 */ fsquare(t1,t0);
+ /* 2^42 - 2^2 */ fsquare(t0,t1);
+ /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fsquare(t1,t0); fsquare(t0,t1); }
+ /* 2^50 - 2^0 */ fmul(z2_50_0,t0,z2_10_0);
+
+ /* 2^51 - 2^1 */ fsquare(t0,z2_50_0);
+ /* 2^52 - 2^2 */ fsquare(t1,t0);
+ /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fsquare(t0,t1); fsquare(t1,t0); }
+ /* 2^100 - 2^0 */ fmul(z2_100_0,t1,z2_50_0);
+
+ /* 2^101 - 2^1 */ fsquare(t1,z2_100_0);
+ /* 2^102 - 2^2 */ fsquare(t0,t1);
+ /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fsquare(t1,t0); fsquare(t0,t1); }
+ /* 2^200 - 2^0 */ fmul(t1,t0,z2_100_0);
+
+ /* 2^201 - 2^1 */ fsquare(t0,t1);
+ /* 2^202 - 2^2 */ fsquare(t1,t0);
+ /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fsquare(t0,t1); fsquare(t1,t0); }
+ /* 2^250 - 2^0 */ fmul(t0,t1,z2_50_0);
+
+ /* 2^251 - 2^1 */ fsquare(t1,t0);
+ /* 2^252 - 2^2 */ fsquare(t0,t1);
+ /* 2^253 - 2^3 */ fsquare(t1,t0);
+ /* 2^254 - 2^4 */ fsquare(t0,t1);
+ /* 2^255 - 2^5 */ fsquare(t1,t0);
+ /* 2^255 - 21 */ fmul(out,t1,z11);
+}
+
+int curve25519_donna(u8 *, const u8 *, const u8 *);
+
+int
+curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
+ limb bp[10], x[10], z[11], zmone[10];
+ uint8_t e[32];
+ int i;
+
+ for (i = 0; i < 32; ++i) e[i] = secret[i];
+ e[0] &= 248;
+ e[31] &= 127;
+ e[31] |= 64;
+
+ fexpand(bp, basepoint);
+ cmult(x, z, e, bp);
+ crecip(zmone, z);
+ fmul(z, x, zmone);
+ freduce_coefficients(z);
+ fcontract(mypublic, z);
+ return 0;
+}
View
6 library/jni/curve25519-donna.h
@@ -0,0 +1,6 @@
+#ifndef CURVE25519_DONNA_H
+#define CURVE25519_DONNA_H
+
+extern int curve25519_donna(uint8_t *, const uint8_t *, const uint8_t *);
+
+#endif
View
BIN library/libs/armeabi.jar
Binary file not shown.
View
BIN library/libs/libphonenumber-5.3.jar
Binary file not shown.
View
BIN library/libs/protobuf-java-2.4.1.jar
Binary file not shown.
View
BIN library/libs/sc-light-jdk15on-1.47.0.2.jar
Binary file not shown.
View
BIN library/libs/thoughtcrimegson-2.1.jar
Binary file not shown.
View
54 library/src/org/whispersystems/textsecure/crypto/IdentityKey.java
@@ -1,5 +1,6 @@
/**
* Copyright (C) 2011 Whisper Systems
+ * Copyright (C) 2013 Open Whisper Systems
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -19,8 +20,10 @@
import android.os.Parcel;
import android.os.Parcelable;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
+import org.whispersystems.textsecure.crypto.ecc.Curve;
+import org.whispersystems.textsecure.crypto.ecc.ECPublicKey;
import org.whispersystems.textsecure.util.Hex;
+import org.whispersystems.textsecure.util.Util;
/**
* A class for representing an identity key.
@@ -44,15 +47,15 @@ public IdentityKey createFromParcel(Parcel in) {
}
};
- public static final int SIZE = 1 + KeyUtil.POINT_SIZE;
- private static final int VERSION = 1;
-
- private ECPublicKeyParameters publicKey;
-
- public IdentityKey(ECPublicKeyParameters publicKey) {
+ public static final int SIZE = 1 + ECPublicKey.KEY_SIZE;
+ private static final int CURRENT_VESION = 1;
+
+ private ECPublicKey publicKey;
+
+ public IdentityKey(ECPublicKey publicKey) {
this.publicKey = publicKey;
}
-
+
public IdentityKey(Parcel in) throws InvalidKeyException {
int length = in.readInt();
byte[] serialized = new byte[length];
@@ -64,43 +67,42 @@ public IdentityKey(Parcel in) throws InvalidKeyException {
public IdentityKey(byte[] bytes, int offset) throws InvalidKeyException {
initializeFromSerialized(bytes, offset);
}
-
- public ECPublicKeyParameters getPublicKeyParameters() {
- return this.publicKey;
+
+ public ECPublicKey getPublicKey() {
+ return publicKey;
}
-
+
private void initializeFromSerialized(byte[] bytes, int offset) throws InvalidKeyException {
- int version = bytes[offset] & 0xff;
+ int version = bytes[offset] & 0xff;
- if (version > VERSION)
+ if (version > CURRENT_VESION)
throw new InvalidKeyException("Unsupported key version: " + version);
- this.publicKey = KeyUtil.decodePoint(bytes, offset+1);
+ this.publicKey = Curve.decodePoint(bytes, offset + 1);
}
public byte[] serialize() {
- byte[] encodedKey = KeyUtil.encodePoint(publicKey.getQ());
- byte[] combined = new byte[1 + encodedKey.length];
-
- combined[0] = (byte)VERSION;
- System.arraycopy(encodedKey, 0, combined, 1, encodedKey.length);
-
- return combined;
+ byte[] versionBytes = {(byte)CURRENT_VESION};
+ byte[] encodedKey = publicKey.serialize();
+
+ return Util.combine(versionBytes, encodedKey);
}
-
+
public String getFingerprint() {
- return Hex.toString(serialize());
+ return Hex.toString(publicKey.serialize());
}
@Override
public boolean equals(Object other) {
+ if (other == null) return false;
if (!(other instanceof IdentityKey)) return false;
- return publicKey.getQ().equals(((IdentityKey)other).publicKey.getQ());
+
+ return publicKey.equals(((IdentityKey) other).getPublicKey());
}
@Override
public int hashCode() {
- return publicKey.getQ().hashCode();
+ return publicKey.hashCode();
}
public int describeContents() {
View
8 library/src/org/whispersystems/textsecure/crypto/IdentityKeyPair.java
@@ -16,7 +16,7 @@
*/
package org.whispersystems.textsecure.crypto;
-import org.spongycastle.crypto.params.ECPrivateKeyParameters;
+import org.whispersystems.textsecure.crypto.ecc.ECPrivateKey;
/**
* Holder for public and private identity key pair.
