-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathratchet.ts
More file actions
243 lines (208 loc) · 7.3 KB
/
ratchet.ts
File metadata and controls
243 lines (208 loc) · 7.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
import { generateKeyPair, exportPublicKey, importPublicKey, deriveSharedSecret } from './ecdh'
import { encrypt, decrypt, importAesKey } from './encrypt'
import { hkdfDerive, kdfRatchetStep } from './kdf'
import { toBase64Url, fromBase64Url } from './keys'
import type { RatchetState } from '@/types'
import type { MessageHeader } from '@/ws/protocol'
import { MAX_SKIPPED_KEYS } from '@/constants'
const RATCHET_INFO = new TextEncoder().encode('yapgone-ratchet')
export async function initCreator(
dhKeyPair: CryptoKeyPair,
rootKey: Uint8Array,
): Promise<RatchetState> {
const derived = await hkdfDerive(rootKey, rootKey, RATCHET_INFO, 64)
const newRootKey = derived.slice(0, 32)
const sendChainKey = derived.slice(32, 64)
return {
dhKeyPair,
remotePubKey: null,
rootKey: newRootKey,
sendChainKey,
sendMessageNumber: 0,
recvChainKey: null,
recvMessageNumber: 0,
prevSendChainLength: 0,
skippedMessageKeys: new Map(),
}
}
export async function initJoiner(
dhKeyPair: CryptoKeyPair,
remotePubKey: CryptoKey,
rootKey: Uint8Array,
): Promise<RatchetState> {
// Derive recv chain from initial root key
const recvDerived = await hkdfDerive(rootKey, rootKey, RATCHET_INFO, 64)
const intermediateRootKey = recvDerived.slice(0, 32)
const recvChainKey = recvDerived.slice(32, 64)
// DH ratchet step for send chain
const dhOutput = await deriveSharedSecret(dhKeyPair.privateKey, remotePubKey)
const sendDerived = await hkdfDerive(dhOutput, intermediateRootKey, RATCHET_INFO, 64)
const newRootKey = sendDerived.slice(0, 32)
const sendChainKey = sendDerived.slice(32, 64)
return {
dhKeyPair,
remotePubKey,
rootKey: newRootKey,
sendChainKey,
sendMessageNumber: 0,
recvChainKey,
recvMessageNumber: 0,
prevSendChainLength: 0,
skippedMessageKeys: new Map(),
}
}
function serializeHeader(header: MessageHeader): Uint8Array {
const json = JSON.stringify({ pubkey: header.pubkey, n: header.n, pn: header.pn })
return new TextEncoder().encode(json)
}
export async function ratchetEncrypt(
state: RatchetState,
plaintext: Uint8Array,
): Promise<{ state: RatchetState; header: MessageHeader; iv: Uint8Array; ciphertext: Uint8Array }> {
const { nextChainKey, messageKey } = await kdfRatchetStep(state.sendChainKey)
const pubKeyRaw = await exportPublicKey(state.dhKeyPair.publicKey)
const header: MessageHeader = {
pubkey: toBase64Url(pubKeyRaw),
n: state.sendMessageNumber,
pn: state.prevSendChainLength,
}
const aad = serializeHeader(header)
const aesKey = await importAesKey(messageKey)
const { iv, ciphertext } = await encrypt(plaintext, aesKey, aad)
const newState: RatchetState = {
...state,
sendChainKey: nextChainKey,
sendMessageNumber: state.sendMessageNumber + 1,
}
return { state: newState, header, iv, ciphertext }
}
export async function ratchetDecrypt(
state: RatchetState,
header: MessageHeader,
iv: Uint8Array,
ciphertext: Uint8Array,
): Promise<{ state: RatchetState; plaintext: Uint8Array }> {
// Try skipped message keys first
const skippedResult = await trySkippedMessageKey(state, header, iv, ciphertext)
if (skippedResult) {
return skippedResult
}
let currentState = { ...state, skippedMessageKeys: new Map(state.skippedMessageKeys) }
// Check if we need a DH ratchet step
const headerPubKeyRaw = fromBase64Url(header.pubkey)
let currentPubKeyB64: string | null = null
if (currentState.remotePubKey) {
const currentRaw = await exportPublicKey(currentState.remotePubKey)
