2605 lines
68 KiB
JavaScript
2605 lines
68 KiB
JavaScript
|
/*!
|
||
|
|
||
|
otr.js v0.2.12 - 2014-04-15
|
||
|
(c) 2014 - Arlo Breault <arlolra@gmail.com>
|
||
|
Freely distributed under the MPL v2.0 license.
|
||
|
|
||
|
This file is concatenated for the browser.
|
||
|
Please see: https://github.com/arlolra/otr
|
||
|
|
||
|
*/
|
||
|
|
||
|
;(function (root, factory) {
|
||
|
|
||
|
if (typeof define === 'function' && define.amd) {
|
||
|
define([
|
||
|
"bigint"
|
||
|
, "crypto"
|
||
|
, "eventemitter"
|
||
|
], function (BigInt, CryptoJS, EventEmitter) {
|
||
|
if ($.browser.msie) {
|
||
|
return undefined;
|
||
|
}
|
||
|
var root = {
|
||
|
BigInt: BigInt
|
||
|
, CryptoJS: CryptoJS
|
||
|
, EventEmitter: EventEmitter
|
||
|
, OTR: {}
|
||
|
, DSA: {}
|
||
|
}
|
||
|
return factory.call(root)
|
||
|
})
|
||
|
} else {
|
||
|
root.OTR = {}
|
||
|
root.DSA = {}
|
||
|
factory.call(root)
|
||
|
}
|
||
|
|
||
|
}(this, function () {
|
||
|
|
||
|
;(function () {
|
||
|
"use strict";
|
||
|
|
||
|
var root = this
|
||
|
|
||
|
var CONST = {
|
||
|
|
||
|
// diffie-heilman
|
||
|
N : 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF'
|
||
|
, G : '2'
|
||
|
|
||
|
// otr message states
|
||
|
, MSGSTATE_PLAINTEXT : 0
|
||
|
, MSGSTATE_ENCRYPTED : 1
|
||
|
, MSGSTATE_FINISHED : 2
|
||
|
|
||
|
// otr auth states
|
||
|
, AUTHSTATE_NONE : 0
|
||
|
, AUTHSTATE_AWAITING_DHKEY : 1
|
||
|
, AUTHSTATE_AWAITING_REVEALSIG : 2
|
||
|
, AUTHSTATE_AWAITING_SIG : 3
|
||
|
|
||
|
// whitespace tags
|
||
|
, WHITESPACE_TAG : '\x20\x09\x20\x20\x09\x09\x09\x09\x20\x09\x20\x09\x20\x09\x20\x20'
|
||
|
, WHITESPACE_TAG_V2 : '\x20\x20\x09\x09\x20\x20\x09\x20'
|
||
|
, WHITESPACE_TAG_V3 : '\x20\x20\x09\x09\x20\x20\x09\x09'
|
||
|
|
||
|
// otr tags
|
||
|
, OTR_TAG : '?OTR'
|
||
|
, OTR_VERSION_1 : '\x00\x01'
|
||
|
, OTR_VERSION_2 : '\x00\x02'
|
||
|
, OTR_VERSION_3 : '\x00\x03'
|
||
|
|
||
|
// smp machine states
|
||
|
, SMPSTATE_EXPECT0 : 0
|
||
|
, SMPSTATE_EXPECT1 : 1
|
||
|
, SMPSTATE_EXPECT2 : 2
|
||
|
, SMPSTATE_EXPECT3 : 3
|
||
|
, SMPSTATE_EXPECT4 : 4
|
||
|
|
||
|
// unstandard status codes
|
||
|
, STATUS_SEND_QUERY : 0
|
||
|
, STATUS_AKE_INIT : 1
|
||
|
, STATUS_AKE_SUCCESS : 2
|
||
|
, STATUS_END_OTR : 3
|
||
|
|
||
|
}
|
||
|
|
||
|
if (typeof module !== 'undefined' && module.exports) {
|
||
|
module.exports = CONST
|
||
|
} else {
|
||
|
root.OTR.CONST = CONST
|
||
|
}
|
||
|
|
||
|
}).call(this)
|
||
|
;(function () {
|
||
|
"use strict";
|
||
|
|
||
|
var root = this
|
||
|
|
||
|
var HLP = {}, CryptoJS, BigInt
|
||
|
if (typeof module !== 'undefined' && module.exports) {
|
||
|
module.exports = HLP = {}
|
||
|
CryptoJS = require('../vendor/crypto.js')
|
||
|
BigInt = require('../vendor/bigint.js')
|
||
|
} else {
|
||
|
if (root.OTR) root.OTR.HLP = HLP
|
||
|
if (root.DSA) root.DSA.HLP = HLP
|
||
|
CryptoJS = root.CryptoJS
|
||
|
BigInt = root.BigInt
|
||
|
}
|
||
|
|
||
|
// data types (byte lengths)
|
||
|
var DTS = {
|
||
|
BYTE : 1
|
||
|
, SHORT : 2
|
||
|
, INT : 4
|
||
|
, CTR : 8
|
||
|
, MAC : 20
|
||
|
, SIG : 40
|
||
|
}
|
||
|
|
||
|
// otr message wrapper begin and end
|
||
|
var WRAPPER_BEGIN = "?OTR"
|
||
|
, WRAPPER_END = "."
|
||
|
|
||
|
var TWO = BigInt.str2bigInt('2', 10)
|
||
|
|
||
|
HLP.debug = function (msg) {
|
||
|
// used as HLP.debug.call(ctx, msg)
|
||
|
if ( this.debug &&
|
||
|
typeof this.debug !== 'function' &&
|
||
|
typeof console !== 'undefined'
|
||
|
) console.log(msg)
|
||
|
}
|
||
|
|
||
|
HLP.extend = function (child, parent) {
|
||
|
for (var key in parent) {
|
||
|
if (Object.hasOwnProperty.call(parent, key))
|
||
|
child[key] = parent[key]
|
||
|
}
|
||
|
function Ctor() { this.constructor = child }
|
||
|
Ctor.prototype = parent.prototype
|
||
|
child.prototype = new Ctor()
|
||
|
child.__super__ = parent.prototype
|
||
|
}
|
||
|
|
||
|
// constant-time string comparison
|
||
|
HLP.compare = function (str1, str2) {
|
||
|
if (str1.length !== str2.length)
|
||
|
return false
|
||
|
var i = 0, result = 0
|
||
|
for (; i < str1.length; i++)
|
||
|
result |= str1[i].charCodeAt(0) ^ str2[i].charCodeAt(0)
|
||
|
return result === 0
|
||
|
}
|
||
|
|
||
|
HLP.randomExponent = function () {
|
||
|
return BigInt.randBigInt(1536)
|
||
|
}
|
||
|
|
||
|
HLP.smpHash = function (version, fmpi, smpi) {
|
||
|
var sha256 = CryptoJS.algo.SHA256.create()
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(HLP.packBytes(version, DTS.BYTE)))
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(HLP.packMPI(fmpi)))
|
||
|
if (smpi) sha256.update(CryptoJS.enc.Latin1.parse(HLP.packMPI(smpi)))
|
||
|
var hash = sha256.finalize()
|
||
|
return HLP.bits2bigInt(hash.toString(CryptoJS.enc.Latin1))
|
||
|
}
|
||
|
|
||
|
HLP.makeMac = function (aesctr, m) {
|
||
|
var pass = CryptoJS.enc.Latin1.parse(m)
|
||
|
var mac = CryptoJS.HmacSHA256(CryptoJS.enc.Latin1.parse(aesctr), pass)
|
||
|
return HLP.mask(mac.toString(CryptoJS.enc.Latin1), 0, 160)
|
||
|
}
|
||
|
|
||
|
HLP.make1Mac = function (aesctr, m) {
|
||
|
var pass = CryptoJS.enc.Latin1.parse(m)
|
||
|
var mac = CryptoJS.HmacSHA1(CryptoJS.enc.Latin1.parse(aesctr), pass)
|
||
|
return mac.toString(CryptoJS.enc.Latin1)
|
||
|
}
|
||
|
|
||
|
HLP.encryptAes = function (msg, c, iv) {
|
||
|
var opts = {
|
||
|
mode: CryptoJS.mode.CTR
|
||
|
, iv: CryptoJS.enc.Latin1.parse(iv)
|
||
|
, padding: CryptoJS.pad.NoPadding
|
||
|
}
|
||
|
var aesctr = CryptoJS.AES.encrypt(
|
||
|
msg
|
||
|
, CryptoJS.enc.Latin1.parse(c)
|
||
|
, opts
|
||
|
)
|
||
|
var aesctr_decoded = CryptoJS.enc.Base64.parse(aesctr.toString())
|
||
|
return CryptoJS.enc.Latin1.stringify(aesctr_decoded)
|
||
|
}
|
||
|
|
||
|
HLP.decryptAes = function (msg, c, iv) {
|
||
|
msg = CryptoJS.enc.Latin1.parse(msg)
|
||
|
var opts = {
|
||
|
mode: CryptoJS.mode.CTR
|
||
|
, iv: CryptoJS.enc.Latin1.parse(iv)
|
||
|
, padding: CryptoJS.pad.NoPadding
|
||
|
}
|
||
|
return CryptoJS.AES.decrypt(
|
||
|
CryptoJS.enc.Base64.stringify(msg)
|
||
|
, CryptoJS.enc.Latin1.parse(c)
|
||
|
, opts
|
||
|
)
|
||
|
}
|
||
|
|
||
|
HLP.multPowMod = function (a, b, c, d, e) {
|
||
|
return BigInt.multMod(BigInt.powMod(a, b, e), BigInt.powMod(c, d, e), e)
|
||
|
}
|
||
|
|
||
|
HLP.ZKP = function (v, c, d, e) {
|
||
|
return BigInt.equals(c, HLP.smpHash(v, d, e))
|
||
|
}
|
||
|
|
||
|
// greater than, or equal
|
||
|
HLP.GTOE = function (a, b) {
|
||
|
return (BigInt.equals(a, b) || BigInt.greater(a, b))
|
||
|
}
|
||
|
|
||
|
HLP.between = function (x, a, b) {
|
||
|
return (BigInt.greater(x, a) && BigInt.greater(b, x))
|
||
|
}
|
||
|
|
||
|
HLP.checkGroup = function (g, N_MINUS_2) {
|
||
|
return HLP.GTOE(g, TWO) && HLP.GTOE(N_MINUS_2, g)
|
||
|
}
|
||
|
|
||
|
HLP.h1 = function (b, secbytes) {
|
||
|
var sha1 = CryptoJS.algo.SHA1.create()
|
||
|
sha1.update(CryptoJS.enc.Latin1.parse(b))
|
||
|
sha1.update(CryptoJS.enc.Latin1.parse(secbytes))
|
||
|
return (sha1.finalize()).toString(CryptoJS.enc.Latin1)
|
||
|
}
|
||
|
|
||
|
HLP.h2 = function (b, secbytes) {
|
||
|
var sha256 = CryptoJS.algo.SHA256.create()
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(b))
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(secbytes))
|
||
|
return (sha256.finalize()).toString(CryptoJS.enc.Latin1)
|
||
|
}
|
||
|
|
||
|
HLP.mask = function (bytes, start, n) {
|
||
|
return bytes.substr(start / 8, n / 8)
|
||
|
}
|
||
|
|
||
|
var _toString = String.fromCharCode;
|
||
|
HLP.packBytes = function (val, bytes) {
|
||
|
val = val.toString(16)
|
||
|
var nex, res = '' // big-endian, unsigned long
|
||
|
for (; bytes > 0; bytes--) {
|
||
|
nex = val.length ? val.substr(-2, 2) : '0'
|
||
|
val = val.substr(0, val.length - 2)
|
||
|
res = _toString(parseInt(nex, 16)) + res
|
||
|
}
|
||
|
return res
|
||
|
}
|
||
|
|
||
|
HLP.packINT = function (d) {
|
||
|
return HLP.packBytes(d, DTS.INT)
|
||
|
}
|
||
|
|
||
|
HLP.packCtr = function (d) {
|
||
|
return HLP.padCtr(HLP.packBytes(d, DTS.CTR))
|
||
|
}
|
||
|
|
||
|
HLP.padCtr = function (ctr) {
|
||
|
return ctr + '\x00\x00\x00\x00\x00\x00\x00\x00'
|
||
|
}
|
||
|
|
||
|
HLP.unpackCtr = function (d) {
|
||
|
d = HLP.toByteArray(d.substring(0, 8))
|
||
|
return HLP.unpack(d)
|
||
|
}
|
||
|
|
||
|
HLP.unpack = function (arr) {
|
||
|
var val = 0, i = 0, len = arr.length
|
||
|
for (; i < len; i++) {
|
||
|
val = (val * 256) + arr[i]
|
||
|
}
|
||
|
return val
|
||
|
}
|
||
|
|
||
|
HLP.packData = function (d) {
|
||
|
return HLP.packINT(d.length) + d
|
||
|
}
|
||
|
|
||
|
HLP.bits2bigInt = function (bits) {
|
||
|
bits = HLP.toByteArray(bits)
|
||
|
return BigInt.ba2bigInt(bits)
|
||
|
}
|
||
|
|
||
|
HLP.packMPI = function (mpi) {
|
||
|
return HLP.packData(BigInt.bigInt2bits(BigInt.trim(mpi, 0)))
|
||
|
}
|
||
|
|
||
|
HLP.packSHORT = function (short) {
|
||