@@ -26,9 +26,9 @@
public class IdentityKeyPair {
private final IdentityKey publicKey;
- private final ECPrivateKeyParameters privateKey;
+ private final ECPrivateKey privateKey;
- public IdentityKeyPair(IdentityKey publicKey, ECPrivateKeyParameters privateKey) {
+ public IdentityKeyPair(IdentityKey publicKey, ECPrivateKey privateKey) {
this.publicKey = publicKey;
this.privateKey = privateKey;
}
@@ -37,7 +37,7 @@ public IdentityKey getPublicKey() {
return publicKey;
}
- public ECPrivateKeyParameters getPrivateKey() {
+ public ECPrivateKey getPrivateKey() {
return privateKey;
}
}
View
41 library/src/org/whispersystems/textsecure/crypto/KeyPair.java
@@ -1,5 +1,6 @@
/**
* Copyright (C) 2011 Whisper Systems
+ * Copyright (C) 2013 Open Whisper Systems
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -16,13 +17,13 @@
*/
package org.whispersystems.textsecure.crypto;
-import org.spongycastle.crypto.AsymmetricCipherKeyPair;
-import org.spongycastle.crypto.params.ECPrivateKeyParameters;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
-import org.whispersystems.textsecure.util.Hex;
-
import android.util.Log;
+import org.whispersystems.textsecure.crypto.ecc.ECKeyPair;
+import org.whispersystems.textsecure.crypto.ecc.ECPrivateKey;
+import org.whispersystems.textsecure.util.Hex;
+import org.whispersystems.textsecure.util.Util;
+
/**
* Represents a session's active KeyPair.
*
@@ -31,15 +32,15 @@
public class KeyPair {
- private ECPrivateKeyParameters privateKey;
- private PublicKey publicKey;
-
+ private PublicKey publicKey;
+ private ECPrivateKey privateKey;
+
private final MasterCipher masterCipher;
- public KeyPair(int keyPairId, AsymmetricCipherKeyPair keyPair, MasterSecret masterSecret) {
+ public KeyPair(int keyPairId, ECKeyPair keyPair, MasterSecret masterSecret) {
this.masterCipher = new MasterCipher(masterSecret);
- this.publicKey = new PublicKey(keyPairId, (ECPublicKeyParameters)keyPair.getPublic());
- this.privateKey = (ECPrivateKeyParameters)keyPair.getPrivate();
+ this.publicKey = new PublicKey(keyPairId, keyPair.getPublicKey());
+ this.privateKey = keyPair.getPrivateKey();
}
public KeyPair(byte[] bytes, MasterCipher masterCipher) throws InvalidKeyException {
@@ -54,11 +55,11 @@ public int getId() {
public PublicKey getPublicKey() {
return publicKey;
}
-
- public AsymmetricCipherKeyPair getKeyPair() {
- return new AsymmetricCipherKeyPair(publicKey.getKey(), privateKey);
+
+ public ECPrivateKey getPrivateKey() {
+ return privateKey;
}
-
+
public byte[] toBytes() {
return serialize();
}
@@ -67,18 +68,14 @@ private void deserialize(byte[] bytes) throws InvalidKeyException {
this.publicKey = new PublicKey(bytes);
byte[] privateKeyBytes = new byte[bytes.length - PublicKey.KEY_SIZE];
System.arraycopy(bytes, PublicKey.KEY_SIZE, privateKeyBytes, 0, privateKeyBytes.length);
- this.privateKey = masterCipher.decryptKey(privateKeyBytes);
+ this.privateKey = masterCipher.decryptKey(this.publicKey.getType(), privateKeyBytes);
}
public byte[] serialize() {
byte[] publicKeyBytes = publicKey.serialize();
Log.w("KeyPair", "Serialized public key bytes: " + Hex.toString(publicKeyBytes));
- byte[] privateKeyBytes = masterCipher.encryptKey(privateKey);
- byte[] combined = new byte[publicKeyBytes.length + privateKeyBytes.length];
- System.arraycopy(publicKeyBytes, 0, combined, 0, publicKeyBytes.length);
- System.arraycopy(privateKeyBytes, 0, combined, publicKeyBytes.length, privateKeyBytes.length);
-
- return combined;
+ byte[] privateKeyBytes = masterCipher.encryptKey(privateKey);
+ return Util.combine(publicKeyBytes, privateKeyBytes);
}
}
View
104 library/src/org/whispersystems/textsecure/crypto/KeyUtil.java
@@ -1,5 +1,5 @@
/**
- * Copyright (C) 2011 Whisper Systems
+ * Copyright (C) 2013 Open Whisper Systems
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -16,26 +16,17 @@
*/
package org.whispersystems.textsecure.crypto;
-import java.math.BigInteger;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
+import android.content.Context;
+import android.util.Log;
-import org.spongycastle.crypto.AsymmetricCipherKeyPair;
-import org.spongycastle.crypto.agreement.ECDHBasicAgreement;
-import org.spongycastle.crypto.generators.ECKeyPairGenerator;
-import org.spongycastle.crypto.params.ECDomainParameters;
-import org.spongycastle.crypto.params.ECKeyGenerationParameters;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
-import org.spongycastle.math.ec.ECCurve;
-import org.spongycastle.math.ec.ECFieldElement;
-import org.spongycastle.math.ec.ECPoint;
+import org.whispersystems.textsecure.crypto.ecc.Curve;
import org.whispersystems.textsecure.storage.CanonicalRecipientAddress;
import org.whispersystems.textsecure.storage.LocalKeyRecord;
import org.whispersystems.textsecure.storage.RemoteKeyRecord;
import org.whispersystems.textsecure.storage.SessionRecord;
-import android.content.Context;
-import android.util.Log;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
/**
* Helper class for generating key pairs and calculating ECDH agreements.
