diff --git a/apps/smp-server/Main.hs b/apps/smp-server/Main.hs index 3a334d0d59..7be11d2dd7 100644 --- a/apps/smp-server/Main.hs +++ b/apps/smp-server/Main.hs @@ -3,7 +3,7 @@ module Main where import Control.Logger.Simple import Simplex.Messaging.Server.CLI (getEnvPath) import Simplex.Messaging.Server.Main (smpServerCLI_) -import Simplex.Messaging.Server.Web (serveStaticFiles, attachStaticFiles) +import Simplex.Messaging.Server.Web (serveStaticFiles, attachStaticAndWS) import SMPWeb (smpGenerateSite) defaultCfgPath :: FilePath @@ -19,4 +19,4 @@ main :: IO () main = do cfgPath <- getEnvPath "SMP_SERVER_CFG_PATH" defaultCfgPath logPath <- getEnvPath "SMP_SERVER_LOG_PATH" defaultLogPath - withGlobalLogging logCfg $ smpServerCLI_ smpGenerateSite serveStaticFiles attachStaticFiles cfgPath logPath + withGlobalLogging logCfg $ smpServerCLI_ smpGenerateSite serveStaticFiles attachStaticAndWS cfgPath logPath diff --git a/rfcs/2026-03-20-smp-agent-web.md b/rfcs/2026-03-20-smp-agent-web.md new file mode 100644 index 0000000000..8b015f0e8e --- /dev/null +++ b/rfcs/2026-03-20-smp-agent-web.md @@ -0,0 +1,299 @@ +# SMP Agent for Browser — Web Widget Infrastructure + +## 1. Problem & Goal + +The SimpleX web widget needs to create duplex connections, send and receive encrypted messages, and handle the full SMP agent lifecycle — all running in the browser. This requires a TypeScript implementation of the SMP protocol stack: encoding, transport, client, and agent layers, mirroring the Haskell implementation in simplexmq. + +This document covers the protocol infrastructure that lives in the simplexmq repository (`smp-web/`). The widget UI and chat-layer semantics (contact addresses, business addresses, group links) live in simplex-chat. + +## 2. Architecture + +Four layers, mirroring the Haskell codebase: + +``` +┌─────────────────────────────────────────────────────────────┐ +│ Agent Layer │ +│ Duplex connections, X3DH key agreement, double ratchet, │ +│ message delivery, queue rotation, connection lifecycle │ +├─────────────────────────────────────────────────────────────┤ +│ Client Layer │ +│ Connection pool (per server), command/response correlation, │ +│ reconnection, backoff │ +├─────────────────────────────────────────────────────────────┤ +│ Transport Layer │ +│ WebSocket, SMP handshake, block framing (16384 bytes), │ +│ block encryption (X25519 DH + SbChainKeys) │ +├─────────────────────────────────────────────────────────────┤ +│ Protocol Layer │ +│ SMP commands (NEW, KEY, SUB, SEND, ACK, etc.), │ +│ binary encoding, transmission format │ +├─────────────────────────────────────────────────────────────┤ +│ Shared (from xftp-web) │ +│ encoding.ts, secretbox.ts, padding.ts, keys.ts, digest.ts │ +└─────────────────────────────────────────────────────────────┘ + │ + ▼ WebSocket (TLS via browser) + ┌───────────────┐ + │ SMP Server │ + │ (SNI → Warp │ + │ → WS upgrade)│ + └───────────────┘ +``` + +### Core Principle: Mirror Haskell Structure + +TypeScript code mirrors the Haskell module hierarchy as closely as possible. Each Haskell module has a corresponding TypeScript file, placed in the same relative path. Functions keep the same names. This enables: +- Easy cross-reference between codebases +- Sync as protocol evolves +- Code review by people who know the Haskell side +- Byte-for-byte testing of corresponding functions + +### File Structure + +``` +smp-web/ +├── src/ +│ ├── protocol.ts ← SMP commands, transmission format +│ ├── protocol/ +│ │ └── types.ts ← protocol types +│ ├── version.ts ← version range negotiation +│ ├── transport.ts ← handshake, block framing, THandle +│ ├── transport/ +│ │ └── websockets.ts ← WebSocket connection +│ ├── client.ts ← connection pool, correlation, reconnect +│ ├── crypto/ +│ │ ├── ratchet.ts ← double ratchet +│ │ └── shortLink.ts ← HKDF, link data decrypt +│ └── agent/ +│ ├── protocol.ts ← connection types, link data parsing +│ └── client.ts ← connection lifecycle, message delivery +├── package.json +└── tsconfig.json +``` + +Encoding and crypto primitives are imported directly from xftp-web (npm dependency). New files are only created where SMP-specific logic is needed. + +### Haskell Module → TypeScript File Mapping + +| Haskell Module | TypeScript File | Source | +|---|---|---| +| `Simplex.Messaging.Encoding` | xftp-web `protocol/encoding.ts` | import directly | +| `Simplex.Messaging.Crypto` | xftp-web `crypto/*` | import directly | +| `Simplex.Messaging.Protocol` | `protocol.ts` | new | +| `Simplex.Messaging.Protocol.Types` | `protocol/types.ts` | new | +| `Simplex.Messaging.Version` | `version.ts` | new | +| `Simplex.Messaging.Transport` | `transport.ts` | new | +| `Simplex.Messaging.Transport.WebSockets` | `transport/websockets.ts` | new | +| `Simplex.Messaging.Client` | `client.ts` | new | +| `Simplex.Messaging.Crypto.Ratchet` | `crypto/ratchet.ts` | new | +| `Simplex.Messaging.Crypto.ShortLink` | `crypto/shortLink.ts` | new | +| `Simplex.Messaging.Agent.Protocol` | `agent/protocol.ts` | new | +| `Simplex.Messaging.Agent.Client` | `agent/client.ts` | new | + +Function names in TypeScript match Haskell names (camelCase preserved). When a Haskell function is `smpClientHandshake`, TypeScript has `smpClientHandshake`. When Haskell has `contactShortLinkKdf`, TypeScript has `contactShortLinkKdf`. + +## 3. Relationship to xftp-web + +xftp-web (`simplexmq-2/xftp-web/`) is a production TypeScript XFTP client. smp-web reuses its foundations: + +**Reused directly (npm dependency)**: +- `protocol/encoding.ts` — Decoder class, Word16/Word32/Int64, ByteString, Large, Bool, Maybe, List encoding +- `crypto/secretbox.ts` — XSalsa20-Poly1305 (cbEncrypt/cbDecrypt, streaming) +- `crypto/padding.ts` — Block padding (2-byte length prefix + `#` fill) +- `crypto/keys.ts` — Ed25519, X25519 key generation, signing, DH, DER encoding +- `crypto/digest.ts` — SHA-256, SHA-512 +- `crypto/identity.ts` — X.509 certificate chain parsing, signature verification + +**New in smp-web**: +- SMP protocol commands and transmission format +- SMP handshake (different from XFTP handshake) +- WebSocket transport (XFTP uses HTTP/2 fetch) +- SMP client with queue-based correlation +- Agent layer (connections, ratchet, message processing) +- Short link operations (HKDF-SHA512, link data parsing) + +**Same build pattern**: +- TypeScript strict, ES2022 modules +- `tsc` → `dist/` +- Haskell tests via `callNode` (same function from XFTPWebTests) +- Each TypeScript function verified byte-for-byte against Haskell + +## 4. Server Changes + +### Done +- `attachStaticAndWS` — unified HTTP + WebSocket handler via `wai-websockets` +- SNI-based routing: browser (SNI) → Warp → WebSocket upgrade → SMP over WS; native (no SNI) → SMP over TLS +- `acceptWSConnection` — constructs `WS 'TServer` from TLS connection + Warp PendingConnection, preserves peer cert chain +- `AttachHTTP` takes `TLS 'TServer` (not raw Context), enabling proper cert chain forwarding +- Test: `testWebSocketAndTLS` verifies native TLS and WebSocket clients on same port + +### Remaining +- CORS headers for cross-origin widget embedding (pattern available in XFTP server) +- Server CLI configuration for enabling/disabling WebSocket support per port + +## 5. Build Approach + +Bottom-up, function-by-function. Each TypeScript function tested against its Haskell counterpart before building the next. + +**Test infrastructure**: `SMPWebTests.hs` reuses `callNode`, `jsOut`, `jsUint8` from `XFTPWebTests.hs` (generalized, not copied). + +**Pattern**: for each function: +1. Implement in TypeScript +2. Write Haskell test that calls it via `callNode` +3. Compare output byte-for-byte with Haskell reference +4. Also test cross-language: Haskell encodes → TypeScript decodes, and vice versa + +## 6. Implementation Phases + +### Phase 1: Protocol Encoding + Handshake + +Foundation layer. SMP-specific binary encoding and handshake. + +**Functions**: +- SMP transmission format: `[auth ByteString][corrId ByteString][entityId ByteString][command]` +- `encodeTransmission` / `parseTransmission` +- `parseSMPServerHandshake` — versionRange, sessionId, authPubKey (CertChainPubKey) +- `encodeSMPClientHandshake` — version, keyHash, authPubKey, proxyServer, clientService +- Server certificate chain verification (reuse xftp-web identity.ts) +- Version negotiation + +**Key encoding details**: +- `authPubKey` uses `encodeAuthEncryptCmds`: Nothing → empty (0 bytes), Just → raw smpEncode (NOT Maybe 0/1 prefix) +- `proxyServer`: Bool 'T'/'F' (v14+) +- `clientService`: Maybe '0'/'1' (v16+) + +### Phase 2: SMP Commands + +All commands needed for messaging. + +**Sender**: SKEY, SEND +**Receiver**: NEW, KEY, SUB, ACK, OFF, DEL +**Link**: LGET +**Common**: PING + +**For each command**: encode function + decode function for its response, tested against Haskell. + +### Phase 3: Transport + +WebSocket connection with SMP block framing. + +**Functions**: +- WebSocket connect (`wss://` URL) +- Block send/receive (16384-byte binary frames) +- SMP handshake over WebSocket +- Block encryption: X25519 DH → HKDF-SHA512 → SbChainKeys → per-block XSalsa20-Poly1305 + +**Block encryption flow**: +1. Client generates ephemeral X25519 keypair, sends public key in handshake +2. Server sends its signed DH key in handshake +3. Both sides compute DH shared secret +4. `sbcInit(sessionId, dhSecret)` → two 32-byte chain keys (HKDF-SHA512) +5. Each block: `sbcHkdf(chainKey)` → ephemeral key + nonce, advance chain +6. Encrypt/decrypt with XSalsa20-Poly1305, blockSize-16 padding target + +### Phase 4: Client + +Connection management layer. + +**Functions**: +- Connection pool: one WebSocket per SMP server +- Command/response correlation via corrId +- Send queue + receive queue (ABQueue pattern from simplexmq-js) +- Automatic reconnection with exponential backoff +- Timeout handling + +### Phase 5: Agent — Connection Establishment + +Duplex SMP connections with X3DH key agreement. + +**Functions**: +- Create receive queue (NEW) +- Join connection via invitation URI +- X3DH key agreement +- Send confirmation (SKEY + SEND) +- Complete handshake (HELLO exchange) +- Connection state machine + +### Phase 6: Agent — Double Ratchet + +Message encryption/decryption. + +**Functions**: +- Signal double ratchet implementation +- Header encryption +- Ratchet state management +- Key derivation (HKDF) +- Message sequence + hash chain verification + +### Phase 7: Agent — Message Delivery + +Send and receive messages through established connections. + +**Functions**: +- Send path: encrypt → encode agent envelope → SEND → handle OK/delivery receipt +- Receive path: SUB → receive MSG → decrypt → verify → ACK +- Delivery receipts +- Message acknowledgment + +### Phase 8: Short Links + +Entry point for the widget — parse short link, fetch profile. + +**Functions**: +- Parse short link URI (contact, group, business address types) +- HKDF key derivation (SHA-512): `contactShortLinkKdf` +- LGET command → LNK response +- Decrypt link data (XSalsa20-Poly1305) +- Parse FixedLinkData, ConnLinkData, UserLinkData +- Extract profile JSON + +## 7. Persistence + +Agent state (keys, ratchet, connections, messages) must persist across page reloads. + +**Open question**: storage backend. + +Options: +- **IndexedDB directly** — universal browser support, async API, no additional dependencies. Downside: key-value semantics, no SQL queries, manual indexing. +- **SQLite in browser** — sql.js (WASM-compiled SQLite) or wa-sqlite (with OPFS backend for persistence). Upside: matches Haskell agent's SQLite storage, schema can mirror `Simplex.Messaging.Agent.Store.SQLite`. Downside: additional dependency, WASM bundle size. +- **OPFS + SQLite** — Origin Private File System for durable storage, SQLite for structured access. Best durability, but limited browser support (no Safari private browsing). + +**Decision criteria**: how closely we want to mirror the Haskell agent's storage schema, bundle size budget, browser compatibility requirements. + +## 8. Testing Strategy + +### Unit Tests (per function) + +Haskell tests in `SMPWebTests.hs` using `callNode` pattern: +- TypeScript function called via Node.js subprocess +- Output compared byte-for-byte with Haskell reference +- Cross-language tests: encode in one language, decode in the other + +### Integration Tests + +Against live SMP server (spawned by test setup, same pattern as xftp-web globalSetup.ts): +- WebSocket connect + handshake +- Command round-trips (NEW, KEY, SUB, SEND, ACK) +- Message delivery through server +- Reconnection after disconnect + +### Browser Tests + +Vitest + Playwright (same as xftp-web): +- Full connection lifecycle in browser environment +- WebSocket transport in real browser +- Persistence round-trips + +## 9. Security Model + +Same principles as xftp-web: +- **TLS via browser** — browser handles certificate validation for WSS connections +- **SNI routing** — browser connections use SNI, routed to Warp + WebSocket handler +- **Server identity** — verified via certificate chain in SMP handshake (keyHash from short link or known servers) +- **Block encryption** — X25519 DH + SbChainKeys provides forward secrecy per block, on top of TLS +- **End-to-end encryption** — double ratchet between agent peers, server sees only encrypted blobs +- **No server-side secrets** — all keys derived and stored client-side +- **CORS** — required for cross-origin widget embedding, safe because SMP requires auth on every command +- **CSP** — strict content security policy for widget page + +**Threat model**: same as xftp-web. Primary risk is page substitution (malicious JS). Mitigated by HTTPS, CSP, SRI, and optionally IPFS hosting with published fingerprints. diff --git a/rfcs/2026-03-20-smp-agent-web/2026-03-20-smp-agent-web-spike.md b/rfcs/2026-03-20-smp-agent-web/2026-03-20-smp-agent-web-spike.md new file mode 100644 index 0000000000..cf78ed3070 --- /dev/null +++ b/rfcs/2026-03-20-smp-agent-web/2026-03-20-smp-agent-web-spike.md @@ -0,0 +1,359 @@ +# SMP Agent Web: Spike Plan + +Revision 4, 2026-03-20 + +Parent RFC: [2026-03-20-smp-agent-web.md](../2026-03-20-smp-agent-web.md) + +## Revision History + +- **Rev 4**: Aligned with RFC. Restructured as bottom-up build plan with per-function Haskell tests. Router WebSocket support done. File structure mirrors Haskell modules. +- **Rev 3**: Fixed multiple encoding errors discovered during audit (see encoding details below). + +## Objective + +Fetch and display business/contact profile from a SimpleX short link URI, via WebSocket to SMP router. This is the first milestone of the SMP agent web implementation — it proves the protocol encoding, transport, crypto, and data parsing layers work end-to-end. + +The spike is not throwaway code. It is the beginning of the `smp-web/` TypeScript library, built bottom-up with each function tested against its Haskell counterpart. + +## What This Proves + +- WebSocket transport to SMP router works from browser +- SMP protocol encoding is correct (binary format, not ASCII) +- SMP handshake works (version negotiation, server certificate parsing) +- Crypto is compatible (HKDF-SHA512, XSalsa20-Poly1305) +- Short link data parsing matches Haskell (FixedLinkData, ConnLinkData, profile) + +## Success Criteria + +Haskell test creates a short link, TypeScript fetches and decodes it via WebSocket, profile data matches. + +## Protocol Flow + +``` +1. Parse short link URI + https://simplex.chat/c#?h=hosts&p=port&c=keyHash + → server, linkKey + +2. Derive keys (HKDF-SHA512) + linkKey → (linkId, sbKey) + +3. WebSocket connect + wss://server:443 (TLS handled by browser) + +4. SMP handshake + ← SMPServerHandshake {sessionId, smpVersionRange, authPubKey} + → SMPClientHandshake {smpVersion, keyHash, authPubKey=Nothing, proxyServer=False, clientService=Nothing} + +5. Send LGET + → [empty auth][corrId][linkId]["LGET"] + +6. Receive LNK + ← [auth][corrId][linkId]["LNK" space senderId encFixedData encUserData] + +7. Decrypt + XSalsa20-Poly1305 with sbKey + → FixedLinkData, ConnLinkData (with profile JSON) + +8. Display profile +``` + +Note: spike sends `authPubKey=Nothing` so block encryption is not used (blocks are padded only). Block encryption is added in steps 12-13. + + +## Build Approach + +Bottom-up, function-by-function. Each TypeScript function tested against its Haskell counterpart via `callNode` — the same pattern used in xftp-web (see `XFTPWebTests.hs`). + +**Project location**: `simplexmq-2/smp-web/` +**Tests**: `simplexmq-2/tests/SMPWebTests.hs` — reuses `callNode`/`jsOut`/`jsUint8` from XFTPWebTests (generalized, not copied) +**xftp-web**: npm dependency via `file:../xftp-web` (encoding, crypto, padding imported directly). Note: libsodium-wrappers-sumo is xftp-web's dependency; tests must init the same sodium instance that xftp-web's secretbox uses. If xftp-web is ever published to npm, libsodium