|
return HLP.packBytes(short, DTS.SHORT)
|
||
|
}
|
||
|
|
||
|
HLP.unpackSHORT = function (short) {
|
||
|
short = HLP.toByteArray(short)
|
||
|
return HLP.unpack(short)
|
||
|
}
|
||
|
|
||
|
HLP.packTLV = function (type, value) {
|
||
|
return HLP.packSHORT(type) + HLP.packSHORT(value.length) + value
|
||
|
}
|
||
|
|
||
|
HLP.readLen = function (msg) {
|
||
|
msg = HLP.toByteArray(msg.substring(0, 4))
|
||
|
return HLP.unpack(msg)
|
||
|
}
|
||
|
|
||
|
HLP.readData = function (data) {
|
||
|
var n = HLP.unpack(data.splice(0, 4))
|
||
|
return [n, data]
|
||
|
}
|
||
|
|
||
|
HLP.readMPI = function (data) {
|
||
|
data = HLP.toByteArray(data)
|
||
|
data = HLP.readData(data)
|
||
|
return BigInt.ba2bigInt(data[1])
|
||
|
}
|
||
|
|
||
|
HLP.packMPIs = function (arr) {
|
||
|
return arr.reduce(function (prv, cur) {
|
||
|
return prv + HLP.packMPI(cur)
|
||
|
}, '')
|
||
|
}
|
||
|
|
||
|
HLP.unpackMPIs = function (num, mpis) {
|
||
|
var i = 0, arr = []
|
||
|
for (; i < num; i++) arr.push('MPI')
|
||
|
return (HLP.splitype(arr, mpis)).map(function (m) {
|
||
|
return HLP.readMPI(m)
|
||
|
})
|
||
|
}
|
||
|
|
||
|
HLP.wrapMsg = function (msg, fs, v3, our_it, their_it) {
|
||
|
msg = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Latin1.parse(msg))
|
||
|
msg = WRAPPER_BEGIN + ":" + msg + WRAPPER_END
|
||
|
|
||
|
var its
|
||
|
if (v3) {
|
||
|
its = '|'
|
||
|
its += (HLP.readLen(our_it)).toString(16)
|
||
|
its += '|'
|
||
|
its += (HLP.readLen(their_it)).toString(16)
|
||
|
}
|
||
|
|
||
|
if (!fs) return [null, msg]
|
||
|
|
||
|
var n = Math.ceil(msg.length / fs)
|
||
|
if (n > 65535) return ['Too many fragments']
|
||
|
if (n == 1) return [null, msg]
|
||
|
|
||
|
var k, bi, ei, frag, mf, mfs = []
|
||
|
for (k = 1; k <= n; k++) {
|
||
|
bi = (k - 1) * fs
|
||
|
ei = k * fs
|
||
|
frag = msg.slice(bi, ei)
|
||
|
mf = WRAPPER_BEGIN
|
||
|
if (v3) mf += its
|
||
|
mf += ',' + k + ','
|
||
|
mf += n + ','
|
||
|
mf += frag + ','
|
||
|
mfs.push(mf)
|
||
|
}
|
||
|
|
||
|
return [null, mfs]
|
||
|
}
|
||
|
|
||
|
HLP.splitype = function splitype(arr, msg) {
|
||
|
var data = []
|
||
|
arr.forEach(function (a) {
|
||
|
var str
|
||
|
switch (a) {
|
||
|
case 'PUBKEY':
|
||
|
str = splitype(['SHORT', 'MPI', 'MPI', 'MPI', 'MPI'], msg).join('')
|
||
|
break
|
||
|
case 'DATA': // falls through
|
||
|
case 'MPI':
|
||
|
str = msg.substring(0, HLP.readLen(msg) + 4)
|
||
|
break
|
||
|
default:
|
||
|
str = msg.substring(0, DTS[a])
|
||
|
}
|
||
|
data.push(str)
|
||
|
msg = msg.substring(str.length)
|
||
|
})
|
||
|
return data
|
||
|
}
|
||
|
|
||
|
// https://github.com/msgpack/msgpack-javascript/blob/master/msgpack.js
|
||
|
|
||
|
var _bin2num = (function () {
|
||
|
var i = 0, _bin2num = {}
|
||
|
for (; i < 0x100; ++i) {
|
||
|
_bin2num[String.fromCharCode(i)] = i // "\00" -> 0x00
|
||
|
}
|
||
|
for (i = 0x80; i < 0x100; ++i) { // [Webkit][Gecko]
|
||
|
_bin2num[String.fromCharCode(0xf700 + i)] = i // "\f780" -> 0x80
|
||
|
}
|
||
|
return _bin2num
|
||
|
}())
|
||
|
|
||
|
HLP.toByteArray = function (data) {
|
||
|
var rv = []
|
||
|
, ary = data.split("")
|
||
|
, i = -1
|
||
|
, iz = ary.length
|
||
|
, remain = iz % 8
|
||
|
|
||
|
while (remain--) {
|
||
|
++i
|
||
|
rv[i] = _bin2num[ary[i]]
|
||
|
}
|
||
|
remain = iz >> 3
|
||
|
while (remain--) {
|
||
|
rv.push(_bin2num[ary[++i]], _bin2num[ary[++i]],
|
||
|
_bin2num[ary[++i]], _bin2num[ary[++i]],
|
||
|
_bin2num[ary[++i]], _bin2num[ary[++i]],
|
||
|
_bin2num[ary[++i]], _bin2num[ary[++i]])
|
||
|
}
|
||
|
return rv
|
||
|
}
|
||
|
|
||
|
}).call(this)
|
||
|
;(function () {
|
||
|
"use strict";
|
||
|
|
||
|
var root = this
|
||
|
|
||
|
var CryptoJS, BigInt, Worker, WWPath, HLP
|
||
|
if (typeof module !== 'undefined' && module.exports) {
|
||
|
module.exports = DSA
|
||
|
CryptoJS = require('../vendor/crypto.js')
|
||
|
BigInt = require('../vendor/bigint.js')
|
||
|
WWPath = require('path').join(__dirname, '/dsa-webworker.js')
|
||
|
HLP = require('./helpers.js')
|
||
|
} else {
|
||
|
// copy over and expose internals
|
||
|
Object.keys(root.DSA).forEach(function (k) {
|
||
|
DSA[k] = root.DSA[k]
|
||
|
})
|
||
|
root.DSA = DSA
|
||
|
CryptoJS = root.CryptoJS
|
||
|
BigInt = root.BigInt
|
||
|
Worker = root.Worker
|
||
|
WWPath = 'dsa-webworker.js'
|
||
|
HLP = DSA.HLP
|
||
|
}
|
||
|
|
||
|
var ZERO = BigInt.str2bigInt('0', 10)
|
||
|
, ONE = BigInt.str2bigInt('1', 10)
|
||
|
, TWO = BigInt.str2bigInt('2', 10)
|
||
|
, KEY_TYPE = '\x00\x00'
|
||
|
|
||
|
var DEBUG = false
|
||
|
function timer() {
|
||
|
var start = (new Date()).getTime()
|
||
|
return function (s) {
|
||
|
if (!DEBUG || typeof console === 'undefined') return
|
||
|
var t = (new Date()).getTime()
|
||
|
console.log(s + ': ' + (t - start))
|
||
|
start = t
|
||
|
}
|
||
|
}
|
||
|
|
||
|
function makeRandom(min, max) {
|
||
|
var c = BigInt.randBigInt(BigInt.bitSize(max))
|
||
|
if (!HLP.between(c, min, max)) return makeRandom(min, max)
|
||
|
return c
|
||
|
}
|
||
|
|
||
|
// altered BigInt.randProbPrime()
|
||
|
// n rounds of Miller Rabin (after trial division with small primes)
|
||
|
var rpprb = []
|
||
|
function isProbPrime(k, n) {
|
||
|
var i, B = 30000, l = BigInt.bitSize(k)
|
||
|
var primes = BigInt.primes
|
||
|
|
||
|
if (primes.length === 0)
|
||
|
primes = BigInt.findPrimes(B)
|
||
|
|
||
|
if (rpprb.length != k.length)
|
||
|
rpprb = BigInt.dup(k)
|
||
|
|
||
|
// check ans for divisibility by small primes up to B
|
||
|
for (i = 0; (i < primes.length) && (primes[i] <= B); i++)
|
||
|
if (BigInt.modInt(k, primes[i]) === 0 && !BigInt.equalsInt(k, primes[i]))
|
||
|
return 0
|
||
|
|
||
|
// do n rounds of Miller Rabin, with random bases less than k
|
||
|
for (i = 0; i < n; i++) {
|
||
|
BigInt.randBigInt_(rpprb, l, 0)
|
||
|
while(!BigInt.greater(k, rpprb)) // pick a random rpprb that's < k
|
||
|
BigInt.randBigInt_(rpprb, l, 0)
|
||
|
if (!BigInt.millerRabin(k, rpprb))
|
||
|
return 0
|
||
|
}
|
||
|
|
||
|
return 1
|
||
|
}
|
||
|
|
||
|
var bit_lengths = {
|
||
|
'1024': { N: 160, repeat: 40 } // 40x should give 2^-80 confidence
|
||
|
, '2048': { N: 224, repeat: 56 }
|
||
|
}
|
||
|
|
||
|
var primes = {}
|
||
|
|
||
|
// follows go lang http://golang.org/src/pkg/crypto/dsa/dsa.go
|
||
|
// fips version was removed in 0c99af0df3e7
|
||
|
function generatePrimes(bit_length) {
|
||
|
|
||
|
var t = timer() // for debugging
|
||
|
|
||
|
// number of MR tests to perform
|
||
|
var repeat = bit_lengths[bit_length].repeat
|
||
|
|
||
|
var N = bit_lengths[bit_length].N
|
||
|
|
||
|
var LM1 = BigInt.twoToThe(bit_length - 1)
|
||
|
var bl4 = 4 * bit_length
|
||
|
var brk = false
|
||
|
|
||
|
var q, p, rem, counter
|
||
|
for (;;) {
|
||
|
|
||
|
q = BigInt.randBigInt(N, 1)
|
||
|
q[0] |= 1
|
||
|
|
||
|
if (!isProbPrime(q, repeat)) continue
|
||
|
t('q')
|
||
|
|
||
|
for (counter = 0; counter < bl4; counter++) {
|
||
|
p = BigInt.randBigInt(bit_length, 1)
|
||
|
p[0] |= 1
|
||
|
|
||
|
rem = BigInt.mod(p, q)
|
||
|
rem = BigInt.sub(rem, ONE)
|
||
|
p = BigInt.sub(p, rem)
|
||
|
|
||
|
if (BigInt.greater(LM1, p)) continue
|
||
|
if (!isProbPrime(p, repeat)) continue
|
||
|
|
||
|
t('p')
|
||
|
primes[bit_length] = { p: p, q: q }
|
||
|
brk = true
|
||
|
break
|
||
|
}
|
||
|
|
||
|
if (brk) break
|
||
|
}
|
||
|
|
||
|
var h = BigInt.dup(TWO)
|
||
|
var pm1 = BigInt.sub(p, ONE)
|
||
|
var e = BigInt.multMod(pm1, BigInt.inverseMod(q, p), p)
|
||
|
|
||
|
var g
|
||
|
for (;;) {
|
||
|
g = BigInt.powMod(h, e, p)
|
||
|
if (BigInt.equals(g, ONE)) {
|
||
|
h = BigInt.add(h, ONE)
|
||
|
continue
|
||
|
}
|
||
|
primes[bit_length].g = g
|
||
|
t('g')
|
||
|
return
|
||
|
}
|
||
|
|
||
|
throw new Error('Unreachable!')
|
||
|
}
|
||
|
|
||
|
function DSA(obj, opts) {
|
||
|
if (!(this instanceof DSA)) return new DSA(obj, opts)
|
||
|
|
||
|
// options
|
||
|
opts = opts || {}
|
||
|
|
||
|
// inherit
|
||
|
if (obj) {
|
||
|
var self = this
|
||
|
;['p', 'q', 'g', 'y', 'x'].forEach(function (prop) {
|
||
|
self[prop] = obj[prop]
|
||
|
})
|
||
|
this.type = obj.type || KEY_TYPE
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// default to 1024
|
||
|
var bit_length = parseInt(opts.bit_length ? opts.bit_length : 1024, 10)
|
||
|
|
||
|
if (!bit_lengths[bit_length])
|
||
|
throw new Error('Unsupported bit length.')
|
||
|
|
||
|
// set primes
|
||
|
if (!primes[bit_length])
|
||
|
generatePrimes(bit_length)
|
||
|
|
||
|
this.p = primes[bit_length].p
|
||
|
this.q = primes[bit_length].q
|
||
|
this.g = primes[bit_length].g
|
||
|
|
||
|
// key type
|
||
|
this.type = KEY_TYPE
|
||
|
|
||
|
// private key
|
||
|
this.x = makeRandom(ZERO, this.q)
|
||
|
|
||
|
// public keys (p, q, g, y)
|
||
|
this.y = BigInt.powMod(this.g, this.x, this.p)
|
||
|
|
||
|
// nocache?
