2018-09-24 20:07:34 +02:00
|
|
|
package chat
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/ecdsa"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
2018-11-28 12:34:39 +01:00
|
|
|
"io/ioutil"
|
2018-09-24 20:07:34 +02:00
|
|
|
"math/rand"
|
|
|
|
"os"
|
|
|
|
"reflect"
|
|
|
|
"sync"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/ethereum/go-ethereum/crypto"
|
2019-06-26 20:17:41 +02:00
|
|
|
"github.com/status-im/status-go/messaging/chat/protobuf"
|
2019-07-03 21:13:11 +02:00
|
|
|
"github.com/status-im/status-go/messaging/multidevice"
|
|
|
|
"github.com/status-im/status-go/messaging/sharedsecret"
|
2018-09-24 20:07:34 +02:00
|
|
|
"github.com/stretchr/testify/suite"
|
|
|
|
)
|
|
|
|
|
|
|
|
var cleartext = []byte("hello")
|
|
|
|
var aliceInstallationID = "1"
|
|
|
|
var bobInstallationID = "2"
|
2019-02-19 13:58:42 +01:00
|
|
|
var defaultMessageID = []byte("default")
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
func TestEncryptionServiceTestSuite(t *testing.T) {
|
|
|
|
suite.Run(t, new(EncryptionServiceTestSuite))
|
|
|
|
}
|
|
|
|
|
|
|
|
type EncryptionServiceTestSuite struct {
|
|
|
|
suite.Suite
|
2019-05-23 10:47:20 +02:00
|
|
|
alice *ProtocolService
|
|
|
|
bob *ProtocolService
|
2018-11-28 12:34:39 +01:00
|
|
|
aliceDBPath string
|
|
|
|
bobDBPath string
|
2018-09-24 20:07:34 +02:00
|
|
|
}
|
|
|
|
|
2018-11-28 12:34:39 +01:00
|
|
|
func (s *EncryptionServiceTestSuite) initDatabases(baseConfig *EncryptionServiceConfig) {
|
|
|
|
|
|
|
|
aliceDBFile, err := ioutil.TempFile(os.TempDir(), "alice")
|
|
|
|
s.Require().NoError(err)
|
|
|
|
aliceDBPath := aliceDBFile.Name()
|
|
|
|
|
|
|
|
bobDBFile, err := ioutil.TempFile(os.TempDir(), "bob")
|
|
|
|
s.Require().NoError(err)
|
|
|
|
bobDBPath := bobDBFile.Name()
|
|
|
|
|
|
|
|
s.aliceDBPath = aliceDBPath
|
|
|
|
s.bobDBPath = bobDBPath
|
|
|
|
|
|
|
|
if baseConfig == nil {
|
|
|
|
config := DefaultEncryptionServiceConfig(aliceInstallationID)
|
|
|
|
baseConfig = &config
|
|
|
|
}
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
const (
|
2018-11-28 12:34:39 +01:00
|
|
|
aliceDBKey = "alice"
|
|
|
|
bobDBKey = "bob"
|
2018-09-24 20:07:34 +02:00
|
|
|
)
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceMultideviceConfig := &multidevice.Config{
|
|
|
|
MaxInstallations: 3,
|
|
|
|
InstallationID: aliceInstallationID,
|
|
|
|
ProtocolVersion: 1,
|
|
|
|
}
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
alicePersistence, err := NewSQLLitePersistence(aliceDBPath, aliceDBKey)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
baseConfig.InstallationID = aliceInstallationID
|
|
|
|
aliceEncryptionService := NewEncryptionService(alicePersistence, *baseConfig)
|
|
|
|
|
|
|
|
aliceSharedSecretService := sharedsecret.NewService(alicePersistence.GetSharedSecretStorage())
|
|
|
|
aliceMultideviceService := multidevice.New(aliceMultideviceConfig, alicePersistence.GetMultideviceStorage())
|
|
|
|
|
|
|
|
s.alice = NewProtocolService(
|
|
|
|
aliceEncryptionService,
|
|
|
|
aliceSharedSecretService,
|
|
|
|
aliceMultideviceService,
|
2019-06-26 11:32:59 +02:00
|
|
|
func(s []*multidevice.Installation) {},
|
2019-05-23 10:47:20 +02:00
|
|
|
func(s []*sharedsecret.Secret) {},
|
|
|
|
)
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
bobPersistence, err := NewSQLLitePersistence(bobDBPath, bobDBKey)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMultideviceConfig := &multidevice.Config{
|
|
|
|
MaxInstallations: 3,
|
|
|
|
InstallationID: bobInstallationID,
|
|
|
|
ProtocolVersion: 1,
|
|
|
|
}
|
|
|
|
|
|
|
|
bobMultideviceService := multidevice.New(bobMultideviceConfig, bobPersistence.GetMultideviceStorage())
|
|
|
|
|
|
|
|
bobSharedSecretService := sharedsecret.NewService(bobPersistence.GetSharedSecretStorage())
|
2018-11-28 12:34:39 +01:00
|
|
|
|
|
|
|
baseConfig.InstallationID = bobInstallationID
|
2019-05-23 10:47:20 +02:00
|
|
|