@@ -45,52 +36,6 @@
public class KeyUtil {
- public static final BigInteger q = new BigInteger("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 16);
- private static final BigInteger a = new BigInteger("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", 16);
- private static final BigInteger b = new BigInteger("5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", 16);
- private static final BigInteger n = new BigInteger("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16);
-
- private static final ECFieldElement x = new ECFieldElement.Fp(q, new BigInteger("6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", 16));
- private static final ECFieldElement y = new ECFieldElement.Fp(q, new BigInteger("4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", 16));
-
- private static final ECCurve curve = new ECCurve.Fp(q, a, b);
- private static final ECPoint g = new ECPoint.Fp(curve, x, y, true);
-
- public static final int POINT_SIZE = 33;
-
- public static final ECDomainParameters domainParameters = new ECDomainParameters(curve, g, n);
-
- public static byte[] encodePoint(ECPoint point) {
- synchronized (curve) {
- return point.getEncoded();
- }
- }
-
- public static ECPublicKeyParameters decodePoint(byte[] encoded, int offset)
- throws InvalidKeyException
- {
- byte[] pointBytes = new byte[POINT_SIZE];
- System.arraycopy(encoded, offset, pointBytes, 0, pointBytes.length);
-
- synchronized (curve) {
- ECPoint Q;
-
- try {
- Q = curve.decodePoint(pointBytes);
- } catch (RuntimeException re) {
- throw new InvalidKeyException(re);
- }
-
- return new ECPublicKeyParameters(Q, KeyUtil.domainParameters);
- }
- }
-
- public static BigInteger calculateAgreement(ECDHBasicAgreement agreement, ECPublicKeyParameters remoteKey) {
- synchronized (curve) {
- return agreement.calculateAgreement(remoteKey);
- }
- }
-
public static void abortSessionFor(Context context, CanonicalRecipientAddress recipient) {
//XXX Obviously we should probably do something more thorough here eventually.
Log.w("KeyUtil", "Aborting session, deleting keys...");
@@ -120,17 +65,18 @@ public static boolean isIdentityKeyFor(Context context,
new SessionRecord(context, masterSecret, recipient).getIdentityKey() != null;
}
- public static LocalKeyRecord initializeRecordFor(CanonicalRecipientAddress recipient,
- Context context,
- MasterSecret masterSecret)
+ public static LocalKeyRecord initializeRecordFor(Context context,
+ MasterSecret masterSecret,
+ CanonicalRecipientAddress recipient,
+ int sessionVersion)
{
Log.w("KeyUtil", "Initializing local key pairs...");
try {
SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
int initialId = secureRandom.nextInt(4094) + 1;
- KeyPair currentPair = new KeyPair(initialId, KeyUtil.generateKeyPair(), masterSecret);
- KeyPair nextPair = new KeyPair(initialId + 1, KeyUtil.generateKeyPair(), masterSecret);
+ KeyPair currentPair = new KeyPair(initialId, Curve.generateKeyPairForSession(sessionVersion), masterSecret);
+ KeyPair nextPair = new KeyPair(initialId + 1, Curve.generateKeyPairForSession(sessionVersion), masterSecret);
LocalKeyRecord record = new LocalKeyRecord(context, masterSecret, recipient);
record.setCurrentKeyPair(currentPair);
@@ -143,30 +89,4 @@ public static LocalKeyRecord initializeRecordFor(CanonicalRecipientAddress recip
}
}
- public static AsymmetricCipherKeyPair generateKeyPair() {
- try {
- synchronized (curve) {
- ECKeyGenerationParameters keyParamters = new ECKeyGenerationParameters(domainParameters, SecureRandom.getInstance("SHA1PRNG"));
- ECKeyPairGenerator generator = new ECKeyPairGenerator();
- generator.init(keyParamters);
-
- AsymmetricCipherKeyPair keyPair = generator.generateKeyPair();
-
- return cloneKeyPairWithPointCompression(keyPair);
- }
- } catch (NoSuchAlgorithmException nsae) {
- Log.w("keyutil", nsae);
- return null;
- }
- }
-
- // This is dumb, but the ECPublicKeys that the generator makes by default don't have point compression
- // turned on, and there's no setter. Great.
- private static AsymmetricCipherKeyPair cloneKeyPairWithPointCompression(AsymmetricCipherKeyPair keyPair) {
- ECPublicKeyParameters publicKey = (ECPublicKeyParameters)keyPair.getPublic();
- ECPoint q = publicKey.getQ();
-
- return new AsymmetricCipherKeyPair(new ECPublicKeyParameters(new ECPoint.Fp(q.getCurve(), q.getX(), q.getY(), true), publicKey.getParameters()), keyPair.getPrivate());
- }
-
}
View
35 library/src/org/whispersystems/textsecure/crypto/MasterCipher.java
@@ -1,5 +1,6 @@
/**
* Copyright (C) 2011 Whisper Systems
+ * Copyright (C) 2013 Open Whisper Systems
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -16,8 +17,14 @@
*/
package org.whispersystems.textsecure.crypto;
+import android.util.Log;
+
+import org.whispersystems.textsecure.crypto.ecc.Curve;
+import org.whispersystems.textsecure.crypto.ecc.ECPrivateKey;
+import org.whispersystems.textsecure.util.Base64;
+import org.whispersystems.textsecure.util.Hex;
+
import java.io.IOException;
-import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
@@ -32,12 +39,6 @@
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
-import org.spongycastle.crypto.params.ECPrivateKeyParameters;
-import org.whispersystems.textsecure.util.Base64;
-import org.whispersystems.textsecure.util.Hex;
-
-import android.util.Log;
-
/**
* Class that handles encryption for local storage.