currentPubKeyB64 = toBase64Url(currentRaw)
}
if (header.pubkey !== currentPubKeyB64) {
// Skip any missed messages on the current recv chain
if (currentState.recvChainKey) {
currentState = await skipMessageKeys(currentState, header.pn)
}
currentState = await dhRatchetStep(currentState, await importPublicKey(headerPubKeyRaw))
}
// Skip missed messages on the new recv chain
currentState = await skipMessageKeys(currentState, header.n)
// Derive message key
if (!currentState.recvChainKey) {
throw new Error('No receive chain key available')
}
const { nextChainKey, messageKey } = await kdfRatchetStep(currentState.recvChainKey)
currentState.recvChainKey = nextChainKey
currentState.recvMessageNumber = header.n + 1
const aad = serializeHeader(header)
const aesKey = await importAesKey(messageKey)
const plaintext = await decrypt(ciphertext, iv, aesKey, aad)
return { state: currentState, plaintext }
}
async function dhRatchetStep(
state: RatchetState,
newRemotePubKey: CryptoKey,
): Promise<RatchetState> {
// Receive chain: DH with current key pair + new remote key
const dhRecv = await deriveSharedSecret(state.dhKeyPair.privateKey, newRemotePubKey)
const recvDerived = await hkdfDerive(dhRecv, state.rootKey, RATCHET_INFO, 64)
const intermediateRootKey = recvDerived.slice(0, 32)
const recvChainKey = recvDerived.slice(32, 64)
// Send chain: new key pair + DH with new remote key
const newKeyPair = await generateKeyPair()
const dhSend = await deriveSharedSecret(newKeyPair.privateKey, newRemotePubKey)
const sendDerived = await hkdfDerive(dhSend, intermediateRootKey, RATCHET_INFO, 64)
const newRootKey = sendDerived.slice(0, 32)
const sendChainKey = sendDerived.slice(32, 64)
return {
...state,
dhKeyPair: newKeyPair,
remotePubKey: newRemotePubKey,
rootKey: newRootKey,
sendChainKey,
sendMessageNumber: 0,
recvChainKey,
recvMessageNumber: 0,
prevSendChainLength: state.sendMessageNumber,
}
}
async function skipMessageKeys(
state: RatchetState,
until: number,
): Promise<RatchetState> {
if (!state.recvChainKey) {
return state
}
if (until - state.recvMessageNumber > MAX_SKIPPED_KEYS) {
throw new Error('Too many skipped messages')
}
let chainKey = state.recvChainKey
const skipped = new Map(state.skippedMessageKeys)
let remotePubKeyB64 = ''
if (state.remotePubKey) {
const raw = await exportPublicKey(state.remotePubKey)
remotePubKeyB64 = toBase64Url(raw)
}
for (let n = state.recvMessageNumber; n < until; n++) {
const { nextChainKey, messageKey } = await kdfRatchetStep(chainKey)
const key = `${remotePubKeyB64}:${n}`
skipped.set(key, messageKey)
chainKey = nextChainKey
}
return {
...state,
recvChainKey: chainKey,
recvMessageNumber: until,
skippedMessageKeys: skipped,
}
}
async function trySkippedMessageKey(
state: RatchetState,
header: MessageHeader,
iv: Uint8Array,
ciphertext: Uint8Array,
): Promise<{ state: RatchetState; plaintext: Uint8Array } | null> {
const key = `${header.pubkey}:${header.n}`
const messageKey = state.skippedMessageKeys.get(key)
if (!messageKey) {
return null
}
const aad = serializeHeader(header)
const aesKey = await importAesKey(messageKey)
const plaintext = await decrypt(ciphertext, iv, aesKey, aad)
const newSkipped = new Map(state.skippedMessageKeys)
newSkipped.delete(key)
return {
state: { ...state, skippedMessageKeys: newSkipped },
plaintext,
}
}
export function destroyState(state: RatchetState): void {
state.rootKey.fill(0)
state.sendChainKey.fill(0)
if (state.recvChainKey) {
state.recvChainKey.fill(0)
}
for (const [, key] of state.skippedMessageKeys) {
key.fill(0)
}
state.skippedMessageKeys.clear()
}
export { serializeHeader as _serializeHeader }