bobEncryptionService := NewEncryptionService(bobPersistence, *baseConfig)
|
|
|
|
|
|
|
|
s.bob = NewProtocolService(
|
|
|
|
bobEncryptionService,
|
|
|
|
bobSharedSecretService,
|
|
|
|
bobMultideviceService,
|
2019-06-26 11:32:59 +02:00
|
|
|
func(s []*multidevice.Installation) {},
|
2019-05-23 10:47:20 +02:00
|
|
|
func(s []*sharedsecret.Secret) {},
|
|
|
|
)
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *EncryptionServiceTestSuite) SetupTest() {
|
2018-11-28 12:34:39 +01:00
|
|
|
s.initDatabases(nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *EncryptionServiceTestSuite) TearDownTest() {
|
|
|
|
os.Remove(s.aliceDBPath)
|
|
|
|
os.Remove(s.bobDBPath)
|
2018-09-24 20:07:34 +02:00
|
|
|
}
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
func (s *EncryptionServiceTestSuite) TestGetBundle() {
|
2018-09-24 20:07:34 +02:00
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle1, err := s.alice.GetBundle(aliceKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.NotNil(aliceBundle1, "It creates a bundle")
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle2, err := s.alice.GetBundle(aliceKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.Equal(aliceBundle1, aliceBundle2, "It returns the same bundle")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Alice sends Bob an encrypted message with DH using an ephemeral key
|
|
|
|
// and Bob's identity key.
|
|
|
|
// Bob is able to decrypt it.
|
|
|
|
// Alice does not re-use the symmetric key
|
|
|
|
func (s *EncryptionServiceTestSuite) TestEncryptPayloadNoBundle() {
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
response1, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, cleartext)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
encryptionResponse1 := response1.Message.GetDirectMessage()
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
installationResponse1 := encryptionResponse1["none"]
|
|
|
|
// That's for any device
|
|
|
|
s.Require().NotNil(installationResponse1)
|
|
|
|
|
|
|
|
cyphertext1 := installationResponse1.Payload
|
|
|
|
ephemeralKey1 := installationResponse1.GetDHHeader().GetKey()
|
|
|
|
s.NotNil(ephemeralKey1, "It generates an ephemeral key for DH exchange")
|
|
|
|
s.NotNil(cyphertext1, "It generates an encrypted payload")
|
|
|
|
s.NotEqual(cyphertext1, cleartext, "It encrypts the payload correctly")
|
|
|
|
|
|
|
|
// On the receiver side, we should be able to decrypt using our private key and the ephemeral just sent
|
2019-05-23 10:47:20 +02:00
|
|
|
decryptedPayload1, err := s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, response1.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.Equal(cleartext, decryptedPayload1, "It correctly decrypts the payload using DH")
|
|
|
|
|
|
|
|
// The next message will not be re-using the same key
|
2019-05-23 10:47:20 +02:00
|
|
|
response2, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, cleartext)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
encryptionResponse2 := response2.Message.GetDirectMessage()
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
installationResponse2 := encryptionResponse2[aliceInstallationID]
|
|
|
|
|
|
|
|
cyphertext2 := installationResponse2.GetPayload()
|
|
|
|
ephemeralKey2 := installationResponse2.GetDHHeader().GetKey()
|
|
|
|
s.NotEqual(cyphertext1, cyphertext2, "It does not re-use the symmetric key")
|
|
|
|
s.NotEqual(ephemeralKey1, ephemeralKey2, "It does not re-use the ephemeral key")
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
decryptedPayload2, err := s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, response2.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.Equal(cleartext, decryptedPayload2, "It correctly decrypts the payload using DH")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Alice has Bob's bundle
|
|
|
|
// Alice sends Bob an encrypted message with X3DH and DR using an ephemeral key
|
|
|
|
// and Bob's bundle.