|
||
|
if (opts.nocache) primes[bit_length] = null
|
||
|
}
|
||
|
|
||
|
DSA.prototype = {
|
||
|
|
||
|
constructor: DSA,
|
||
|
|
||
|
packPublic: function () {
|
||
|
var str = this.type
|
||
|
str += HLP.packMPI(this.p)
|
||
|
str += HLP.packMPI(this.q)
|
||
|
str += HLP.packMPI(this.g)
|
||
|
str += HLP.packMPI(this.y)
|
||
|
return str
|
||
|
},
|
||
|
|
||
|
packPrivate: function () {
|
||
|
var str = this.packPublic() + HLP.packMPI(this.x)
|
||
|
str = CryptoJS.enc.Latin1.parse(str)
|
||
|
return str.toString(CryptoJS.enc.Base64)
|
||
|
},
|
||
|
|
||
|
// http://www.imperialviolet.org/2013/06/15/suddendeathentropy.html
|
||
|
generateNonce: function (m) {
|
||
|
var priv = BigInt.bigInt2bits(BigInt.trim(this.x, 0))
|
||
|
var rand = BigInt.bigInt2bits(BigInt.randBigInt(256))
|
||
|
|
||
|
var sha256 = CryptoJS.algo.SHA256.create()
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(priv))
|
||
|
sha256.update(m)
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(rand))
|
||
|
|
||
|
var hash = sha256.finalize()
|
||
|
hash = HLP.bits2bigInt(hash.toString(CryptoJS.enc.Latin1))
|
||
|
BigInt.rightShift_(hash, 256 - BigInt.bitSize(this.q))
|
||
|
|
||
|
return HLP.between(hash, ZERO, this.q) ? hash : this.generateNonce(m)
|
||
|
},
|
||
|
|
||
|
sign: function (m) {
|
||
|
m = CryptoJS.enc.Latin1.parse(m)
|
||
|
var b = BigInt.str2bigInt(m.toString(CryptoJS.enc.Hex), 16)
|
||
|
var k, r = ZERO, s = ZERO
|
||
|
while (BigInt.isZero(s) || BigInt.isZero(r)) {
|
||
|
k = this.generateNonce(m)
|
||
|
r = BigInt.mod(BigInt.powMod(this.g, k, this.p), this.q)
|
||
|
if (BigInt.isZero(r)) continue
|
||
|
s = BigInt.inverseMod(k, this.q)
|
||
|
s = BigInt.mult(s, BigInt.add(b, BigInt.mult(this.x, r)))
|
||
|
s = BigInt.mod(s, this.q)
|
||
|
}
|
||
|
return [r, s]
|
||
|
},
|
||
|
|
||
|
fingerprint: function () {
|
||
|
var pk = this.packPublic()
|
||
|
if (this.type === KEY_TYPE) pk = pk.substring(2)
|
||
|
pk = CryptoJS.enc.Latin1.parse(pk)
|
||
|
return CryptoJS.SHA1(pk).toString(CryptoJS.enc.Hex)
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
DSA.parsePublic = function (str, priv) {
|
||
|
var fields = ['SHORT', 'MPI', 'MPI', 'MPI', 'MPI']
|
||
|
if (priv) fields.push('MPI')
|
||
|
str = HLP.splitype(fields, str)
|
||
|
var obj = {
|
||
|
type: str[0]
|
||
|
, p: HLP.readMPI(str[1])
|
||
|
, q: HLP.readMPI(str[2])
|
||
|
, g: HLP.readMPI(str[3])
|
||
|
, y: HLP.readMPI(str[4])
|
||
|
}
|
||
|
if (priv) obj.x = HLP.readMPI(str[5])
|
||
|
return new DSA(obj)
|
||
|
}
|
||
|
|
||
|
function tokenizeStr(str) {
|
||
|
var start, end
|
||
|
|
||
|
start = str.indexOf("(")
|
||
|
end = str.lastIndexOf(")")
|
||
|
|
||
|
if (start < 0 || end < 0)
|
||
|
throw new Error("Malformed S-Expression")
|
||
|
|
||
|
str = str.substring(start + 1, end)
|
||
|
|
||
|
var splt = str.search(/\s/)
|
||
|
var obj = {
|
||
|
type: str.substring(0, splt)
|
||
|
, val: []
|
||
|
}
|
||
|
|
||
|
str = str.substring(splt + 1, end)
|
||
|
start = str.indexOf("(")
|
||
|
|
||
|
if (start < 0) obj.val.push(str)
|
||
|
else {
|
||
|
|
||
|
var i, len, ss, es
|
||
|
while (start > -1) {
|
||
|
i = start + 1
|
||
|
len = str.length
|
||
|
for (ss = 1, es = 0; i < len && es < ss; i++) {
|
||
|
if (str[i] === "(") ss++
|
||
|
if (str[i] === ")") es++
|
||
|
}
|
||
|
obj.val.push(tokenizeStr(str.substring(start, ++i)))
|
||
|
str = str.substring(++i)
|
||
|
start = str.indexOf("(")
|
||
|
}
|
||
|
|
||
|
}
|
||
|
return obj
|
||
|
}
|
||
|
|
||
|
function parseLibotr(obj) {
|
||
|
if (!obj.type) throw new Error("Parse error.")
|
||
|
|
||
|
var o, val
|
||
|
if (obj.type === "privkeys") {
|
||
|
o = []
|
||
|
obj.val.forEach(function (i) {
|
||
|
o.push(parseLibotr(i))
|
||
|
})
|
||
|
return o
|
||
|
}
|
||
|
|
||
|
o = {}
|
||
|
obj.val.forEach(function (i) {
|
||
|
|
||
|
val = i.val[0]
|
||
|
if (typeof val === "string") {
|
||
|
|
||
|
if (val.indexOf("#") === 0) {
|
||
|
val = val.substring(1, val.lastIndexOf("#"))
|
||
|
val = BigInt.str2bigInt(val, 16)
|
||
|
}
|
||
|
|
||
|
} else {
|
||
|
val = parseLibotr(i)
|
||
|
}
|
||
|
|
||
|
o[i.type] = val
|
||
|
})
|
||
|
|
||
|
return o
|
||
|
}
|
||
|
|
||
|
DSA.parsePrivate = function (str, libotr) {
|
||
|
if (!libotr) {
|
||
|
str = CryptoJS.enc.Base64.parse(str)
|
||
|
str = str.toString(CryptoJS.enc.Latin1)
|
||
|
return DSA.parsePublic(str, true)
|
||
|
}
|
||
|
// only returning the first key found
|
||
|
return parseLibotr(tokenizeStr(str))[0]["private-key"].dsa
|
||
|
}
|
||
|
|
||
|
DSA.verify = function (key, m, r, s) {
|
||
|
if (!HLP.between(r, ZERO, key.q) || !HLP.between(s, ZERO, key.q))
|
||
|
return false
|
||
|
|
||
|
var hm = CryptoJS.enc.Latin1.parse(m) // CryptoJS.SHA1(m)
|
||
|
hm = BigInt.str2bigInt(hm.toString(CryptoJS.enc.Hex), 16)
|
||
|
|
||
|
var w = BigInt.inverseMod(s, key.q)
|
||
|
var u1 = BigInt.multMod(hm, w, key.q)
|
||
|
var u2 = BigInt.multMod(r, w, key.q)
|
||
|
|
||
|
u1 = BigInt.powMod(key.g, u1, key.p)
|
||
|
u2 = BigInt.powMod(key.y, u2, key.p)
|
||
|
|
||
|
var v = BigInt.mod(BigInt.multMod(u1, u2, key.p), key.q)
|
||
|
|
||
|
return BigInt.equals(v, r)
|
||
|
}
|
||
|
|
||
|
DSA.createInWebWorker = function (options, cb) {
|
||
|
var opts = {
|
||
|
path: WWPath
|
||
|
, seed: BigInt.getSeed
|
||
|
}
|
||
|
if (options && typeof options === 'object')
|
||
|
Object.keys(options).forEach(function (k) {
|
||
|
opts[k] = options[k]
|
||
|
})
|
||
|
|
||
|
// load optional dep. in node
|
||
|
if (typeof module !== 'undefined' && module.exports)
|
||
|
Worker = require('webworker-threads').Worker
|
||
|
|
||
|
var worker = new Worker(opts.path)
|
||
|
worker.onmessage = function (e) {
|
||
|
var data = e.data
|
||
|
switch (data.type) {
|
||
|
case "debug":
|
||
|
if (!DEBUG || typeof console === 'undefined') return
|
||
|
console.log(data.val)
|
||
|
break;
|
||
|
case "data":
|
||
|
worker.terminate()
|
||
|
cb(DSA.parsePrivate(data.val))
|
||
|
break;
|
||
|
default:
|
||
|
throw new Error("Unrecognized type.")
|
||
|
}
|
||
|
}
|
||
|
worker.postMessage({
|
||
|
seed: opts.seed()
|
||
|
, imports: opts.imports
|
||
|
, debug: DEBUG
|
||
|
})
|
||
|
}
|
||
|
|
||
|
}).call(this)
|
||
|
;(function () {
|
||
|
"use strict";
|
||
|
|
||
|
var root = this
|
||
|
|
||
|
var Parse = {}, CryptoJS, CONST, HLP
|
||
|
if (typeof module !== 'undefined' && module.exports) {
|
||
|
module.exports = Parse
|
||
|
CryptoJS = require('../vendor/crypto.js')
|
||
|
CONST = require('./const.js')
|
||
|
HLP = require('./helpers.js')
|
||
|
} else {
|
||
|
root.OTR.Parse = Parse
|
||
|
CryptoJS = root.CryptoJS
|
||
|
CONST = root.OTR.CONST
|
||
|
HLP = root.OTR.HLP
|
||
|
}
|
||
|
|
||
|
// whitespace tags
|
||
|
var tags = {}
|
||
|
tags[CONST.WHITESPACE_TAG_V2] = CONST.OTR_VERSION_2
|
||
|
tags[CONST.WHITESPACE_TAG_V3] = CONST.OTR_VERSION_3
|
||
|
|
||
|
Parse.parseMsg = function (otr, msg) {
|
||
|
|
||
|
var ver = []
|
||
|
|
||
|
// is this otr?
|
||
|
var start = msg.indexOf(CONST.OTR_TAG)
|
||
|
if (!~start) {
|
||
|
|
||
|
// restart fragments
|
||
|
this.initFragment(otr)
|
||
|
|
||
|
// whitespace tags
|
||
|
ind = msg.indexOf(CONST.WHITESPACE_TAG)
|
||
|
|
||
|
if (~ind) {
|
||
|
|
||
|
msg = msg.split('')
|
||
|
msg.splice(ind, 16)
|
||
|
|
||
|
var tag, len = msg.length
|
||
|
for (; ind < len;) {
|
||
|
tag = msg.slice(ind, ind + 8).join('')
|
||
|
if (Object.hasOwnProperty.call(tags, tag)) {
|
||
|
msg.splice(ind, 8)
|
||
|
ver.push(tags[tag])
|
||
|
continue
|
||
|
}
|
||
|
ind += 8
|
||
|
}
|
||
|
|
||
|
msg = msg.join('')
|
||
|
|
||
|
}
|
||
|
|
||
|
return { msg: msg, ver: ver }
|
||
|
}
|
||
|
|
||
|
var ind = start + CONST.OTR_TAG.length
|
||
|
var com = msg[ind]
|
||
|
|
||
|
// message fragment
|
||
|
if (com === ',' || com === '|') {
|
||
|
return this.msgFragment(otr, msg.substring(ind + 1), (com === '|'))
|
||
|
}
|
||
|
|
||
|
this.initFragment(otr)
|
||
|
|
||
|
// query message
|
||
|
if (~['?', 'v'].indexOf(com)) {
|
||
|
|
||
|
// version 1
|
||
|
if (msg[ind] === '?') {
|
||
|
ver.push(CONST.OTR_VERSION_1)
|
||
|
ind += 1
|
||
|
}
|
||
|
|
||
|
// other versions
|
||
|
var vers = {
|
||
|
'2': CONST.OTR_VERSION_2
|
||
|
, '3': CONST.OTR_VERSION_3
|
||
|
}
|
||
|
var qs = msg.substring(ind + 1)
|
||
|
var qi = qs.indexOf('?')
|
||
|
|
||
|
if (qi >= 1) {
|
||
|
qs = qs.substring(0, qi).split('')
|
||
|
if (msg[ind] === 'v') {
|
||
|
qs.forEach(function (q) {
|
||
|
if (Object.hasOwnProperty.call(vers, q)) ver.push(vers[q])
|
||
|
})
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return { cls: 'query', ver: ver }
|
||
|
}
|
||
|
|
||
|
// otr message
|
||
|
if (com === ':') {
|
||
|
|
||
|
ind += 1
|
||
|
|
||
|
var info = msg.substring(ind, ind + 4)
|
||
|
if (info.length < 4) return { msg: msg }
|
||
|
info = CryptoJS.enc.Base64.parse(info).toString(CryptoJS.enc.Latin1)
|
||
|
|
||
|
var version = info.substring(0, 2)
|
||
|
var type = info.substring(2)
|
||
|
|
||
|
// supporting otr versions 2 and 3
|
||
|
if (!otr['ALLOW_V' + HLP.unpackSHORT(version)]) return { msg: msg }
|
||
|
|
||
|
ind += 4
|
||
|
|
||
|
var end = msg.substring(ind).indexOf('.')
