Fix bug caused by 1mod8 compatibility issue.

In the switch from v3, we bind identities in the message MAC instead of doing the 1mod8 trick. Since identity keys were never set as 1mod8, it seemed like we could just remove it. However, PreKeys are durable. If an old client upgrades to v3, it has a bunch of keys that *were* set to 1mod8 floating around. The Curve25519 donna code re-sets the private key bits on every operation, which results in a different key, and breaks the output of an agreement. So now we don't intentionally generate keys with 1mod8, but we have to remove the donna code to honor existing 1mod8 keys for the rest of time. Trevor is squarely to blame. // FREEBIE
signalapp · Oct 24, 2014 · e7b6a85 · e7b6a85
1 parent 9dfaf19
commit e7b6a85
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 29 deletions.
diff --git a/libaxolotl/jni/curve25519-donna.c b/libaxolotl/jni/curve25519-donna.c
@@ -857,9 +857,9 @@ curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
   int i;
 
   for (i = 0; i < 32; ++i) e[i] = secret[i];
-  e[0] &= 248;
-  e[31] &= 127;
-  e[31] |= 64;
+//  e[0] &= 248;
+//  e[31] &= 127;
+//  e[31] |= 64;
 
   fexpand(bp, basepoint);
   cmult(x, z, e, bp);

diff --git a/libaxolotl/libs/armeabi-v7a/libcurve25519.so b/libaxolotl/libs/armeabi-v7a/libcurve25519.so
diff --git a/libaxolotl/libs/armeabi/libcurve25519.so b/libaxolotl/libs/armeabi/libcurve25519.so
diff --git a/libaxolotl/libs/mips/libcurve25519.so b/libaxolotl/libs/mips/libcurve25519.so
diff --git a/libaxolotl/libs/x86/libcurve25519.so b/libaxolotl/libs/x86/libcurve25519.so
diff --git a/libaxolotl/src/androidTest/java/org/whispersystems/test/ratchet/RatchetingSessionTest.java b/libaxolotl/src/androidTest/java/org/whispersystems/test/ratchet/RatchetingSessionTest.java
@@ -90,12 +90,13 @@ public void testRatchetingSessionAsBob() throws InvalidKeyException {
                                     (byte) 0xee, (byte) 0xfc, (byte) 0xb4, (byte) 0x2b,
                                     (byte) 0x4a};
 
-    byte[] senderChain = {(byte)0x33, (byte)0xe9, (byte)0x46, (byte)0x5e, (byte)0x88, (byte)0x92,
-                          (byte)0x2b, (byte)0x51, (byte)0xa6, (byte)0x76, (byte)0xaf, (byte)0xba,
-                          (byte)0x03, (byte)0xf2, (byte)0x27, (byte)0x58, (byte)0xee, (byte)0xe1,
-                          (byte)0xef, (byte)0x15, (byte)0xb0, (byte)0x28, (byte)0x39, (byte)0x0d,
-                          (byte)0x70, (byte)0x76, (byte)0xc7, (byte)0xc7, (byte)0x09, (byte)0xef,
-                          (byte)0x5d, (byte)0x8b};
+    byte[] senderChain           = {(byte)0xd2, (byte)0x2f, (byte)0xd5, (byte)0x6d, (byte)0x3f,
+                                    (byte)0xec, (byte)0x81, (byte)0x9c, (byte)0xf4, (byte)0xc3,
+                                    (byte)0xd5, (byte)0x0c, (byte)0x56, (byte)0xed, (byte)0xfb,
+                                    (byte)0x1c, (byte)0x28, (byte)0x0a, (byte)0x1b, (byte)0x31,
+                                    (byte)0x96, (byte)0x45, (byte)0x37, (byte)0xf1, (byte)0xd1,
+                                    (byte)0x61, (byte)0xe1, (byte)0xc9, (byte)0x31, (byte)0x48,
+                                    (byte)0xe3, (byte)0x6b};
 
     IdentityKey     bobIdentityKeyPublic   = new IdentityKey(bobIdentityPublic, 0);
     ECPrivateKey    bobIdentityKeyPrivate  = Curve.decodePrivatePoint(bobIdentityPrivate);
@@ -192,12 +193,13 @@ public void testRatchetingSessionAsAlice() throws InvalidKeyException {
                                     (byte) 0xeb, (byte) 0x0a, (byte) 0x6f, (byte) 0x4f, (byte) 0x5f,
                                     (byte) 0x8f, (byte) 0x58};
 
