* Remove encrypted header version
* Return error from DH & Encrypt
* Use slices instead of fixed array for keys
In order to support multiple types of curves, this commit changes the
type of `Key` from `[32]byte` to `[]byte`. This is useful as most of the
elliptic keys have a size of a compressed key of `33 bytes` instead of
`32 bytes`, which the default implementation uses (curve25519).
The purpose of limiting the number of skipped keys generated is to avoid a DoS
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N.
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived sessions dropped/unreceived messages start
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more in line with Signal's spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a DoS
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
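
The skipped-key rules described above, as an added Go example that is not the project's own code: it contrasts the old and new maxSkip checks and applies the two storage rules to a list of stored sequence numbers. The function names and the values of maxKeep and maxMessageKeysPerSession are assumptions; maxSkip uses the 1000 threshold mentioned above.

```go
package main

import (
	"fmt"
	"sort"
)

// maxSkip is the threshold quoted in the commit message; the other two
// values are assumed for illustration.
const (
	maxSkip                  = 1000
	maxKeep                  = 3000
	maxMessageKeysPerSession = 2000
)

// oldAccepts is the previous rule: reject once the receiving chain already
// holds more than maxSkip skipped keys, however small the next jump is.
func oldAccepts(storedInChain int) bool { return storedInChain <= maxSkip }

// newAccepts is the current rule: reject only when a single header asks us
// to derive more than maxSkip keys (N > currentN + maxSkip).
func newAccepts(currentN, n uint64) bool { return n <= currentN+maxSkip }

// prune applies both storage rules (it reorders seqNums in place): drop keys
// with seqNum < currentSeqNum-maxKeep, then evict the oldest remaining keys
// until at most maxMessageKeysPerSession are left.
func prune(seqNums []uint64, currentSeqNum uint64) []uint64 {
	sort.Slice(seqNums, func(i, j int) bool { return seqNums[i] < seqNums[j] })
	kept := seqNums[:0]
	for _, s := range seqNums {
		if s+maxKeep >= currentSeqNum { // written this way to avoid underflow
			kept = append(kept, s)
		}
	}
	if len(kept) > maxMessageKeysPerSession {
		kept = kept[len(kept)-maxMessageKeysPerSession:]
	}
	return kept
}

func main() {
	// Long-lived session: 1001 keys already stored, next message skips one.
	fmt.Println(oldAccepts(1001), newAccepts(5000, 5001))
	// Oversized N in a single header is still refused.
	fmt.Println(newAccepts(5000, 5000+maxSkip+1))
}
```
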
1. Renamed state to session, created state and included it in session
2. Removed AssociatedData type
3. Implemented message header encoding and decoding
4. Added a paragraph about header encryption into README.md
5. Added PublicKeyer interface
6. Added chain structs
7. Added NewWithRK constructor