should become a peerDependency. +**File structure**: mirrors Haskell module hierarchy (see RFC section 2) + +**Pattern for each function**: +1. Check if xftp-web already implements it (or something close). If so, import and reuse — export from xftp-web if not yet exported. Only write new code when no existing implementation covers the need. +2. Implement in TypeScript, in the file corresponding to its Haskell module +3. Write Haskell test that calls it via `callNode` +4. Compare output byte-for-byte with Haskell reference +5. Cross-language: Haskell encodes → TypeScript decodes, and vice versa + +### Parsing Approach + +All binary parsing uses xftp-web's `Decoder` class — the same class, not a copy. `Decoder` tracks position over a `Uint8Array`, throws on malformed input, returns subarray views (zero-copy). + +SMP command parsing follows the same pattern as xftp-web's `decodeResponse` in `commands.ts`: `readTag` reads bytes until space or end, switch dispatches on the tag string, fields are parsed sequentially with `Decoder` methods (`decodeBytes`, `decodeLarge`, `decodeBool`, etc.). + +**Prerequisite xftp-web change**: `readTag` and `readSpace` in xftp-web's `commands.ts` need to be exported so smp-web can import them. + +### WebSocket Transport Approach + +WebSocket transport follows the simplexmq-js `WSTransport` pattern: + +- `WebSocket` connects to `wss://` URL with `binaryType = 'arraybuffer'` +- `onmessage` enqueues received frames into an `ABQueue` (async bounded queue with backpressure) +- `onclose` closes the queue (sentinel-based) +- `readBlock()` dequeues one frame, validates it is exactly 16384 bytes +- `sendBlock(data)` sends one 16384-byte binary frame + +The `ABQueue` class from simplexmq-js provides backpressure via semaphores and clean async iteration. It can be included in smp-web or extracted as a shared utility. + +The SMP transport layer wraps WebSocket transport: +- Receives raw blocks → unpad → parse transmission +- Encodes transmission → pad → send as block +- After handshake, if block encryption is active: decrypt before unpad, encrypt after pad + + +## Encoding Reference + +Binary encoding rules (from `Simplex.Messaging.Encoding`): + +| Type | Format | +|------|--------| +| `Word16` | 2 bytes big-endian | +| `Word32` | 4 bytes big-endian | +| `ByteString` | 1-byte length + bytes (max 255) | +| `Large` | 2-byte length (BE) + bytes (max 65535) | +| `Bool` | 'T' (0x54) or 'F' (0x46) | +| `Maybe a` | '0' (0x30) for Nothing, '1' (0x31) + value for Just | +| `smpEncodeList` | 1-byte count + items | +| `UserLinkData` | ByteString if ≤254 bytes, else 0xFF + Large | + +**Critical**: `encodeAuthEncryptCmds Nothing` = empty (0 bytes), NOT 'F' or '0'. + +**Transmission format** (binary, NOT ASCII with spaces): +``` +[auth ByteString][corrId ByteString][entityId ByteString][command bytes] +``` + +For v7+ (`implySessId = True`): sessionId is NOT sent on wire, but is prepended to the `authorized` data for signature verification. For unauthenticated commands (LGET), this doesn't apply. + +**Block framing**: `pad(transmission, 16384)` = `[2-byte BE length][message][padding with '#' (0x23)]` + + +## Server Changes — DONE + +WebSocket support on the same port as native TLS is implemented and tested. + +- `attachStaticAndWS` — unified HTTP + WebSocket handler via `wai-websockets` +- SNI routing: browser (SNI) → Warp → WebSocket upgrade → SMP over WS +- `acceptWSConnection` — constructs `WS 'TServer` from `TLS 'TServer` + PendingConnection +- Test: `testWebSocketAndTLS` in `ServerTests.hs` + +**Remaining**: CORS headers for cross-origin widget embedding. + + +## Implementation Steps + +Each step produces working, tested code. Steps 1-11 work without block encryption. Steps 12-13 add it. + +### Step 1: Project Setup + xftp-web Changes + +**smp-web setup**: +- Create `smp-web/` with `package.json` (xftp-web + `@noble/hashes` as dependencies), `tsconfig.json` (ES2022, strict, same as xftp-web) +- Build: `tsc` → `dist/` + +**xftp-web change**: +- Export `readTag` and `readSpace` from `commands.ts` (currently unexported) so smp-web can import them + +**Test infrastructure**: +- Create `SMPWebTests.hs`, reusing `callNode`/`jsOut`/`jsUint8` from XFTPWebTests (generalize shared utilities into a common test module, not copy) +- First test: import `decodeBytes` from xftp-web, encode a ByteString, verify output matches Haskell `smpEncode` + +### Step 2: SMP Transmission Encode/Decode + +**File**: `protocol.ts` +**Haskell reference**: `Simplex.Messaging.Protocol` — `encodeTransmission_`, `transmissionP` + +**Implementation**: +- `encodeTransmission(corrId, entityId, command)`: `concatBytes(encodeBytes(emptyAuth), encodeBytes(corrId), encodeBytes(entityId), command)` — unsigned, empty auth byte (0x00) +- `decodeTransmission(data)`: sequential Decoder — `decodeBytes` for auth, corrId, entityId, then `takeAll` for command bytes +- Pad/unpad: reuse xftp-web `blockPad`/`blockUnpad` (same 2-byte length prefix + '#' padding, same 16384 block size) + +**Tests**: encode in TypeScript → decode in Haskell (`transmissionP`), encode in Haskell (`encodeTransmission_`) → decode in TypeScript. Byte-for-byte match. + +### Step 3: SMP Handshake Parse/Encode + +**File**: `transport.ts` +**Haskell reference**: `Simplex.Messaging.Transport` — `SMPServerHandshake`, `SMPClientHandshake` + +**Implementation**: +- `parseSMPServerHandshake(d: Decoder)`: `decodeWord16` × 2 for versionRange, `decodeBytes` for sessionId. For authPubKey: if `maxVersion >= 7` and bytes remaining, parse `CertChainPubKey` (reuse xftp-web `identity.ts` for X.509 cert chain parsing and signature extraction). If no bytes remain, authPubKey is absent (encodeAuthEncryptCmds encoded Nothing as empty). +- `encodeSMPClientHandshake(...)`: `concatBytes(encodeWord16(version), encodeBytes(keyHash), authPubKeyBytes, encodeBool(proxyServer), encodeMaybe(encodeService, clientService))`. Where authPubKey: empty bytes for Nothing, `encodeBytes(pubkey)` for Just. proxyServer only for v14+, clientService only for v16+. + +**Tests**: Haskell encodes `SMPServerHandshake` → TypeScript parses, all fields match. TypeScript encodes `SMPClientHandshake` → Haskell parses via `smpP`. + +### Step 4: LGET Command Encode + +**File**: `protocol.ts` +**Haskell reference**: `Simplex.Messaging.Protocol` — `LGET` command encoding + +**Implementation**: +- `encodeLGET()`: returns `ascii("LGET")` — 4 bytes, no parameters. The LinkId is carried as entityId in the transmission (step 2), not in the command body. +- Full LGET block: `blockPad(encodeTransmission(corrId, linkId, encodeLGET()), 16384)` + +**Tests**: encode full LGET block in TypeScript, Haskell unpad + `transmissionP` + `parseProtocol` decodes as `LGET` with correct corrId and linkId. + +### Step 5: LNK Response Parse + +**File**: `protocol.ts` +**Haskell reference**: `Simplex.Messaging.Protocol` — `LNK` response encoding (line 1834) + +**Implementation**: +- `decodeResponse(d: Decoder)`: `readTag(d)` → switch dispatch (same pattern as xftp-web `decodeResponse`) +- For `"LNK"`: `readSpace(d)`, `decodeBytes(d)` for senderId, `decodeLarge(d)` for encFixedData, `decodeLarge(d)` for encUserData +- Also handle `"ERR"` responses for error reporting + +**Tests**: Haskell encodes `LNK senderId (encFixed, encUser)` → TypeScript `decodeResponse` parses. All fields match byte-for-byte. + +### Step 6: Short Link URI Parse + +**File**: `agent/protocol.ts` +**Haskell reference**: `Simplex.Messaging.Agent.Protocol` — `ConnShortLink` StrEncoding instance (lines 1599-1612) + +**Implementation**: +- `parseShortLink(uri)`: regex to extract scheme (https/simplex), type char (c/g/a), linkKey (base64url, 43 chars → 32 bytes), query params (h=hosts, p=port, c=keyHash) +- `base64UrlDecode(s)`: pad to multiple of 4, replace `-`→`+`, `_`→`/`, decode +- Returns `{scheme, connType, server: {hosts, port, keyHash}, linkKey}` + +**Tests**: Haskell `strEncode` a `ConnShortLink` → TypeScript `connShortLinkStrP` parses. All fields match. Test multiple formats: with/without query params, different type chars. + +**Done**. Function: `connShortLinkStrP` in `agent/protocol.ts`. Uses `base64urlDecode` from xftp-web `description.ts`. + +**Future**: +- Add long link parsing (`ConnectionRequestUri`) and an either-parser that handles both short and long links. +- Add `restoreShortLink`: preset servers are shortened to host-only (`SMPServerOnlyHost` - no port, no keyHash). After parsing, `restoreShortLink` looks up the full server by hostname from a preset servers list. Without this, connections to preset servers will fail. See `Agent/Protocol.hs:1692`. + +### Step 7: HKDF Key Derivation + +**File**: `crypto/shortLink.ts` +**Haskell reference**: `Simplex.Messaging.Crypto.ShortLink` — `contactShortLinkKdf` (line 48) + +**Implementation**: +- `contactShortLinkKdf(linkKey)`: `hkdf(sha512, linkKey, new Uint8Array(0), "SimpleXContactLink", 56)` using `@noble/hashes/hkdf` + `@noble/hashes/sha512`. Split result: first 24 bytes = linkId, remaining 32 bytes = sbKey. + +**Note**: Haskell `C.hkdf` uses SHA-512, not SHA3-256. + +**Tests**: given known linkKey bytes, TypeScript and Haskell produce identical linkId and sbKey. + +### Step 8: Link Data Decrypt + +**File**: `crypto/shortLink.ts` +**Haskell reference**: `Simplex.Messaging.Crypto.ShortLink` — `decryptLinkData` (lines 100-120) + +**Implementation**: +- `decryptLinkData(sbKey, encFixedData, encUserData)`: + 1. For each EncDataBytes: `Decoder` → `decodeBytes(d)` for nonce (24 bytes), `decodeTail(d)` for ciphertext (includes Poly1305 tag) + 2. `cbDecrypt(sbKey, nonce, ciphertext)` via xftp-web `secretbox.ts` + 3. From decrypted plaintext: `decodeBytes(d)` for signature (1-byte len 0x40 + 64 bytes), `decodeTail(d)` for actual data + 4. Return both plaintext data blobs (signature verification skipped for spike) + +**Tests**: Haskell `encodeSignLinkData` + `sbEncrypt` with known key/nonce → TypeScript decrypts → plaintext matches. + +### Step 9: ConnLinkData Parse + +**File**: `agent/protocol.ts` +**Haskell reference**: `Simplex.Messaging.Agent.Protocol` — `ConnLinkData`, `UserContactData`, `OwnerAuth`, `ConnShortLink`, `ProtocolServer` Encoding instances + +**Implementation** (proper decoding, not skipping): +- `decodeConnLinkData(d)`: `anyByte` for connectionMode ('C'=Contact), `decodeWord16` × 2 for agentVRange, then `decodeUserContactData` +- `decodeUserContactData(d)`: `decodeBool` for direct, `smpListP(decodeOwnerAuth, d)` for owners, `smpListP(decodeConnShortLink, d)` for relays, `decodeUserLinkData(d)` for userData +- `decodeOwnerAuth(d)`: `decodeBytes` for outer wrapper, then parse inner: `(ownerId, ownerKey, authOwnerSig)` all as ByteStrings +- `decodeConnShortLink(d)`: `anyByte` for mode, then Contact: `(ctTypeChar, srv, linkKey)` or Invitation: `(srv, linkId, linkKey)` +- `decodeProtocolServer(d)`: `decodeBytes` for scheme+keyHash, `decodeBytes` for host, `decodeBytes` for port — need to verify exact encoding +- `decodeUserLinkData(d)`: first byte 0xFF → `decodeLarge`; otherwise it's the 1-byte length of a ByteString +- `parseProfile(userData)`: check first byte for 'X' (0x58, zstd compressed) — if so, decompress; otherwise `JSON.parse` directly + +**Tests**: Haskell encodes `ContactLinkData` with known values → TypeScript decodes → all fields match. + +**FixedLinkData**: deferred to step 15. `linkConnReq` (ConnectionRequestUri) is NOT length-prefixed in the tuple encoding — it requires full parsing. FixedLinkData is also needed to validate mutable data signature using rootKey. + +### Step 15: FixedLinkData Parse + +**File**: `agent/protocol.ts` +**Haskell reference**: `Simplex.Messaging.Agent.Protocol` — `FixedLinkData`, `ConnectionRequestUri`, `ConnReqUriData` Encoding instances + +**Implementation**: +- `decodeFixedLinkData(d)`: `decodeWord16` × 2 for agentVRange, `decodeBytes` for rootKey (32 bytes Ed25519), then parse `ConnectionRequestUri` (mode byte + `ConnReqUriData`), optional `decodeBytes` for linkEntityId +- `decodeConnectionRequestUri(d)`: full parsing of `ConnReqUriData` including SMP queue URIs +- Needed for: connecting to the contact, and validating mutable data signature with rootKey + +**Tests**: Haskell encodes full `FixedLinkData` → TypeScript decodes → rootKey and linkConnReq fields match. + +### Step 10: WebSocket Transport + +**File**: `transport/websockets.ts` +**Pattern reference**: simplexmq-js `WSTransport` + `ABQueue` + +**Implementation**: +- `ABQueue` class: semaphore-based async bounded queue (from simplexmq-js `queue.ts` — reimplement or include as utility). `enqueue`/`dequeue`/`close`, sentinel-based close, async iterator. +- `connectWS(url)`: `new WebSocket(url)`, `binaryType = 'arraybuffer'`, `onmessage` enqueues `Uint8Array` frames into ABQueue, `onclose` closes queue, `onerror` closes socket. Returns transport handle on `onopen`. +- `readBlock(transport)`: dequeue one frame, verify `byteLength === 16384`, return `Uint8Array` +- `sendBlock(transport, data)`: `ws.send(data)`, verify `data.length === 16384` +- `smpHandshake(transport, keyHash)`: `readBlock` → `blockUnpad` → `parseSMPServerHandshake` → negotiate version → `encodeSMPClientHandshake` → `blockPad` → `sendBlock`. Returns `{sessionId, version}`. + +**Integration test**: spawn test SMP server with web credentials (reuse `cfgWebOn` from SMPClient.hs), connect via WebSocket from Node.js, complete handshake, verify sessionId received. + +### Step 11: End-to-End Integration + +Wire steps 6-10 together: `parseShortLink` → `contactShortLinkKdf` → `connectWS` → `smpHandshake` → encode LGET block → `sendBlock` → `readBlock` → `blockUnpad` → `decodeTransmission` → `decodeResponse` → `decryptLinkData` → `decodeFixedLinkData` + `decodeConnLinkData` → `parseProfile`. + +**Test**: Haskell creates a contact address with short link (using agent), TypeScript fetches and decodes it via WebSocket. Profile displayName matches. This is the full spike proof: browser can fetch a SimpleX contact profile via SMP protocol. + +### Step 12: Server Certificate Verification + +**File**: `transport.ts` +**Approach**: client sends a random challenge in an HTTP header on the WebSocket upgrade request. Server includes the signed challenge in the handshake response. Client verifies the signature using the server's certificate chain. + +**Implementation**: +- Generate 32-byte random challenge, send as HTTP header (e.g. `smp-web-challenge`) on WebSocket upgrade +- Parse `CertChainPubKey` from server handshake (already parsed in step 3 as `authPubKey`) +- Verify certificate chain fingerprint matches `keyHash` (reuse xftp-web `caFingerprint`) +- Verify challenge signature (reuse xftp-web `identity.ts` — `extractCertPublicKeyInfo`, signature verification) +- Requires server-side change: detect the challenge header on WebSocket connections, sign `challenge || sessionId` with server key, include proof in handshake + +**Tests**: connect to test server, verify challenge-response succeeds. Connect with wrong keyHash, verify rejection. + +### Step 13: Block Encryption (DH + SbChainKeys) + +**File**: `transport.ts` +**Haskell reference**: `Simplex.Messaging.Crypto` — `sbcInit`, `sbcHkdf`; `Simplex.Messaging.Transport` — `tPutBlock`, `tGetBlock` + +**Implementation**: +- `generateX25519KeyPair()`, `dh(peerPub, ownPriv)` — reuse from xftp-web `keys.ts` +- `sbcInit(sessionId, dhSecret)`: `hkdf(sha512, dhSecret, sessionId, "SimpleXSbChainInit", 64)` → split at 32: `(sndChainKey, rcvChainKey)`. Note client swaps send/receive keys vs server (line 858 Transport.hs). +- `sbcHkdf(chainKey)`: `hkdf(sha512, chainKey, "", "SimpleXSbChain", 88)` → split: 32 bytes new chainKey, 32 bytes sbKey, 24 bytes nonce. Returns `{sbKey, nonce, nextChainKey}`. +- `encryptBlock(state, block)`: `sbcHkdf` → `cryptoBox(sbKey, nonce, pad(block, blockSize - 16))` → 16-byte tag + ciphertext +- `decryptBlock(state, block)`: `sbcHkdf` → split tag (first 16 bytes) + ciphertext → `cryptoBoxOpen` → `unpad` + +**Tests**: Haskell and TypeScript DH with same keys → identical chain keys. Haskell encrypts block → TypeScript decrypts (and vice versa). Chain key advances identically after each block. + +### Step 14: Full Handshake with Auth + +**File**: `transport.ts` +**Haskell reference**: `Simplex.Messaging.Transport` — `smpClientHandshake` (lines 792-842) + +**Implementation**: +- Update `smpHandshake` to generate ephemeral X25519 keypair and include public key in `encodeSMPClientHandshake` as authPubKey +- Compute DH: `dh(serverDhPub, clientPrivKey)` → shared secret +- `sbcInit(sessionId, dhSecret)` → chain keys (with client-side swap) +- All subsequent `readBlock`/`sendBlock` go through `decryptBlock`/`encryptBlock` + +**Tests**: full handshake with real server, block encryption active, exchange encrypted commands. Haskell sends encrypted response → TypeScript decrypts correctly. + + +## Haskell Code References + +### Handshake +- `Simplex.Messaging.Transport` — `smpClientHandshake`, `smpServerHandshake`, `SMPServerHandshake`, `SMPClientHandshake` +- `encodeAuthEncryptCmds` — Nothing → empty, Just → raw smpEncode + +### Protocol +- `Simplex.Messaging.Protocol` — `LGET`, `LNK`, `encodeTransmission_`, `transmissionP` +- Block: `pad`/`unPad` in `Simplex.Messaging.Crypto` + +### Short Links +- `Simplex.Messaging.Crypto.ShortLink` — `contactShortLinkKdf`, `decryptLinkData` +- `Simplex.Messaging.Agent.Protocol` — `ConnShortLink`, `FixedLinkData`, `ConnLinkData`, `UserLinkData` + +### Block Encryption +- `Simplex.Messaging.Crypto` — `sbcInit`, `sbcHkdf`, `sbEncrypt`, `sbDecrypt`, `dh'` +- `Simplex.Messaging.Transport` — `blockEncryption`, `TSbChainKeys`, `tPutBlock`, `tGetBlock` diff --git a/rfcs/2026-03-20-smp-agent-web/2026-05-17-smp-client.md b/rfcs/2026-03-20-smp-agent-web/2026-05-17-smp-client.md new file mode 100644 index 0000000000..224e705b88 --- /dev/null +++ b/rfcs/2026-03-20-smp-agent-web/2026-05-17-smp-client.md @@ -0,0 +1,355 @@ +# SMP Client for Browser + +**Parent**: [SMP Agent Web Spike](./2026-03-20-smp-agent-web-spike.md) +**Depends on**: Spike 1 (merged) — transport, ratchet, encoding, per-queue E2E + +## Context + +The encoding spike proved all four encryption layers work cross-language. The next implementable and testable piece is the SMP client — the layer that sends commands, correlates responses by CorrId, authenticates with entity keys, and exposes typed async functions. + +Faithful transpilation of `Simplex.Messaging.Client` (Client.hs). Transport is WebSocket (already working), protocol logic is identical to Haskell. + +## Encoding path (per command) + +Traced from `sendSMPMessage` through every function call: + +``` +1. encodeTransmission_(v, (corrId, entityId, command)) + → smpEncode(corrId, entityId) <> encodeProtocol(v, cmd) + Already have as encodeTransmission() in protocol.ts — update in place + +2. encodeTransmissionForAuth(thParams, transmission) + → tForAuth = smpEncode(sessionId) <> encodeTransmission_(...) + → tToSend = encodeTransmission_(...) [when implySessId=true, which is always true for v>=7] + Note: implySessId means tToSend omits sessionId, but tForAuth includes it (for signing) + +3. authTransmission(thAuth, serviceAuth=false, maybePrivKey, nonce, tForAuth) + → thAuth contains serverPubKey (X25519) from handshake + → maybePrivKey is Nothing for unauthenticated commands (LGET, SEND without key) + → Nothing privKey: no auth, encode empty ByteString + → Just X25519 privKey: TAAuthenticator(cbAuthenticate(serverPubKey, privKey, nonce, tForAuth)) + → Just Ed25519 privKey: TASignature(sign(privKey, tForAuth)) + Note: nonce IS the CorrId (same 24 bytes used for both) + Note: serviceAuth is always false for browser client (no service certificates) + +4. tEncodeAuth(serviceAuth=false, maybeAuth) + → Nothing: smpEncode("") [1-byte 0x00] + → Just (TAAuthenticator s, _): smpEncode(s) [1-byte len + 80 bytes] + → Just (TASignature sig, _): smpEncode(signatureBytes sig) [1-byte len + 64 bytes] + Note: TAuthorizations = (TransmissionAuth, Maybe serviceSig) — serviceSig always Nothing for us + +5. tEncode(serviceAuth, (auth, tToSend)) + → tEncodeAuth(auth) <> tToSend + +6. tEncodeBatch1(serviceAuth, sentRawTransmission) + → lenEncode(1) + smpEncode(Large(tEncode(...))) + Single-command batch. Always used when batch=true (v7+). + +7. batchTransmissions_(blockSize, transmissions) + → Pack multiple Large-wrapped transmissions into ≤blockSize blocks + → Count byte prefix, up to 255 per block + → blockSize' = blockSize - 19 (2 pad + 1 count + 16 auth tag) +``` + +## Parsing path (per received block) + +``` +1. tParse(thParams, blockBytes) + → batch=true: parse count byte, then N Large-wrapped transmissions + → Each: transmissionP(thParams) parses: + - authenticator (ByteString, 1-byte len + data) — ignored by client + - rest = authorized bytes + - re-parse authorized: corrId (ByteString) + entityId (ByteString) + command (rest) + - if implySessId=true: sessionId not in wire format, prepended from thParams for verification + → Returns RawTransmission{authenticator, corrId, entityId, command} + +2. tDecodeClient(thParams, rawTransmission) + → Verify sessId matches (skipped when implySessId=true) + → parseProtocol(v, command) → Either ErrorType BrokerMsg + → Return (corrId, entityId, Right msg | Left err) + +3. clientResp classification (Client.hs:708-712): + → Left err (parse error) → PCEResponseError + → Right msg, protocolError msg = Just err → PCEProtocolError (ERR response) + → Right msg, protocolError msg = Nothing → Right msg (success) + +4. Process: lookup corrId in pendingCommands + → Found: resolve Promise with clientResp + → Not found (empty corrId = server push): deliver to event callback +``` + +## Functions to implement + +### Crypto (`src/crypto.ts` — extend) + +| Function | Haskell | Implementation | +|---|---|---| +| `sha512Hash(msg)` | `Crypto.hs:1016` | `sha512(msg)` from `@noble/hashes/sha512` | +| `cbAuthenticator(serverPubKey, entityPrivKey, nonce, msg)` | `Crypto.hs:1367` | `cryptoBox(dh(serverPubKey, privKey), nonce, sha512Hash(msg))` → 80 bytes (16 tag + 64 hash) | +`cryptoBox` and `dh` already available from xftp-web. `sha512` from `@noble/hashes`. + +Not needed in spike: `cbDecryptNoPad` (only used by `cbVerify` and proxy commands). + +Ed25519 signing: `crypto_sign_detached` from libsodium (already loaded and initialized via xftp-web for secretbox — no second implementation needed). + +Not needed: `cbVerify` (server-side only). + +### Transport update (`src/transport/websockets.ts` — update) + +**Gap: `connectSMP` must return `serverPubKey`** (raw X25519 public key bytes from the handshake). Currently it computes the DH secret and derives block keys, but discards the server's raw public key. The client needs it for `cbAuthenticate` on every command. + +Update `SMPConnection` to include: +```typescript +interface SMPConnection { + ws: WebSocket + sessionId: Uint8Array + smpVersion: number + sndKey: Uint8Array | null + rcvKey: Uint8Array | null + serverPubKey: Uint8Array | null // raw X25519 public key — needed for command auth +} +``` + +### Protocol encoding (`src/protocol.ts` — update existing) + +Update `encodeTransmission`, `encodeBatch`, `decodeTransmission` in place — these were spike throwaway. Replace with auth-aware versions and update existing tests accordingly. + +| Function | Haskell ref | Notes | +|---|---|---| +| `encodeTransmission_(v, corrId, entityId, command)` | `Protocol.hs:2194` | Update existing `encodeTransmission`. Also fix `encodeNEW`: QueueReqData should be `Just (QRMessaging Nothing)` not `Nothing`, and rename `sndAuthKey` param to `basicAuth` (it's server auth, not a crypto key) | +| `encodeTransmissionForAuth(sessionId, corrId, entityId, command)` | `Protocol.hs:2186` | Returns `{tForAuth, tToSend}`. `implySessId` always true for v>=7 | +| `authTransmission(serverPubKey, maybePrivKey, nonce, tForAuth)` | `Client.hs:1372` | `maybePrivKey` is `{type: "x25519"|"ed25519", key} | null`. Null for unauthenticated commands. X25519 → cbAuthenticator. Ed25519 → sign. | +| `tEncodeAuth(auth)` | `Protocol.hs:507` | Handles null, authenticator (80 bytes), signature (64 bytes) | +| `tEncode(auth, tToSend)` | `Protocol.hs:2171` | `tEncodeAuth(auth) + tToSend` | +| `tEncodeBatch1(auth, tToSend)` | `Protocol.hs:2179` | `[count=1] + Large(tEncode(...))` | +| `tEncodeForBatch(auth, tToSend)` | `Protocol.hs:2175` | `Large(tEncode(...))` | +| `batchTransmissions(blockSize, transmissions)` | `Protocol.hs:2151` | Pack into ≤(blockSize-19)-byte blocks, count prefix | +| `transmissionP(sessionId, block)` | `Protocol.hs:1629` | Skip auth bytes (1-byte len + data), parse corrId + entityId + command from rest. `implySessId`=true (sessionId not in wire, no need to verify on client side), `serviceAuth`=false (no serviceSig to skip) | +| `tParse(sessionId, block)` | `Protocol.hs:2211` | Parse count, N×Large, each through `transmissionP` | +| `tDecodeClient(sessionId, version, rawTransmission)` | `Protocol.hs:2256` | Parse command bytes → typed BrokerMsg | +| `encodePING()` | | PING command for keepalive | + +Update `decodeResponse`: +- Add `SOK` (subscribe response with optional serviceId, returned by SUB in v19) +- Add `INFO` (queue info response, for `getSMPQueueInfo`) +- Improve `ERR` parsing: currently reads just the tag string. Need to parse structured `ErrorType` (at minimum AUTH, QUOTA, NO_MSG, INTERNAL) for proper error handling in the client + +### Client (`src/client.ts` — new) + +```typescript +interface SMPClient { + sessionId: Uint8Array + smpVersion: number + serverPubKey: Uint8Array // for cbAuthenticate + + // Core: send pre-encoded command, correlate response + // Lower-level than Haskell's sendProtocolCommand — takes pre-encoded command bytes + // privKey: {type: "x25519", key} | {type: "ed25519", key} | null + // Rejects with PCEProtocolError (ERR response), PCEResponseError (parse fail), PCEResponseTimeout + sendCommand(privKey: AuthKey | null, entityId: Uint8Array, command: Uint8Array): Promise + + // High-level commands (keys are DER-encoded unless noted) + // authKeyPair: {publicKey, privateKey, type: "x25519"} — public goes in NEW encoding, private for auth + createQueue(authKeyPair, dhKey, subMode): Promise + subscribeQueue(privKey, rcvId): Promise // SUB can return MSG (queued message) → pushed to onMessage + sendMessage(privKey, sndId, flags, msg): Promise // privKey can be null (before queue secured) + ackMessage(privKey, rcvId, msgId): Promise // ACK can return MSG → pushed to onMessage + secureQueue(privKey, rcvId, senderKey): Promise + secureSndQueue(privKey, sndId): Promise + getQueueLink(linkId): Promise<{senderId, linkData}> + getQueueInfo(privKey, queueId): Promise + deleteQueue(privKey, rcvId): Promise + suspendQueue(privKey, rcvId): Promise + + close(): void +} + +function createSMPClient( + url: string, + keyHash: Uint8Array, + onMessage: (entityId: Uint8Array, msg: BrokerMsg) => void, + onDisconnected: () => void, + wsOptions?: object, +): Promise +``` + +Internally: +- `connectSMP` for WebSocket + handshake (existing, updated to return serverPubKey) +- `Map` for hex(corrId) → Promise correlation +- WebSocket `onmessage`: `receiveEncryptedBlock` → `tParse` → for each transmission: `tDecodeClient` → classify via `protocolError` → correlate by corrId or push to `onMessage` +- `sendCommand`: generate random 24-byte corrId/nonce → `encodeTransmissionForAuth` → `authTransmission` → `tEncodeBatch1` → `sendEncryptedBlock` → return Promise resolved by correlator +- `setInterval` ping: send PING, count timeouts, close after N consecutive +- Timeout per command: `setTimeout` on pending Promise, reject with PCEResponseTimeout + +**Message delivery model:** + +All MSGs reach `onMessage` regardless of how they arrive. Three sources: + +1. **Server push** (empty corrId): receive handler calls `onMessage` directly +2. **SUB response**: `sendCommand` resolves with MSG → `subscribeQueue` pushes to `onMessage`, returns success to caller +3. **ACK response**: same — `ackMessage` pushes to `onMessage`, returns success + +High-level functions never expose MSG to their callers. This mirrors Haskell's `processSUBResponse_` (Client.hs:858-862) and `ackSMPMessage` (Client.hs:1042-1044) which both call `writeSMPMessage` to forward MSGs to msgQ and return OK-equivalent. + +### Client REPL (`smp-web/tests/client-repl.ts` — new, separate from ratchet-repl.ts) + +Separate REPL process holding a WebSocket connection + SMP client state. Same stdin/stdout line protocol approach, different state and commands. + +**Message queue:** The REPL maintains an internal `Message[]` queue. The SMPClient's `onMessage` callback pushes to this queue. MSGs arrive here from three sources: server pushes (no corrId), SUB responses, and ACK responses — all handled identically by the client internals. The `RECV` command dequeues from this queue (or waits with timeout). + +**Concurrency:** Unlike the ratchet REPL (pure, no network), the client REPL receives messages concurrently with stdin. This works because Node's event loop handles WebSocket `onmessage` events between readline callbacks — no explicit threading needed. + +``` +CONNECT [wsOptions] + → Creates SMPClient, returns "ok" + +NEW [subMode] + → createQueue (defaults: no basic auth, SMSubscribe, QRMessaging, no ntf creds) + → returns "ok: " + +SUB + → subscribeQueue, returns "ok" + +SEND + → sendMessage, returns "ok" + +ACK + → ackMessage, returns "ok" + +KEY + → secureQueue, returns "ok" + +SKEY + → secureSndQueue, returns "ok" + +LGET + → getQueueLink, returns "ok: " + +RECV [timeoutMs] + → Dequeue next server-pushed MSG, returns "ok: " + → Times out with "error: timeout" if no message arrives +``` + +### Polymorphic testing + +Same pattern as ratchet tests: `TestPeer` sum type with `TestPeerHS` / `TestPeerJS` dispatch. For SMP client tests: + +```haskell +data TestSMPClient + = TestClientHS SMPClient + | TestClientJS Handle Handle ProcessHandle -- stdin, stdout, process + +-- Dispatch functions +tcCreateQueue :: TestSMPClient -> ... -> IO QueueIdsKeys +tcSubscribe :: TestSMPClient -> ... -> IO () +tcSendMessage :: TestSMPClient -> ... -> IO () +tcReceiveMessage :: TestSMPClient -> IO (EntityId, MsgId, ByteString) +tcSecureQueue :: TestSMPClient -> ... -> IO () +tcAckMessage :: TestSMPClient -> ... -> IO () +``` + +Then the same test function runs against HS↔HS, HS↔JS, JS↔HS, JS↔JS peer combinations. The test creates two clients (one receiver, one sender) on the same SMP server, creates a queue, exchanges keys, sends messages — proving protocol compatibility. + +## Tests + +### Unit tests (callNode, no server) + +1. `sha512Hash` — same input → same output as Haskell +2. `cbAuthenticator` — same serverPubKey + entityPrivKey + nonce + message → same 80 bytes as Haskell +3. `encodeTransmissionForAuth` — same sessionId + corrId + entityId + command (encoded at v19) → same `{tForAuth, tToSend}` as Haskell +4. `authTransmission` with X25519 key — same keys + nonce + tForAuth → same authenticated bytes as Haskell +5. `authTransmission` with Ed25519 key — same key + tForAuth → same signature bytes as Haskell +6. `authTransmission` with no key (Nothing) — produces empty auth, matches Haskell +7. `tEncodeBatch1` — same auth + transmission → same block bytes as Haskell +8. `tParse` + `tDecodeClient` — TS parses Haskell-encoded response block, extracts corrId + entityId + typed response +9. `batchTransmissions` — given N transmissions, produces same batch boundaries and block bytes as Haskell + +### Integration tests (with SMP server, using REPL) + +10. JS client connects, sends PING, receives PONG +11. JS client creates queue (NEW → IDS) +12. JS receiver creates queue + subscribes, JS sender sends message, receiver gets MSG +13. Full handshake: create queue → secure (KEY) → subscribe → send → receive MSG → ack + +### Polymorphic integration tests + +14. Same test function, peer combinations: + - HS sender, JS receiver + - JS sender, HS receiver + - JS sender, JS receiver + +## Implementation order + +1. Transport update — `connectSMP` returns `serverPubKey` +2. Crypto additions — `sha512Hash`, `cbAuthenticator`, Ed25519 `sign` +3. Protocol encoding updates — `encodeTransmissionForAuth`, `authTransmission`, `tEncode`, `tEncodeBatch1`, `batchTransmissions`, `encodePING` +4. Protocol parsing updates — `transmissionP`, `tParse`, `tDecodeClient`, update `decodeResponse` (add `SOK`, `INFO`, structured `ERR`) +5. Unit tests for steps 1-4 +6. Client core — `createSMPClient`, `sendCommand`, corrId correlation, receive dispatch, ping +7. High-level command functions +8. Client REPL +9. Integration tests with server +10. Polymorphic test wiring + +## Files + +| File | Action | +|---|---| +| `smp-web/src/transport/websockets.ts` | Update `connectSMP` to return `serverPubKey` | +| `smp-web/src/crypto.ts` | Add `sha512Hash`, `cbAuthenticator`, Ed25519 `sign` | +| `smp-web/src/protocol.ts` | Update transmission encoding/parsing, add auth, batching | +| `smp-web/src/client.ts` | New — SMP client | +| `smp-web/tests/client-repl.ts` | New — SMP client REPL for integration tests | +| `tests/SMPWebTests.hs` | Unit + integration tests | + +## Scope + +### Client spike (this plan) + +Core client: connect, auth, send/receive, correlate, ping. High-level commands: NEW, SUB, KEY, SKEY, SEND, ACK, OFF, DEL, LGET, GET, QUE (getSMPQueueInfo). Single-command path. Tests against real server. + +### Client MVP (next, after spike) + +- Proxy commands (PRXY, PFWD, PRES) — essential for privacy, users must not connect directly to untrusted servers +- Batch subscribe (subscribeSMPQueues) — needed for groups +- `reverseNonce` — needed for proxy +- Batch delete (deleteSMPQueues) + +### Post-MVP + +| What | Why | +|---|---| +| Notification commands (NKEY, NDEL, NSUB) | Value only with webpush support | +| Service certificates (serviceAuth, serviceSig) | Browser doesn't use | +| Stream commands (streamSubscribeSMPQueues) | Not used in Haskell client either | +| NetworkConfig, SOCKS, host mode, transport selection | Browser connects via WebSocket directly | +| Queue link management (LSET, LDEL, LKEY) | Only needed to create links, not join them | +| `cbVerify` | Server-side only | + +## Haskell references + +- `Client.hs:179-200` — ProtocolClient, PClient types +- `Client.hs:248` — `type SMPClient = ProtocolClient SMPVersion ErrorType BrokerMsg` +- `Client.hs:506-512` — Request type +- `Client.hs:628-642` — client connection, handshake, raceAny_ [send, process, receive, monitor] +- `Client.hs:644-658` — send loop, receive loop +- `Client.hs:660-678` — monitor/ping loop +- `Client.hs:680-719` — process loop, processMsg (corrId correlation, clientResp classification) +- `Client.hs:810-828` — createSMPQueue +- `Client.hs:833-836` — subscribeSMPQueue +- `Client.hs:938-939` — secureSMPQueue +- `Client.hs:1027-1031` — sendSMPMessage +- `Client.hs:1040-1045` — ackSMPMessage (note: ACK can return MSG) +- `Client.hs:1239-1243` — okSMPCommand pattern +- `Client.hs:1300-1326` — sendProtocolCommand_, sendRecv, size check, tEncodeBatch1 +- `Client.hs:1333-1344` — getResponse, timeout handling +- `Client.hs:1349-1370` — mkTransmission_, CorrId=nonce, encodeTransmissionForAuth, authTransmission +- `Client.hs:1372-1391` — authTransmission, authenticate (X25519 vs Ed25519), service sig +- `Protocol.hs:488-525` — RawTransmission, TransmissionAuth, TAuthorizations, tEncodeAuth +- `Protocol.hs:1629-1643` — transmissionP +- `Protocol.hs:2129-2198` — batching, tEncode, tEncodeBatch1, batchTransmissions_ +- `Protocol.hs:2207-2267` — tGetClient, tParse, tDecodeClient +- `Crypto.hs:1016` — sha512Hash +- `Crypto.hs:1296-1298` — cbEncryptNoPad (= cryptoBox without padding) +- `Crypto.hs:1330-1331` — cbDecryptNoPad +- `Crypto.hs:1366-1371` — cbAuthenticate, cbVerify diff --git a/rfcs/2026-03-20-smp-agent-web/2026-05-20-client-mvp.md b/rfcs/2026-03-20-smp-agent-web/2026-05-20-client-mvp.md new file mode 100644 index 0000000000..ab58f6a8d4 --- /dev/null +++ b/rfcs/2026-03-20-smp-agent-web/2026-05-20-client-mvp.md @@ -0,0 +1,238 @@ +# SMP Client MVP: Proxy + Batching — Transpilation Plan + +**Parent**: [SMP Client Spike](./2026-05-17-smp-client.md) + +## Rule + +Every TypeScript function is a faithful transpilation of a specific Haskell function at specific lines. Same name, same steps, same call chain. No inferences, no approximations. Each entry below gives the exact source to transpile from. + +## Crypto functions + +### `reverseNonce` → transpile `Crypto.hs:1409-1410` +```haskell +reverseNonce (CryptoBoxNonce s) = CryptoBoxNonce (B.reverse s) +``` +TS: `function reverseNonce(nonce: Uint8Array): Uint8Array` — reverse the 24 bytes. + +### `cbDecryptNoPad` → transpile `Crypto.hs:1330-1331` +```haskell +cbDecryptNoPad (DhSecretX25519 secret) = sbDecryptNoPad_ secret +``` +Which is `sbDecryptNoPad_` from secretbox. xftp-web's `cbDecrypt` does decrypt+unpad. Need decrypt without unpad — extract tag(16) + cipher, decrypt, verify tag, return raw (no unpad). Use xftp-web's `sbInit`/`sbDecryptChunk`/`sbAuth` directly. + +## Protocol encoding functions + +### `encodeProtocolServer` → transpile `Protocol.hs:1264-1266` +```haskell +smpEncode ProtocolServer {host, port, keyHash} = smpEncode (host, port, keyHash) +``` +Where: +- `host :: NonEmpty TransportHost` → `smpEncodeList` (1-byte count + items) +- Each `TransportHost` → `smpEncode (strEncode host)` → `encodeBytes(ascii(hostname))` (`Transport/Client.hs:77-78`) +- `port :: ServiceName` = ByteString → `encodeBytes(port)` +- `keyHash :: KeyHash` = ByteString → `encodeBytes(keyHash)` + +File: `src/protocol.ts` + +### `encodePRXY` → transpile `Protocol.hs:1710` +```haskell +PRXY host auth_ -> e (PRXY_, ' ', host, auth_) +``` += `"PRXY " + smpEncode(server) + smpEncode(Maybe BasicAuth)` + +Where `Maybe BasicAuth` = `encodeMaybe(encodeBytes, auth)`. + +### `encodePFWD` → transpile `Protocol.hs:1711` +```haskell +PFWD fwdV pubKey (EncTransmission s) -> e (PFWD_, ' ', fwdV, pubKey, Tail s) +``` += `"PFWD " + encodeWord16(version) + encodeBytes(pubKeyDer) + encTransmission` (Tail = no length prefix) + +### `decodePKEY` → transpile `Protocol.hs:1894` +```haskell +PKEY_ -> PKEY <$> _smpP <*> smpP <*> smpP +``` += space + `decodeBytes(d)` (sessionId) + `decodeVersionRange(d)` + `decodeCertChainPubKey(d)` + +`VersionRange` encoding (`Version.hs`): `smpEncode (minVersion, maxVersion)` = two Word16. + +`CertChainPubKey` encoding (`Transport.hs:663-667`): `smpEncode (encodeCertChain chain, SignedObject signedPubKey)` — `encodeCertChain` is `Large`-encoded DER bytes, `SignedObject` is `Large`-encoded DER bytes. + +### `decodePRES` → transpile `Protocol.hs:1896` +```haskell +PRES_ -> PRES <$> (EncResponse . unTail <$> _smpP) +``` += space + rest of bytes (Tail) → `EncResponse` + +### Add to `decodeResponse`: `PKEY` and `PRES` cases. + +## Client functions + +### `sendProtocolCommands` → transpile `Client.hs:1262-1278` + +Call chain: +1. `mapM (mkTransmission c) cs` — for each command: generate corrId, encode, auth, register pending request +2. `batchTransmissions' thParams` — pack into blocks +3. `mapM (sendBatch c nm) bs` — send each block, collect responses +4. `validate` — verify response count matches command count + +In TS: `mkTransmission` = the existing `sendCommand` logic (corrId generation, `encodeTransmissionForAuth`, `authTransmission`) but separated into encode+register vs send+await. Need to refactor `sendCommand` to split these. + +### `batchTransmissions'` → transpile `Protocol.hs:2135-2148` + +Already have `batchTransmissions` in protocol.ts that does `batchTransmissions_`. Need `batchTransmissions'` which wraps with `tEncodeForBatch` before batching. Currently the TS `batchTransmissions` takes pre-encoded Large-wrapped bytes. Need to match the Haskell call chain exactly: + +```haskell +batchTransmissions' params ts + | batch = batchTransmissions_ bSize $ L.map (first $ fmap $ tEncodeForBatch serviceAuth) ts +``` + +### `sendBatch` → transpile `Client.hs:1285-1298` + +Three cases: +- `TBError`: return error response +- `TBTransmissions s n rs`: send block `s`, await all `n` responses concurrently +- `TBTransmission s r`: send block `s`, await one response + +In browser: "concurrently" = all promises pending simultaneously, resolved by `onBlock` handler as responses arrive. + +### `subscribeSMPQueues` → transpile `Client.hs:840-845` +```haskell +subscribeSMPQueues c qs = do + liftIO $ enablePings c + sendProtocolCommands c NRMBackground cs >>= mapM (processSUBResponse c) + where + cs = L.map (\(rId, rpKey) -> (rId, Just rpKey, Cmd SRecipient SUB)) qs +``` + +### `processSUBResponse` → transpile `Client.hs:854-862` +```haskell +processSUBResponse c (Response rId r) = pure r $>>= processSUBResponse_ c rId +processSUBResponse_ c rId = \case + OK -> pure $ Right Nothing + SOK serviceId_ -> pure $ Right serviceId_ + cmd@MSG {} -> writeSMPMessage c rId cmd $> Right Nothing + r' -> pure . Left $ unexpectedResponse r' +``` +MSG → push to `onMessage`, return success. Same pattern as single subscribe. + +### `deleteSMPQueues` → transpile `Client.hs:1062-1065` +```haskell +deleteSMPQueues = okSMPCommands DEL +``` +Uses `okSMPCommands` (`Client.hs:1245-1253`) which calls `sendProtocolCommands` and checks each response is OK. + +### `connectSMPProxiedRelay` → transpile `Client.hs:1069-1093` + +Call chain: +1. Send `PRXY relayServ proxyAuth` to proxy (via `sendProtocolCommand_`, entityId = NoEntity) +2. Receive `PKEY sessionId versionRange certChainPubKey` +3. Check version compatibility +4. `validateRelay chain key` — validate cert chain against relay's keyHash, extract X25519 key +5. Return `ProxiedRelay {sessionId, version, auth, relayKey}` + +`validateRelay` (`Client.hs:1085-1093`): +1. `chainIdCaCerts chain` → extract leaf, id, ca certs +2. Check `Fingerprint kh == getFingerprint idCert SHA256` +3. `x509validate caCert (hostName, port) chain` +4. Extract server key from leaf cert +5. Verify signed key against server key + +In browser: we already have `verifyIdentityProof` and `extractSignedKey` from xftp-web. Need to adapt for relay validation where we receive the cert chain in the PKEY response (DER-encoded, not from TLS handshake). + +### `proxySMPCommand` → transpile `Client.hs:1157-1206` + +Call chain: +1. Construct `serverThParams` = `smpTHParamsSetVersion v proxyThParams {sessionId, thAuth = serverThAuth}` + - `serverThAuth = thAuth proxyThParams with peerServerPubKey = relayKey` +2. Generate ephemeral X25519 keypair: `(cmdPubKey, cmdPrivKey)` +3. `cmdSecret = dh(relayKey, cmdPrivKey)` +4. Generate random nonce (also used as corrId) +5. `encodeTransmissionForAuth serverThParams (CorrId corrId, sId, Cmd sParty command)` — encode as if sending to relay +6. `authTransmission serverThAuth False spKey nonce tForAuth` — authenticate with entity key against relay +7. `batchTransmissions serverThParams [Right (auth, tToSend)]` — batch into single block +8. `cbEncrypt cmdSecret nonce batchBlock paddedProxiedTLength` → `EncTransmission` +9. Send `PFWD version cmdPubKey encTransmission` to proxy (entityId = sessionId) +10. Receive `PRES (EncResponse encResponse)` +11. `cbDecrypt cmdSecret (reverseNonce nonce) encResponse` — decrypt relay's response +12. `tParse serverThParams decrypted` — parse as relay's response +13. `tDecodeClient serverThParams parsed` — decode command +14. Classify: `Right (ERR e)` → throw PCEProtocolError, `Right r` → return Right r, `Left e` → throw PCEResponseError + +Error wrapping (`Client.hs:1200-1206`): proxy-level errors (from PFWD response itself) → `ProxyClientError` returned as `Left`. Relay-level errors (inside PRES) → `PCEProtocolError` thrown. + +### `paddedProxiedTLength` → `Protocol.hs:306-307` = 16226 + +## Constants + +``` +paddedProxiedTLength = 16226 -- Protocol.hs:306 +serviceCertsSMPVersion = 16 -- Transport.hs:213 +``` + +## Testing + +### Unit tests (callNode, no server) +Each encoding function tested byte-for-byte against Haskell: +1. `reverseNonce` — reverse known bytes, compare +2. `encodeProtocolServer` — encode known server, compare with `smpEncode @SMPServer` +3. `encodePRXY` — encode PRXY command, compare with `encodeProtocol v (Cmd SProxiedClient (PRXY srv auth))` +4. `encodePFWD` — encode PFWD command, compare with `encodeProtocol v (Cmd SProxiedClient (PFWD v pk et))` +5. `batchTransmissions` with multiple commands — same batch boundaries as `batchTransmissions_` in Haskell + +### Integration tests (with two SMP servers, from SMPProxyTests.hs pattern) +6. `connectProxiedRelay` — JS connects to proxy, sends PRXY for relay, gets PKEY, validates cert, extracts key +7. `proxySMPMessage` — JS sends SEND via proxy to relay, HS receiver gets MSG +8. Full proxy roundtrip — JS creates queue on relay via proxy, sends message via proxy, HS receives + +### Batch tests +9. `subscribeSMPQueues` — JS batch-subscribes to N queues, verifies all subscribed +10. `deleteSMPQueues` — JS batch-deletes N queues + +## Implementation order + +1. `reverseNonce`, `cbDecryptNoPad` +2. `encodeProtocolServer`, `encodePRXY`, `encodePFWD` +3. `decodePKEY`, `decodePRES`, update `decodeResponse` +4. Unit tests for steps 1-3 +5. Refactor `sendCommand` → split into `mkTransmission` (encode+register) and send +6. `sendProtocolCommands`, `sendBatch` +7. `subscribeSMPQueues`, `deleteSMPQueues` +8. Batch integration tests +9. `connectSMPProxiedRelay` (cert validation, PRXY/PKEY) +10. `proxySMPCommand`, `proxySMPMessage` +11. Proxy integration tests + +## Files + +| File | Action | +|---|---| +| `smp-web/src/crypto.ts` | `reverseNonce`, `cbDecryptNoPad` | +| `smp-web/src/protocol.ts` | `encodeProtocolServer`, `encodePRXY`, `encodePFWD`, `decodePKEY`, `decodePRES` | +| `smp-web/src/client.ts` | `sendProtocolCommands`, `sendBatch`, `subscribeSMPQueues`, `deleteSMPQueues`, `connectSMPProxiedRelay`, `proxySMPCommand` | +| `smp-web/tests/client-repl.ts` | Proxy + batch REPL commands | +| `tests/SMPWebTests.hs` | Tests | + +## Haskell source — exact lines to transpile + +| TS function | Haskell function | File:lines | +|---|---|---| +| `reverseNonce` | `reverseNonce` | `Crypto.hs:1409-1410` | +| `cbDecryptNoPad` | `cbDecryptNoPad` / `sbDecryptNoPad_` | `Crypto.hs:1330-1331` | +| `encodeProtocolServer` | `instance Encoding (ProtocolServer p)` | `Protocol.hs:1264-1266` | +| `encodePRXY` | `encodeProtocol v (PRXY ...)` | `Protocol.hs:1710` | +| `encodePFWD` | `encodeProtocol v (PFWD ...)` | `Protocol.hs:1711` | +| `decodePKEY` | `protocolP v PKEY_` | `Protocol.hs:1894` | +| `decodePRES` | `protocolP v PRES_` | `Protocol.hs:1896` | +| `sendProtocolCommands` | `sendProtocolCommands` | `Client.hs:1262-1278` | +| `sendBatch` | `sendBatch` | `Client.hs:1285-1298` | +| `subscribeSMPQueues` | `subscribeSMPQueues` | `Client.hs:840-845` | +| `processSUBResponse` | `processSUBResponse` + `processSUBResponse_` | `Client.hs:854-862` | +| `deleteSMPQueues` | `deleteSMPQueues` via `okSMPCommands` | `Client.hs:1062-1065, 1245-1253` | +| `connectSMPProxiedRelay` | `connectSMPProxiedRelay` | `Client.hs:1069-1093` | +| `validateRelay` | `validateRelay` (inside `connectSMPProxiedRelay`) | `Client.hs:1085-1093` | +| `proxySMPCommand` | `proxySMPCommand` | `Client.hs:1157-1206` | +| `proxyOKSMPCommand` | `proxyOKSMPCommand` | `Client.hs:1150-1155` | +| `smpTHParamsSetVersion` | `smpTHParamsSetVersion` | `Transport.hs:921-926` | +| `batchTransmissions'` | `batchTransmissions'` | `Protocol.hs:2135-2148` | +| `batchTransmissions_` | `batchTransmissions_` | `Protocol.hs:2150-2169` | diff --git a/simplexmq.cabal b/simplexmq.cabal index 66cd43b174..6637a00024 100644 --- a/simplexmq.cabal +++ b/simplexmq.cabal @@ -359,6 +359,7 @@ library , temporary ==1.3.* , wai >=3.2 && <3.3 , wai-app-static >=3.1 && <3.2 + , wai-websockets >=3.0.1 && <3.1 , warp ==3.3.30 , warp-tls ==3.4.7 , websockets ==0.12.* @@ -514,6 +515,7 @@ test-suite simplexmq-test XFTPServerTests WebTests XFTPWebTests + SMPWebTests SMPWeb XFTPWeb Web.Embedded diff --git a/smp-web/.gitignore b/smp-web/.gitignore new file mode 100644 index 0000000000..0a57d7b8c7 --- /dev/null +++ b/smp-web/.gitignore @@ -0,0 +1,4 @@ +node_modules/ +dist/ +dist-test/ +package-lock.json diff --git a/smp-web/cbits/js_random.js b/smp-web/cbits/js_random.js new file mode 100644 index 0000000000..7c2eececf2 --- /dev/null +++ b/smp-web/cbits/js_random.js @@ -0,0 +1,14 @@ +addToLibrary({ + js_random_bytes: function(buf, len) { + var bytes = new Uint8Array(len); + if (typeof crypto !