*
@@ -69,13 +70,11 @@ public MasterCipher(MasterSecret masterSecret) {
throw new AssertionError(e);
}
}
-
- public byte[] encryptKey(ECPrivateKeyParameters params) {
- BigInteger d = params.getD();
- byte[] dBytes = d.toByteArray();
- return encryptBytes(dBytes);
+
+ public byte[] encryptKey(ECPrivateKey privateKey) {
+ return encryptBytes(privateKey.serialize());
}
-
+
public String encryptBody(String body) {
return encryptAndEncodeBytes(body.getBytes());
}
@@ -84,13 +83,13 @@ public String decryptBody(String body) throws InvalidMessageException {
return new String(decodeAndDecryptBytes(body));
}
- public ECPrivateKeyParameters decryptKey(byte[] key) {
+ public ECPrivateKey decryptKey(int type, byte[] key)
+ throws org.whispersystems.textsecure.crypto.InvalidKeyException
+ {
try {
- BigInteger d = new BigInteger(decryptBytes(key));
- return new ECPrivateKeyParameters(d, KeyUtil.domainParameters);
+ return Curve.decodePrivatePoint(type, decryptBytes(key));
} catch (InvalidMessageException ime) {
- Log.w("bodycipher", ime);
- return null; // XXX
+ throw new org.whispersystems.textsecure.crypto.InvalidKeyException(ime);
}
}
View
19 library/src/org/whispersystems/textsecure/crypto/MessageCipher.java
@@ -1,5 +1,6 @@
/**
* Copyright (C) 2011 Whisper Systems
+ * Copyright (C) 2013 Open Whisper Systems
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -57,14 +58,12 @@ public CiphertextMessage encrypt(CanonicalRecipientAddress recipient, byte[] pad
try {
CiphertextMessage message = new CiphertextMessage(ciphertext);
- int messageVersion = message.getCurrentVersion();
- int supportedVersion = message.getSupportedVersion();
- int negotiatedVersion = Math.min(supportedVersion, CiphertextMessage.SUPPORTED_VERSION);
- int senderKeyId = message.getSenderKeyId();
- int receiverKeyId = message.getReceiverKeyId();
- PublicKey nextRemoteKey = new PublicKey(message.getNextKeyBytes());
- int counter = message.getCounter();
- byte[] body = message.getBody();
+ int messageVersion = message.getCurrentVersion();
+ int senderKeyId = message.getSenderKeyId();
+ int receiverKeyId = message.getReceiverKeyId();
+ PublicKey nextRemoteKey = new PublicKey(message.getNextKeyBytes());
+ int counter = message.getCounter();
+ byte[] body = message.getBody();
SessionCipher sessionCipher = new SessionCipher();
SessionCipherContext sessionContext = sessionCipher.getDecryptionContext(context, masterSecret,
@@ -73,8 +72,7 @@ public CiphertextMessage encrypt(CanonicalRecipientAddress recipient, byte[] pad
receiverKeyId,
nextRemoteKey,
counter,
- messageVersion,
- negotiatedVersion);
+ messageVersion);
message.verifyMac(sessionContext);
@@ -84,5 +82,4 @@ public CiphertextMessage encrypt(CanonicalRecipientAddress recipient, byte[] pad
}
}
}
-
}
View
47 library/src/org/whispersystems/textsecure/crypto/PreKeyPair.java
@@ -1,40 +1,53 @@
+/**
+ * Copyright (C) 2013 Open Whisper Systems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
package org.whispersystems.textsecure.crypto;
-import org.spongycastle.crypto.AsymmetricCipherKeyPair;
-import org.spongycastle.crypto.params.ECPrivateKeyParameters;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
+import org.whispersystems.textsecure.crypto.ecc.ECKeyPair;
+import org.whispersystems.textsecure.crypto.ecc.ECPrivateKey;
import org.whispersystems.textsecure.util.Util;
public class PreKeyPair {
- private final MasterCipher masterCipher;
- private final ECPrivateKeyParameters privateKey;
- private final PreKeyPublic publicKey;
+ private final MasterCipher masterCipher;
+ private final PreKeyPublic publicKey;
+ private final ECPrivateKey privateKey;
- public PreKeyPair(MasterSecret masterSecret, AsymmetricCipherKeyPair keyPair) {
+ public PreKeyPair(MasterSecret masterSecret, ECKeyPair keyPair) {
this.masterCipher = new MasterCipher(masterSecret);
- this.publicKey = new PreKeyPublic((ECPublicKeyParameters)keyPair.getPublic());
- this.privateKey = (ECPrivateKeyParameters)keyPair.getPrivate();
+ this.publicKey = new PreKeyPublic(keyPair.getPublicKey());
+ this.privateKey = keyPair.getPrivateKey();
}
public PreKeyPair(MasterSecret masterSecret, byte[] serialized) throws InvalidKeyException {
- if (serialized.length < KeyUtil.POINT_SIZE + 1)
- throw new InvalidKeyException("Serialized length: " + serialized.length);
-
- byte[] privateKeyBytes = new byte[serialized.length - KeyUtil.POINT_SIZE];
- System.arraycopy(serialized, KeyUtil.POINT_SIZE, privateKeyBytes, 0, privateKeyBytes.length);
+ byte[] privateKeyBytes = new byte[serialized.length - PreKeyPublic.KEY_SIZE];
+ System.arraycopy(serialized, PreKeyPublic.KEY_SIZE, privateKeyBytes, 0, privateKeyBytes.length);
this.masterCipher = new MasterCipher(masterSecret);
this.publicKey = new PreKeyPublic(serialized, 0);
- this.privateKey = masterCipher.decryptKey(privateKeyBytes);
+ this.privateKey = masterCipher.decryptKey(this.publicKey.getType(), privateKeyBytes);
}
public PreKeyPublic getPublicKey() {
return publicKey;
}
- public AsymmetricCipherKeyPair getKeyPair() {