|
||
|
if (!~end) return { msg: msg }
|
||
|
|
||
|
msg = CryptoJS.enc.Base64.parse(msg.substring(ind, ind + end))
|
||
|
msg = CryptoJS.enc.Latin1.stringify(msg)
|
||
|
|
||
|
// instance tags
|
||
|
var instance_tags
|
||
|
if (version === CONST.OTR_VERSION_3) {
|
||
|
instance_tags = msg.substring(0, 8)
|
||
|
msg = msg.substring(8)
|
||
|
}
|
||
|
|
||
|
var cls
|
||
|
if (~['\x02', '\x0a', '\x11', '\x12'].indexOf(type)) {
|
||
|
cls = 'ake'
|
||
|
} else if (type === '\x03') {
|
||
|
cls = 'data'
|
||
|
}
|
||
|
|
||
|
return {
|
||
|
version: version
|
||
|
, type: type
|
||
|
, msg: msg
|
||
|
, cls: cls
|
||
|
, instance_tags: instance_tags
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// error message
|
||
|
if (msg.substring(ind, ind + 7) === ' Error:') {
|
||
|
if (otr.ERROR_START_AKE) {
|
||
|
otr.sendQueryMsg()
|
||
|
}
|
||
|
return { msg: msg.substring(ind + 7), cls: 'error' }
|
||
|
}
|
||
|
|
||
|
return { msg: msg }
|
||
|
}
|
||
|
|
||
|
Parse.initFragment = function (otr) {
|
||
|
otr.fragment = { s: '', j: 0, k: 0 }
|
||
|
}
|
||
|
|
||
|
Parse.msgFragment = function (otr, msg, v3) {
|
||
|
|
||
|
msg = msg.split(',')
|
||
|
|
||
|
// instance tags
|
||
|
if (v3) {
|
||
|
var its = msg.shift().split('|')
|
||
|
var their_it = HLP.packINT(parseInt(its[0], 16))
|
||
|
var our_it = HLP.packINT(parseInt(its[1], 16))
|
||
|
if (otr.checkInstanceTags(their_it + our_it)) return // ignore
|
||
|
}
|
||
|
|
||
|
if (msg.length < 4 ||
|
||
|
isNaN(parseInt(msg[0], 10)) ||
|
||
|
isNaN(parseInt(msg[1], 10))
|
||
|
) return
|
||
|
|
||
|
var k = parseInt(msg[0], 10)
|
||
|
var n = parseInt(msg[1], 10)
|
||
|
msg = msg[2]
|
||
|
|
||
|
if (n < k || n === 0 || k === 0) {
|
||
|
this.initFragment(otr)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
if (k === 1) {
|
||
|
this.initFragment(otr)
|
||
|
otr.fragment = { k: 1, n: n, s: msg }
|
||
|
} else if (n === otr.fragment.n && k === (otr.fragment.k + 1)) {
|
||
|
otr.fragment.s += msg
|
||
|
otr.fragment.k += 1
|
||
|
} else {
|
||
|
this.initFragment(otr)
|
||
|
}
|
||
|
|
||
|
if (n === k) {
|
||
|
msg = otr.fragment.s
|
||
|
this.initFragment(otr)
|
||
|
return this.parseMsg(otr, msg)
|
||
|
}
|
||
|
|
||
|
return
|
||
|
}
|
||
|
|
||
|
}).call(this)
|
||
|
;(function () {
|
||
|
"use strict";
|
||
|
|
||
|
var root = this
|
||
|
|
||
|
var CryptoJS, BigInt, CONST, HLP, DSA
|
||
|
if (typeof module !== 'undefined' && module.exports) {
|
||
|
module.exports = AKE
|
||
|
CryptoJS = require('../vendor/crypto.js')
|
||
|
BigInt = require('../vendor/bigint.js')
|
||
|
CONST = require('./const.js')
|
||
|
HLP = require('./helpers.js')
|
||
|
DSA = require('./dsa.js')
|
||
|
} else {
|
||
|
root.OTR.AKE = AKE
|
||
|
CryptoJS = root.CryptoJS
|
||
|
BigInt = root.BigInt
|
||
|
CONST = root.OTR.CONST
|
||
|
HLP = root.OTR.HLP
|
||
|
DSA = root.DSA
|
||
|
}
|
||
|
|
||
|
// diffie-hellman modulus
|
||
|
// see group 5, RFC 3526
|
||
|
var N = BigInt.str2bigInt(CONST.N, 16)
|
||
|
var N_MINUS_2 = BigInt.sub(N, BigInt.str2bigInt('2', 10))
|
||
|
|
||
|
function hMac(gx, gy, pk, kid, m) {
|
||
|
var pass = CryptoJS.enc.Latin1.parse(m)
|
||
|
var hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, pass)
|
||
|
hmac.update(CryptoJS.enc.Latin1.parse(HLP.packMPI(gx)))
|
||
|
hmac.update(CryptoJS.enc.Latin1.parse(HLP.packMPI(gy)))
|
||
|
hmac.update(CryptoJS.enc.Latin1.parse(pk))
|
||
|
hmac.update(CryptoJS.enc.Latin1.parse(kid))
|
||
|
return (hmac.finalize()).toString(CryptoJS.enc.Latin1)
|
||
|
}
|
||
|
|
||
|
// AKE constructor
|
||
|
function AKE(otr) {
|
||
|
if (!(this instanceof AKE)) return new AKE(otr)
|
||
|
|
||
|
// otr instance
|
||
|
this.otr = otr
|
||
|
|
||
|
// our keys
|
||
|
this.our_dh = otr.our_old_dh
|
||
|
this.our_keyid = otr.our_keyid - 1
|
||
|
|
||
|
// their keys
|
||
|
this.their_y = null
|
||
|
this.their_keyid = null
|
||
|
this.their_priv_pk = null
|
||
|
|
||
|
// state
|
||
|
this.ssid = null
|
||
|
this.transmittedRS = false
|
||
|
this.r = null
|
||
|
|
||
|
// bind methods
|
||
|
var self = this
|
||
|
;['sendMsg'].forEach(function (meth) {
|
||
|
self[meth] = self[meth].bind(self)
|
||
|
})
|
||
|
}
|
||
|
|
||
|
AKE.prototype = {
|
||
|
|
||
|
constructor: AKE,
|
||
|
|
||
|
createKeys: function(g) {
|
||
|
var s = BigInt.powMod(g, this.our_dh.privateKey, N)
|
||
|
var secbytes = HLP.packMPI(s)
|
||
|
this.ssid = HLP.mask(HLP.h2('\x00', secbytes), 0, 64) // first 64-bits
|
||
|
var tmp = HLP.h2('\x01', secbytes)
|
||
|
this.c = HLP.mask(tmp, 0, 128) // first 128-bits
|
||
|
this.c_prime = HLP.mask(tmp, 128, 128) // second 128-bits
|
||
|
this.m1 = HLP.h2('\x02', secbytes)
|
||
|
this.m2 = HLP.h2('\x03', secbytes)
|
||
|
this.m1_prime = HLP.h2('\x04', secbytes)
|
||
|
this.m2_prime = HLP.h2('\x05', secbytes)
|
||
|
},
|
||
|
|
||
|
verifySignMac: function (mac, aesctr, m2, c, their_y, our_dh_pk, m1, ctr) {
|
||
|
// verify mac
|
||
|
var vmac = HLP.makeMac(aesctr, m2)
|
||
|
if (!HLP.compare(mac, vmac))
|
||
|
return ['MACs do not match.']
|
||
|
|
||
|
// decrypt x
|
||
|
var x = HLP.decryptAes(aesctr.substring(4), c, ctr)
|
||
|
x = HLP.splitype(['PUBKEY', 'INT', 'SIG'], x.toString(CryptoJS.enc.Latin1))
|
||
|
|
||
|
var m = hMac(their_y, our_dh_pk, x[0], x[1], m1)
|
||
|
var pub = DSA.parsePublic(x[0])
|
||
|
|
||
|
var r = HLP.bits2bigInt(x[2].substring(0, 20))
|
||
|
var s = HLP.bits2bigInt(x[2].substring(20))
|
||
|
|
||
|
// verify sign m
|
||
|
if (!DSA.verify(pub, m, r, s)) return ['Cannot verify signature of m.']
|
||
|
|
||
|
return [null, HLP.readLen(x[1]), pub]
|
||
|
},
|
||
|
|
||
|
makeM: function (their_y, m1, c, m2) {
|
||
|
var pk = this.otr.priv.packPublic()
|
||
|
var kid = HLP.packINT(this.our_keyid)
|
||
|
var m = hMac(this.our_dh.publicKey, their_y, pk, kid, m1)
|
||
|
m = this.otr.priv.sign(m)
|
||
|
var msg = pk + kid
|
||
|
msg += BigInt.bigInt2bits(m[0], 20) // pad to 20 bytes
|
||
|
msg += BigInt.bigInt2bits(m[1], 20)
|
||
|
msg = CryptoJS.enc.Latin1.parse(msg)
|
||
|
var aesctr = HLP.packData(HLP.encryptAes(msg, c, HLP.packCtr(0)))
|
||
|
var mac = HLP.makeMac(aesctr, m2)
|
||
|
return aesctr + mac
|
||
|
},
|
||
|
|
||
|
akeSuccess: function (version) {
|
||
|
HLP.debug.call(this.otr, 'success')
|
||
|
|
||
|
if (BigInt.equals(this.their_y, this.our_dh.publicKey))
|
||
|
return this.otr.error('equal keys - we have a problem.', true)
|
||
|
|
||
|
this.otr.our_old_dh = this.our_dh
|
||
|
this.otr.their_priv_pk = this.their_priv_pk
|
||
|
|
||
|
if (!(
|
||
|
(this.their_keyid === this.otr.their_keyid &&
|
||
|
BigInt.equals(this.their_y, this.otr.their_y)) ||
|
||
|
(this.their_keyid === (this.otr.their_keyid - 1) &&
|
||
|
BigInt.equals(this.their_y, this.otr.their_old_y))
|
||
|
)) {
|
||
|
|
||
|
this.otr.their_y = this.their_y
|
||
|
this.otr.their_old_y = null
|
||
|
this.otr.their_keyid = this.their_keyid
|
||
|
|
||
|
// rotate keys
|
||
|
this.otr.sessKeys[0] = [ new this.otr.DHSession(
|
||
|
this.otr.our_dh
|
||
|
, this.otr.their_y
|
||
|
), null ]
|
||
|
this.otr.sessKeys[1] = [ new this.otr.DHSession(
|
||
|
this.otr.our_old_dh
|
||
|
, this.otr.their_y
|
||
|
), null ]
|
||
|
|
||
|
}
|
||
|
|
||
|
// ake info
|
||
|
this.otr.ssid = this.ssid
|
||
|
this.otr.transmittedRS = this.transmittedRS
|
||
|
this.otr_version = version
|
||
|
|
||
|
// go encrypted
|
||
|
this.otr.authstate = CONST.AUTHSTATE_NONE
|
||
|
this.otr.msgstate = CONST.MSGSTATE_ENCRYPTED
|
||
|
|
||
|
// null out values
|
||
|
this.r = null
|
||
|
this.myhashed = null
|
||
|
this.dhcommit = null
|
||
|
this.encrypted = null
|
||
|
this.hashed = null
|
||
|
|
||
|
this.otr.trigger('status', [CONST.STATUS_AKE_SUCCESS])
|
||
|
|
||
|
// send stored msgs
|
||
|
this.otr.sendStored()
|
||
|
},
|
||
|
|
||
|
handleAKE: function (msg) {
|
||
|
var send, vsm, type
|
||
|
var version = msg.version
|
||
|
|
||
|
switch (msg.type) {
|
||
|
|
||
|
case '\x02':
|
||
|
HLP.debug.call(this.otr, 'd-h key message')
|
||
|
|
||
|
msg = HLP.splitype(['DATA', 'DATA'], msg.msg)
|
||
|
|
||
|
if (this.otr.authstate === CONST.AUTHSTATE_AWAITING_DHKEY) {
|
||
|
var ourHash = HLP.readMPI(this.myhashed)
|
||
|
var theirHash = HLP.readMPI(msg[1])
|
||
|
if (BigInt.greater(ourHash, theirHash)) {
|
||
|
type = '\x02'
|
||
|
send = this.dhcommit
|
||
|
break // ignore
|
||
|
} else {
|
||
|
// forget
|
||
|
this.our_dh = this.otr.dh()
|
||
|
this.otr.authstate = CONST.AUTHSTATE_NONE
|
||
|
this.r = null
|
||
|
this.myhashed = null
|
||
|
}
|
||
|
} else if (
|
||
|
this.otr.authstate === CONST.AUTHSTATE_AWAITING_SIG
|
||
|
) this.our_dh = this.otr.dh()
|
||
|
|
||
|
this.otr.authstate = CONST.AUTHSTATE_AWAITING_REVEALSIG
|
||
|
|
||
|
this.encrypted = msg[0].substring(4)
|
||
|
this.hashed = msg[1].substring(4)
|
||
|
|
||
|
type = '\x0a'
|
||
|
send = HLP.packMPI(this.our_dh.publicKey)
|
||
|
break
|
||
|
|
||
|
case '\x0a':
|
||
|
HLP.debug.call(this.otr, 'reveal signature message')
|
||
|
|
||
|
msg = HLP.splitype(['MPI'], msg.msg)
|
||
|
|
||
|
if (this.otr.authstate !== CONST.AUTHSTATE_AWAITING_DHKEY) {
|
||
|
if (this.otr.authstate === CONST.AUTHSTATE_AWAITING_SIG) {
|
||
|
if (!BigInt.equals(this.their_y, HLP.readMPI(msg[0]))) return
|
||
|
} else {
|
||
|
return // ignore
|
||
|
}
|
||
|
}
|
||
|
|
||
|
this.otr.authstate = CONST.AUTHSTATE_AWAITING_SIG
|
||
|
|
||
|
this.their_y = HLP.readMPI(msg[0])
|
||
|
|
||
|
// verify gy is legal 2 <= gy <= N-2
|
||
|
if (!HLP.checkGroup(this.their_y, N_MINUS_2))
|
||
|
return this.otr.error('Illegal g^y.', true)
|
||
|
|
||
|
this.createKeys(this.their_y)
|
||
|
|
||
|
type = '\x11'
|
||
|
send = HLP.packMPI(this.r)
|
||
|
send += this.makeM(this.their_y, this.m1, this.c, this.m2)
|
||
|
|
||
|
this.m1 = null
|
||
|
this.m2 = null
|
||
|
this.c = null
|
||
|
break
|
||
|
|
||
|
case '\x11':
|
||
|
HLP.debug.call(this.otr, 'signature message')