== 'undefined' && crypto.getRandomValues) { + crypto.getRandomValues(bytes); + } else { + // Node.js fallback + var nodeCrypto = require('crypto'); + var nodeBytes = nodeCrypto.randomBytes(len); + bytes.set(nodeBytes); + } + HEAPU8.set(bytes, buf); + } +}); diff --git a/smp-web/cbits/sha512.c b/smp-web/cbits/sha512.c new file mode 100644 index 0000000000..8045fa8ee2 --- /dev/null +++ b/smp-web/cbits/sha512.c @@ -0,0 +1,315 @@ +/* +20080913 +D. J. Bernstein +Public domain. + +SHA-512 implementation from SUPERCOP/NaCl. +Source: https://bench.cr.yp.to/supercop.html + crypto_hashblocks/sha512/ref/blocks.c + crypto_hash/sha512/ref/hash.c + +Combined into a single file for WASM compilation alongside sntrup761. +*/ + +#include "sha512.h" + +typedef unsigned long long uint64; + +/* -- crypto_hashblocks_sha512 (blocks.c) -- */ + +static uint64 load_bigendian(const unsigned char *x) +{ + return + (uint64) (x[7]) \ + | (((uint64) (x[6])) << 8) \ + | (((uint64) (x[5])) << 16) \ + | (((uint64) (x[4])) << 24) \ + | (((uint64) (x[3])) << 32) \ + | (((uint64) (x[2])) << 40) \ + | (((uint64) (x[1])) << 48) \ + | (((uint64) (x[0])) << 56) + ; +} + +static void store_bigendian(unsigned char *x,uint64 u) +{ + x[7] = u; u >>= 8; + x[6] = u; u >>= 8; + x[5] = u; u >>= 8; + x[4] = u; u >>= 8; + x[3] = u; u >>= 8; + x[2] = u; u >>= 8; + x[1] = u; u >>= 8; + x[0] = u; +} + +#define SHR(x,c) ((x) >> (c)) +#define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c)))) + +#define Ch(x,y,z) ((x & y) ^ (~x & z)) +#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z)) +#define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39)) +#define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41)) +#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x,7)) +#define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6)) + +#define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0; + +#define EXPAND \ + M(w0 ,w14,w9 ,w1 ) \ + M(w1 ,w15,w10,w2 ) \ + M(w2 ,w0 ,w11,w3 ) \ + M(w3 ,w1 ,w12,w4 ) \ + M(w4 ,w2 ,w13,w5 ) \ + M(w5 ,w3 ,w14,w6 ) \ + M(w6 ,w4 ,w15,w7 ) \ + M(w7 ,w5 ,w0 ,w8 ) \ + M(w8 ,w6 ,w1 ,w9 ) \ + M(w9 ,w7 ,w2 ,w10) \ + M(w10,w8 ,w3 ,w11) \ + M(w11,w9 ,w4 ,w12) \ + M(w12,w10,w5 ,w13) \ + M(w13,w11,w6 ,w14) \ + M(w14,w12,w7 ,w15) \ + M(w15,w13,w8 ,w0 ) + +#define F(w,k) \ + T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \ + T2 = Sigma0(a) + Maj(a,b,c); \ + h = g; \ + g = f; \ + f = e; \ + e = d + T1; \ + d = c; \ + c = b; \ + b = a; \ + a = T1 + T2; + +static int crypto_hashblocks_sha512(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen) +{ + uint64 state[8]; + uint64 a; + uint64 b; + uint64 c; + uint64 d; + uint64 e; + uint64 f; + uint64 g; + uint64 h; + uint64 T1; + uint64 T2; + + a = load_bigendian(statebytes + 0); state[0] = a; + b = load_bigendian(statebytes + 8); state[1] = b; + c = load_bigendian(statebytes + 16); state[2] = c; + d = load_bigendian(statebytes + 24); state[3] = d; + e = load_bigendian(statebytes + 32); state[4] = e; + f = load_bigendian(statebytes + 40); state[5] = f; + g = load_bigendian(statebytes + 48); state[6] = g; + h = load_bigendian(statebytes + 56); state[7] = h; + + while (inlen >= 128) { + uint64 w0 = load_bigendian(in + 0); + uint64 w1 = load_bigendian(in + 8); + uint64 w2 = load_bigendian(in + 16); + uint64 w3 = load_bigendian(in + 24); + uint64 w4 = load_bigendian(in + 32); + uint64 w5 = load_bigendian(in + 40); + uint64 w6 = load_bigendian(in + 48); + uint64 w7 = load_bigendian(in + 56); + uint64 w8 = load_bigendian(in + 64); + uint64 w9 = load_bigendian(in + 72); + uint64 w10 = load_bigendian(in + 80); + uint64 w11 = load_bigendian(in + 88); + uint64 w12 = load_bigendian(in + 96); + uint64 w13 = load_bigendian(in + 104); + uint64 w14 = load_bigendian(in + 112); + uint64 w15 = load_bigendian(in + 120); + + F(w0 ,0x428a2f98d728ae22ULL) + F(w1 ,0x7137449123ef65cdULL) + F(w2 ,0xb5c0fbcfec4d3b2fULL) + F(w3 ,0xe9b5dba58189dbbcULL) + F(w4 ,0x3956c25bf348b538ULL) + F(w5 ,0x59f111f1b605d019ULL) + F(w6 ,0x923f82a4af194f9bULL) + F(w7 ,0xab1c5ed5da6d8118ULL) + F(w8 ,0xd807aa98a3030242ULL) + F(w9 ,0x12835b0145706fbeULL) + F(w10,0x243185be4ee4b28cULL) + F(w11,0x550c7dc3d5ffb4e2ULL) + F(w12,0x72be5d74f27b896fULL) + F(w13,0x80deb1fe3b1696b1ULL) + F(w14,0x9bdc06a725c71235ULL) + F(w15,0xc19bf174cf692694ULL) + + EXPAND + + F(w0 ,0xe49b69c19ef14ad2ULL) + F(w1 ,0xefbe4786384f25e3ULL) + F(w2 ,0x0fc19dc68b8cd5b5ULL) + F(w3 ,0x240ca1cc77ac9c65ULL) + F(w4 ,0x2de92c6f592b0275ULL) + F(w5 ,0x4a7484aa6ea6e483ULL) + F(w6 ,0x5cb0a9dcbd41fbd4ULL) + F(w7 ,0x76f988da831153b5ULL) + F(w8 ,0x983e5152ee66dfabULL) + F(w9 ,0xa831c66d2db43210ULL) + F(w10,0xb00327c898fb213fULL) + F(w11,0xbf597fc7beef0ee4ULL) + F(w12,0xc6e00bf33da88fc2ULL) + F(w13,0xd5a79147930aa725ULL) + F(w14,0x06ca6351e003826fULL) + F(w15,0x142929670a0e6e70ULL) + + EXPAND + + F(w0 ,0x27b70a8546d22ffcULL) + F(w1 ,0x2e1b21385c26c926ULL) + F(w2 ,0x4d2c6dfc5ac42aedULL) + F(w3 ,0x53380d139d95b3dfULL) + F(w4 ,0x650a73548baf63deULL) + F(w5 ,0x766a0abb3c77b2a8ULL) + F(w6 ,0x81c2c92e47edaee6ULL) + F(w7 ,0x92722c851482353bULL) + F(w8 ,0xa2bfe8a14cf10364ULL) + F(w9 ,0xa81a664bbc423001ULL) + F(w10,0xc24b8b70d0f89791ULL) + F(w11,0xc76c51a30654be30ULL) + F(w12,0xd192e819d6ef5218ULL) + F(w13,0xd69906245565a910ULL) + F(w14,0xf40e35855771202aULL) + F(w15,0x106aa07032bbd1b8ULL) + + EXPAND + + F(w0 ,0x19a4c116b8d2d0c8ULL) + F(w1 ,0x1e376c085141ab53ULL) + F(w2 ,0x2748774cdf8eeb99ULL) + F(w3 ,0x34b0bcb5e19b48a8ULL) + F(w4 ,0x391c0cb3c5c95a63ULL) + F(w5 ,0x4ed8aa4ae3418acbULL) + F(w6 ,0x5b9cca4f7763e373ULL) + F(w7 ,0x682e6ff3d6b2b8a3ULL) + F(w8 ,0x748f82ee5defb2fcULL) + F(w9 ,0x78a5636f43172f60ULL) + F(w10,0x84c87814a1f0ab72ULL) + F(w11,0x8cc702081a6439ecULL) + F(w12,0x90befffa23631e28ULL) + F(w13,0xa4506cebde82bde9ULL) + F(w14,0xbef9a3f7b2c67915ULL) + F(w15,0xc67178f2e372532bULL) + + EXPAND + + F(w0 ,0xca273eceea26619cULL) + F(w1 ,0xd186b8c721c0c207ULL) + F(w2 ,0xeada7dd6cde0eb1eULL) + F(w3 ,0xf57d4f7fee6ed178ULL) + F(w4 ,0x06f067aa72176fbaULL) + F(w5 ,0x0a637dc5a2c898a6ULL) + F(w6 ,0x113f9804bef90daeULL) + F(w7 ,0x1b710b35131c471bULL) + F(w8 ,0x28db77f523047d84ULL) + F(w9 ,0x32caab7b40c72493ULL) + F(w10,0x3c9ebe0a15c9bebcULL) + F(w11,0x431d67c49c100d4cULL) + F(w12,0x4cc5d4becb3e42b6ULL) + F(w13,0x597f299cfc657e2aULL) + F(w14,0x5fcb6fab3ad6faecULL) + F(w15,0x6c44198c4a475817ULL) + + a += state[0]; + b += state[1]; + c += state[2]; + d += state[3]; + e += state[4]; + f += state[5]; + g += state[6]; + h += state[7]; + + state[0] = a; + state[1] = b; + state[2] = c; + state[3] = d; + state[4] = e; + state[5] = f; + state[6] = g; + state[7] = h; + + in += 128; + inlen -= 128; + } + + store_bigendian(statebytes + 0,state[0]); + store_bigendian(statebytes + 8,state[1]); + store_bigendian(statebytes + 16,state[2]); + store_bigendian(statebytes + 24,state[3]); + store_bigendian(statebytes + 32,state[4]); + store_bigendian(statebytes + 40,state[5]); + store_bigendian(statebytes + 48,state[6]); + store_bigendian(statebytes + 56,state[7]); + + return inlen; +} + +/* -- crypto_hash_sha512 (hash.c) -- */ + +static const unsigned char iv[64] = { + 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, + 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, + 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, + 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, + 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, + 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, + 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, + 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 +}; + +void crypto_hash_sha512(unsigned char *out, + const unsigned char *in, + unsigned long long inlen) +{ + unsigned char h[64]; + unsigned char padded[256]; + int i; + unsigned long long bytes = inlen; + + for (i = 0;i < 64;++i) h[i] = iv[i]; + + crypto_hashblocks_sha512(h,in,inlen); + in += inlen; + inlen &= 127; + in -= inlen; + + for (i = 0;i < (int)inlen;++i) padded[i] = in[i]; + padded[inlen] = 0x80; + + if (inlen < 112) { + for (i = inlen + 1;i < 119;++i) padded[i] = 0; + padded[119] = bytes >> 61; + padded[120] = bytes >> 53; + padded[121] = bytes >> 45; + padded[122] = bytes >> 37; + padded[123] = bytes >> 29; + padded[124] = bytes >> 21; + padded[125] = bytes >> 13; + padded[126] = bytes >> 5; + padded[127] = bytes << 3; + crypto_hashblocks_sha512(h,padded,128); + } else { + for (i = inlen + 1;i < 247;++i) padded[i] = 0; + padded[247] = bytes >> 61; + padded[248] = bytes >> 53; + padded[249] = bytes >> 45; + padded[250] = bytes >> 37; + padded[251] = bytes >> 29; + padded[252] = bytes >> 21; + padded[253] = bytes >> 13; + padded[254] = bytes >> 5; + padded[255] = bytes << 3; + crypto_hashblocks_sha512(h,padded,256); + } + + for (i = 0;i < 64;++i) out[i] = h[i]; +} diff --git a/smp-web/cbits/sntrup761.d.mts b/smp-web/cbits/sntrup761.d.mts new file mode 100644 index 0000000000..2f603d0da7 --- /dev/null +++ b/smp-web/cbits/sntrup761.d.mts @@ -0,0 +1,11 @@ +interface Sntrup761Module { + _sntrup761_wasm_keypair(pk: number, sk: number): void + _sntrup761_wasm_enc(c: number, k: number, pk: number): void + _sntrup761_wasm_dec(k: number, c: number, sk: number): void + _malloc(size: number): number + _free(ptr: number): void + HEAPU8: Uint8Array +} + +declare function createSntrup761(): Promise +export default createSntrup761 diff --git a/smp-web/cbits/sntrup761_wasm.c b/smp-web/cbits/sntrup761_wasm.c new file mode 100644 index 0000000000..857db35066 --- /dev/null +++ b/smp-web/cbits/sntrup761_wasm.c @@ -0,0 +1,34 @@ +/* + * WASM wrapper for sntrup761. + * Provides JS-callable functions with RNG from JS imports. + * + * Build: emcc sntrup761_wasm.c sntrup761.c sha512.c -O2 -o sntrup761.js \ + * -s EXPORTED_FUNCTIONS='["_sntrup761_wasm_keypair","_sntrup761_wasm_enc","_sntrup761_wasm_dec","_malloc","_free"]' \ + * -s EXPORTED_RUNTIME_METHODS='["ccall","cwrap"]' + */ + +#include "sntrup761.h" +#include + +/* Import RNG from JS environment */ +extern void js_random_bytes(unsigned char *buf, int len); + +/* RNG callback adapter for sntrup761 */ +static void wasm_random(void *ctx, size_t length, uint8_t *dst) { + (void)ctx; + js_random_bytes(dst, (int)length); +} + +/* JS-callable wrappers */ + +void sntrup761_wasm_keypair(unsigned char *pk, unsigned char *sk) { + sntrup761_keypair(pk, sk, NULL, wasm_random); +} + +void sntrup761_wasm_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) { + sntrup761_enc(c, k, pk, NULL, wasm_random); +} + +void sntrup761_wasm_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) { + sntrup761_dec(k, c, sk); +} diff --git a/smp-web/package.json b/smp-web/package.json new file mode 100644 index 0000000000..ab9ff7c1e5 --- /dev/null +++ b/smp-web/package.json @@ -0,0 +1,35 @@ +{ + "name": "@simplex-chat/smp-web", + "version": "0.1.0", + "description": "SMP protocol client for web/browser environments", + "license": "AGPL-3.0-only", + "repository": { + "type": "git", + "url": "git+https://github.com/simplex-chat/simplexmq.git", + "directory": "smp-web" + }, + "type": "module", + "files": [ + "src", + "dist" + ], + "scripts": { + "build:wasm": "mkdir -p dist/wasm && npx emcc cbits/sntrup761_wasm.c ../cbits/sntrup761.c cbits/sha512.c -I../cbits -O2 -o dist/wasm/sntrup761.mjs -s EXPORTED_FUNCTIONS='[\"_sntrup761_wasm_keypair\",\"_sntrup761_wasm_enc\",\"_sntrup761_wasm_dec\",\"_malloc\",\"_free\"]' -s EXPORTED_RUNTIME_METHODS='[\"ccall\",\"cwrap\",\"HEAPU8\"]' -s MODULARIZE=1 -s EXPORT_NAME='createSntrup761' -s ALLOW_MEMORY_GROWTH=1 -s ENVIRONMENT='web,node' --js-library cbits/js_random.js && cp cbits/sntrup761.d.mts dist/wasm/", + "build:ts": "tsc", + "build:test": "tsc -p tsconfig.test.json", + "build": "npm run build:wasm && npm run build:ts && npm run build:test" + }, + "dependencies": { + "@noble/ciphers": "^2.2.0", + "@noble/curves": "^2.2.0", + "@noble/hashes": "^1.5.0", + "@simplex-chat/xftp-web": "file:../xftp-web", + "emsdk": "^0.4.0" + }, + "devDependencies": { + "@types/node": "^25.5.0", + "@types/ws": "^8.18.1", + "typescript": "^5.4.0", + "ws": "^8.0.0" + } +} diff --git a/smp-web/src/agent/message.ts b/smp-web/src/agent/message.ts new file mode 100644 index 0000000000..edaf9cd2b8 --- /dev/null +++ b/smp-web/src/agent/message.ts @@ -0,0 +1,207 @@ +// Agent message encoding/decoding. +// Mirrors: Simplex.Messaging.Agent.Protocol (AgentMsgEnvelope, AgentMessage, APrivHeader, AMessage) + +import { + Decoder, concatBytes, + encodeBytes, decodeBytes, + encodeLarge, decodeLarge, + encodeInt64, decodeInt64, + encodeWord16, decodeWord16, + encodeMaybe, decodeMaybe, + encodeNonEmpty, decodeNonEmpty, +} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" + +// -- Constants (Agent/Protocol.hs:318-319) + +export const currentSMPAgentVersion = 7 + +// -- AMessage (Agent/Protocol.hs:1001-1020) + +export type AMessage = + | {type: "HELLO"} + | {type: "A_MSG", body: Uint8Array} + | {type: "A_RCVD", receipts: AMessageReceipt[]} // NonEmpty + | {type: "EREADY", lastDecryptedMsgId: bigint} + +// Agent/Protocol.hs:1040-1045 +export interface AMessageReceipt { + agentMsgId: bigint // Int64 + msgHash: Uint8Array // ByteString (32-byte SHA-256) + rcptInfo: Uint8Array // MsgReceiptInfo (ByteString, Large-encoded) +} + +// Agent/Protocol.hs:1078-1100 +export function encodeAMessage(msg: AMessage): Uint8Array { + switch (msg.type) { + case "HELLO": return new Uint8Array([0x48]) // "H" + case "A_MSG": return concatBytes(new Uint8Array([0x4D]), msg.body) // "M" + Tail + case "A_RCVD": return concatBytes(new Uint8Array([0x56]), encodeNonEmpty(encodeAMessageReceipt, msg.receipts)) // "V" + NonEmpty + case "EREADY": return concatBytes(new Uint8Array([0x45]), encodeInt64(msg.lastDecryptedMsgId)) // "E" + Int64 + } +} + +export function decodeAMessage(d: Decoder): AMessage { + const tag = d.anyByte() + switch (tag) { + case 0x48: return {type: "HELLO"} // 'H' + case 0x4D: return {type: "A_MSG", body: d.takeAll()} // 'M' + Tail + case 0x56: return {type: "A_RCVD", receipts: decodeNonEmpty(decodeAMessageReceipt, d)} // 'V' + case 0x45: return {type: "EREADY", lastDecryptedMsgId: decodeInt64(d)} // 'E' + // Queue management tags (not needed for chat messages, but recognized for decoding) + case 0x51: { // 'Q' + const sub = d.anyByte() + switch (sub) { + case 0x43: // 'C' = A_QCONT + case 0x41: // 'A' = QADD + case 0x4B: // 'K' = QKEY + case 0x55: // 'U' = QUSE + case 0x54: // 'T' = QTEST + throw new Error("decodeAMessage: queue management message (Q" + String.fromCharCode(sub) + ") not implemented") + default: + throw new Error("decodeAMessage: unknown Q-subtag " + sub) + } + } + default: + throw new Error("decodeAMessage: unknown tag " + tag) + } +} + +// Agent/Protocol.hs:1106-1111 +function encodeAMessageReceipt(r: AMessageReceipt): Uint8Array { + return concatBytes(encodeInt64(r.agentMsgId), encodeBytes(r.msgHash), encodeLarge(r.rcptInfo)) +} + +function decodeAMessageReceipt(d: Decoder): AMessageReceipt { + return {agentMsgId: decodeInt64(d), msgHash: decodeBytes(d), rcptInfo: decodeLarge(d)} +} + +// -- APrivHeader (Agent/Protocol.hs:946-957) + +export interface APrivHeader { + sndMsgId: bigint // AgentMsgId = Int64 + prevMsgHash: Uint8Array // MsgHash = ByteString +} + +export function encodeAPrivHeader(h: APrivHeader): Uint8Array { + return concatBytes(encodeInt64(h.sndMsgId), encodeBytes(h.prevMsgHash)) +} + +export function decodeAPrivHeader(d: Decoder): APrivHeader { + return {sndMsgId: decodeInt64(d), prevMsgHash: decodeBytes(d)} +} + +// -- AgentMessage (Agent/Protocol.hs:866-888) + +export type AgentMessage = + | {type: "connInfo", cInfo: Uint8Array} + | {type: "connInfoReply", smpQueues: Uint8Array[], cInfo: Uint8Array} // NonEmpty raw-encoded SMPQueueInfo + | {type: "ratchetInfo", info: Uint8Array} + | {type: "message", header: APrivHeader, msg: AMessage} + +export function encodeAgentMessage(msg: AgentMessage): Uint8Array { + switch (msg.type) { + case "connInfo": + return concatBytes(new Uint8Array([0x49]), msg.cInfo) // 'I' + Tail + case "connInfoReply": + // 'D' + NonEmpty SMPQueueInfo + Tail cInfo + // SMPQueueInfo encoding is complex; for now encode the raw bytes + return concatBytes( + new Uint8Array([0x44]), + encodeNonEmpty(b => b, msg.smpQueues), + msg.cInfo, + ) + case "ratchetInfo": + return concatBytes(new Uint8Array([0x52]), msg.info) // 'R' + Tail + case "message": + return concatBytes(new Uint8Array([0x4D]), encodeAPrivHeader(msg.header), encodeAMessage(msg.msg)) // 'M' + header + msg + } +} + +export function decodeAgentMessage(d: Decoder): AgentMessage { + const tag = d.anyByte() + switch (tag) { + case 0x49: return {type: "connInfo", cInfo: d.takeAll()} // 'I' + Tail + case 0x44: { // 'D' + // NonEmpty SMPQueueInfo is complex to decode; skip for now, just capture raw + throw new Error("decodeAgentMessage: connInfoReply ('D') not implemented") + } + case 0x52: return {type: "ratchetInfo", info: d.takeAll()} // 'R' + Tail + case 0x4D: return {type: "message", header: decodeAPrivHeader(d), msg: decodeAMessage(d)} // 'M' + default: + throw new Error("decodeAgentMessage: unknown tag " + tag) + } +} + +// -- AgentMsgEnvelope (Agent/Protocol.hs:812-861) + +export type AgentMsgEnvelope = + | {type: "confirmation", agentVersion: number, e2eEncryption: Uint8Array | null, encConnInfo: Uint8Array} + | {type: "envelope", agentVersion: number, encAgentMessage: Uint8Array} + | {type: "invitation", agentVersion: number, connReqBytes: Uint8Array, connInfo: Uint8Array} + | {type: "ratchetKey", agentVersion: number, e2eEncryption: Uint8Array, info: Uint8Array} + +// Agent/Protocol.hs:835-843 +export function encodeAgentMsgEnvelope(env: AgentMsgEnvelope): Uint8Array { + switch (env.type) { + case "confirmation": + // (agentVersion, 'C', Maybe SndE2ERatchetParams, Tail encConnInfo) + return concatBytes( + encodeWord16(env.agentVersion), + new Uint8Array([0x43]), // 'C' + encodeMaybe(b => b, env.e2eEncryption), // e2eEncryption is already smpEncoded bytes or null + env.encConnInfo, // Tail + ) + case "envelope": + // (agentVersion, 'M', Tail encAgentMessage) + return concatBytes( + encodeWord16(env.agentVersion), + new Uint8Array([0x4D]), // 'M' + env.encAgentMessage, // Tail + ) + case "invitation": + // (agentVersion, 'I', Large connReqBytes, Tail connInfo) + return concatBytes( + encodeWord16(env.agentVersion), + new Uint8Array([0x49]), // 'I' + encodeLarge(env.connReqBytes), + env.connInfo, // Tail + ) + case "ratchetKey": + // (agentVersion, 'R', e2eEncryption, Tail info) + return concatBytes( + encodeWord16(env.agentVersion), + new Uint8Array([0x52]), // 'R' + env.e2eEncryption, // already smpEncoded + env.info, // Tail + ) + } +} + +// Agent/Protocol.hs:844-861 +export function decodeAgentMsgEnvelope(d: Decoder): AgentMsgEnvelope { + const agentVersion = decodeWord16(d) + const tag = d.anyByte() + switch (tag) { + case 0x43: // 'C' Confirmation + // e2eEncryption_ is Maybe (SndE2ERatchetParams 