-    byte[] receiverChain = {(byte)0x68, (byte)0x4a, (byte)0xc5, (byte)0x15, (byte)0xc9, (byte)0x14,
-                            (byte)0x45, (byte)0xf7, (byte)0xa0, (byte)0xc9, (byte)0x3c, (byte)0x39,
-                            (byte)0xf7, (byte)0xe6, (byte)0xa1, (byte)0x7f, (byte)0xa0, (byte)0x8e,
-                            (byte)0x04, (byte)0x62, (byte)0xf1, (byte)0x50, (byte)0xe5, (byte)0xac,
-                            (byte)0x60, (byte)0x71, (byte)0x78, (byte)0xc1, (byte)0xa5, (byte)0xd2,
-                            (byte)0xc7, (byte)0xd6};
+    byte[] receiverChain         = {(byte) 0xd2, (byte) 0x2f, (byte) 0xd5, (byte) 0x6d, (byte) 0x3f,
+                                    (byte) 0xec, (byte) 0x81, (byte) 0x9c, (byte) 0xf4, (byte) 0xc3,
+                                    (byte) 0xd5, (byte) 0x0c, (byte) 0x56, (byte) 0xed, (byte) 0xfb,
+                                    (byte) 0x1c, (byte) 0x28, (byte) 0x0a, (byte) 0x1b, (byte) 0x31,
+                                    (byte) 0x96, (byte) 0x45, (byte) 0x37, (byte) 0xf1, (byte) 0xd1,
+                                    (byte) 0x61, (byte) 0xe1, (byte) 0xc9, (byte) 0x31, (byte) 0x48,
+                                    (byte) 0xe3, (byte) 0x6b};
 
     IdentityKey     bobIdentityKey           = new IdentityKey(bobIdentityPublic, 0);
     ECPublicKey     bobEphemeralPublicKey    = Curve.decodePoint(bobPublic, 0);

diff --git a/libaxolotl/src/androidTest/java/org/whispersystems/test/ratchet/RootKeyTest.java b/libaxolotl/src/androidTest/java/org/whispersystems/test/ratchet/RootKeyTest.java
@@ -50,21 +50,21 @@ public void testRootKeyDerivationV2() throws NoSuchAlgorithmException, InvalidKe
                            (byte) 0x95, (byte) 0x55, (byte) 0xe8, (byte) 0x47, (byte) 0x57,
                            (byte) 0x70, (byte) 0x8a, (byte) 0x30};
 
-    byte[] nextRoot = {(byte)0x67, (byte)0x46, (byte)0x77, (byte)0x65, (byte)0x21,
-                       (byte)0x04, (byte)0xe8, (byte)0x64, (byte)0xd0, (byte)0x7c,
-                       (byte)0x54, (byte)0x33, (byte)0xef, (byte)0xaa, (byte)0x59,
-                       (byte)0x25, (byte)0xed, (byte)0x43, (byte)0x67, (byte)0xd6,
-                       (byte)0xb2, (byte)0x5a, (byte)0xaf, (byte)0xe6, (byte)0x99,
-                       (byte)0x1d, (byte)0xef, (byte)0x5c, (byte)0x7f, (byte)0x0f,
-                       (byte)0xb8, (byte)0x6f};
+    byte[] nextRoot     = {(byte) 0xb1, (byte) 0x14, (byte) 0xf5, (byte) 0xde, (byte) 0x28,
+                           (byte) 0x01, (byte) 0x19, (byte) 0x85, (byte) 0xe6, (byte) 0xeb,
+                           (byte) 0xa2, (byte) 0x5d, (byte) 0x50, (byte) 0xe7, (byte) 0xec,
+                           (byte) 0x41, (byte) 0xa9, (byte) 0xb0, (byte) 0x2f, (byte) 0x56,
+                           (byte) 0x93, (byte) 0xc5, (byte) 0xc7, (byte) 0x88, (byte) 0xa6,
+                           (byte) 0x3a, (byte) 0x06, (byte) 0xd2, (byte) 0x12, (byte) 0xa2,
+                           (byte) 0xf7, (byte) 0x31};
 
-    byte[] nextChain = {(byte)0xfa, (byte)0xed, (byte)0x7f, (byte)0xb2, (byte)0xc3,
-                        (byte)0xe6, (byte)0xf6, (byte)0x06, (byte)0xfc, (byte)0xbf,
-                        (byte)0x26, (byte)0x64, (byte)0x6c, (byte)0xf2, (byte)0x68,
-                        (byte)0xad, (byte)0x49, (byte)0x58, (byte)0x9f, (byte)0xcb,
-                        (byte)0xde, (byte)0x01, (byte)0xc1, (byte)0x26, (byte)0x75,
-                        (byte)0xe5, (byte)0xe8, (byte)0x22, (byte)0xa7, (byte)0xe3,
-                        (byte)0x35, (byte)0xd1};
+    byte[] nextChain    = {(byte) 0x9d, (byte) 0x7d, (byte) 0x24, (byte) 0x69, (byte) 0xbc,
+                           (byte) 0x9a, (byte) 0xe5, (byte) 0x3e, (byte) 0xe9, (byte) 0x80,
+                           (byte) 0x5a, (byte) 0xa3, (byte) 0x26, (byte) 0x4d, (byte) 0x24,
+                           (byte) 0x99, (byte) 0xa3, (byte) 0xac, (byte) 0xe8, (byte) 0x0f,
+                           (byte) 0x4c, (byte) 0xca, (byte) 0xe2, (byte) 0xda, (byte) 0x13,
+                           (byte) 0x43, (byte) 0x0c, (byte) 0x5c, (byte) 0x55, (byte) 0xb5,
+                           (byte) 0xca, (byte) 0x5f};
 
     ECPublicKey  alicePublicKey  = Curve.decodePoint(alicePublic, 0);
     ECPrivateKey alicePrivateKey = Curve.decodePrivatePoint(alicePrivate);