|
||
|
|
||
|
if (this.otr.authstate !== CONST.AUTHSTATE_AWAITING_REVEALSIG)
|
||
|
return // ignore
|
||
|
|
||
|
msg = HLP.splitype(['DATA', 'DATA', 'MAC'], msg.msg)
|
||
|
|
||
|
this.r = HLP.readMPI(msg[0])
|
||
|
|
||
|
// decrypt their_y
|
||
|
var key = CryptoJS.enc.Hex.parse(BigInt.bigInt2str(this.r, 16))
|
||
|
key = CryptoJS.enc.Latin1.stringify(key)
|
||
|
|
||
|
var gxmpi = HLP.decryptAes(this.encrypted, key, HLP.packCtr(0))
|
||
|
gxmpi = gxmpi.toString(CryptoJS.enc.Latin1)
|
||
|
|
||
|
this.their_y = HLP.readMPI(gxmpi)
|
||
|
|
||
|
// verify hash
|
||
|
var hash = CryptoJS.SHA256(CryptoJS.enc.Latin1.parse(gxmpi))
|
||
|
|
||
|
if (!HLP.compare(this.hashed, hash.toString(CryptoJS.enc.Latin1)))
|
||
|
return this.otr.error('Hashed g^x does not match.', true)
|
||
|
|
||
|
// verify gx is legal 2 <= g^x <= N-2
|
||
|
if (!HLP.checkGroup(this.their_y, N_MINUS_2))
|
||
|
return this.otr.error('Illegal g^x.', true)
|
||
|
|
||
|
this.createKeys(this.their_y)
|
||
|
|
||
|
vsm = this.verifySignMac(
|
||
|
msg[2]
|
||
|
, msg[1]
|
||
|
, this.m2
|
||
|
, this.c
|
||
|
, this.their_y
|
||
|
, this.our_dh.publicKey
|
||
|
, this.m1
|
||
|
, HLP.packCtr(0)
|
||
|
)
|
||
|
if (vsm[0]) return this.otr.error(vsm[0], true)
|
||
|
|
||
|
// store their key
|
||
|
this.their_keyid = vsm[1]
|
||
|
this.their_priv_pk = vsm[2]
|
||
|
|
||
|
send = this.makeM(
|
||
|
this.their_y
|
||
|
, this.m1_prime
|
||
|
, this.c_prime
|
||
|
, this.m2_prime
|
||
|
)
|
||
|
|
||
|
this.m1 = null
|
||
|
this.m2 = null
|
||
|
this.m1_prime = null
|
||
|
this.m2_prime = null
|
||
|
this.c = null
|
||
|
this.c_prime = null
|
||
|
|
||
|
this.sendMsg(version, '\x12', send)
|
||
|
this.akeSuccess(version)
|
||
|
return
|
||
|
|
||
|
case '\x12':
|
||
|
HLP.debug.call(this.otr, 'data message')
|
||
|
|
||
|
if (this.otr.authstate !== CONST.AUTHSTATE_AWAITING_SIG)
|
||
|
return // ignore
|
||
|
|
||
|
msg = HLP.splitype(['DATA', 'MAC'], msg.msg)
|
||
|
|
||
|
vsm = this.verifySignMac(
|
||
|
msg[1]
|
||
|
, msg[0]
|
||
|
, this.m2_prime
|
||
|
, this.c_prime
|
||
|
, this.their_y
|
||
|
, this.our_dh.publicKey
|
||
|
, this.m1_prime
|
||
|
, HLP.packCtr(0)
|
||
|
)
|
||
|
if (vsm[0]) return this.otr.error(vsm[0], true)
|
||
|
|
||
|
// store their key
|
||
|
this.their_keyid = vsm[1]
|
||
|
this.their_priv_pk = vsm[2]
|
||
|
|
||
|
this.m1_prime = null
|
||
|
this.m2_prime = null
|
||
|
this.c_prime = null
|
||
|
|
||
|
this.transmittedRS = true
|
||
|
this.akeSuccess(version)
|
||
|
return
|
||
|
|
||
|
default:
|
||
|
return // ignore
|
||
|
|
||
|
}
|
||
|
|
||
|
this.sendMsg(version, type, send)
|
||
|
},
|
||
|
|
||
|
sendMsg: function (version, type, msg) {
|
||
|
var send = version + type
|
||
|
var v3 = (version === CONST.OTR_VERSION_3)
|
||
|
|
||
|
// instance tags for v3
|
||
|
if (v3) {
|
||
|
HLP.debug.call(this.otr, 'instance tags')
|
||
|
send += this.otr.our_instance_tag
|
||
|
send += this.otr.their_instance_tag
|
||
|
}
|
||
|
|
||
|
send += msg
|
||
|
|
||
|
// fragment message if necessary
|
||
|
send = HLP.wrapMsg(
|
||
|
send
|
||
|
, this.otr.fragment_size
|
||
|
, v3
|
||
|
, this.otr.our_instance_tag
|
||
|
, this.otr.their_instance_tag
|
||
|
)
|
||
|
if (send[0]) return this.otr.error(send[0])
|
||
|
|
||
|
this.otr.io(send[1])
|
||
|
},
|
||
|
|
||
|
initiateAKE: function (version) {
|
||
|
HLP.debug.call(this.otr, 'd-h commit message')
|
||
|
|
||
|
this.otr.trigger('status', [CONST.STATUS_AKE_INIT])
|
||
|
|
||
|
this.otr.authstate = CONST.AUTHSTATE_AWAITING_DHKEY
|
||
|
|
||
|
var gxmpi = HLP.packMPI(this.our_dh.publicKey)
|
||
|
gxmpi = CryptoJS.enc.Latin1.parse(gxmpi)
|
||
|
|
||
|
this.r = BigInt.randBigInt(128)
|
||
|
var key = CryptoJS.enc.Hex.parse(BigInt.bigInt2str(this.r, 16))
|
||
|
key = CryptoJS.enc.Latin1.stringify(key)
|
||
|
|
||
|
this.myhashed = CryptoJS.SHA256(gxmpi)
|
||
|
this.myhashed = HLP.packData(this.myhashed.toString(CryptoJS.enc.Latin1))
|
||
|
|
||
|
this.dhcommit = HLP.packData(HLP.encryptAes(gxmpi, key, HLP.packCtr(0)))
|
||
|
this.dhcommit += this.myhashed
|
||
|
|
||
|
this.sendMsg(version, '\x02', this.dhcommit)
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
}).call(this)
|
||
|
;(function () {
|
||
|
"use strict";
|
||
|
|
||
|
var root = this
|
||
|
|
||
|
var CryptoJS, BigInt, EventEmitter, CONST, HLP
|
||
|
if (typeof module !== 'undefined' && module.exports) {
|
||
|
module.exports = SM
|
||
|
CryptoJS = require('../vendor/crypto.js')
|
||
|
BigInt = require('../vendor/bigint.js')
|
||
|
EventEmitter = require('../vendor/eventemitter.js')
|
||
|
CONST = require('./const.js')
|
||
|
HLP = require('./helpers.js')
|
||
|
} else {
|
||
|
root.OTR.SM = SM
|
||
|
CryptoJS = root.CryptoJS
|
||
|
BigInt = root.BigInt
|
||
|
EventEmitter = root.EventEmitter
|
||
|
CONST = root.OTR.CONST
|
||
|
HLP = root.OTR.HLP
|
||
|
}
|
||
|
|
||
|
// diffie-hellman modulus and generator
|
||
|
// see group 5, RFC 3526
|
||
|
var G = BigInt.str2bigInt(CONST.G, 10)
|
||
|
var N = BigInt.str2bigInt(CONST.N, 16)
|
||
|
var N_MINUS_2 = BigInt.sub(N, BigInt.str2bigInt('2', 10))
|
||
|
|
||
|
// to calculate D's for zero-knowledge proofs
|
||
|
var Q = BigInt.sub(N, BigInt.str2bigInt('1', 10))
|
||
|
BigInt.divInt_(Q, 2) // meh
|
||
|
|
||
|
function SM(reqs) {
|
||
|
if (!(this instanceof SM)) return new SM(reqs)
|
||
|
|
||
|
this.version = 1
|
||
|
|
||
|
this.our_fp = reqs.our_fp
|
||
|
this.their_fp = reqs.their_fp
|
||
|
this.ssid = reqs.ssid
|
||
|
|
||
|
this.debug = !!reqs.debug
|
||
|
|
||
|
// initial state
|
||
|
this.init()
|
||
|
}
|
||
|
|
||
|
// inherit from EE
|
||
|
HLP.extend(SM, EventEmitter)
|
||
|
|
||
|
// set the initial values
|
||
|
// also used when aborting
|
||
|
SM.prototype.init = function () {
|
||
|
this.smpstate = CONST.SMPSTATE_EXPECT1
|
||
|
this.secret = null
|
||
|
}
|
||
|
|
||
|
SM.prototype.makeSecret = function (our, secret) {
|
||
|
var sha256 = CryptoJS.algo.SHA256.create()
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(HLP.packBytes(this.version, 1)))
|
||
|
sha256.update(CryptoJS.enc.Hex.parse(our ? this.our_fp : this.their_fp))
|
||
|
sha256.update(CryptoJS.enc.Hex.parse(our ? this.their_fp : this.our_fp))
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(this.ssid))
|
||
|
sha256.update(CryptoJS.enc.Latin1.parse(secret))
|
||
|
var hash = sha256.finalize()
|
||
|
this.secret = HLP.bits2bigInt(hash.toString(CryptoJS.enc.Latin1))
|
||
|
}
|
||
|
|
||
|
SM.prototype.makeG2s = function () {
|
||
|
this.a2 = HLP.randomExponent()
|
||
|
this.a3 = HLP.randomExponent()
|
||
|
this.g2a = BigInt.powMod(G, this.a2, N)
|
||
|
this.g3a = BigInt.powMod(G, this.a3, N)
|
||
|
if ( !HLP.checkGroup(this.g2a, N_MINUS_2) ||
|
||
|
!HLP.checkGroup(this.g3a, N_MINUS_2)
|
||
|
) this.makeG2s()
|
||
|
}
|
||
|
|
||
|
SM.prototype.computeGs = function (g2a, g3a) {
|
||
|
this.g2 = BigInt.powMod(g2a, this.a2, N)
|
||
|
this.g3 = BigInt.powMod(g3a, this.a3, N)
|
||
|
}
|
||
|
|
||
|
SM.prototype.computePQ = function (r) {
|
||
|
this.p = BigInt.powMod(this.g3, r, N)
|
||
|
this.q = HLP.multPowMod(G, r, this.g2, this.secret, N)
|
||
|
}
|
||
|
|
||
|
SM.prototype.computeR = function () {
|
||
|
this.r = BigInt.powMod(this.QoQ, this.a3, N)
|
||
|
}
|
||
|
|
||
|
SM.prototype.computeRab = function (r) {
|
||
|
return BigInt.powMod(r, this.a3, N)
|
||
|
}
|
||
|
|
||
|
SM.prototype.computeC = function (v, r) {
|
||
|
return HLP.smpHash(v, BigInt.powMod(G, r, N))
|
||
|
}
|
||
|
|
||
|
SM.prototype.computeD = function (r, a, c) {
|
||
|
return BigInt.subMod(r, BigInt.multMod(a, c, Q), Q)
|
||
|
}
|
||
|
|
||
|
// the bulk of the work
|
||
|
SM.prototype.handleSM = function (msg) {
|
||
|
var send, r2, r3, r7, t1, t2, t3, t4, rab, tmp2, cR, d7, ms, trust
|
||
|
|
||
|
var expectStates = {
|
||
|
2: CONST.SMPSTATE_EXPECT1
|
||
|
, 3: CONST.SMPSTATE_EXPECT2
|
||
|
, 4: CONST.SMPSTATE_EXPECT3
|
||
|
, 5: CONST.SMPSTATE_EXPECT4
|
||
|
, 7: CONST.SMPSTATE_EXPECT1
|
||
|
}
|
||
|
|
||
|
if (msg.type === 6) {
|
||
|
this.init()
|
||
|
this.trigger('abort')
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// abort! there was an error
|
||
|
if (this.smpstate !== expectStates[msg.type])
|
||
|
return this.abort()
|
||
|
|
||
|
switch (this.smpstate) {
|
||
|
|
||
|
case CONST.SMPSTATE_EXPECT1:
|
||
|
HLP.debug.call(this, 'smp tlv 2')
|
||
|
|
||
|
// user specified question
|
||
|
var ind, question
|
||
|
if (msg.type === 7) {
|
||
|
ind = msg.msg.indexOf('\x00')
|
||
|
question = msg.msg.substring(0, ind)
|
||
|
msg.msg = msg.msg.substring(ind + 1)
|
||
|
}
|
||
|
|
||
|
// 0:g2a, 1:c2, 2:d2, 3:g3a, 4:c3, 5:d3
|
||
|
ms = HLP.readLen(msg.msg.substr(0, 4))
|
||
|
if (ms !== 6) return this.abort()
|
||
|
msg = HLP.unpackMPIs(6, msg.msg.substring(4))
|
||
|
|
||
|
if ( !HLP.checkGroup(msg[0], N_MINUS_2) ||
|
||
|
!HLP.checkGroup(msg[3], N_MINUS_2)
|
||
|
) return this.abort()
|
||
|
|
||
|
// verify znp's
|
||
|
if (!HLP.ZKP(1, msg[1], HLP.multPowMod(G, msg[2], msg[0], msg[1], N)))
|
||
|
return this.abort()
|
||
|
|
||
|
if (!HLP.ZKP(2, msg[4], HLP.multPowMod(G, msg[5], msg[3], msg[4], N)))
|
||
|
return this.abort()
|
||
|
|
||
|
this.g3ao = msg[3] // save for later
|
||
|
|
||
|
this.makeG2s()
|
||
|
|
||
|
// zero-knowledge proof that the exponents
|
||
|
// associated with g2a & g3a are known
|
||
|
r2 = HLP.randomExponent()
|
||
|
r3 = HLP.randomExponent()
|
||
|
this.c2 = this.computeC(3, r2)
|
||
|
this.c3 = this.computeC(4, r3)
|
||
|
this.d2 = this.computeD(r2, this.a2, this.c2)
|
||
|
this.d3 = this.computeD(r3, this.a3, this.c3)
|
||
|
|
||
|
this.computeGs(msg[0], msg[3])
|
||
|
|
||
|
this.smpstate = CONST.SMPSTATE_EXPECT0
|
||
|
|
||
|
// assume utf8 question
|
||
|
question = CryptoJS.enc.Latin1
|
||
|
.parse(question)
|
||
|
.toString(CryptoJS.enc.Utf8)
|
||
|
|
||
|
// invoke question