'X448), encConnInfo is Tail + // Full parsing of E2ERatchetParams needed to split the boundary — not implemented in spike + throw new Error("decodeAgentMsgEnvelope: confirmation ('C') not fully implemented") + case 0x4D: // 'M' Message envelope + return {type: "envelope", agentVersion, encAgentMessage: d.takeAll()} // Tail + case 0x49: { // 'I' Invitation + const connReqBytes = decodeLarge(d) + const connInfo = d.takeAll() // Tail + return {type: "invitation", agentVersion, connReqBytes, connInfo} + } + case 0x52: { // 'R' RatchetKey + // e2eEncryption is an E2ERatchetParams — variable-length, not Tail + // For now, capture remaining minus nothing (since info is Tail and comes last) + // This is tricky: e2eEncryption is smpEncoded E2ERatchetParams, info is Tail + // We can't easily split without knowing the E2ERatchetParams length + // For the spike, just capture all remaining as raw + throw new Error("decodeAgentMsgEnvelope: ratchetKey ('R') not fully implemented") + } + default: + throw new Error("decodeAgentMsgEnvelope: unknown tag " + tag) + } +} diff --git a/smp-web/src/agent/protocol.ts b/smp-web/src/agent/protocol.ts new file mode 100644 index 0000000000..36b6e8f4a2 --- /dev/null +++ b/smp-web/src/agent/protocol.ts @@ -0,0 +1,247 @@ +// Agent protocol types and short link parsing. +// Mirrors: Simplex.Messaging.Agent.Protocol + +import {base64urlDecode} from "@simplex-chat/xftp-web/dist/protocol/description.js" +import { + Decoder, decodeBytes, decodeLarge, decodeWord16, decodeBool, +} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" + +// -- Short link types (Agent/Protocol.hs:1462-1470) + +export type ShortLinkScheme = "simplex" | "https" + +export type ContactConnType = "contact" | "channel" | "group" | "relay" + +export interface ProtocolServer { + hosts: Uint8Array[] // NonEmpty, each is the strEncoded host bytes + port: Uint8Array + keyHash: Uint8Array +} + +export type ConnShortLink = + | {mode: "invitation", scheme: ShortLinkScheme, server: ProtocolServer, linkId: Uint8Array, linkKey: Uint8Array} + | {mode: "contact", scheme: ShortLinkScheme, connType: ContactConnType, server: ProtocolServer, linkKey: Uint8Array} + +// -- ProtocolServer binary encoding (Protocol.hs:1264-1269) +// smpEncode (host, port, keyHash) +// host: NonEmpty TransportHost = smpEncodeList (1-byte count + each as ByteString) +// port: String = ByteString (1-byte len + bytes) +// keyHash: KeyHash = ByteString (1-byte len + bytes) + +export function decodeProtocolServer(d: Decoder): ProtocolServer { + const hostCount = d.anyByte() + if (hostCount === 0) throw new Error("empty server host list") + const hosts: Uint8Array[] = [] + for (let i = 0; i < hostCount; i++) hosts.push(decodeBytes(d)) + const port = decodeBytes(d) + const keyHash = decodeBytes(d) + return {hosts, port, keyHash} +} + +// -- ConnShortLink binary encoding (Agent/Protocol.hs:1631-1649) +// Contact: smpEncode (CMContact, ctTypeChar, srv, linkKey) +// Invitation: smpEncode (CMInvitation, srv, linkId, linkKey) + +export interface ConnShortLinkBinary { + mode: "contact" | "invitation" + connType?: ContactConnType + server: ProtocolServer + linkId?: Uint8Array + linkKey: Uint8Array +} + +const ctTypeFromByte: Record = { + 0x41: "contact", // 'A' + 0x43: "channel", // 'C' + 0x47: "group", // 'G' + 0x52: "relay", // 'R' +} + +export function decodeConnShortLink(d: Decoder): ConnShortLinkBinary { + const mode = d.anyByte() + if (mode === 0x49) { + // Invitation: (srv, linkId, linkKey) + const server = decodeProtocolServer(d) + const linkId = decodeBytes(d) + const linkKey = decodeBytes(d) + return {mode: "invitation", server, linkId, linkKey} + } else if (mode === 0x43) { + // Contact: (ctTypeChar, srv, linkKey) + const ctByte = d.anyByte() + const connType = ctTypeFromByte[ctByte] + if (!connType) throw new Error("unknown contact type: 0x" + ctByte.toString(16)) + const server = decodeProtocolServer(d) + const linkKey = decodeBytes(d) + return {mode: "contact", connType, server, linkKey} + } + throw new Error("unknown ConnShortLink mode: 0x" + mode.toString(16)) +} + +// -- OwnerAuth (Agent/Protocol.hs:1793-1800) +// Outer ByteString wrapping inner: (ownerId, ownerKey, authOwnerSig) + +export interface OwnerAuth { + ownerId: Uint8Array + ownerKey: Uint8Array + authOwnerSig: Uint8Array +} + +export function decodeOwnerAuth(d: Decoder): OwnerAuth { + const inner = decodeBytes(d) + const id = new Decoder(inner) + const ownerId = decodeBytes(id) + const ownerKey = decodeBytes(id) + const authOwnerSig = decodeBytes(id) + return {ownerId, ownerKey, authOwnerSig} +} + +// -- UserLinkData (Agent/Protocol.hs:1891-1894) +// If first byte is 0xFF, read Large; otherwise it's a ByteString (1-byte length) + +export function decodeUserLinkData(d: Decoder): Uint8Array { + const firstByte = d.anyByte() + if (firstByte === 0xFF) return decodeLarge(d) + return d.take(firstByte) +} + +// -- UserContactData (Agent/Protocol.hs:1881-1889) + +export interface UserContactData { + direct: boolean + owners: OwnerAuth[] + relays: ConnShortLinkBinary[] + userData: Uint8Array +} + +export function decodeUserContactData(d: Decoder): UserContactData { + const direct = decodeBool(d) + const ownerCount = d.anyByte() + const owners: OwnerAuth[] = [] + for (let i = 0; i < ownerCount; i++) owners.push(decodeOwnerAuth(d)) + const relayCount = d.anyByte() + const relays: ConnShortLinkBinary[] = [] + for (let i = 0; i < relayCount; i++) relays.push(decodeConnShortLink(d)) + const userData = decodeUserLinkData(d) + return {direct, owners, relays, userData} +} + +// -- ConnLinkData (Agent/Protocol.hs:1838-1855) +// Contact: 'C' + versionRange + UserContactData + +export interface ConnLinkDataContact { + mode: "contact" + agentVRange: {min: number; max: number} + userContactData: UserContactData +} + +export function decodeConnLinkData(d: Decoder): ConnLinkDataContact { + const modeChar = d.anyByte() + if (modeChar !== 0x43) throw new Error("expected Contact mode 'C' (0x43), got 0x" + modeChar.toString(16)) + const min = decodeWord16(d) + const max = decodeWord16(d) + const userContactData = decodeUserContactData(d) + return {mode: "contact", agentVRange: {min, max}, userContactData} +} + +// -- FixedLinkData (Agent/Protocol.hs:1830-1836) +// Encoding: smpEncode (agentVRange, rootKey, linkConnReq) <> maybe "" smpEncode linkEntityId +// rootKey is DER-encoded Ed25519 public key (ByteString: 1-byte len + 44 bytes DER) +// linkConnReq is ConnectionRequestUri (variable length, not length-prefixed) +// For now, we parse agentVRange + rootKey and keep the rest as raw bytes. +// Full ConnectionRequestUri parsing is future work. + +export interface FixedLinkData { + agentVRange: {min: number; max: number} + rootKey: Uint8Array // DER-encoded Ed25519 public key (44 bytes) + rest: Uint8Array // raw linkConnReq + linkEntityId bytes +} + +export function decodeFixedLinkData(d: Decoder): FixedLinkData { + const min = decodeWord16(d) + const max = decodeWord16(d) + const rootKey = decodeBytes(d) + const rest = d.takeAll() + return {agentVRange: {min, max}, rootKey, rest} +} + +// -- Profile extraction + +export function parseProfile(userData: Uint8Array): unknown { + if (userData.length > 0 && userData[0] === 0x58) { + throw new Error("zstd-compressed profile not yet supported") + } + return JSON.parse(new TextDecoder().decode(userData)) +} + +// -- Short link URI parsing (below) -- + +export interface ShortLinkServer { + hosts: string[] + port: string + keyHash: Uint8Array +} + +export type ConnShortLinkURI = + | {mode: "invitation", scheme: ShortLinkScheme, server: ShortLinkServer, linkId: Uint8Array, linkKey: Uint8Array} + | {mode: "contact", scheme: ShortLinkScheme, connType: ContactConnType, server: ShortLinkServer, linkKey: Uint8Array} + +const ctTypeFromChar: Record = { + a: "contact", + c: "channel", + g: "group", + r: "relay", +} + +// Mirrors strP for AConnShortLink (Agent/Protocol.hs:1596-1629) +export function connShortLinkStrP(uri: string): ConnShortLinkURI { + let scheme: ShortLinkScheme + let firstHost: string | null = null + let rest: string + + if (uri.startsWith("simplex:")) { + scheme = "simplex" + rest = uri.slice("simplex:".length) + } else if (uri.startsWith("https://")) { + scheme = "https" + const afterScheme = uri.slice("https://".length) + const slashIdx = afterScheme.indexOf("/") + if (slashIdx < 0) throw new Error("bad short link: no path") + firstHost = afterScheme.slice(0, slashIdx) + rest = afterScheme.slice(slashIdx) + } else { + throw new Error("bad short link scheme") + } + + if (rest[0] !== "/") throw new Error("bad short link: expected /") + const typeChar = rest[1] + const hashIdx = rest.indexOf("#") + if (hashIdx < 0) throw new Error("bad short link: no #") + const afterHash = rest.slice(hashIdx + 1) + + const qIdx = afterHash.indexOf("?") + const fragment = qIdx >= 0 ? afterHash.slice(0, qIdx) : afterHash + const queryStr = qIdx >= 0 ? afterHash.slice(qIdx + 1) : "" + const params = new URLSearchParams(queryStr) + + const hParam = params.get("h") + const additionalHosts = hParam ? hParam.split(",") : [] + const allHosts = firstHost ? [firstHost, ...additionalHosts] : additionalHosts + if (allHosts.length === 0) throw new Error("short link without server") + + const port = params.get("p") ?? "" + const keyHash = params.has("c") ? base64urlDecode(params.get("c")!) : new Uint8Array(0) + const server: ShortLinkServer = {hosts: allHosts, port, keyHash} + + if (typeChar === "i") { + const slashIdx = fragment.indexOf("/") + if (slashIdx < 0) throw new Error("invitation link must have linkId/linkKey") + const linkId = base64urlDecode(fragment.slice(0, slashIdx)) + const linkKey = base64urlDecode(fragment.slice(slashIdx + 1)) + return {mode: "invitation", scheme, server, linkId, linkKey} + } else { + const connType = ctTypeFromChar[typeChar] + if (!connType) throw new Error("unknown contact type: " + typeChar) + const linkKey = base64urlDecode(fragment) + return {mode: "contact", scheme, connType, server, linkKey} + } +} diff --git a/smp-web/src/client.ts b/smp-web/src/client.ts new file mode 100644 index 0000000000..9ec46e50bc --- /dev/null +++ b/smp-web/src/client.ts @@ -0,0 +1,490 @@ +// SMP client: command/response correlation, authentication, typed async API. +// Mirrors: Simplex.Messaging.Client + +import { + encodeTransmission, encodeTransmissionForAuth, authTransmission, + tEncodeBatch1, tEncodeForBatch, batchTransmissions, tEncode, + tParse, tDecodeClient, protocolError, encodePING, + decodeResponse, paddedProxiedTLength, encodePRXY, encodePFWD, + type AuthKey, type SMPResponse, type RawTransmission, + encodeNEW, encodeKEY, encodeSKEY, encodeSUB, encodeACK, + encodeSEND, encodeOFF, encodeDEL, encodeGET, encodeQUE, encodeLGET, + type IDSResponse, type MSGResponse, +} from "./protocol.js" +import { + connectSMP, + type SMPConnection, +} from "./transport/websockets.js" +import {SMP_BLOCK_SIZE} from "./transport.js" +import {sbEncryptBlock, sbDecryptBlock, cbAuthenticator, reverseNonce, cbDecryptNoPad} from "./crypto.js" +import {blockPad, blockUnpad} from "@simplex-chat/xftp-web/dist/protocol/transmission.js" +import {Decoder} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" +import {generateX25519KeyPair, x25519KeyPairFromPrivate, dh, encodePubKeyX25519} from "@simplex-chat/xftp-web/dist/crypto/keys.js" +import {cbEncrypt, cbDecrypt} from "@simplex-chat/xftp-web/dist/crypto/secretbox.js" +import {extractSignedKey} from "@simplex-chat/xftp-web/dist/protocol/handshake.js" + +// -- Error types (Client.hs:741-770) + +// ProxiedRelay (Client.hs:1095-1100) +export interface ProxiedRelay { + sessionId: Uint8Array + version: number // negotiated version with relay + basicAuth: Uint8Array | null + relayKey: Uint8Array // relay's X25519 public key (raw 32 bytes) +} + +// ProxyClientError (Client.hs:1102-1109) +export type ProxyClientError = + | {type: "ProxyProtocolError", error: string} + | {type: "ProxyUnexpectedResponse", response: string} + | {type: "ProxyResponseError", error: string} + +export type SMPClientError = + | {type: "PROTOCOL", error: string} // ERR response from server + | {type: "RESPONSE", error: string} // failed to parse response + | {type: "UNEXPECTED", raw: string} // wrong response type for command + | {type: "TIMEOUT"} // response timeout + | {type: "NETWORK", error: string} // connection failure + | {type: "TRANSPORT", error: string} // handshake/transport error + +// -- SMPClient + +export interface SMPClient { + readonly sessionId: Uint8Array + readonly smpVersion: number + readonly serverPubKey: Uint8Array + + // Core: send pre-encoded command, await correlated response + sendCommand(privKey: AuthKey | null, entityId: Uint8Array, command: Uint8Array): Promise + + // High-level commands + createQueue(authKeyPair: {publicKey: Uint8Array, privateKey: Uint8Array}, dhKey: Uint8Array, subscribe: boolean): Promise + subscribeQueue(privKey: AuthKey, rcvId: Uint8Array): Promise + getMessage(privKey: AuthKey, rcvId: Uint8Array): Promise + sendMessage(privKey: AuthKey | null, sndId: Uint8Array, notification: boolean, msg: Uint8Array): Promise + ackMessage(privKey: AuthKey, rcvId: Uint8Array, msgId: Uint8Array): Promise + secureQueue(privKey: AuthKey, rcvId: Uint8Array, senderKey: Uint8Array): Promise + secureSndQueue(privKey: AuthKey, sndId: Uint8Array): Promise + getQueueLink(linkId: Uint8Array): Promise + deleteQueue(privKey: AuthKey, rcvId: Uint8Array): Promise + suspendQueue(privKey: AuthKey, rcvId: Uint8Array): Promise + + // Batch commands (Client.hs:840-845, 1062-1065) + subscribeQueues(queues: Array<{rcvId: Uint8Array, privKey: AuthKey}>): Promise + deleteQueues(queues: Array<{rcvId: Uint8Array, privKey: AuthKey}>): Promise + + // Proxy commands (Client.hs:1069-1206) + connectProxiedRelay(relayHosts: string[], relayPort: string, relayKeyHash: Uint8Array, basicAuth: Uint8Array | null): Promise + proxySMPCommand(relay: ProxiedRelay, privKey: AuthKey | null, entityId: Uint8Array, command: Uint8Array): Promise + proxySendMessage(relay: ProxiedRelay, privKey: AuthKey | null, sndId: Uint8Array, notification: boolean, msg: Uint8Array): Promise + + close(): void +} + +interface PendingRequest { + resolve: (resp: SMPResponse) => void + reject: (err: SMPClientError) => void + timer: ReturnType +} + +function toHex(bytes: Uint8Array): string { + return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("") +} + +export async function createSMPClient( + url: string, + keyHash: Uint8Array, + onMessage: (entityId: Uint8Array, msg: SMPResponse) => void, + onDisconnected: () => void, + config?: {timeout?: number, pingInterval?: number, pingMaxCount?: number, wsOptions?: object}, +): Promise { + const timeout_ = config?.timeout ?? 10_000 + const pingInterval = config?.pingInterval ?? 600_000 + const pingMaxCount = config?.pingMaxCount ?? 