- return new AsymmetricCipherKeyPair(publicKey.getPublicKey(), privateKey);
+ public ECKeyPair getKeyPair() {
+ return new ECKeyPair(publicKey.getPublicKey(), privateKey);
}
public byte[] serialize() {
View
36 library/src/org/whispersystems/textsecure/crypto/PreKeyPublic.java
@@ -1,25 +1,49 @@
+/**
+ * Copyright (C) 2013 Open Whisper Systems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
package org.whispersystems.textsecure.crypto;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
+import org.whispersystems.textsecure.crypto.ecc.Curve;
+import org.whispersystems.textsecure.crypto.ecc.ECPublicKey;
+import org.whispersystems.textsecure.util.Util;
public class PreKeyPublic {
- private final ECPublicKeyParameters publicKey;
+ public static final int KEY_SIZE = ECPublicKey.KEY_SIZE;
+
+ private final ECPublicKey publicKey;
- public PreKeyPublic(ECPublicKeyParameters publicKey) {
+ public PreKeyPublic(ECPublicKey publicKey) {
this.publicKey = publicKey;
}
public PreKeyPublic(byte[] serialized, int offset) throws InvalidKeyException {
- this.publicKey = KeyUtil.decodePoint(serialized, offset);
+ this.publicKey = Curve.decodePoint(serialized, offset);
}
public byte[] serialize() {
- return KeyUtil.encodePoint(publicKey.getQ());
+ return publicKey.serialize();
}
- public ECPublicKeyParameters getPublicKey() {
+ public ECPublicKey getPublicKey() {
return publicKey;
}
+ public int getType() {
+ return this.publicKey.getType();
+ }
}
View
25 library/src/org/whispersystems/textsecure/crypto/PreKeyUtil.java
@@ -1,9 +1,28 @@
+/**
+ * Copyright (C) 2013 Open Whisper Systems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
package org.whispersystems.textsecure.crypto;
import android.content.Context;
import android.util.Log;
import com.google.thoughtcrimegson.Gson;
+
+import org.whispersystems.textsecure.crypto.ecc.Curve25519;
import org.whispersystems.textsecure.storage.InvalidKeyIdException;
import org.whispersystems.textsecure.storage.PreKeyRecord;
import org.whispersystems.textsecure.util.Medium;
@@ -21,15 +40,15 @@
public class PreKeyUtil {
- public static final int BATCH_SIZE = 70;
+ public static final int BATCH_SIZE = 20;
public static List<PreKeyRecord> generatePreKeys(Context context, MasterSecret masterSecret) {
List<PreKeyRecord> records = new LinkedList<PreKeyRecord>();
int preKeyIdOffset = getNextPreKeyId(context);
for (int i=0;i<BATCH_SIZE;i++) {
int preKeyId = (preKeyIdOffset + i) % Medium.MAX_VALUE;
- PreKeyPair keyPair = new PreKeyPair(masterSecret, KeyUtil.generateKeyPair());
+ PreKeyPair keyPair = new PreKeyPair(masterSecret, Curve25519.generateKeyPair());
PreKeyRecord record = new PreKeyRecord(context, masterSecret, preKeyId, keyPair);
record.save();
@@ -50,7 +69,7 @@ public static PreKeyRecord generateLastResortKey(Context context, MasterSecret m
}
}
- PreKeyPair keyPair = new PreKeyPair(masterSecret, KeyUtil.generateKeyPair());
+ PreKeyPair keyPair = new PreKeyPair(masterSecret, Curve25519.generateKeyPair());
PreKeyRecord record = new PreKeyRecord(context, masterSecret, Medium.MAX_VALUE, keyPair);
record.save();
View
42 library/src/org/whispersystems/textsecure/crypto/PublicKey.java
@@ -1,5 +1,6 @@
/**
* Copyright (C) 2011 Whisper Systems
+ * Copyright (C) 2013 Open Whisper Systems
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -18,17 +19,20 @@
import android.util.Log;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
-import org.whispersystems.textsecure.util.Hex;
+import org.whispersystems.textsecure.crypto.ecc.Curve;
+import org.whispersystems.textsecure.crypto.ecc.ECPublicKey;
import org.whispersystems.textsecure.util.Conversions;
+import org.whispersystems.textsecure.util.Hex;
+import org.whispersystems.textsecure.util.Util;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class PublicKey {
- public static final int KEY_SIZE = 3 + KeyUtil.POINT_SIZE;
-
- private final ECPublicKeyParameters publicKey;
+
+ public static final int KEY_SIZE = 3 + ECPublicKey.KEY_SIZE;
+
+ private final ECPublicKey publicKey;
private int id;
public PublicKey(PublicKey publicKey) {
@@ -38,7 +42,7 @@ public PublicKey(PublicKey publicKey) {
this.publicKey = publicKey.publicKey;
}
- public PublicKey(int id, ECPublicKeyParameters publicKey) {
+ public PublicKey(int id, ECPublicKey publicKey) {
this.publicKey = publicKey;
this.id = id;
}
@@ -50,16 +54,21 @@ public PublicKey(int preKeyId, PreKeyPublic publicKey) {
public PublicKey(byte[] bytes, int offset) throws InvalidKeyException {
Log.w("PublicKey", "PublicKey Length: " + (bytes.length - offset));
+
if ((bytes.length - offset) < KEY_SIZE)
throw new InvalidKeyException("Provided bytes are too short.");
-
+
this.id = Conversions.byteArrayToMedium(bytes, offset);
- this.publicKey = KeyUtil.decodePoint(bytes, offset + 3);
+ this.publicKey = Curve.decodePoint(bytes, offset + 3);
}
-
+
public PublicKey(byte[] bytes) throws InvalidKeyException {
this(bytes, 0);
}
+
+ public int getType() {
+ return publicKey.getType();
+ }
public void setId(int id) {
this.id = id;
@@ -69,7 +78,7 @@ public int getId() {
return id;
}