|
|
|
|
func (s *EncryptionServiceTestSuite) TestEncryptPayloadBundle() {
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We send a message using the bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
response1, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, cleartext)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
encryptionResponse1 := response1.Message.GetDirectMessage()
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
installationResponse1 := encryptionResponse1[bobInstallationID]
|
|
|
|
s.Require().NotNil(installationResponse1)
|
|
|
|
|
|
|
|
cyphertext1 := installationResponse1.GetPayload()
|
|
|
|
x3dhHeader := installationResponse1.GetX3DHHeader()
|
|
|
|
drHeader := installationResponse1.GetDRHeader()
|
|
|
|
|
|
|
|
s.NotNil(cyphertext1, "It generates an encrypted payload")
|
|
|
|
s.NotEqual(cyphertext1, cleartext, "It encrypts the payload correctly")
|
|
|
|
|
|
|
|
// Check X3DH Header
|
|
|
|
bundleID := bobBundle.GetSignedPreKeys()[bobInstallationID].GetSignedPreKey()
|
|
|
|
|
|
|
|
s.NotNil(x3dhHeader, "It adds an x3dh header")
|
|
|
|
s.NotNil(x3dhHeader.GetKey(), "It adds an ephemeral key")
|
|
|
|
s.Equal(x3dhHeader.GetId(), bundleID, "It sets the bundle id")
|
|
|
|
|
|
|
|
// Check DR Header
|
|
|
|
s.NotNil(drHeader, "It adds a DR header")
|
|
|
|
s.NotNil(drHeader.GetKey(), "It adds a key to the DR header")
|
|
|
|
s.Equal(bundleID, drHeader.GetId(), "It adds the bundle id")
|
|
|
|
s.Equal(uint32(0), drHeader.GetN(), "It adds the correct message number")
|
|
|
|
s.Equal(uint32(0), drHeader.GetPn(), "It adds the correct length of the message chain")
|
|
|
|
|
|
|
|
// Bob is able to decrypt it using the bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
decryptedPayload1, err := s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, response1.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.Equal(cleartext, decryptedPayload1, "It correctly decrypts the payload using X3DH")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Alice has Bob's bundle
|
|
|
|
// Alice sends Bob 2 encrypted messages with X3DH and DR using an ephemeral key
|
|
|
|
// and Bob's bundle.
|
|
|
|
// Alice sends another message. This message should be using a DR
|
|
|
|
// and should include the initial x3dh message
|
|
|
|
// Bob receives only the last one, he should be able to decrypt it
|
|
|
|
// nolint: megacheck
|
|
|
|
func (s *EncryptionServiceTestSuite) TestConsequentMessagesBundle() {
|
|
|
|
cleartext1 := []byte("message 1")
|
|
|
|
cleartext2 := []byte("message 2")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We send a message using the bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, cleartext1)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We send another message using the bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
response, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, cleartext2)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
2019-05-23 10:47:20 +02:00
|
|
|
encryptionResponse := response.Message.GetDirectMessage()
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
installationResponse := encryptionResponse[bobInstallationID]
|
|
|
|
s.Require().NotNil(installationResponse)
|
|
|
|
|
|
|
|
cyphertext1 := installationResponse.GetPayload()
|
|
|
|
x3dhHeader := installationResponse.GetX3DHHeader()
|
|
|
|
drHeader := installationResponse.GetDRHeader()
|
|
|
|
|
|
|
|
s.NotNil(cyphertext1, "It generates an encrypted payload")
|
|
|
|
s.NotEqual(cyphertext1, cleartext2, "It encrypts the payload correctly")
|
|
|
|
|
|
|
|
// Check X3DH Header
|
|
|
|
bundleID := bobBundle.GetSignedPreKeys()[bobInstallationID].GetSignedPreKey()
|
|
|
|
|
|
|
|
s.NotNil(x3dhHeader, "It adds an x3dh header")
|
|
|
|
s.NotNil(x3dhHeader.GetKey(), "It adds an ephemeral key")
|
|
|
|
s.Equal(x3dhHeader.GetId(), bundleID, "It sets the bundle id")
|
|
|
|
|
|
|
|
// Check DR Header
|
|
|
|
s.NotNil(drHeader, "It adds a DR header")
|
|
|
|
s.NotNil(drHeader.GetKey(), "It adds a key to the DR header")
|
|
|
|
s.Equal(bundleID, drHeader.GetId(), "It adds the bundle id")
|
|
|
|
|
|
|
|
s.Equal(uint32(1), drHeader.GetN(), "It adds the correct message number")
|
|
|
|
s.Equal(uint32(0), drHeader.GetPn(), "It adds the correct length of the message chain")
|
|
|
|
|
|
|
|
// Bob is able to decrypt it using the bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
decryptedPayload1, err := s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, response.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
s.Equal(cleartext2, decryptedPayload1, "It correctly decrypts the payload using X3DH")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Alice has Bob's bundle
|
|
|
|
// Alice sends Bob an encrypted message with X3DH using an ephemeral key
|
|
|
|
// and Bob's bundle.