3 + + const conn = await connectSMP(url, keyHash, config?.wsOptions) + if (!conn.serverPubKey) throw new Error("createSMPClient: server has no auth key") + + const serverPubKey = conn.serverPubKey + const pending = new Map() + let closed = false + let pingTimer: ReturnType | null = null + let timeoutCount = 0 + + // -- Receive loop + + function onBlock(data: ArrayBuffer | Buffer) { + if (closed) return + timeoutCount = 0 + try { + const raw = data instanceof ArrayBuffer ? data : data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength) + const block = new Uint8Array(raw) + // Decrypt block + const decrypted = decryptBlock(block) + // Parse batch + const transmissions = tParse(decrypted) + for (const raw of transmissions) { + dispatch(raw) + } + } catch (e: any) { + // Parse error — log to stderr + process.stderr.write("SMP client receive error: " + e.message + "\n") + } + } + + function decryptBlock(block: Uint8Array): Uint8Array { + if (conn.rcvKey) { + const {decrypted, nextChainKey} = sbDecryptBlock(conn.rcvKey, block) + conn.rcvKey = nextChainKey + return decrypted + } + // No block encryption — strip padding + return blockUnpad(block) + } + + function dispatch(raw: RawTransmission) { + // Parse response + let response: SMPResponse + try { + response = decodeResponse(new Decoder(raw.command)) + } catch (e: any) { + process.stderr.write("dispatch parse error: " + e.message + " command=" + toHex(raw.command) + "\n") + // If we can correlate, reject the pending request + const key = toHex(raw.corrId) + const req = pending.get(key) + if (req) { + pending.delete(key) + clearTimeout(req.timer) + req.reject({type: "RESPONSE", error: e.message}) + } + return + } + + // Classify: ERR → PCEProtocolError + const err = protocolError(response) + + // Correlate by corrId + const corrIdBytes = raw.corrId + if (corrIdBytes.length === 0) { + // Server push (no corrId) — deliver to event callback + onMessage(raw.entityId, response) + return + } + + const key = toHex(corrIdBytes) + const req = pending.get(key) + if (req) { + pending.delete(key) + clearTimeout(req.timer) + if (err) { + req.reject({type: "PROTOCOL", error: err}) + } else { + req.resolve(response) + } + } else { + // No pending request — might be a late response or server push with corrId + // Deliver as event + if (!err) onMessage(raw.entityId, response) + } + } + + // Wire up WebSocket receive + conn.ws.onmessage = (event) => onBlock(event.data as ArrayBuffer) + conn.ws.onclose = () => { + if (!closed) { + closed = true + cleanup() + onDisconnected() + } + } + conn.ws.onerror = () => {} + + // -- Ping + + function startPing() { + if (pingInterval <= 0) return + pingTimer = setInterval(async () => { + try { + await client.sendCommand(null, new Uint8Array(0), encodePING()) + } catch { + timeoutCount++ + if (pingMaxCount > 0 && timeoutCount >= pingMaxCount) { + client.close() + } + } + }, pingInterval) + } + + function cleanup() { + if (pingTimer) { + clearInterval(pingTimer) + pingTimer = null + } + // Reject all pending requests + for (const [, req] of pending) { + clearTimeout(req.timer) + req.reject({type: "NETWORK", error: "disconnected"}) + } + pending.clear() + } + + // -- Send + + // mkTransmission (Client.hs:1349-1370) + // Encode, authenticate, register pending request. Returns encoded transmission + promise. + // nonce_ parameter: if provided, used as corrId (for proxy commands where nonce = corrId) + function mkTransmission(privKey: AuthKey | null, entityId: Uint8Array, command: Uint8Array, nonce_?: Uint8Array): {auth: Uint8Array | null, tToSend: Uint8Array, promise: Promise} { + const nonce = nonce_ ?? crypto.getRandomValues(new Uint8Array(24)) + const {tForAuth, tToSend} = encodeTransmissionForAuth(conn.sessionId, nonce, entityId, command) + const auth = authTransmission(serverPubKey, privKey, nonce, tForAuth) + const promise = new Promise((resolve, reject) => { + const key = toHex(nonce) + const timer = setTimeout(() => { + pending.delete(key) + timeoutCount++ + reject({type: "TIMEOUT"} as SMPClientError) + }, timeout_) + pending.set(key, {resolve, reject, timer}) + }) + return {auth, tToSend, promise} + } + + // Send a pre-encoded block (encrypt + write to WebSocket) + function sendBlock(block: Uint8Array): void { + if (conn.sndKey) { + const {encrypted, nextChainKey} = sbEncryptBlock(conn.sndKey, block, SMP_BLOCK_SIZE - 16) + conn.sndKey = nextChainKey + conn.ws.send(encrypted) + } else { + conn.ws.send(blockPad(block, SMP_BLOCK_SIZE)) + } + } + + // sendProtocolCommand (Client.hs:1300-1326) — single command + // nonce_: if provided, used as corrId (for proxy where nonce = corrId) + function sendCommand(privKey: AuthKey | null, entityId: Uint8Array, command: Uint8Array, nonce_?: Uint8Array): Promise { + if (closed) return Promise.reject({type: "NETWORK", error: "closed"} as SMPClientError) + const {auth, tToSend, promise} = mkTransmission(privKey, entityId, command, nonce_) + sendBlock(tEncodeBatch1(auth, tToSend)) + return promise + } + + // sendProtocolCommands (Client.hs:1262-1298) — batch multiple commands + function sendCommands(commands: Array<{privKey: AuthKey | null, entityId: Uint8Array, command: Uint8Array}>): Promise[] { + if (closed) return commands.map(() => Promise.reject({type: "NETWORK", error: "closed"} as SMPClientError)) + // mkTransmission for each + const transmissions = commands.map(c => mkTransmission(c.privKey, c.entityId, c.command)) + // Encode for batching: tEncodeForBatch each + const encoded = transmissions.map(t => tEncodeForBatch(t.auth, t.tToSend)) + // Pack into blocks + const blocks = batchTransmissions(SMP_BLOCK_SIZE, encoded) + // Send each block + for (const block of blocks) sendBlock(block) + // Return all promises + return transmissions.map(t => t.promise) + } + + // -- High-level commands + + // okSMPCommand (Client.hs:1239-1243) — only accepts OK, not SOK + async function okCommand(privKey: AuthKey | null, entityId: Uint8Array, command: Uint8Array): Promise { + const resp = await sendCommand(privKey, entityId, command) + if (resp.type !== "OK") { + throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + } + } + + const client: SMPClient = { + sessionId: conn.sessionId, + smpVersion: conn.smpVersion, + serverPubKey, + sendCommand, + + // createQueue (Client.hs:813-827) + async createQueue(authKeyPair, dhKey, subscribe) { + const command = encodeNEW(authKeyPair.publicKey, dhKey, null, subscribe) + // Auth with the X25519 private key from the keypair + const privKey: AuthKey = {type: "x25519", key: authKeyPair.privateKey} + const resp = await sendCommand(privKey, new Uint8Array(0), command) + if (resp.type !== "IDS") throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + return resp.response + }, + + // subscribeSMPQueue (Client.hs:833-836) + async subscribeQueue(privKey, rcvId) { + const resp = await sendCommand(privKey, rcvId, encodeSUB()) + // SUB can return MSG (queued message) — push to onMessage + if (resp.type === "MSG") { + onMessage(rcvId, resp) + return + } + if (resp.type !== "OK" && resp.type !== "SOK") { + throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + } + }, + + // getSMPMessage (Client.hs:875-880) + async getMessage(privKey, rcvId) { + const resp = await sendCommand(privKey, rcvId, encodeGET()) + if (resp.type === "OK") return null + if (resp.type === "MSG") { + onMessage(rcvId, resp) + return resp.response + } + throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + }, + + // sendSMPMessage (Client.hs:1027-1031) + async sendMessage(privKey, sndId, notification, msg) { + await okCommand(privKey, sndId, encodeSEND(notification, msg)) + }, + + // ackSMPMessage (Client.hs:1040-1045) + async ackMessage(privKey, rcvId, msgId) { + const resp = await sendCommand(privKey, rcvId, encodeACK(msgId)) + // ACK can return MSG — push to onMessage + if (resp.type === "MSG") { + onMessage(rcvId, resp) + return + } + if (resp.type !== "OK") { + throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + } + }, + + // secureSMPQueue (Client.hs:938-939) + async secureQueue(privKey, rcvId, senderKey) { + await okCommand(privKey, rcvId, encodeKEY(senderKey)) + }, + + // secureSndSMPQueue (Client.hs:943-944) + // SKEY sends the public key derived from the private key + async secureSndQueue(privKey, sndId) { + // x25519KeyPairFromPrivate derives public from private + const pubKey = x25519KeyPairFromPrivate(privKey.key).publicKey + await okCommand(privKey, sndId, encodeSKEY(encodePubKeyX25519(pubKey))) + }, + + // getSMPQueueLink (Client.hs:976-980) + async getQueueLink(linkId) { + return sendCommand(null, linkId, encodeLGET()) + }, + + // deleteSMPQueue (Client.hs:1058-1059) + async deleteQueue(privKey, rcvId) { + await okCommand(privKey, rcvId, encodeDEL()) + }, + + // suspendSMPQueue (Client.hs:1051-1052) + async suspendQueue(privKey, rcvId) { + await okCommand(privKey, rcvId, encodeOFF()) + }, + + // subscribeSMPQueues (Client.hs:840-845) + async subscribeQueues(queues) { + const commands = queues.map(q => ({privKey: q.privKey, entityId: q.rcvId, command: encodeSUB()})) + const promises = sendCommands(commands) + return Promise.all(promises.map(async (p, i) => { + const resp = await p + // processSUBResponse_ (Client.hs:857-862) + if (resp.type === "MSG") { + onMessage(queues[i].rcvId, resp) + return + } + if (resp.type !== "OK" && resp.type !== "SOK") { + throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + } + })) + }, + + // deleteSMPQueues (Client.hs:1062-1065) via okSMPCommands (Client.hs:1245-1253) + async deleteQueues(queues) { + const commands = queues.map(q => ({privKey: q.privKey, entityId: q.rcvId, command: encodeDEL()})) + const promises = sendCommands(commands) + return Promise.all(promises.map(async (p) => { + const resp = await p + if (resp.type !== "OK") { + throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + } + })) + }, + + // connectSMPProxiedRelay (Client.hs:1069-1093) + async connectProxiedRelay(relayHosts, relayPort, relayKeyHash, basicAuth) { + // Send PRXY to proxy server + const command = encodePRXY(relayHosts, relayPort, relayKeyHash, basicAuth) + const resp = await sendCommand(null, new Uint8Array(0), command) + if (resp.type !== "PKEY") throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + const {sessionId: relaySessId, versionRange, signedKeyDer} = resp.response + // Check version compatibility + const version = Math.min(versionRange.max, conn.smpVersion) + if (version < versionRange.min) throw {type: "TRANSPORT", error: "incompatible relay version"} as SMPClientError + // Extract relay's X25519 DH key from signed key (same as connectSMP handshake) + const relayKey = extractSignedKey(signedKeyDer).dhKey + // TODO: full certificate chain validation against relayKeyHash + // For now we trust the proxy's PKEY response (proxy already validated the relay) + return {sessionId: relaySessId, version, basicAuth, relayKey} + }, + + // proxySMPCommand (Client.hs:1157-1206) + async proxySMPCommand(relay, privKey, entityId, command) { + // Prepare relay params — encode as if sending directly to relay + const relaySessionId = relay.sessionId + // Generate ephemeral X25519 keypair for this command + const cmdKp = generateX25519KeyPair() + const cmdSecret = dh(relay.relayKey, cmdKp.privateKey) + const nonce = crypto.getRandomValues(new Uint8Array(24)) + // Encode transmission for relay (using relay's sessionId) + const {tForAuth, tToSend} = encodeTransmissionForAuth(relaySessionId, nonce, entityId, command) + // Authenticate against relay's key + const auth = privKey + ? cbAuthenticator(relay.relayKey, privKey.key, nonce, tForAuth) + : null + // Batch into single block (for relay) + const batchBlock = tEncodeBatch1(auth, tToSend) + // Encrypt for relay: cbEncrypt(cmdSecret, nonce, batchBlock, paddedProxiedTLength) + const encTransmission = cbEncrypt(cmdSecret, nonce, batchBlock, paddedProxiedTLength) + // Send PFWD to proxy (entityId = relay sessionId from PKEY) + // IMPORTANT: nonce is also used as corrId for PFWD (Client.hs:1175,1188) + // The relay extracts it from FwdTransmission.fwdCorrId to decrypt + const cmdPubKeyDer = encodePubKeyX25519(cmdKp.publicKey) + const pfwdCommand = encodePFWD(relay.version, cmdPubKeyDer, encTransmission) + const pfwdResp = await sendCommand(null, relay.sessionId, pfwdCommand, nonce) + // Handle response + if (pfwdResp.type === "PRES") { + // Decrypt relay's response: cbDecrypt(cmdSecret, reverseNonce(nonce), encResponse) + const decrypted = cbDecrypt(cmdSecret, reverseNonce(nonce), pfwdResp.encResponse) + // Parse as relay's response + const transmissions = tParse(decrypted) + if (transmissions.length !== 1) throw {type: "TRANSPORT", error: "bad proxy response block"} as SMPClientError + const decoded = tDecodeClient(transmissions[0]) + const relayResp = decoded.response + const err = protocolError(relayResp) + if (err) throw {type: "PROTOCOL", error: err} as SMPClientError + return relayResp + } + if (pfwdResp.type === "ERR") { + throw {type: "PROTOCOL", error: pfwdResp.error} as SMPClientError + } + throw {type: "UNEXPECTED", raw: pfwdResp.type} as SMPClientError + }, + + // proxySMPMessage — convenience for SEND via proxy + async proxySendMessage(relay, privKey, sndId, notification, msg) { + const command = encodeSEND(notification, msg) + const resp = await client.proxySMPCommand(relay, privKey, sndId, command) + if (resp.type !== "OK") throw {type: "UNEXPECTED", raw: resp.type} as SMPClientError + }, + + close() { + if (closed) return + closed = true + cleanup() + conn.ws.close() + }, + } + + startPing() + return client +} + diff --git a/smp-web/src/crypto.ts b/smp-web/src/crypto.ts new file mode 100644 index 0000000000..881a40bf2e --- /dev/null +++ b/smp-web/src/crypto.ts @@ -0,0 +1,130 @@ +// Crypto primitives. +// Mirrors: Simplex.Messaging.Crypto + +import {hkdf as nobleHkdf} from "@noble/hashes/hkdf" +import {sha512} from "@noble/hashes/sha512" +import {gcm} from "@noble/ciphers/aes.js" +import {cbEncrypt, cbDecrypt, cryptoBox, sbInit, sbDecryptChunk, sbAuth} from "@simplex-chat/xftp-web/dist/crypto/secretbox.js" +import {dh} from "@simplex-chat/xftp-web/dist/crypto/keys.js" +import {concatBytes} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" +import {pad, unPad} from "@simplex-chat/xftp-web/dist/crypto/padding.js" + +// C.hkdf (Crypto.hs:1461-1464) +// HKDF-SHA512 extract + expand +export function hkdf(salt: Uint8Array, ikm: Uint8Array, info: string, n: number): Uint8Array { + return nobleHkdf(sha512, ikm, salt, info, n) +} + +// -- SbChainKey block encryption (Crypto.hs:1449-1464) + +export interface SbKeyNonce { + sbKey: Uint8Array // 32 bytes + nonce: Uint8Array // 24 bytes +} + +// sbcInit (Crypto.hs:1452-1455) +// hkdf(sessionId, dhSecret, "SimpleXSbChainInit", 64) -> (sndChainKey, rcvChainKey) +export function sbcInit(sessionId: Uint8Array, dhSecret: Uint8Array): {sndKey: Uint8Array; rcvKey: Uint8Array} { + const derived = hkdf(sessionId, dhSecret, "SimpleXSbChainInit", 64) + return {sndKey: derived.slice(0, 32), rcvKey: derived.slice(32, 64)} +} + +// sbcHkdf (Crypto.hs:1459-1464) +// hkdf("", chainKey, "SimpleXSbChain", 88) -> ((sbKey, nonce), nextChainKey) +export function sbcHkdf(chainKey: Uint8Array): {keyNonce: SbKeyNonce; nextChainKey: Uint8Array} { + const out = hkdf(new Uint8Array(0), chainKey, "SimpleXSbChain", 88) + return { + keyNonce: {sbKey: out.slice(32, 64), nonce: out.slice(64, 88)}, + nextChainKey: out.slice(0, 32), + } +} + +// sbEncrypt (Crypto.hs:1296-1301) +// pad + cryptoBox (tag prepended to ciphertext) +export function sbEncryptBlock(chainKey: Uint8Array, block: Uint8Array, paddedLen: number): {encrypted: Uint8Array; nextChainKey: Uint8Array} { + const {keyNonce: {sbKey, nonce}, nextChainKey} = sbcHkdf(chainKey) + return {encrypted: cbEncrypt(sbKey, nonce, block, paddedLen), nextChainKey} +} + +// sbDecrypt (Crypto.hs:1330-1336) +// cryptoBoxOpen + unpad +export function sbDecryptBlock(chainKey: Uint8Array, block: Uint8Array): {decrypted: Uint8Array; nextChainKey: Uint8Array} { + const {keyNonce: {sbKey, nonce}, nextChainKey} = sbcHkdf(chainKey) + return {decrypted: cbDecrypt(sbKey, nonce, block), nextChainKey} +} + +// -- AES-256-GCM authenticated encryption (Crypto.hs:1035-1061) +// Uses 16-byte IVs (GCM with GHASH path per NIST SP 800-38D for IVs != 96 bits) + +export const AUTH_TAG_SIZE = 16 + +// encryptAEAD (Crypto.hs:1035-1039) +export function encryptAEAD( + key: Uint8Array, // 32 bytes + iv: Uint8Array, // 16 bytes + paddedLen: number, + ad: Uint8Array, + plaintext: Uint8Array, +): {authTag: Uint8Array; ciphertext: Uint8Array} { + const padded = pad(plaintext, paddedLen) + const cipher = gcm(key, iv, ad) + const encrypted = cipher.encrypt(padded) + return { + ciphertext: encrypted.subarray(0, encrypted.length - AUTH_TAG_SIZE), + authTag: encrypted.subarray(encrypted.length - AUTH_TAG_SIZE), + } +} + +// decryptAEAD (Crypto.hs:1058-1061) +export function decryptAEAD( + key: Uint8Array, + iv: Uint8Array, + ad: Uint8Array, + ciphertext: Uint8Array, + authTag: Uint8Array, +): Uint8Array { + const cipher = gcm(key, iv, ad) + const encrypted = concatBytes(ciphertext, authTag) + const padded = cipher.decrypt(encrypted) + return unPad(padded) +} + +// -- SHA-512 hash (Crypto.hs:1016) + +export function sha512Hash(msg: Uint8Array): Uint8Array { + return sha512(msg) +} + +// -- Command authentication (Crypto.hs:1366-1367) + +// cbAuthenticate (Crypto.hs:1367) +// cryptoBox(dh(serverPubKey, entityPrivKey), nonce, sha512Hash(msg)) → 80 bytes (16 tag + 64 hash) +export function cbAuthenticator(serverPubKey: Uint8Array, entityPrivKey: Uint8Array, nonce: Uint8Array, msg: Uint8Array): Uint8Array { + const dhSecret = dh(serverPubKey, entityPrivKey) + return cryptoBox(dhSecret, nonce, sha512Hash(msg)) +} + +// -- reverseNonce (Crypto.hs:1409-1410) + +export function reverseNonce(nonce: Uint8Array): Uint8Array { + const reversed = new Uint8Array(nonce.length) + for (let i = 0; i < nonce.length; i++) reversed[i] = nonce[nonce.length - 1 - i] + return reversed +} + +// -- cbDecryptNoPad (Crypto.hs:1330-1331) +// Decrypt without unpadding. Used for proxy responses. +// Same as cbDecrypt but returns raw decrypted bytes without unPad. + +export function cbDecryptNoPad(dhSecret: Uint8Array, nonce: Uint8Array, packet: Uint8Array): Uint8Array { + const tag = packet.subarray(0, 16) + const cipher = packet.subarray(16) + const state = sbInit(dhSecret, nonce) + const plaintext = sbDecryptChunk(state, cipher) + const computedTag = sbAuth(state) + // constant-time compare + let diff = 0 + for (let i = 0; i < 16; i++) diff |= tag[i] ^ computedTag[i] + if (diff !