- public ECPublicKeyParameters getKey() {
+ public ECPublicKey getKey() {
return publicKey;
}
@@ -88,14 +97,11 @@ public String getFingerprint() {
}
public byte[] serialize() {
- byte[] complete = new byte[KEY_SIZE];
- byte[] serializedPoint = KeyUtil.encodePoint(publicKey.getQ());
+ byte[] keyIdBytes = Conversions.mediumToByteArray(id);
+ byte[] serializedPoint = publicKey.serialize();
Log.w("PublicKey", "Serializing public key point: " + Hex.toString(serializedPoint));
-
- Conversions.mediumToByteArray(complete, 0, id);
- System.arraycopy(serializedPoint, 0, complete, 3, serializedPoint.length);
-
- return complete;
- }
+
+ return Util.combine(keyIdBytes, serializedPoint);
+ }
}
View
78 library/src/org/whispersystems/textsecure/crypto/SessionCipher.java
@@ -1,5 +1,5 @@
/**
- * Copyright (C) 2011 Whisper Systems
+ * Copyright (C) 2013 Open Whisper Systems
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -19,7 +19,7 @@
import android.content.Context;
import android.util.Log;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
+import org.whispersystems.textsecure.crypto.ecc.ECPublicKey;
import org.whispersystems.textsecure.crypto.kdf.DerivedSecrets;
import org.whispersystems.textsecure.crypto.protocol.CiphertextMessage;
import org.whispersystems.textsecure.storage.CanonicalRecipientAddress;
@@ -30,17 +30,16 @@
import org.whispersystems.textsecure.storage.SessionRecord;
import org.whispersystems.textsecure.util.Conversions;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
-import java.math.BigInteger;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
/**
* This is where the session encryption magic happens. Implements a compressed version of the OTR protocol.
@@ -61,19 +60,21 @@ public SessionCipherContext getEncryptionContext(Context context,
CanonicalRecipientAddress recipient)
{
try {
- KeyRecords records = getKeyRecords(context, masterSecret, recipient);
- int localKeyId = records.getLocalKeyRecord().getCurrentKeyPair().getId();
- int remoteKeyId = records.getRemoteKeyRecord().getCurrentRemoteKey().getId();
- int negotiatedVersion = records.getSessionRecord().getSessionVersion();
- SessionKey sessionKey = getSessionKey(masterSecret, Cipher.ENCRYPT_MODE, negotiatedVersion, localIdentityKey, records, localKeyId, remoteKeyId);
- PublicKey nextKey = records.getLocalKeyRecord().getNextKeyPair().getPublicKey();
- int counter = records.getSessionRecord().getCounter();
+ KeyRecords records = getKeyRecords(context, masterSecret, recipient);
+ int localKeyId = records.getLocalKeyRecord().getCurrentKeyPair().getId();
+ int remoteKeyId = records.getRemoteKeyRecord().getCurrentRemoteKey().getId();
+ int sessionVersion = records.getSessionRecord().getSessionVersion();
+ SessionKey sessionKey = getSessionKey(masterSecret, Cipher.ENCRYPT_MODE, sessionVersion, localIdentityKey, records, localKeyId, remoteKeyId);
+ PublicKey nextKey = records.getLocalKeyRecord().getNextKeyPair().getPublicKey();
+ int counter = records.getSessionRecord().getCounter();
return new SessionCipherContext(records, sessionKey, localKeyId, remoteKeyId,
- nextKey, counter, negotiatedVersion, negotiatedVersion);
+ nextKey, counter, sessionVersion);
} catch (InvalidKeyIdException e) {
throw new IllegalArgumentException(e);
+ } catch (InvalidKeyException e) {
+ throw new IllegalArgumentException(e);
}
}
@@ -82,7 +83,7 @@ public SessionCipherContext getDecryptionContext(Context context, MasterSecret m
CanonicalRecipientAddress recipient,
int senderKeyId, int recipientKeyId,
PublicKey nextKey, int counter,
- int messageVersion, int negotiatedVersion)
+ int messageVersion)
throws InvalidMessageException
{
try {
@@ -94,12 +95,16 @@ public SessionCipherContext getDecryptionContext(Context context, MasterSecret m
records.getSessionRecord().getNegotiatedSessionVersion());
}
- SessionKey sessionKey = getSessionKey(masterSecret, Cipher.DECRYPT_MODE, messageVersion, localIdentityKey, records, recipientKeyId, senderKeyId);
+ SessionKey sessionKey = getSessionKey(masterSecret, Cipher.DECRYPT_MODE, messageVersion,
+ localIdentityKey, records, recipientKeyId, senderKeyId);
+
return new SessionCipherContext(records, sessionKey, senderKeyId,
recipientKeyId, nextKey, counter,
- messageVersion, negotiatedVersion);
+ messageVersion);
} catch (InvalidKeyIdException e) {
throw new InvalidMessageException(e);
+ } catch (InvalidKeyException e) {
+ throw new InvalidMessageException(e);
}
}
@@ -125,7 +130,9 @@ public SessionCipherContext getDecryptionContext(Context context, MasterSecret m
{
Log.w("SessionCipher", "Decrypting message...");
try {
- byte[] plaintextWithPadding = getPlaintext(decodedCiphertext, context.getSessionKey().getCipherKey(), context.getCounter());
+ byte[] plaintextWithPadding = getPlaintext(decodedCiphertext,
+ context.getSessionKey().getCipherKey(),
+ context.getCounter());
context.getRemoteKeyRecord().updateCurrentRemoteKey(context.getNextKey());
context.getRemoteKeyRecord().save();
@@ -134,7 +141,6 @@ public SessionCipherContext getDecryptionContext(Context context, MasterSecret m