|
|
|
|
// Bob's receives the message
|
|
|
|
// Bob replies to the message
|
|
|
|
// Alice replies to the message
|
|
|
|
|
|
|
|
func (s *EncryptionServiceTestSuite) TestConversation() {
|
|
|
|
cleartext1 := []byte("message 1")
|
|
|
|
cleartext2 := []byte("message 2")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle, err := s.alice.GetBundle(aliceKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add alice bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.bob.ProcessPublicBundle(bobKey, aliceBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
response, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, cleartext1)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob receives the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, response.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob replies to the message
|
2019-05-23 10:47:20 +02:00
|
|
|
response, err = s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, cleartext1)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, response.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We send another message using the bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
response, err = s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, cleartext2)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
2019-05-23 10:47:20 +02:00
|
|
|
encryptionResponse := response.Message.GetDirectMessage()
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
installationResponse := encryptionResponse[bobInstallationID]
|
|
|
|
s.Require().NotNil(installationResponse)
|
|
|
|
|
|
|
|
cyphertext1 := installationResponse.GetPayload()
|
|
|
|
x3dhHeader := installationResponse.GetX3DHHeader()
|
|
|
|
drHeader := installationResponse.GetDRHeader()
|
|
|
|
|
|
|
|
s.NotNil(cyphertext1, "It generates an encrypted payload")
|
|
|
|
s.NotEqual(cyphertext1, cleartext2, "It encrypts the payload correctly")
|
|
|
|
|
|
|
|
// It does not send the x3dh bundle
|
|
|
|
s.Nil(x3dhHeader, "It does not add an x3dh header")
|
|
|
|
|
|
|
|
// Check DR Header
|
|
|
|
bundleID := bobBundle.GetSignedPreKeys()[bobInstallationID].GetSignedPreKey()
|
|
|
|
|
|
|
|
s.NotNil(drHeader, "It adds a DR header")
|
|
|
|
s.NotNil(drHeader.GetKey(), "It adds a key to the DR header")
|
|
|
|
s.Equal(bundleID, drHeader.GetId(), "It adds the bundle id")
|
|
|
|
|
|
|
|
s.Equal(uint32(0), drHeader.GetN(), "It adds the correct message number")
|
|
|
|
s.Equal(uint32(1), drHeader.GetPn(), "It adds the correct length of the message chain")
|
|
|
|
|
|
|
|
// Bob is able to decrypt it using the bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
decryptedPayload1, err := s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, response.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
s.Equal(cleartext2, decryptedPayload1, "It correctly decrypts the payload using X3DH")
|
|
|
|
}
|
|
|
|
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
// Previous implementation allowed max maxSkip keys in the same receiving chain
|
|
|
|
// leading to a problem whereby dropped messages would accumulate and eventually
|
|
|
|
// we would not be able to decrypt any new message anymore.
|
|
|
|
// Here we are testing that maxSkip only applies to *consecutive* messages, not
|
|
|
|
// overall.
|
|
|
|
func (s *EncryptionServiceTestSuite) TestMaxSkipKeys() {
|
|
|
|
bobText := []byte("text")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle, err := s.alice.GetBundle(aliceKey)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add alice bundle
|
|
|
|
_, err = s.bob.ProcessPublicBundle(bobKey, aliceBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob sends a message
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
for i := 0; i < s.alice.encryption.config.MaxSkip; i++ {
|
|
|
|
_, err = s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Bob sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMessage1, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage1.Message, defaultMessageID)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMessage2, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives the message, we should have maxSkip + 1 keys in the db, but
|
|
|
|
// we should not throw an error
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage2.Message, defaultMessageID)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Test that an error is thrown if max skip is reached
|
|
|
|
func (s *EncryptionServiceTestSuite) TestMaxSkipKeysError() {
|
|
|
|
bobText := []byte("text")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle, err := s.alice.GetBundle(aliceKey)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add alice bundle
|
|
|
|
_, err = s.bob.ProcessPublicBundle(bobKey, aliceBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob sends a message
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
for i := 0; i < s.alice.encryption.config.MaxSkip+1; i++ {
|
|
|
|