|
||
|
this.trigger('question', [question])
|
||
|
return
|
||
|
|
||
|
case CONST.SMPSTATE_EXPECT2:
|
||
|
HLP.debug.call(this, 'smp tlv 3')
|
||
|
|
||
|
// 0:g2a, 1:c2, 2:d2, 3:g3a, 4:c3, 5:d3, 6:p, 7:q, 8:cP, 9:d5, 10:d6
|
||
|
ms = HLP.readLen(msg.msg.substr(0, 4))
|
||
|
if (ms !== 11) return this.abort()
|
||
|
msg = HLP.unpackMPIs(11, msg.msg.substring(4))
|
||
|
|
||
|
if ( !HLP.checkGroup(msg[0], N_MINUS_2) ||
|
||
|
!HLP.checkGroup(msg[3], N_MINUS_2) ||
|
||
|
!HLP.checkGroup(msg[6], N_MINUS_2) ||
|
||
|
!HLP.checkGroup(msg[7], N_MINUS_2)
|
||
|
) return this.abort()
|
||
|
|
||
|
// verify znp of c3 / c3
|
||
|
if (!HLP.ZKP(3, msg[1], HLP.multPowMod(G, msg[2], msg[0], msg[1], N)))
|
||
|
return this.abort()
|
||
|
|
||
|
if (!HLP.ZKP(4, msg[4], HLP.multPowMod(G, msg[5], msg[3], msg[4], N)))
|
||
|
return this.abort()
|
||
|
|
||
|
this.g3ao = msg[3] // save for later
|
||
|
|
||
|
this.computeGs(msg[0], msg[3])
|
||
|
|
||
|
// verify znp of cP
|
||
|
t1 = HLP.multPowMod(this.g3, msg[9], msg[6], msg[8], N)
|
||
|
t2 = HLP.multPowMod(G, msg[9], this.g2, msg[10], N)
|
||
|
t2 = BigInt.multMod(t2, BigInt.powMod(msg[7], msg[8], N), N)
|
||
|
|
||
|
if (!HLP.ZKP(5, msg[8], t1, t2))
|
||
|
return this.abort()
|
||
|
|
||
|
var r4 = HLP.randomExponent()
|
||
|
this.computePQ(r4)
|
||
|
|
||
|
// zero-knowledge proof that P & Q
|
||
|
// were generated according to the protocol
|
||
|
var r5 = HLP.randomExponent()
|
||
|
var r6 = HLP.randomExponent()
|
||
|
var tmp = HLP.multPowMod(G, r5, this.g2, r6, N)
|
||
|
var cP = HLP.smpHash(6, BigInt.powMod(this.g3, r5, N), tmp)
|
||
|
var d5 = this.computeD(r5, r4, cP)
|
||
|
var d6 = this.computeD(r6, this.secret, cP)
|
||
|
|
||
|
// store these
|
||
|
this.QoQ = BigInt.divMod(this.q, msg[7], N)
|
||
|
this.PoP = BigInt.divMod(this.p, msg[6], N)
|
||
|
|
||
|
this.computeR()
|
||
|
|
||
|
// zero-knowledge proof that R
|
||
|
// was generated according to the protocol
|
||
|
r7 = HLP.randomExponent()
|
||
|
tmp2 = BigInt.powMod(this.QoQ, r7, N)
|
||
|
cR = HLP.smpHash(7, BigInt.powMod(G, r7, N), tmp2)
|
||
|
d7 = this.computeD(r7, this.a3, cR)
|
||
|
|
||
|
this.smpstate = CONST.SMPSTATE_EXPECT4
|
||
|
|
||
|
send = HLP.packINT(8) + HLP.packMPIs([
|
||
|
this.p
|
||
|
, this.q
|
||
|
, cP
|
||
|
, d5
|
||
|
, d6
|
||
|
, this.r
|
||
|
, cR
|
||
|
, d7
|
||
|
])
|
||
|
|
||
|
// TLV
|
||
|
send = HLP.packTLV(4, send)
|
||
|
break
|
||
|
|
||
|
case CONST.SMPSTATE_EXPECT3:
|
||
|
HLP.debug.call(this, 'smp tlv 4')
|
||
|
|
||
|
// 0:p, 1:q, 2:cP, 3:d5, 4:d6, 5:r, 6:cR, 7:d7
|
||
|
ms = HLP.readLen(msg.msg.substr(0, 4))
|
||
|
if (ms !== 8) return this.abort()
|
||
|
msg = HLP.unpackMPIs(8, msg.msg.substring(4))
|
||
|
|
||
|
if ( !HLP.checkGroup(msg[0], N_MINUS_2) ||
|
||
|
!HLP.checkGroup(msg[1], N_MINUS_2) ||
|
||
|
!HLP.checkGroup(msg[5], N_MINUS_2)
|
||
|
) return this.abort()
|
||
|
|
||
|
// verify znp of cP
|
||
|
t1 = HLP.multPowMod(this.g3, msg[3], msg[0], msg[2], N)
|
||
|
t2 = HLP.multPowMod(G, msg[3], this.g2, msg[4], N)
|
||
|
t2 = BigInt.multMod(t2, BigInt.powMod(msg[1], msg[2], N), N)
|
||
|
|
||
|
if (!HLP.ZKP(6, msg[2], t1, t2))
|
||
|
return this.abort()
|
||
|
|
||
|
// verify znp of cR
|
||
|
t3 = HLP.multPowMod(G, msg[7], this.g3ao, msg[6], N)
|
||
|
this.QoQ = BigInt.divMod(msg[1], this.q, N) // save Q over Q
|
||
|
t4 = HLP.multPowMod(this.QoQ, msg[7], msg[5], msg[6], N)
|
||
|
|
||
|
if (!HLP.ZKP(7, msg[6], t3, t4))
|
||
|
return this.abort()
|
||
|
|
||
|
this.computeR()
|
||
|
|
||
|
// zero-knowledge proof that R
|
||
|
// was generated according to the protocol
|
||
|
r7 = HLP.randomExponent()
|
||
|
tmp2 = BigInt.powMod(this.QoQ, r7, N)
|
||
|
cR = HLP.smpHash(8, BigInt.powMod(G, r7, N), tmp2)
|
||
|
d7 = this.computeD(r7, this.a3, cR)
|
||
|
|
||
|
send = HLP.packINT(3) + HLP.packMPIs([ this.r, cR, d7 ])
|
||
|
send = HLP.packTLV(5, send)
|
||
|
|
||
|
rab = this.computeRab(msg[5])
|
||
|
trust = !!BigInt.equals(rab, BigInt.divMod(msg[0], this.p, N))
|
||
|
|
||
|
this.trigger('trust', [trust, 'answered'])
|
||
|
this.init()
|
||
|
break
|
||
|
|
||
|
case CONST.SMPSTATE_EXPECT4:
|
||
|
HLP.debug.call(this, 'smp tlv 5')
|
||
|
|
||
|
// 0:r, 1:cR, 2:d7
|
||
|
ms = HLP.readLen(msg.msg.substr(0, 4))
|
||
|
if (ms !== 3) return this.abort()
|
||
|
msg = HLP.unpackMPIs(3, msg.msg.substring(4))
|
||
|
|
||
|
if (!HLP.checkGroup(msg[0], N_MINUS_2)) return this.abort()
|
||
|
|
||
|
// verify znp of cR
|
||
|
t3 = HLP.multPowMod(G, msg[2], this.g3ao, msg[1], N)
|
||
|
t4 = HLP.multPowMod(this.QoQ, msg[2], msg[0], msg[1], N)
|
||
|
if (!HLP.ZKP(8, msg[1], t3, t4))
|
||
|
return this.abort()
|
||
|
|
||
|
rab = this.computeRab(msg[0])
|
||
|
trust = !!BigInt.equals(rab, this.PoP)
|
||
|
|
||
|
this.trigger('trust', [trust, 'asked'])
|
||
|
this.init()
|
||
|
return
|
||
|
|
||
|
}
|
||
|
|
||
|
this.sendMsg(send)
|
||
|
}
|
||
|
|
||
|
// send a message
|
||
|
SM.prototype.sendMsg = function (send) {
|
||
|
this.trigger('send', [this.ssid, '\x00' + send])
|
||
|
}
|
||
|
|
||
|
SM.prototype.rcvSecret = function (secret, question) {
|
||
|
HLP.debug.call(this, 'receive secret')
|
||
|
|
||
|
var fn, our = false
|
||
|
if (this.smpstate === CONST.SMPSTATE_EXPECT0) {
|
||
|
fn = this.answer
|
||
|
} else {
|
||
|
fn = this.initiate
|
||
|
our = true
|
||
|
}
|
||
|
|
||
|
this.makeSecret(our, secret)
|
||
|
fn.call(this, question)
|
||
|
}
|
||
|
|
||
|
SM.prototype.answer = function () {
|
||
|
HLP.debug.call(this, 'smp answer')
|
||
|
|
||
|
var r4 = HLP.randomExponent()
|
||
|
this.computePQ(r4)
|
||
|
|
||
|
// zero-knowledge proof that P & Q
|
||
|
// were generated according to the protocol
|
||
|
var r5 = HLP.randomExponent()
|
||
|
var r6 = HLP.randomExponent()
|
||
|
var tmp = HLP.multPowMod(G, r5, this.g2, r6, N)
|
||
|
var cP = HLP.smpHash(5, BigInt.powMod(this.g3, r5, N), tmp)
|
||
|
var d5 = this.computeD(r5, r4, cP)
|
||
|
var d6 = this.computeD(r6, this.secret, cP)
|
||
|
|
||
|
this.smpstate = CONST.SMPSTATE_EXPECT3
|
||
|
|
||
|
var send = HLP.packINT(11) + HLP.packMPIs([
|
||
|
this.g2a
|
||
|
, this.c2
|
||
|
, this.d2
|
||
|
, this.g3a
|
||
|
, this.c3
|
||
|
, this.d3
|
||
|
, this.p
|
||
|
, this.q
|
||
|
, cP
|
||
|
, d5
|
||
|
, d6
|
||
|
])
|
||
|
|
||
|
this.sendMsg(HLP.packTLV(3, send))
|
||
|
}
|
||
|
|
||
|
SM.prototype.initiate = function (question) {
|
||
|
HLP.debug.call(this, 'smp initiate')
|
||
|
|
||
|
if (this.smpstate !== CONST.SMPSTATE_EXPECT1)
|
||
|
this.abort() // abort + restart
|
||
|
|
||
|
this.makeG2s()
|
||
|
|
||
|
// zero-knowledge proof that the exponents
|
||
|
// associated with g2a & g3a are known
|
||
|
var r2 = HLP.randomExponent()
|
||
|
var r3 = HLP.randomExponent()
|
||
|
this.c2 = this.computeC(1, r2)
|
||
|
this.c3 = this.computeC(2, r3)
|
||
|
this.d2 = this.computeD(r2, this.a2, this.c2)
|
||
|
this.d3 = this.computeD(r3, this.a3, this.c3)
|
||
|
|
||
|
// set the next expected state
|
||
|
this.smpstate = CONST.SMPSTATE_EXPECT2
|
||
|
|
||
|
var send = ''
|
||
|
var type = 2
|
||
|
|
||
|
if (question) {
|
||
|
send += question
|
||
|
send += '\x00'
|
||
|
type = 7
|
||
|
}
|
||
|
|
||
|
send += HLP.packINT(6) + HLP.packMPIs([
|
||
|
this.g2a
|
||
|
, this.c2
|
||
|
, this.d2
|
||
|
, this.g3a
|
||
|
, this.c3
|
||
|
, this.d3
|
||
|
])
|
||
|
|
||
|
this.sendMsg(HLP.packTLV(type, send))
|
||
|
}
|
||
|
|
||
|
SM.prototype.abort = function () {
|
||
|
this.init()
|
||
|
this.sendMsg(HLP.packTLV(6, ''))
|
||
|
this.trigger('abort')
|
||
|
}
|
||
|
|
||
|
}).call(this)
|
||
|
;(function () {
|
||
|
"use strict";
|
||
|
|
||
|
var root = this
|
||
|
|
||
|
var CryptoJS, BigInt, EventEmitter, Worker, SMWPath
|
||
|
, CONST, HLP, Parse, AKE, SM, DSA
|
||
|
if (typeof module !== 'undefined' && module.exports) {
|
||
|
module.exports = OTR
|
||
|
CryptoJS = require('../vendor/crypto.js')
|
||
|
BigInt = require('../vendor/bigint.js')
|
||
|
EventEmitter = require('../vendor/eventemitter.js')
|
||
|
SMWPath = require('path').join(__dirname, '/sm-webworker.js')
|
||
|
CONST = require('./const.js')
|
||
|
HLP = require('./helpers.js')
|
||
|
Parse = require('./parse.js')
|
||
|
AKE = require('./ake.js')
|
||
|
SM = require('./sm.js')
|
||
|
DSA = require('./dsa.js')
|
||
|
// expose CONST for consistency with docs
|
||
|
OTR.CONST = CONST
|
||
|
} else {
|
||
|
// copy over and expose internals
|
||
|
Object.keys(root.OTR).forEach(function (k) {
|
||
|
OTR[k] = root.OTR[k]
|
||
|
})
|
||
|
root.OTR = OTR
|
||
|
CryptoJS = root.CryptoJS
|
||
|
BigInt = root.BigInt
|
||
|
EventEmitter = root.EventEmitter
|
||
|
Worker = root.Worker
|
||
|
SMWPath = 'sm-webworker.js'
|
||
|
CONST = OTR.CONST
|
||
|
HLP = OTR.HLP
|
||
|
Parse = OTR.Parse
|
||
|
AKE = OTR.AKE
|
||
|
SM = OTR.SM
|
||
|
DSA = root.DSA
|
||
|
}
|
||
|
|
||
|
// diffie-hellman modulus and generator
|
||
|
// see group 5, RFC 3526
|
||
|
var G = BigInt.str2bigInt(CONST.G, 10)
|
||
|
var N = BigInt.str2bigInt(CONST.N, 16)
|
||
|
|
||
|
// JavaScript integers
|
||
|
var MAX_INT = Math.pow(2, 53) - 1 // doubles
|
||
|
var MAX_UINT = Math.pow(2, 31) - 1 // bitwise operators
|
||
|
|
||
|
// OTR contructor
|
||
|
function OTR(options) {
|
||
|
if (!(this instanceof OTR)) return new OTR(options)
|
||
|
|
||
|
// options
|
||
|
options = options || {}
|
||
|
|
||
|
// private keys
|
||
|
if (options.priv && !(options.priv instanceof DSA))
|
||
|
throw new Error('Requires long-lived DSA key.')
|
||
|
|
||
|
this.priv = options.priv ? options.priv : new DSA()
|
||
|
|
||
|
this.fragment_size = options.fragment_size || 0
|
||
|
if (this.fragment_size < 0)
|
||
|
throw new Error('Fragment size must be a positive integer.')
|
||
|
|
||
|
this.send_interval = options.send_interval || 0
|
||
|
if (this.send_interval < 0)
|
||
|
throw new Error('Send interval must be a positive integer.')