context.getLocalKeyRecord().save();
context.getSessionRecord().setSessionKey(context.getSessionKey());
- context.getSessionRecord().setSessionVersion(context.getNegotiatedVersion());
context.getSessionRecord().setPrekeyBundleRequired(false);
context.getSessionRecord().save();
@@ -175,7 +181,7 @@ private Cipher getCipher(int mode, SecretKeySpec key, int counter) {
throw new IllegalArgumentException("AES Not Supported!");
} catch (NoSuchPaddingException e) {
throw new IllegalArgumentException("NoPadding Not Supported!");
- } catch (InvalidKeyException e) {
+ } catch (java.security.InvalidKeyException e) {
Log.w("SessionCipher", e);
throw new IllegalArgumentException("Invaid Key?");
} catch (InvalidAlgorithmParameterException e) {
@@ -189,7 +195,7 @@ private SessionKey getSessionKey(MasterSecret masterSecret, int mode,
IdentityKeyPair localIdentityKey,
KeyRecords records,
int localKeyId, int remoteKeyId)
- throws InvalidKeyIdException
+ throws InvalidKeyIdException, InvalidKeyException
{
Log.w("SessionCipher", "Getting session key for local: " + localKeyId + " remote: " + remoteKeyId);
SessionKey sessionKey = records.getSessionRecord().getSessionKey(mode, localKeyId, remoteKeyId);
@@ -208,12 +214,12 @@ private DerivedSecrets calculateSharedSecret(int messageVersion, int mode,
IdentityKeyPair localIdentityKey,
KeyRecords records,
int localKeyId, int remoteKeyId)
- throws InvalidKeyIdException
+ throws InvalidKeyIdException, InvalidKeyException
{
- KeyPair localKeyPair = records.getLocalKeyRecord().getKeyPairForId(localKeyId);
- ECPublicKeyParameters remoteKey = records.getRemoteKeyRecord().getKeyForId(remoteKeyId).getKey();
- IdentityKey remoteIdentityKey = records.getSessionRecord().getIdentityKey();
- boolean isLowEnd = isLowEnd(records, localKeyId, remoteKeyId);
+ KeyPair localKeyPair = records.getLocalKeyRecord().getKeyPairForId(localKeyId);
+ ECPublicKey remoteKey = records.getRemoteKeyRecord().getKeyForId(remoteKeyId).getKey();
+ IdentityKey remoteIdentityKey = records.getSessionRecord().getIdentityKey();
+ boolean isLowEnd = isLowEnd(records, localKeyId, remoteKeyId);
isLowEnd = (mode == Cipher.ENCRYPT_MODE ? isLowEnd : !isLowEnd);
@@ -233,13 +239,10 @@ private DerivedSecrets calculateSharedSecret(int messageVersion, int mode,
private boolean isLowEnd(KeyRecords records, int localKeyId, int remoteKeyId)
throws InvalidKeyIdException
{
- ECPublicKeyParameters localPublic = records.getLocalKeyRecord().getKeyPairForId(localKeyId).getPublicKey().getKey();
- ECPublicKeyParameters remotePublic = records.getRemoteKeyRecord().getKeyForId(remoteKeyId).getKey();
-
- BigInteger local = localPublic.getQ().getX().toBigInteger();
- BigInteger remote = remotePublic.getQ().getX().toBigInteger();
+ ECPublicKey localPublic = records.getLocalKeyRecord().getKeyPairForId(localKeyId).getPublicKey().getKey();
+ ECPublicKey remotePublic = records.getRemoteKeyRecord().getKeyForId(remoteKeyId).getKey();
- return local.compareTo(remote) < 0;
+ return localPublic.compareTo(remotePublic) < 0;
}
private boolean isInitiallyExchangedKeys(KeyRecords records, int localKeyId, int remoteKeyId)
@@ -297,16 +300,14 @@ private SessionRecord getSessionRecord() {
private final PublicKey nextKey;
private final int counter;
private final int messageVersion;
- private final int negotiatedVersion;
public SessionCipherContext(KeyRecords records,
SessionKey sessionKey,
int senderKeyId,
int receiverKeyId,
PublicKey nextKey,
int counter,
- int messageVersion,
- int negotiatedVersion)
+ int messageVersion)
{
this.localKeyRecord = records.getLocalKeyRecord();
this.remoteKeyRecord = records.getRemoteKeyRecord();
@@ -317,7 +318,6 @@ public SessionCipherContext(KeyRecords records,
this.nextKey = nextKey;
this.counter = counter;
this.messageVersion = messageVersion;
- this.negotiatedVersion = negotiatedVersion;
}
public LocalKeyRecord getLocalKeyRecord() {
@@ -352,10 +352,6 @@ public int getRecipientKeyId() {
return recipientKeyId;
}
- public int getNegotiatedVersion() {
- return negotiatedVersion;
- }
-
public int getMessageVersion() {
return messageVersion;
}
View
76 library/src/org/whispersystems/textsecure/crypto/SharedSecretCalculator.java
@@ -1,18 +1,33 @@
+/**
+ * Copyright (C) 2013 Open Whisper Systems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
package org.whispersystems.textsecure.crypto;
import android.util.Log;
-import org.spongycastle.crypto.CipherParameters;
-import org.spongycastle.crypto.agreement.ECDHBasicAgreement;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
+import org.whispersystems.textsecure.crypto.ecc.Curve;
+import org.whispersystems.textsecure.crypto.ecc.ECPublicKey;
import org.whispersystems.textsecure.crypto.kdf.DerivedSecrets;
import org.whispersystems.textsecure.crypto.kdf.HKDF;
import org.whispersystems.textsecure.crypto.kdf.KDF;
import org.whispersystems.textsecure.crypto.kdf.NKDF;
import org.whispersystems.textsecure.crypto.protocol.CiphertextMessage;
import org.whispersystems.textsecure.util.Conversions;
-import java.math.BigInteger;