_, err = s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Bob sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMessage1, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage1.Message, defaultMessageID)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().Equal(errors.New("can't skip current chain message keys: too many messages"), err)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *EncryptionServiceTestSuite) TestMaxMessageKeysPerSession() {
|
2019-02-19 13:58:42 +01:00
|
|
|
config := DefaultEncryptionServiceConfig("none")
|
|
|
|
// Set MaxKeep and MaxSkip to an high value so it does not interfere
|
|
|
|
config.MaxKeep = 100000
|
|
|
|
config.MaxSkip = 100000
|
|
|
|
|
|
|
|
s.initDatabases(&config)
|
|
|
|
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
bobText := []byte("text")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle, err := s.alice.GetBundle(aliceKey)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add alice bundle
|
|
|
|
_, err = s.bob.ProcessPublicBundle(bobKey, aliceBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We create just enough messages so that the first key should be deleted
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
nMessages := s.alice.encryption.config.MaxMessageKeysPerSession
|
|
|
|
messages := make([]*protobuf.ProtocolMessage, nMessages)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
for i := 0; i < nMessages; i++ {
|
2019-05-23 10:47:20 +02:00
|
|
|
m, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
messages[i] = m.Message
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Another message to trigger the deletion
|
2019-05-23 10:47:20 +02:00
|
|
|
m, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, m.Message, defaultMessageID)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We decrypt the first message, and it should fail
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, messages[0], defaultMessageID)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().Equal(errors.New("can't skip current chain message keys: bad until: probably an out-of-order message that was deleted"), err)
|
|
|
|
|
|
|
|
// We decrypt the second message, and it should be decrypted
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, messages[1], defaultMessageID)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *EncryptionServiceTestSuite) TestMaxKeep() {
|
2019-02-19 13:58:42 +01:00
|
|
|
config := DefaultEncryptionServiceConfig("none")
|
|
|
|
// Set MaxMessageKeysPerSession to an high value so it does not interfere
|
|
|
|
config.MaxMessageKeysPerSession = 100000
|
|
|
|
|
|
|
|
s.initDatabases(&config)
|
|
|
|
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
bobText := []byte("text")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle, err := s.alice.GetBundle(aliceKey)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add alice bundle
|
|
|
|
_, err = s.bob.ProcessPublicBundle(bobKey, aliceBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We decrypt all messages but 1 & 2
|
2019-05-23 10:47:20 +02:00
|
|
|
messages := make([]*protobuf.ProtocolMessage, s.alice.encryption.config.MaxKeep)
|
|
|
|
for i := 0; i < s.alice.encryption.config.MaxKeep; i++ {
|
|
|
|
m, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText)
|
|
|
|
messages[i] = m.Message
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
if i != 0 && i != 1 {
|
2019-02-19 13:58:42 +01:00
|
|
|
messageID := []byte(fmt.Sprintf("%d", i))
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, m.Message, messageID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
err = s.alice.ConfirmMessagesProcessed([][]byte{messageID})
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// We decrypt the first message, and it should fail, as it should have been removed
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, messages[0], defaultMessageID)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().Equal(errors.New("can't skip current chain message keys: bad until: probably an out-of-order message that was deleted"), err)
|
|
|
|
|
|
|
|
// We decrypt the second message, and it should be decrypted
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, messages[1], defaultMessageID)
|
Change handling of skipped/deleted keys & add version (#1261)
- Skipped keys
The purpose of limiting the number of skipped keys generated is to avoid a dos
attack whereby an attacker would send a large N, forcing the device to
compute all the keys between currentN..N .
Previously the logic for handling skipped keys was:
- If in the current receiving chain there are more than maxSkip keys,
throw an error
This is problematic as in long-lived session dropped/unreceived messages starts
piling up, eventually reaching the threshold (1000 dropped/unreceived
messages).
This logic has been changed to be more inline with signals spec, and now
it is:
- If N is > currentN + maxSkip, throw an error
The purpose of limiting the number of skipped keys stored is to avoid a dos
attack whereby an attacker would force us to store a large number of
keys, filling up our storage.
Previously the logic for handling old keys was:
- Once you have maxKeep ratchet steps, delete any key from
currentRatchet - maxKeep.
This, in combination with the maxSkip implementation, capped the number of stored keys to
maxSkip * maxKeep.