|
||
|
|
||
|
this.outgoing = []
|
||
|
|
||
|
// instance tag
|
||
|
this.our_instance_tag = options.instance_tag || OTR.makeInstanceTag()
|
||
|
|
||
|
// debug
|
||
|
this.debug = !!options.debug
|
||
|
|
||
|
// smp in webworker options
|
||
|
// this is still experimental and undocumented
|
||
|
this.smw = options.smw
|
||
|
|
||
|
// init vals
|
||
|
this.init()
|
||
|
|
||
|
// bind methods
|
||
|
var self = this
|
||
|
;['sendMsg', 'receiveMsg'].forEach(function (meth) {
|
||
|
self[meth] = self[meth].bind(self)
|
||
|
})
|
||
|
|
||
|
EventEmitter.call(this)
|
||
|
}
|
||
|
|
||
|
// inherit from EE
|
||
|
HLP.extend(OTR, EventEmitter)
|
||
|
|
||
|
// add to prototype
|
||
|
OTR.prototype.init = function () {
|
||
|
|
||
|
this.msgstate = CONST.MSGSTATE_PLAINTEXT
|
||
|
this.authstate = CONST.AUTHSTATE_NONE
|
||
|
|
||
|
this.ALLOW_V2 = true
|
||
|
this.ALLOW_V3 = true
|
||
|
|
||
|
this.REQUIRE_ENCRYPTION = false
|
||
|
this.SEND_WHITESPACE_TAG = false
|
||
|
this.WHITESPACE_START_AKE = false
|
||
|
this.ERROR_START_AKE = false
|
||
|
|
||
|
Parse.initFragment(this)
|
||
|
|
||
|
// their keys
|
||
|
this.their_y = null
|
||
|
this.their_old_y = null
|
||
|
this.their_keyid = 0
|
||
|
this.their_priv_pk = null
|
||
|
this.their_instance_tag = '\x00\x00\x00\x00'
|
||
|
|
||
|
// our keys
|
||
|
this.our_dh = this.dh()
|
||
|
this.our_old_dh = this.dh()
|
||
|
this.our_keyid = 2
|
||
|
|
||
|
// session keys
|
||
|
this.sessKeys = [ new Array(2), new Array(2) ]
|
||
|
|
||
|
// saved
|
||
|
this.storedMgs = []
|
||
|
this.oldMacKeys = []
|
||
|
|
||
|
// smp
|
||
|
this.sm = null // initialized after AKE
|
||
|
|
||
|
// when ake is complete
|
||
|
// save their keys and the session
|
||
|
this._akeInit()
|
||
|
|
||
|
// receive plaintext message since switching to plaintext
|
||
|
// used to decide when to stop sending pt tags when SEND_WHITESPACE_TAG
|
||
|
this.receivedPlaintext = false
|
||
|
|
||
|
}
|
||
|
|
||
|
OTR.prototype._akeInit = function () {
|
||
|
this.ake = new AKE(this)
|
||
|
this.transmittedRS = false
|
||
|
this.ssid = null
|
||
|
}
|
||
|
|
||
|
// smp over webworker
|
||
|
OTR.prototype._SMW = function (otr, reqs) {
|
||
|
this.otr = otr
|
||
|
var opts = {
|
||
|
path: SMWPath
|
||
|
, seed: BigInt.getSeed
|
||
|
}
|
||
|
if (typeof otr.smw === 'object')
|
||
|
Object.keys(otr.smw).forEach(function (k) {
|
||
|
opts[k] = otr.smw[k]
|
||
|
})
|
||
|
|
||
|
// load optional dep. in node
|
||
|
if (typeof module !== 'undefined' && module.exports)
|
||
|
Worker = require('webworker-threads').Worker
|
||
|
|
||
|
this.worker = new Worker(opts.path)
|
||
|
var self = this
|
||
|
this.worker.onmessage = function (e) {
|
||
|
var d = e.data
|
||
|
if (!d) return
|
||
|
self.trigger(d.method, d.args)
|
||
|
}
|
||
|
this.worker.postMessage({
|
||
|
type: 'seed'
|
||
|
, seed: opts.seed()
|
||
|
, imports: opts.imports
|
||
|
})
|
||
|
this.worker.postMessage({
|
||
|
type: 'init'
|
||
|
, reqs: reqs
|
||
|
})
|
||
|
}
|
||
|
|
||
|
// inherit from EE
|
||
|
HLP.extend(OTR.prototype._SMW, EventEmitter)
|
||
|
|
||
|
// shim sm methods
|
||
|
;['handleSM', 'rcvSecret', 'abort'].forEach(function (m) {
|
||
|
OTR.prototype._SMW.prototype[m] = function () {
|
||
|
this.worker.postMessage({
|
||
|
type: 'method'
|
||
|
, method: m
|
||
|
, args: Array.prototype.slice.call(arguments, 0)
|
||
|
})
|
||
|
}
|
||
|
})
|
||
|
|
||
|
OTR.prototype._smInit = function () {
|
||
|
var reqs = {
|
||
|
ssid: this.ssid
|
||
|
, our_fp: this.priv.fingerprint()
|
||
|
, their_fp: this.their_priv_pk.fingerprint()
|
||
|
, debug: this.debug
|
||
|
}
|
||
|
if (this.smw) {
|
||
|
if (this.sm) this.sm.worker.terminate() // destroy prev webworker
|
||
|
this.sm = new this._SMW(this, reqs)
|
||
|
} else {
|
||
|
this.sm = new SM(reqs)
|
||
|
}
|
||
|
var self = this
|
||
|
;['trust', 'abort', 'question'].forEach(function (e) {
|
||
|
self.sm.on(e, function () {
|
||
|
self.trigger('smp', [e].concat(Array.prototype.slice.call(arguments)))
|
||
|
})
|
||
|
})
|
||
|
this.sm.on('send', function (ssid, send) {
|
||
|
if (self.ssid === ssid) {
|
||
|
send = self.prepareMsg(send)
|
||
|
self.io(send)
|
||
|
}
|
||
|
})
|
||
|
}
|
||
|
|
||
|
OTR.prototype.io = function (msg, meta) {
|
||
|
|
||
|
// buffer
|
||
|
msg = ([].concat(msg)).map(function(m){
|
||
|
return { msg: m, meta: meta }
|
||
|
})
|
||
|
this.outgoing = this.outgoing.concat(msg)
|
||
|
|
||
|
var self = this
|
||
|
;(function send(first) {
|
||
|
if (!first) {
|
||
|
if (!self.outgoing.length) return
|
||
|
var elem = self.outgoing.shift()
|
||
|
self.trigger('io', [elem.msg, elem.meta])
|
||
|
}
|
||
|
setTimeout(send, first ? 0 : self.send_interval)
|
||
|
}(true))
|
||
|
|
||
|
}
|
||
|
|
||
|
OTR.prototype.dh = function dh() {
|
||
|
var keys = { privateKey: BigInt.randBigInt(320) }
|
||
|
keys.publicKey = BigInt.powMod(G, keys.privateKey, N)
|
||
|
return keys
|
||
|
}
|
||
|
|
||
|
// session constructor
|
||
|
OTR.prototype.DHSession = function DHSession(our_dh, their_y) {
|
||
|
if (!(this instanceof DHSession)) return new DHSession(our_dh, their_y)
|
||
|
|
||
|
// shared secret
|
||
|
var s = BigInt.powMod(their_y, our_dh.privateKey, N)
|
||
|
var secbytes = HLP.packMPI(s)
|
||
|
|
||
|
// session id
|
||
|
this.id = HLP.mask(HLP.h2('\x00', secbytes), 0, 64) // first 64-bits
|
||
|
|
||
|
// are we the high or low end of the connection?
|
||
|
var sq = BigInt.greater(our_dh.publicKey, their_y)
|
||
|
var sendbyte = sq ? '\x01' : '\x02'
|
||
|
var rcvbyte = sq ? '\x02' : '\x01'
|
||
|
|
||
|
// sending and receiving keys
|
||
|
this.sendenc = HLP.mask(HLP.h1(sendbyte, secbytes), 0, 128) // f16 bytes
|
||
|
this.sendmac = CryptoJS.SHA1(CryptoJS.enc.Latin1.parse(this.sendenc))
|
||
|
this.sendmac = this.sendmac.toString(CryptoJS.enc.Latin1)
|
||
|
|
||
|
this.rcvenc = HLP.mask(HLP.h1(rcvbyte, secbytes), 0, 128)
|
||
|
this.rcvmac = CryptoJS.SHA1(CryptoJS.enc.Latin1.parse(this.rcvenc))
|
||
|
this.rcvmac = this.rcvmac.toString(CryptoJS.enc.Latin1)
|
||
|
this.rcvmacused = false
|
||
|
|
||
|
// extra symmetric key
|
||
|
this.extra_symkey = HLP.h2('\xff', secbytes)
|
||
|
|
||
|
// counters
|
||
|
this.send_counter = 0
|
||
|
this.rcv_counter = 0
|
||
|
}
|
||
|
|
||
|
OTR.prototype.rotateOurKeys = function () {
|
||
|
|
||
|
// reveal old mac keys
|
||
|
var self = this
|
||
|
this.sessKeys[1].forEach(function (sk) {
|
||
|
if (sk && sk.rcvmacused) self.oldMacKeys.push(sk.rcvmac)
|
||
|
})
|
||
|
|
||
|
// rotate our keys
|
||
|
this.our_old_dh = this.our_dh
|
||
|
this.our_dh = this.dh()
|
||
|
this.our_keyid += 1
|
||
|
|
||
|
this.sessKeys[1][0] = this.sessKeys[0][0]
|
||
|
this.sessKeys[1][1] = this.sessKeys[0][1]
|
||
|
this.sessKeys[0] = [
|
||
|
this.their_y ?
|
||
|
new this.DHSession(this.our_dh, this.their_y) : null
|
||
|
, this.their_old_y ?
|
||
|
new this.DHSession(this.our_dh, this.their_old_y) : null
|
||
|
]
|
||
|
|
||
|
}
|
||
|
|
||
|
OTR.prototype.rotateTheirKeys = function (their_y) {
|
||
|
|
||
|
// increment their keyid
|
||
|
this.their_keyid += 1
|
||
|
|
||
|
// reveal old mac keys
|
||
|
var self = this
|
||
|
this.sessKeys.forEach(function (sk) {
|
||
|
if (sk[1] && sk[1].rcvmacused) self.oldMacKeys.push(sk[1].rcvmac)
|
||
|
})
|
||
|
|
||
|
// rotate their keys / session
|
||
|
this.their_old_y = this.their_y
|
||
|
this.sessKeys[0][1] = this.sessKeys[0][0]
|
||
|
this.sessKeys[1][1] = this.sessKeys[1][0]
|
||
|
|
||
|
// new keys / sessions
|
||
|
this.their_y = their_y
|
||
|
this.sessKeys[0][0] = new this.DHSession(this.our_dh, this.their_y)
|
||
|
this.sessKeys[1][0] = new this.DHSession(this.our_old_dh, this.their_y)
|
||
|
|
||
|
}
|
||
|
|
||
|
OTR.prototype.prepareMsg = function (msg, esk) {
|
||
|
if (this.msgstate !== CONST.MSGSTATE_ENCRYPTED || this.their_keyid === 0)
|
||
|
return this.error('Not ready to encrypt.')
|
||
|
|
||
|
var sessKeys = this.sessKeys[1][0]
|
||
|
|
||
|
if (sessKeys.send_counter >= MAX_INT)
|
||
|
return this.error('Should have rekeyed by now.')
|
||
|
|
||
|
sessKeys.send_counter += 1
|
||
|
|
||
|
var ctr = HLP.packCtr(sessKeys.send_counter)
|
||
|
|
||
|
var send = this.ake.otr_version + '\x03' // version and type
|
||
|
var v3 = (this.ake.otr_version === CONST.OTR_VERSION_3)
|
||
|
|
||
|
if (v3) {
|
||
|
send += this.our_instance_tag
|
||
|
send += this.their_instance_tag
|
||
|
}
|
||
|
|
||
|
send += '\x00' // flag
|
||
|
send += HLP.packINT(this.our_keyid - 1)
|
||
|
send += HLP.packINT(this.their_keyid)
|
||
|
send += HLP.packMPI(this.our_dh.publicKey)
|
||
|
send += ctr.substring(0, 8)
|
||
|
|
||
|
if (Math.ceil(msg.length / 8) >= MAX_UINT) // * 16 / 128
|
||
|
return this.error('Message is too long.')
|
||
|
|
||
|
var aes = HLP.encryptAes(
|
||
|
CryptoJS.enc.Latin1.parse(msg)
|
||
|
, sessKeys.sendenc
|
||
|
, ctr
|
||
|
)
|
||
|
|
||
|
send += HLP.packData(aes)
|
||
|
send += HLP.make1Mac(send, sessKeys.sendmac)
|
||
|
send += HLP.packData(this.oldMacKeys.splice(0).join(''))
|
||
|
|
||
|
send = HLP.wrapMsg(
|
||
|
send
|
||
|
, this.fragment_size
|
||
|
, v3
|
||
|
, this.our_instance_tag
|
||
|
, this.their_instance_tag
|
||
|
)
|
||
|
if (send[0]) return this.error(send[0])
|
||
|
|
||
|
// emit extra symmetric key
|
||
|
if (esk) this.trigger('file', ['send', sessKeys.extra_symkey, esk])
|
||
|
|
||
|
return send[1]
|
||
|
}
|
||
|
|
||
|
OTR.prototype.handleDataMsg = function (msg) {
|
||
|
var vt = msg.version + msg.type
|
||
|
|
||
|
if (this.ake.otr_version === CONST.OTR_VERSION_3)
|
||
|
vt += msg.instance_tags
|
||
|
|
||
|
var types = ['BYTE', 'INT', 'INT', 'MPI', 'CTR', 'DATA', 'MAC', 'DATA']
|
||
|
msg = HLP.splitype(types, msg.msg)
|
||
|
|
||
|
// ignore flag
|
||
|
var ign = (msg[0] === '\x01')
|
||
|
|
||
|
if (this.msgstate !== CONST.MSGSTATE_ENCRYPTED || msg.length !== 8) {
|
||
|
if (!ign) this.error('Received an unreadable encrypted message.', true)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
var our_keyid = this.our_keyid - HLP.readLen(msg[2])
|
||
|
var their_keyid = this.their_keyid - HLP.readLen(msg[1])
|
||
|
|
||
|
if (our_keyid < 0 || our_keyid > 1) {
|
||
|
if (!ign) this.error('Not of our latest keys.', true)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
if (their_keyid < 0 || their_keyid > 1) {
|
||
|
if (!ign) this.error('Not of your latest keys.', true)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
var their_y = their_keyid ? this.their_old_y : this.their_y
|
||
|
|
||
|
if (their_keyid === 1 && !their_y) {
|
||
|
if (!ign) this.error('Do not have that key.')