import java.util.LinkedList;
import java.util.List;
@@ -21,34 +36,34 @@
public static DerivedSecrets calculateSharedSecret(boolean isLowEnd, KeyPair localKeyPair,
int localKeyId,
IdentityKeyPair localIdentityKeyPair,
- ECPublicKeyParameters remoteKey,
+ ECPublicKey remoteKey,
int remoteKeyId,
IdentityKey remoteIdentityKey)
+ throws InvalidKeyException
{
- Log.w("SharedSecretCalculator", "Calculating shared secret with cradle agreement...");
- KDF kdf = new HKDF();
- List<BigInteger> results = new LinkedList<BigInteger>();
+ Log.w("SharedSecretCalculator", "Calculating shared secret with 3DHE agreement...");
+ KDF kdf = new HKDF();
+ List<byte[]> results = new LinkedList<byte[]>();
if (isSmaller(localKeyPair.getPublicKey().getKey(), remoteKey)) {
- results.add(calculateAgreement(localIdentityKeyPair.getPrivateKey(), remoteKey));
-
- results.add(calculateAgreement(localKeyPair.getKeyPair().getPrivate(),
- remoteIdentityKey.getPublicKeyParameters()));
+ results.add(Curve.calculateAgreement(remoteKey, localIdentityKeyPair.getPrivateKey()));
+ results.add(Curve.calculateAgreement(remoteIdentityKey.getPublicKey(),
+ localKeyPair.getPrivateKey()));
} else {
- results.add(calculateAgreement(localKeyPair.getKeyPair().getPrivate(),
- remoteIdentityKey.getPublicKeyParameters()));
-
- results.add(calculateAgreement(localIdentityKeyPair.getPrivateKey(), remoteKey));
+ results.add(Curve.calculateAgreement(remoteIdentityKey.getPublicKey(),
+ localKeyPair.getPrivateKey()));
+ results.add(Curve.calculateAgreement(remoteKey, localIdentityKeyPair.getPrivateKey()));
}
- results.add(calculateAgreement(localKeyPair.getKeyPair().getPrivate(), remoteKey));
+ results.add(Curve.calculateAgreement(remoteKey, localKeyPair.getPrivateKey()));
- return kdf.deriveSecrets(results, isLowEnd, getInfo(localKeyId,remoteKeyId));
+ return kdf.deriveSecrets(results, isLowEnd, getInfo(localKeyId, remoteKeyId));
}
public static DerivedSecrets calculateSharedSecret(int messageVersion, boolean isLowEnd,
KeyPair localKeyPair, int localKeyId,
- ECPublicKeyParameters remoteKey, int remoteKeyId)
+ ECPublicKey remoteKey, int remoteKeyId)
+ throws InvalidKeyException
{
Log.w("SharedSecretCalculator", "Calculating shared secret with standard agreement...");
KDF kdf;
@@ -58,8 +73,8 @@ public static DerivedSecrets calculateSharedSecret(int messageVersion, boolean i
Log.w("SharedSecretCalculator", "Using kdf: " + kdf);
- List<BigInteger> results = new LinkedList<BigInteger>();
- results.add(calculateAgreement(localKeyPair.getKeyPair().getPrivate(), remoteKey));
+ List<byte[]> results = new LinkedList<byte[]>();
+ results.add(Curve.calculateAgreement(remoteKey, localKeyPair.getPrivateKey()));
return kdf.deriveSecrets(results, isLowEnd, getInfo(localKeyId, remoteKeyId));
}
@@ -78,23 +93,10 @@ public static DerivedSecrets calculateSharedSecret(int messageVersion, boolean i
return info;
}
- private static BigInteger calculateAgreement(CipherParameters privateKey,
- ECPublicKeyParameters publicKey)
- {
- ECDHBasicAgreement agreement = new ECDHBasicAgreement();
- agreement.init(privateKey);
-
- return KeyUtil.calculateAgreement(agreement, publicKey);
- }
-
-
- private static boolean isSmaller(ECPublicKeyParameters localPublic,
- ECPublicKeyParameters remotePublic)
+ private static boolean isSmaller(ECPublicKey localPublic,
+ ECPublicKey remotePublic)
{
- BigInteger local = localPublic.getQ().getX().toBigInteger();
- BigInteger remote = remotePublic.getQ().getX().toBigInteger();
-
- return local.compareTo(remote) < 0;
+ return localPublic.compareTo(remotePublic) < 0;
}
}
View
85 library/src/org/whispersystems/textsecure/crypto/ecc/Curve.java
@@ -0,0 +1,85 @@
+/**
+ * Copyright (C) 2013 Open Whisper Systems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.whispersystems.textsecure.crypto.ecc;
+
+import org.whispersystems.textsecure.crypto.InvalidKeyException;
+import org.whispersystems.textsecure.crypto.protocol.CiphertextMessage;
+
+public class Curve {
+
+ public static final int NIST_TYPE = 0x02;
+ private static final int NIST_TYPE2 = 0x03;
+ public static final int DJB_TYPE = 0x04;
+
+ public static ECKeyPair generateKeyPairForType(int keyType) {
+ if (keyType == DJB_TYPE) {
+ return Curve25519.generateKeyPair();
+ } else if (keyType == NIST_TYPE || keyType == NIST_TYPE2) {
+ return CurveP256.generateKeyPair();
+ } else {
+ throw new AssertionError("Bad key type: " + keyType);
+ }
+ }
+
+ public static ECKeyPair generateKeyPairForSession(int messageVersion) {
+ if (messageVersion >= CiphertextMessage.CURVE25519_INTRODUCED_VERSION) {
+ return generateKeyPairForType(DJB_TYPE);
+ } else {
+ return generateKeyPairForType(NIST_TYPE);
+ }
+ }
+
+ public static ECPublicKey decodePoint(byte[] bytes, int offset)
+ throws InvalidKeyException
+ {
+ int type = bytes[offset];
+
+ if (type == DJB_TYPE) {
+ return Curve25519.decodePoint(bytes, offset);
+ } else if (type == NIST_TYPE || type == NIST_TYPE2) {
+ return CurveP256.decodePoint(bytes, offset);
+ } else {
+ throw new InvalidKeyException("Unknown key type: " + type);