The logic has been changed to:
- Keep a maximum of MaxMessageKeysPerSession
and additionally we delete any key that has a sequence number <
currentSeqNum - maxKeep
- Version
We check now the version of the bundle so that when we get a bundle from
the same installationID with a higher version, we mark the previous
bundle as expired and use the new bundle the next time a message is sent
2018-11-05 20:00:04 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
}
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
// Alice has Bob's bundle
|
|
|
|
// Bob has Alice's bundle
|
|
|
|
// Bob sends a message to alice
|
|
|
|
// Alice sends a message to Bob
|
|
|
|
// Bob receives alice message
|
|
|
|
// Alice receives Bob message
|
|
|
|
// Bob sends another message to alice and viceversa
|
|
|
|
|
|
|
|
func (s *EncryptionServiceTestSuite) TestConcurrentBundles() {
|
|
|
|
bobText1 := []byte("bob text 1")
|
|
|
|
bobText2 := []byte("bob text 2")
|
|
|
|
aliceText1 := []byte("alice text 1")
|
|
|
|
aliceText2 := []byte("alice text 2")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle, err := s.alice.GetBundle(aliceKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add alice bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.bob.ProcessPublicBundle(bobKey, aliceBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceMessage1, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, aliceText1)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMessage1, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText1)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob receives the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, aliceMessage1.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage1.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob replies to the message
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMessage2, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText2)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceMessage2, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, aliceText2)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage2.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob receives the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, aliceMessage2.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
func publisher(
|
2019-05-23 10:47:20 +02:00
|
|
|
e *ProtocolService,
|
2018-09-24 20:07:34 +02:00
|
|
|
privateKey *ecdsa.PrivateKey,
|
|
|
|
publicKey *ecdsa.PublicKey,
|
|
|
|
errChan chan error,
|
2019-05-23 10:47:20 +02:00
|
|
|
output chan *protobuf.ProtocolMessage,
|
2018-09-24 20:07:34 +02:00
|
|
|
) {
|
|
|
|
var wg sync.WaitGroup
|
|
|
|
|
|
|
|
for i := 0; i < 200; i++ {
|
|
|
|
|
|
|
|
// Simulate 5% of the messages dropped
|
|
|
|
if rand.Intn(100) <= 95 {
|
|
|
|
wg.Add(1)
|
|
|
|
// Simulate out of order messages
|
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
time.Sleep(time.Duration(rand.Intn(50)) * time.Millisecond)
|
2019-05-23 10:47:20 +02:00
|
|
|
response, err := e.BuildDirectMessage(privateKey, publicKey, cleartext)
|
2018-09-24 20:07:34 +02:00
|
|
|
if err != nil {
|
|
|
|
errChan <- err
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
output <- response.Message
|
2018-09-24 20:07:34 +02:00
|
|
|
}()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
wg.Wait()
|
|
|
|
close(output)
|
|
|
|
close(errChan)
|
|
|
|
}
|
|
|
|
|
|
|
|
func receiver(
|
2019-05-23 10:47:20 +02:00
|
|
|
s *ProtocolService,
|
2018-09-24 20:07:34 +02:00
|
|
|
privateKey *ecdsa.PrivateKey,
|
|
|
|
publicKey *ecdsa.PublicKey,
|
|
|
|
errChan chan error,
|
2019-05-23 10:47:20 +02:00
|
|
|
input chan *protobuf.ProtocolMessage,
|
2018-09-24 20:07:34 +02:00
|
|
|
) {
|
|
|
|
i := 0
|
|
|
|
|
|
|
|
for payload := range input {
|
2019-05-23 10:47:20 +02:00
|
|
|
actualCleartext, err := s.HandleMessage(privateKey, publicKey, payload, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
if err != nil {
|
|
|
|
errChan <- err
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(actualCleartext, cleartext) {
|
|
|
|
errChan <- errors.New("Decrypted value does not match")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
i++
|
|
|
|
}
|
|
|
|
close(errChan)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *EncryptionServiceTestSuite) TestRandomised() {
|
|
|
|
|
|
|
|
seed := time.Now().UTC().UnixNano()
|
|
|
|
rand.Seed(seed)
|
|
|
|
|
|
|
|
// Print so that if it fails it can be replicated
|
|
|
|
fmt.Printf("Starting test with seed: %x\n", seed)
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle, err := s.alice.GetBundle(aliceKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add alice bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.bob.ProcessPublicBundle(bobKey, aliceBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceChan := make(chan *protobuf.ProtocolMessage, 100)
|
|
|
|
bobChan := make(chan *protobuf.ProtocolMessage, 100)
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
alicePublisherErrChan := make(chan error, 1)
|
|
|
|
bobPublisherErrChan := make(chan error, 1)
|
|
|
|
|
|
|
|
aliceReceiverErrChan := make(chan error, 1)
|
|
|
|
bobReceiverErrChan := make(chan error, 1)
|
|
|
|
|
|
|
|
// Set up alice publishe
|
|
|
|
go publisher(s.alice, aliceKey, &bobKey.PublicKey, alicePublisherErrChan, bobChan)