|
||
|
return
|
||
|
}
|
||
|
|
||
|
var sessKeys = this.sessKeys[our_keyid][their_keyid]
|
||
|
|
||
|
var ctr = HLP.unpackCtr(msg[4])
|
||
|
if (ctr <= sessKeys.rcv_counter) {
|
||
|
if (!ign) this.error('Counter in message is not larger.')
|
||
|
return
|
||
|
}
|
||
|
sessKeys.rcv_counter = ctr
|
||
|
|
||
|
// verify mac
|
||
|
vt += msg.slice(0, 6).join('')
|
||
|
var vmac = HLP.make1Mac(vt, sessKeys.rcvmac)
|
||
|
|
||
|
if (!HLP.compare(msg[6], vmac)) {
|
||
|
if (!ign) this.error('MACs do not match.')
|
||
|
return
|
||
|
}
|
||
|
sessKeys.rcvmacused = true
|
||
|
|
||
|
var out = HLP.decryptAes(
|
||
|
msg[5].substring(4)
|
||
|
, sessKeys.rcvenc
|
||
|
, HLP.padCtr(msg[4])
|
||
|
)
|
||
|
out = out.toString(CryptoJS.enc.Latin1)
|
||
|
|
||
|
if (!our_keyid) this.rotateOurKeys()
|
||
|
if (!their_keyid) this.rotateTheirKeys(HLP.readMPI(msg[3]))
|
||
|
|
||
|
// parse TLVs
|
||
|
var ind = out.indexOf('\x00')
|
||
|
if (~ind) {
|
||
|
this.handleTLVs(out.substring(ind + 1), sessKeys)
|
||
|
out = out.substring(0, ind)
|
||
|
}
|
||
|
|
||
|
out = CryptoJS.enc.Latin1.parse(out)
|
||
|
return out.toString(CryptoJS.enc.Utf8)
|
||
|
}
|
||
|
|
||
|
OTR.prototype.handleTLVs = function (tlvs, sessKeys) {
|
||
|
var type, len, msg
|
||
|
for (; tlvs.length; ) {
|
||
|
type = HLP.unpackSHORT(tlvs.substr(0, 2))
|
||
|
len = HLP.unpackSHORT(tlvs.substr(2, 2))
|
||
|
|
||
|
msg = tlvs.substr(4, len)
|
||
|
|
||
|
// TODO: handle pathological cases better
|
||
|
if (msg.length < len) break
|
||
|
|
||
|
switch (type) {
|
||
|
case 1:
|
||
|
// Disconnected
|
||
|
this.msgstate = CONST.MSGSTATE_FINISHED
|
||
|
this.trigger('status', [CONST.STATUS_END_OTR])
|
||
|
break
|
||
|
case 2: case 3: case 4:
|
||
|
case 5: case 6: case 7:
|
||
|
// SMP
|
||
|
if (this.msgstate !== CONST.MSGSTATE_ENCRYPTED) {
|
||
|
if (this.sm) this.sm.abort()
|
||
|
return
|
||
|
}
|
||
|
if (!this.sm) this._smInit()
|
||
|
this.sm.handleSM({ msg: msg, type: type })
|
||
|
break
|
||
|
case 8:
|
||
|
// utf8 filenames
|
||
|
msg = msg.substring(4) // remove 4-byte indication
|
||
|
msg = CryptoJS.enc.Latin1.parse(msg)
|
||
|
msg = msg.toString(CryptoJS.enc.Utf8)
|
||
|
|
||
|
// Extra Symkey
|
||
|
this.trigger('file', ['receive', sessKeys.extra_symkey, msg])
|
||
|
break
|
||
|
}
|
||
|
|
||
|
tlvs = tlvs.substring(4 + len)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
OTR.prototype.smpSecret = function (secret, question) {
|
||
|
if (this.msgstate !== CONST.MSGSTATE_ENCRYPTED)
|
||
|
return this.error('Must be encrypted for SMP.')
|
||
|
|
||
|
if (typeof secret !== 'string' || secret.length < 1)
|
||
|
return this.error('Secret is required.')
|
||
|
|
||
|
if (!this.sm) this._smInit()
|
||
|
|
||
|
// utf8 inputs
|
||
|
secret = CryptoJS.enc.Utf8.parse(secret).toString(CryptoJS.enc.Latin1)
|
||
|
question = CryptoJS.enc.Utf8.parse(question).toString(CryptoJS.enc.Latin1)
|
||
|
|
||
|
this.sm.rcvSecret(secret, question)
|
||
|
}
|
||
|
|
||
|
OTR.prototype.sendQueryMsg = function () {
|
||
|
var versions = {}
|
||
|
, msg = CONST.OTR_TAG
|
||
|
|
||
|
if (this.ALLOW_V2) versions['2'] = true
|
||
|
if (this.ALLOW_V3) versions['3'] = true
|
||
|
|
||
|
// but we don't allow v1
|
||
|
// if (versions['1']) msg += '?'
|
||
|
|
||
|
var vs = Object.keys(versions)
|
||
|
if (vs.length) {
|
||
|
msg += 'v'
|
||
|
vs.forEach(function (v) {
|
||
|
if (v !== '1') msg += v
|
||
|
})
|
||
|
msg += '?'
|
||
|
}
|
||
|
|
||
|
this.io(msg)
|
||
|
this.trigger('status', [CONST.STATUS_SEND_QUERY])
|
||
|
}
|
||
|
|
||
|
OTR.prototype.sendMsg = function (msg, meta) {
|
||
|
if ( this.REQUIRE_ENCRYPTION ||
|
||
|
this.msgstate !== CONST.MSGSTATE_PLAINTEXT
|
||
|
) {
|
||
|
msg = CryptoJS.enc.Utf8.parse(msg)
|
||
|
msg = msg.toString(CryptoJS.enc.Latin1)
|
||
|
}
|
||
|
|
||
|
switch (this.msgstate) {
|
||
|
case CONST.MSGSTATE_PLAINTEXT:
|
||
|
if (this.REQUIRE_ENCRYPTION) {
|
||
|
this.storedMgs.push({msg: msg, meta: meta})
|
||
|
this.sendQueryMsg()
|
||
|
return
|
||
|
}
|
||
|
if (this.SEND_WHITESPACE_TAG && !this.receivedPlaintext) {
|
||
|
msg += CONST.WHITESPACE_TAG // 16 byte tag
|
||
|
if (this.ALLOW_V3) msg += CONST.WHITESPACE_TAG_V3
|
||
|
if (this.ALLOW_V2) msg += CONST.WHITESPACE_TAG_V2
|
||
|
}
|
||
|
break
|
||
|
case CONST.MSGSTATE_FINISHED:
|
||
|
this.storedMgs.push({msg: msg, meta: meta})
|
||
|
this.error('Message cannot be sent at this time.')
|
||
|
return
|
||
|
case CONST.MSGSTATE_ENCRYPTED:
|
||
|
msg = this.prepareMsg(msg)
|
||
|
break
|
||
|
default:
|
||
|
throw new Error('Unknown message state.')
|
||
|
}
|
||
|
|
||
|
if (msg) this.io(msg, meta)
|
||
|
}
|
||
|
|
||
|
OTR.prototype.receiveMsg = function (msg) {
|
||
|
|
||
|
// parse type
|
||
|
msg = Parse.parseMsg(this, msg)
|
||
|
|
||
|
if (!msg) return
|
||
|
|
||
|
switch (msg.cls) {
|
||
|
case 'error':
|
||
|
this.error(msg.msg)
|
||
|
return
|
||
|
case 'ake':
|
||
|
if ( msg.version === CONST.OTR_VERSION_3 &&
|
||
|
this.checkInstanceTags(msg.instance_tags)
|
||
|
) return // ignore
|
||
|
this.ake.handleAKE(msg)
|
||
|
return
|
||
|
case 'data':
|
||
|
if ( msg.version === CONST.OTR_VERSION_3 &&
|
||
|
this.checkInstanceTags(msg.instance_tags)
|
||
|
) return // ignore
|
||
|
msg.msg = this.handleDataMsg(msg)
|
||
|
msg.encrypted = true
|
||
|
break
|
||
|
case 'query':
|
||
|
if (this.msgstate === CONST.MSGSTATE_ENCRYPTED) this._akeInit()
|
||
|
this.doAKE(msg)
|
||
|
break
|
||
|
default:
|
||
|
// check for encrypted
|
||
|
if ( this.REQUIRE_ENCRYPTION ||
|
||
|
this.msgstate !== CONST.MSGSTATE_PLAINTEXT
|
||
|
) this.error('Received an unencrypted message.')
|
||
|
|
||
|
// received a plaintext message
|
||
|
// stop sending the whitespace tag
|
||
|
this.receivedPlaintext = true
|
||
|
|
||
|
// received a whitespace tag
|
||
|
if (this.WHITESPACE_START_AKE && msg.ver.length > 0)
|
||
|
this.doAKE(msg)
|
||
|
}
|
||
|
|
||
|
if (msg.msg) this.trigger('ui', [msg.msg, !!msg.encrypted])
|
||
|
}
|
||
|
|
||
|
OTR.prototype.checkInstanceTags = function (it) {
|
||
|
var their_it = HLP.readLen(it.substr(0, 4))
|
||
|
var our_it = HLP.readLen(it.substr(4, 4))
|
||
|
|
||
|
if (our_it && our_it !== HLP.readLen(this.our_instance_tag))
|
||
|
return true
|
||
|
|
||
|
if (HLP.readLen(this.their_instance_tag)) {
|
||
|
if (HLP.readLen(this.their_instance_tag) !== their_it) return true
|
||
|
} else {
|
||
|
if (their_it < 100) return true
|
||
|
this.their_instance_tag = HLP.packINT(their_it)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
OTR.prototype.doAKE = function (msg) {
|
||
|
if (this.ALLOW_V3 && ~msg.ver.indexOf(CONST.OTR_VERSION_3)) {
|
||
|
this.ake.initiateAKE(CONST.OTR_VERSION_3)
|
||
|
} else if (this.ALLOW_V2 && ~msg.ver.indexOf(CONST.OTR_VERSION_2)) {
|
||
|
this.ake.initiateAKE(CONST.OTR_VERSION_2)
|
||
|
} else {
|
||
|
// is this an error?
|
||
|
this.error('OTR conversation requested, ' +
|
||
|
'but no compatible protocol version found.')
|
||
|
}
|
||
|
}
|
||
|
|
||
|
OTR.prototype.error = function (err, send) {
|
||
|
if (send) {
|
||
|
if (!this.debug) err = "An OTR error has occurred."
|
||
|
err = '?OTR Error:' + err
|
||
|
this.io(err)
|
||
|
return
|
||
|
}
|
||
|
this.trigger('error', [err])
|
||
|
}
|
||
|
|
||
|
OTR.prototype.sendStored = function () {
|
||
|
var self = this
|
||
|
;(this.storedMgs.splice(0)).forEach(function (elem) {
|
||
|
var msg = self.prepareMsg(elem.msg)
|
||
|
self.io(msg, elem.meta)
|
||
|
})
|
||
|
}
|
||
|
|
||
|
OTR.prototype.sendFile = function (filename) {
|
||
|
if (this.msgstate !== CONST.MSGSTATE_ENCRYPTED)
|
||
|
return this.error('Not ready to encrypt.')
|
||
|
|
||
|
if (this.ake.otr_version !== CONST.OTR_VERSION_3)
|
||
|
return this.error('Protocol v3 required.')
|
||
|
|
||
|
if (!filename) return this.error('Please specify a filename.')
|
||
|
|
||
|
// utf8 filenames
|
||
|
var l1name = CryptoJS.enc.Utf8.parse(filename)
|
||
|
l1name = l1name.toString(CryptoJS.enc.Latin1)
|
||
|
|
||
|
if (l1name.length >= 65532) return this.error('filename is too long.')
|
||
|
|
||
|
var msg = '\x00' // null byte
|
||
|
msg += '\x00\x08' // type 8 tlv
|
||
|
msg += HLP.packSHORT(4 + l1name.length) // length of value
|
||
|
msg += '\x00\x00\x00\x01' // four bytes indicating file
|
||
|
msg += l1name
|
||
|
|
||
|
msg = this.prepareMsg(msg, filename)
|
||
|
this.io(msg)
|
||
|
}
|
||
|
|
||
|
OTR.prototype.endOtr = function () {
|
||
|
if (this.msgstate === CONST.MSGSTATE_ENCRYPTED) {
|
||
|
this.sendMsg('\x00\x00\x01\x00\x00')
|
||
|
if (this.sm) {
|
||
|
if (this.smw) this.sm.worker.terminate() // destroy webworker
|
||
|
this.sm = null
|
||
|
}
|
||
|
}
|
||
|
this.msgstate = CONST.MSGSTATE_PLAINTEXT
|
||
|
this.receivedPlaintext = false
|
||
|
this.trigger('status', [CONST.STATUS_END_OTR])
|
||
|
}
|
||
|
|
||
|
// attach methods
|
||
|
|
||
|
OTR.makeInstanceTag = function () {
|
||
|
var num = BigInt.randBigInt(32)
|
||
|
if (BigInt.greater(BigInt.str2bigInt('100', 16), num))
|
||
|
return OTR.makeInstanceTag()
|
||
|
return HLP.packINT(parseInt(BigInt.bigInt2str(num, 10), 10))
|
||
|
}
|
||
|
|
||
|
}).call(this)
|
||
|
|
||
|
|
||
|
return {
|
||
|
OTR: this.OTR
|
||
|
, DSA: this.DSA
|
||
|
}
|
||
|
|
||
|
}))
|