|
|
|
|
// Set up bob publisher
|
|
|
|
go publisher(s.bob, bobKey, &aliceKey.PublicKey, bobPublisherErrChan, aliceChan)
|
|
|
|
|
|
|
|
// Set up bob receiver
|
2019-05-23 10:47:20 +02:00
|
|
|
go receiver(s.bob, bobKey, &aliceKey.PublicKey, bobReceiverErrChan, bobChan)
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
// Set up alice receiver
|
2019-05-23 10:47:20 +02:00
|
|
|
go receiver(s.alice, aliceKey, &bobKey.PublicKey, aliceReceiverErrChan, aliceChan)
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
aliceErr := <-alicePublisherErrChan
|
|
|
|
s.Require().NoError(aliceErr)
|
|
|
|
|
|
|
|
bobErr := <-bobPublisherErrChan
|
|
|
|
s.Require().NoError(bobErr)
|
|
|
|
|
|
|
|
aliceErr = <-aliceReceiverErrChan
|
|
|
|
s.Require().NoError(aliceErr)
|
|
|
|
|
|
|
|
bobErr = <-bobReceiverErrChan
|
|
|
|
s.Require().NoError(bobErr)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Edge cases
|
|
|
|
|
|
|
|
// The bundle is lost
|
|
|
|
func (s *EncryptionServiceTestSuite) TestBundleNotExisting() {
|
|
|
|
aliceText := []byte("alice text")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle without saving it
|
|
|
|
bobBundleContainer, err := NewBundleContainer(bobKey, bobInstallationID)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
err = SignBundle(bobKey, bobBundleContainer)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
bobBundle := bobBundleContainer.GetBundle()
|
|
|
|
|
|
|
|
// We add bob bundle
|
2018-10-16 12:31:05 +02:00
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceMessage, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, aliceText)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob receives the message, and returns a bundlenotfound error
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, aliceMessage.Message, defaultMessageID)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().Error(err)
|
|
|
|
s.Equal(ErrSessionNotFound, err)
|
|
|
|
}
|
|
|
|
|
2018-12-05 09:22:49 +01:00
|
|
|
// Device is not included in the bundle
|
|
|
|
func (s *EncryptionServiceTestSuite) TestDeviceNotIncluded() {
|
|
|
|
bobDevice2InstallationID := "bob2"
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle without saving it
|
|
|
|
bobBundleContainer, err := NewBundleContainer(bobKey, bobDevice2InstallationID)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
err = SignBundle(bobKey, bobBundleContainer)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
bobBundle := bobBundleContainer.GetBundle()
|
|
|
|
|
|
|
|
// We add bob bundle
|
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceMessage, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, []byte("does not matter"))
|
2018-12-05 09:22:49 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob receives the message, and returns a bundlenotfound error
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, aliceMessage.Message, defaultMessageID)
|
2018-12-05 09:22:49 +01:00
|
|
|
s.Require().Error(err)
|
|
|
|
s.Equal(ErrDeviceNotFound, err)
|
|
|
|
}
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
// A new bundle has been received
|
|
|
|
func (s *EncryptionServiceTestSuite) TestRefreshedBundle() {
|
|
|
|
|
2018-11-28 12:34:39 +01:00
|
|
|
config := DefaultEncryptionServiceConfig("none")
|
|
|
|
// Set up refresh interval to "always"
|
|
|
|
config.BundleRefreshInterval = 1000
|
|
|
|
|
|
|
|
s.initDatabases(&config)
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create bundles
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle1, err := s.bob.GetBundle(bobKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
2018-11-28 12:34:39 +01:00
|
|
|
s.Require().Equal(uint32(1), bobBundle1.GetSignedPreKeys()[bobInstallationID].GetVersion())
|
2018-09-24 20:07:34 +02:00
|
|
|
|
2018-11-28 12:34:39 +01:00
|
|
|
// Sleep the required time so that bundle is refreshed
|
|
|
|
time.Sleep(time.Duration(config.BundleRefreshInterval) * time.Millisecond)
|
2018-09-24 20:07:34 +02:00
|
|
|
|
2018-11-28 12:34:39 +01:00
|
|
|
// Create bundles
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle2, err := s.bob.GetBundle(bobKey)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
2018-11-28 12:34:39 +01:00
|
|
|
s.Require().Equal(uint32(2), bobBundle2.GetSignedPreKeys()[bobInstallationID].GetVersion())
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
// We add the first bob bundle
|
2018-11-28 12:34:39 +01:00
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle1)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
response1, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, []byte("anything"))
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
2019-05-23 10:47:20 +02:00
|
|
|
encryptionResponse1 := response1.Message.GetDirectMessage()
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
installationResponse1 := encryptionResponse1[bobInstallationID]
|
|
|
|
s.Require().NotNil(installationResponse1)
|
|
|
|
|
|
|
|
// This message is using bobBundle1
|
|
|
|
|
|
|
|
x3dhHeader1 := installationResponse1.GetX3DHHeader()
|
|
|
|
s.NotNil(x3dhHeader1)
|
2018-11-28 12:34:39 +01:00
|
|
|
s.Equal(bobBundle1.GetSignedPreKeys()[bobInstallationID].GetSignedPreKey(), x3dhHeader1.GetId())
|
2018-09-24 20:07:34 +02:00
|
|
|
|
2019-02-28 13:09:43 +01:00
|
|
|
// Bob decrypts the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, response1.Message, defaultMessageID)
|
2019-02-28 13:09:43 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
2018-09-24 20:07:34 +02:00
|
|
|
// We add the second bob bundle
|
2018-11-28 12:34:39 +01:00
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle2)
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
response2, err := s.alice.BuildDirectMessage(aliceKey, &bobKey.PublicKey, []byte("anything"))
|
2018-09-24 20:07:34 +02:00
|
|
|
s.Require().NoError(err)
|
2019-05-23 10:47:20 +02:00
|
|
|
encryptionResponse2 := response2.Message.GetDirectMessage()
|
2018-09-24 20:07:34 +02:00
|
|
|
|
|
|
|
installationResponse2 := encryptionResponse2[bobInstallationID]
|
|
|
|
s.Require().NotNil(installationResponse2)
|
|
|
|
|
|
|
|
// This message is using bobBundle2
|
|
|
|
|
|
|
|
x3dhHeader2 := installationResponse2.GetX3DHHeader()
|
|
|
|
s.NotNil(x3dhHeader2)
|
2018-11-28 12:34:39 +01:00
|
|
|
s.Equal(bobBundle2.GetSignedPreKeys()[bobInstallationID].GetSignedPreKey(), x3dhHeader2.GetId())
|
2018-09-24 20:07:34 +02:00
|
|
|
|
2019-02-28 13:09:43 +01:00
|
|
|
// Bob decrypts the message
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.bob.HandleMessage(bobKey, &aliceKey.PublicKey, response2.Message, defaultMessageID)
|
2019-02-28 13:09:43 +01:00
|
|
|
s.Require().NoError(err)
|
2018-09-24 20:07:34 +02:00
|
|
|
}
|
2019-02-19 13:58:42 +01:00
|
|
|
|
|
|
|
func (s *EncryptionServiceTestSuite) TestMessageConfirmation() {
|
|
|
|
bobText1 := []byte("bob text 1")
|
|
|
|
|
|
|
|
bobKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
aliceKey, err := crypto.GenerateKey()
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
bobBundle, err := s.bob.GetBundle(bobKey)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add bob bundle
|
|
|
|
_, err = s.alice.ProcessPublicBundle(aliceKey, bobBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Create a bundle
|
2019-05-23 10:47:20 +02:00
|
|
|
aliceBundle, err := s.alice.GetBundle(aliceKey)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// We add alice bundle
|
|
|
|
_, err = s.bob.ProcessPublicBundle(bobKey, aliceBundle)
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Bob sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMessage1, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText1)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
bobMessage1ID := []byte("bob-message-1-id")
|
|
|
|
|
|
|
|
// Alice receives the message once
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage1.Message, bobMessage1ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives the message twice
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage1.Message, bobMessage1ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice confirms the message
|
|
|
|
err = s.alice.ConfirmMessagesProcessed([][]byte{bobMessage1ID})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice decrypts it again, it should fail
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage1.Message, bobMessage1ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().Equal(errors.New("can't skip current chain message keys: bad until: probably an out-of-order message that was deleted"), err)
|
|
|
|
|
|
|
|
// Bob sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMessage2, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText1)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
bobMessage2ID := []byte("bob-message-2-id")
|
|
|
|
|
|
|
|
// Bob sends a message
|
2019-05-23 10:47:20 +02:00
|
|
|
bobMessage3, err := s.bob.BuildDirectMessage(bobKey, &aliceKey.PublicKey, bobText1)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
bobMessage3ID := []byte("bob-message-3-id")
|
|
|
|
|
|
|
|
// Alice receives message 3 once
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage3.Message, bobMessage3ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives message 3 twice
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage3.Message, bobMessage3ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives message 2 once
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage2.Message, bobMessage2ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice receives message 2 twice
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage2.Message, bobMessage2ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice confirms the messages
|
|
|
|
err = s.alice.ConfirmMessagesProcessed([][]byte{bobMessage2ID, bobMessage3ID})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
|
|
|
|
// Alice decrypts it again, it should fail
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage3.Message, bobMessage3ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().Equal(errors.New("can't skip current chain message keys: bad until: probably an out-of-order message that was deleted"), err)
|
|
|
|
|
|
|
|
// Alice decrypts it again, it should fail
|
2019-05-23 10:47:20 +02:00
|
|
|
_, err = s.alice.HandleMessage(aliceKey, &bobKey.PublicKey, bobMessage2.Message, bobMessage2ID)
|
2019-02-19 13:58:42 +01:00
|
|
|
s.Require().Equal(errors.New("can't skip current chain message keys: bad until: probably an out-of-order message that was deleted"), err)
|
|
|
|
}
|