== 0) throw new Error("cbDecryptNoPad: authentication failed") + return plaintext +} diff --git a/smp-web/src/crypto/ratchet.ts b/smp-web/src/crypto/ratchet.ts new file mode 100644 index 0000000000..80de7456c5 --- /dev/null +++ b/smp-web/src/crypto/ratchet.ts @@ -0,0 +1,749 @@ +// Double ratchet with X3DH key agreement and PQ KEM. +// Faithful transpilation of Simplex.Messaging.Crypto.Ratchet +// +// Every type, field, and function mirrors the Haskell source. +// Line references are to src/Simplex/Messaging/Crypto/Ratchet.hs + +import {x448} from "@noble/curves/ed448.js" +import {hkdf, encryptAEAD, decryptAEAD, AUTH_TAG_SIZE} from "../crypto.js" +import {sntrup761Keypair, sntrup761Enc, sntrup761Dec} from "./sntrup761.js" +import type {KEMKeyPair} from "./sntrup761.js" +import { + Decoder, concatBytes, + encodeBytes, decodeBytes, decodeWord16, decodeWord32, + encodeLarge, decodeLarge, + encodeMaybe, +} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" + +// -- Version constants (lines 134-155) + +export const pqRatchetE2EEncryptVersion = 3 +export const currentE2EEncryptVersion = 3 + +// -- X448 key operations + +export interface X448KeyPair { + publicKey: Uint8Array // 56 bytes + privateKey: Uint8Array // 56 bytes +} + +export function generateX448KeyPair(): X448KeyPair { + const privateKey = x448.utils.randomSecretKey() + const publicKey = x448.getPublicKey(privateKey) + return {publicKey, privateKey} +} + +export function x448DH(publicKey: Uint8Array, privateKey: Uint8Array): Uint8Array { + return x448.getSharedSecret(privateKey, publicKey) +} + +// DER encoding for X448 public keys (RFC 8410, SubjectPublicKeyInfo) +// SEQUENCE { SEQUENCE { OID 1.3.101.111 } BIT STRING { 0x00 <56 bytes> } } +const X448_PUBKEY_DER_PREFIX = new Uint8Array([ + 0x30, 0x42, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6f, 0x03, 0x39, 0x00, +]) + +export function encodePubKeyX448(rawPubKey: Uint8Array): Uint8Array { + return concatBytes(X448_PUBKEY_DER_PREFIX, rawPubKey) +} + +export function decodePubKeyX448(der: Uint8Array): Uint8Array { + if (der.length !== 68) throw new Error("decodePubKeyX448: invalid length " + der.length) + for (let i = 0; i < X448_PUBKEY_DER_PREFIX.length; i++) { + if (der[i] !== X448_PUBKEY_DER_PREFIX[i]) throw new Error("decodePubKeyX448: invalid DER prefix") + } + return der.subarray(12) +} + +// -- KEM types (lines 567-577) +// KEMKeyPair imported from ./sntrup761.js + +export interface RatchetKEMAccepted { + rcPQRr: Uint8Array // KEMPublicKey - received key (1158 bytes) + rcPQRss: Uint8Array // KEMSharedKey - computed shared secret (32 bytes) + rcPQRct: Uint8Array // KEMCiphertext - sent encaps (1039 bytes) +} + +export interface RatchetKEM { + rcPQRs: KEMKeyPair + rcKEMs: RatchetKEMAccepted | null +} + +// -- RatchetInitParams (lines 457-464) + +export interface RatchetInitParams { + assocData: Uint8Array // Str (raw bytes) + ratchetKey: Uint8Array // RatchetKey (32 bytes) + sndHK: Uint8Array // HeaderKey (32 bytes) + rcvNextHK: Uint8Array // HeaderKey (32 bytes) + kemAccepted: RatchetKEMAccepted | null // Maybe RatchetKEMAccepted +} + +// -- hkdf3 (lines 1174-1179) + +function hkdf3(salt: Uint8Array, ikm: Uint8Array, info: string): [Uint8Array, Uint8Array, Uint8Array] { + const out = hkdf(salt, ikm, info, 96) + return [out.slice(0, 32), out.slice(32, 64), out.slice(64, 96)] +} + +// -- pqX3dh (lines 499-508) + +const X3DH_SALT = new Uint8Array(64) + +function pqX3dh( + sk1: Uint8Array, rk1: Uint8Array, + dh1: Uint8Array, dh2: Uint8Array, dh3: Uint8Array, + kemAccepted: RatchetKEMAccepted | null, +): RatchetInitParams { + const assocData = concatBytes(sk1, rk1) + const pq = kemAccepted ? kemAccepted.rcPQRss : new Uint8Array(0) + const dhs = concatBytes(dh1, dh2, dh3, pq) + const [hk, nhk, sk] = hkdf3(X3DH_SALT, dhs, "SimpleXX3DH") + return {assocData, ratchetKey: sk, sndHK: hk, rcvNextHK: nhk, kemAccepted} +} + +// -- pqX3dhSnd (lines 467-480) +// Used by joiner (Alice in PQDR spec, Bob in DR spec) to init SENDING ratchet. + +export function pqX3dhSnd( + spk1: Uint8Array, spk2: Uint8Array, // our private keys + rk1: Uint8Array, rk2: Uint8Array, // their public keys (raw) + kemAccepted: RatchetKEMAccepted | null = null, +): RatchetInitParams { + const sk1Pub = x448.getPublicKey(spk1) + const dh1 = x448DH(rk1, spk2) + const dh2 = x448DH(rk2, spk1) + const dh3 = x448DH(rk2, spk2) + return pqX3dh(sk1Pub, rk1, dh1, dh2, dh3, kemAccepted) +} + +// -- pqX3dhRcv (lines 483-497) +// Used by initiator (Bob in PQDR spec, Alice in DR spec) to init RECEIVING ratchet. + +export function pqX3dhRcv( + rpk1: Uint8Array, rpk2: Uint8Array, // our private keys + sk1: Uint8Array, sk2: Uint8Array, // their public keys (raw) + kemAccepted: RatchetKEMAccepted | null = null, +): RatchetInitParams { + const rk1Pub = x448.getPublicKey(rpk1) + const dh1 = x448DH(sk2, rpk1) + const dh2 = x448DH(sk1, rpk2) + const dh3 = x448DH(sk2, rpk2) + return pqX3dh(sk1, rk1Pub, dh1, dh2, dh3, kemAccepted) +} + +// -- rootKdf (lines 1159-1166) + +export function rootKdf( + rk: Uint8Array, // RatchetKey (32 bytes) + peerPubKey: Uint8Array, // PublicKey a (raw, 56 bytes for X448) + ownPrivKey: Uint8Array, // PrivateKey a (raw, 56 bytes for X448) + kemSecret: Uint8Array | null, // Maybe KEMSharedKey +): {rk: Uint8Array; ck: Uint8Array; nhk: Uint8Array} { + const dhOut = x448DH(peerPubKey, ownPrivKey) + const ss = kemSecret ? concatBytes(dhOut, kemSecret) : dhOut + const [rk_, ck, nhk] = hkdf3(rk, ss, "SimpleXRootRatchet") + return {rk: rk_, ck, nhk} +} + +// -- chainKdf (lines 1168-1172) + +export function chainKdf(ck: Uint8Array): {ck: Uint8Array; mk: Uint8Array; iv: Uint8Array; ehIV: Uint8Array} { + const EMPTY = new Uint8Array(0) + const [ck_, mk, ivs] = hkdf3(EMPTY, ck, "SimpleXChainRatchet") + return {ck: ck_, mk, iv: ivs.slice(0, 16), ehIV: ivs.slice(16, 32)} +} + +// -- Header padding (lines 716-719) + +export function paddedHeaderLen(v: number, pqSupport: boolean): number { + if (pqSupport && v >= pqRatchetE2EEncryptVersion) return 2310 + return 88 +} + +// -- SndRatchet (lines 554-559) + +export interface SndRatchet { + rcDHRr: Uint8Array // peer's public key (raw, 56 bytes) + rcCKs: Uint8Array // sending chain key (32 bytes) + rcHKs: Uint8Array // sending header key (32 bytes) +} + +// -- RcvRatchet (lines 561-565) + +export interface RcvRatchet { + rcCKr: Uint8Array // receiving chain key (32 bytes) + rcHKr: Uint8Array // receiving header key (32 bytes) +} + +// -- MessageKey (lines 608-609) + +export interface MessageKey { + mk: Uint8Array // Key (32 bytes) + iv: Uint8Array // IV (16 bytes) +} + +// -- RatchetVersions (lines 534-538) + +export interface RatchetVersions { + current: number + maxSupported: number +} + +// -- Ratchet (lines 512-532) + +export interface Ratchet { + rcVersion: RatchetVersions + rcAD: Uint8Array // Str (associated data, raw bytes) + rcDHRs: Uint8Array // PrivateKey a (raw, 56 bytes) + rcKEM: RatchetKEM | null + rcSupportKEM: boolean // PQSupport + rcEnableKEM: boolean // PQEncryption + rcSndKEM: boolean // PQEncryption + rcRcvKEM: boolean // PQEncryption + rcRK: Uint8Array // RatchetKey (32 bytes) + rcSnd: SndRatchet | null + rcRcv: RcvRatchet | null + rcNs: number // Word32 + rcNr: number // Word32 + rcPN: number // Word32 + rcNHKs: Uint8Array // HeaderKey (32 bytes) + rcNHKr: Uint8Array // HeaderKey (32 bytes) +} + +// -- SkippedMsgKeys (lines 580-582) + +export type SkippedMsgKeys = Map> + +const MAX_SKIP = 512 + +function hexKey(k: Uint8Array): string { + return Array.from(k, b => b.toString(16).padStart(2, "0")).join("") +} + +function hexToBytes(hex: string): Uint8Array { + const bytes = new Uint8Array(hex.length / 2) + for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16) + return bytes +} + +// -- initSndRatchet (lines 643-666) + +export function initSndRatchet( + rcVersion: RatchetVersions, + rcDHRr: Uint8Array, // peer's public key (raw) + rcDHRs: Uint8Array, // our private key (raw) + initParams: RatchetInitParams, + rcPQRs_: KEMKeyPair | null, +): Ratchet { + const {assocData, ratchetKey, sndHK, rcvNextHK, kemAccepted} = initParams + // state.RK, state.CKs, state.NHKs = KDF_RK_HE(SK, DH(state.DHRs, state.DHRr) || state.PQRss) + const kemSecret = kemAccepted ? kemAccepted.rcPQRss : null + const {rk: rcRK, ck: rcCKs, nhk: rcNHKs} = rootKdf(ratchetKey, rcDHRr, rcDHRs, kemSecret) + const pqOn = rcPQRs_ !== null + return { + rcVersion, + rcAD: assocData, + rcDHRs, + rcKEM: rcPQRs_ ? {rcPQRs: rcPQRs_, rcKEMs: kemAccepted} : null, + rcSupportKEM: pqOn, + rcEnableKEM: pqOn, + rcSndKEM: kemAccepted !== null, + rcRcvKEM: false, + rcRK, + rcSnd: {rcDHRr, rcCKs, rcHKs: sndHK}, + rcRcv: null, + rcPN: 0, + rcNs: 0, + rcNr: 0, + rcNHKs, + rcNHKr: rcvNextHK, + } +} + +// -- initRcvRatchet (lines 674-699) + +export function initRcvRatchet( + rcVersion: RatchetVersions, + rcDHRs: Uint8Array, // our private key (raw) + initParams: RatchetInitParams, + rcPQRs_: KEMKeyPair | null, + pqSupport: boolean, +): Ratchet { + const {assocData, ratchetKey, sndHK, rcvNextHK, kemAccepted} = initParams + return { + rcVersion, + rcAD: assocData, + rcDHRs, + rcKEM: rcPQRs_ ? {rcPQRs: rcPQRs_, rcKEMs: kemAccepted} : null, + rcSupportKEM: pqSupport, + rcEnableKEM: pqSupport, + rcSndKEM: false, + rcRcvKEM: false, + rcRK: ratchetKey, + rcSnd: null, + rcRcv: null, + rcPN: 0, + rcNs: 0, + rcNr: 0, + rcNHKs: rcvNextHK, + rcNHKr: sndHK, + } +} + +// -- RKEMParams (lines 188-190) - parsed KEM params from message header + +export type RKEMParams = + | {type: "proposed", kemPk: Uint8Array} // RKParamsProposed KEMPublicKey + | {type: "accepted", kemCt: Uint8Array, kemPk: Uint8Array} // RKParamsAccepted KEMCiphertext KEMPublicKey + +// -- MsgHeader (lines 703-711) + +interface MsgHeader { + msgMaxVersion: number + msgDHRs: Uint8Array // PublicKey a (raw, 56 bytes) + msgKEM: RKEMParams | null + msgPN: number // Word32 + msgNs: number // Word32 +} + +// -- encodeMsgHeader (lines 727-730) + +function encodeMsgHeader(v: number, hdr: MsgHeader): Uint8Array { + const vBytes = new Uint8Array(2) + vBytes[0] = (hdr.msgMaxVersion >> 8) & 0xff + vBytes[1] = hdr.msgMaxVersion & 0xff + const dhDer = encodePubKeyX448(hdr.msgDHRs) + const pn = encodeWord32(hdr.msgPN) + const ns = encodeWord32(hdr.msgNs) + if (v >= pqRatchetE2EEncryptVersion) { + // smpEncode (msgMaxVersion, msgDHRs, msgKEM, msgPN, msgNs) + // msgKEM :: Maybe ARKEMParams + const kemBytes = hdr.msgKEM ? encodeRKEMParams(hdr.msgKEM) : new Uint8Array([0x30]) // Nothing + return concatBytes(vBytes, encodeBytes(dhDer), kemBytes, pn, ns) + } + // smpEncode (msgMaxVersion, msgDHRs, msgPN, msgNs) + return concatBytes(vBytes, encodeBytes(dhDer), pn, ns) +} + +// Encode Maybe ARKEMParams: '1' + encoded params, or nothing (handled at call site with '0') +function encodeRKEMParams(params: RKEMParams): Uint8Array { + if (params.type === "proposed") { + // Just ('P', kemPk) - smpEncode ('P', k) where k is KEMPublicKey (Large) + return concatBytes(new Uint8Array([0x31, 0x50]), encodeLarge(params.kemPk)) + } + // Just ('A', ct, kemPk) - smpEncode ('A', ct, k) + return concatBytes(new Uint8Array([0x31, 0x41]), encodeLarge(params.kemCt), encodeLarge(params.kemPk)) +} + +function encodeWord32(n: number): Uint8Array { + const buf = new Uint8Array(4) + buf[0] = (n >> 24) & 0xff; buf[1] = (n >> 16) & 0xff + buf[2] = (n >> 8) & 0xff; buf[3] = n & 0xff + return buf +} + +// -- msgHeaderP (lines 733-740) + +function decodeMsgHeader(v: number, data: Uint8Array): MsgHeader { + const d = new Decoder(data) + const msgMaxVersion = decodeWord16(d) + const dhDer = decodeBytes(d) + const msgDHRs = decodePubKeyX448(dhDer) + let msgKEM: RKEMParams | null = null + if (v >= pqRatchetE2EEncryptVersion) { + // Maybe ARKEMParams + const maybeByte = d.anyByte() + if (maybeByte === 0x31) { + // Just - parse ARKEMParams + const tag = d.anyByte() + if (tag === 0x50) { // 'P' - Proposed: KEMPublicKey (Large) + msgKEM = {type: "proposed", kemPk: decodeLarge(d)} + } else if (tag === 0x41) { // 'A' - Accepted: KEMCiphertext (Large) + KEMPublicKey (Large) + const kemCt = decodeLarge(d) + const kemPk = decodeLarge(d) + msgKEM = {type: "accepted", kemCt, kemPk} + } else { + throw new Error("decodeMsgHeader: unknown KEM tag " + tag) + } + } + // else '0' = Nothing, msgKEM stays null + } + const msgPN = decodeWord32(d) + const msgNs = decodeWord32(d) + return {msgMaxVersion, msgDHRs, msgKEM, msgPN, msgNs} +} + +// -- EncMessageHeader (lines 742-756) + +interface EncMessageHeader { + ehVersion: number // current ratchet version + ehIV: Uint8Array // IV (raw 16 bytes) + ehAuthTag: Uint8Array // AuthTag (raw 16 bytes) + ehBody: Uint8Array // encrypted header body +} + +// smpEncode (lines 751-752) +function encodeEncMessageHeader(emh: EncMessageHeader): Uint8Array { + const vBytes = new Uint8Array(2) + vBytes[0] = (emh.ehVersion >> 8) & 0xff + vBytes[1] = emh.ehVersion & 0xff + // smpEncode (ehVersion, ehIV, ehAuthTag) <> encodeLarge ehVersion ehBody + const bodyEnc = emh.ehVersion >= pqRatchetE2EEncryptVersion + ? encodeLarge(emh.ehBody) + : encodeBytes(emh.ehBody) + return concatBytes(vBytes, emh.ehIV, emh.ehAuthTag, bodyEnc) +} + +// smpP (lines 753-756) +function decodeEncMessageHeader(data: Uint8Array): EncMessageHeader { + const d = new Decoder(data) + const ehVersion = decodeWord16(d) + const ehIV = d.take(16) // IV is raw 16 bytes + const ehAuthTag = d.take(16) // AuthTag is raw 16 bytes + // largeP: peek first byte, if < 32 then Large (2-byte len), else ByteString (1-byte len) + const firstByte = data[d.offset()] + const ehBody = firstByte < 32 ? decodeLarge(d) : decodeBytes(d) + return {ehVersion, ehIV, ehAuthTag, ehBody} +} + +// -- EncRatchetMessage (lines 772-787) + +interface EncRatchetMessage { + emHeader: Uint8Array // smpEncoded EncMessageHeader + emAuthTag: Uint8Array // AuthTag (raw 16 bytes) + emBody: Uint8Array // encrypted message body +} + +// encodeEncRatchetMessage (lines 779-781) +function encodeEncRatchetMessage(v: number, msg: EncRatchetMessage): Uint8Array { + // encodeLarge v emHeader <> smpEncode (emAuthTag, Tail emBody) + const headerEnc = v >= pqRatchetE2EEncryptVersion + ? encodeLarge(msg.emHeader) + : encodeBytes(msg.emHeader) + return concatBytes(headerEnc, msg.emAuthTag, msg.emBody) +} + +// encRatchetMessageP (lines 783-787) +function decodeEncRatchetMessage(data: Uint8Array): EncRatchetMessage { + const d = new Decoder(data) + // largeP + const firstByte = data[d.offset()] + const emHeader = firstByte < 32 ? decodeLarge(d) : decodeBytes(d) + // smpEncode (emAuthTag, Tail emBody) → raw 16 bytes + rest + const emAuthTag = d.take(16) + const emBody = d.takeAll() + return {emHeader, emAuthTag, emBody} +} + +// -- MsgEncryptKey (lines 962-968) + +interface MsgEncryptKey { + msgRcVersion: number + msgKey: MessageKey + msgRcAD: Uint8Array + msgEncHeader: Uint8Array +} + +// -- msgKEMParams (lines 956-958) - build KEM params from ratchet state for message header + +function msgKEMParams(kem: RatchetKEM): RKEMParams { + const {rcPQRs, rcKEMs} = kem + if (!rcKEMs) { + return {type: "proposed", kemPk: rcPQRs.publicKey} + } + return {type: "accepted", kemCt: rcKEMs.rcPQRct, kemPk: rcPQRs.publicKey} +} + +// -- pqEnableSupport (line 836-837) + +function pqEnableSupport(v: number, sup: boolean, enc: boolean): boolean { + return sup || (v >= pqRatchetE2EEncryptVersion && enc) +} + +// -- rcEncryptHeader + rcEncryptMsg (lines 902-975) + +export interface EncryptResult { + ciphertext: Uint8Array + state: Ratchet +} + +export function rcEncrypt( + rc: Ratchet, + plaintext: Uint8Array, + paddedMsgLen: number, +): EncryptResult { + if (!rc.rcSnd) throw new Error("rcEncrypt: no sending ratchet (CERatchetState)") + const snd = rc.rcSnd + const v = rc.rcVersion.current + + // state.CKs, mk = KDF_CK(state.CKs) + const chain = chainKdf(snd.rcCKs) + + // header + const headerPlain = encodeMsgHeader(v, { + msgMaxVersion: rc.rcVersion.maxSupported, + msgDHRs: x448.getPublicKey(rc.rcDHRs), + msgKEM: rc.rcKEM ? msgKEMParams(rc.rcKEM) : null, + msgPN: rc.rcPN, + msgNs: rc.rcNs, + }) + + // enc_header = HENCRYPT(state.HKs, header) + const phl = paddedHeaderLen(v, rc.rcSupportKEM) + const {authTag: ehAuthTag, ciphertext: ehBody} = encryptAEAD(snd.rcHKs, chain.ehIV, phl, rc.rcAD, headerPlain) + + // smpEncode EncMessageHeader + const emHeader = encodeEncMessageHeader({ehVersion: v, ehBody, ehAuthTag, ehIV: chain.ehIV}) + + // ENCRYPT(mk, plaintext, CONCAT(AD, enc_header)) + const bodyAD = concatBytes(rc.rcAD, emHeader) + const {authTag: emAuthTag, ciphertext: emBody} = encryptAEAD(chain.mk, chain.iv, paddedMsgLen, bodyAD, plaintext) + + // encodeEncRatchetMessage + const ciphertext = encodeEncRatchetMessage(v, {emHeader, emBody, emAuthTag}) + + // Update state + const newState: Ratchet = { + ...rc, + rcSnd: {...snd, rcCKs: chain.ck}, + rcNs: rc.rcNs + 1, + } + + return {ciphertext, state: newState} +} + +// -- rcDecrypt (lines 990-1157) + +export interface DecryptResult { + plaintext: Uint8Array + state: Ratchet + skippedKeys: SkippedMsgKeys +} + +export function rcDecrypt( + rc: Ratchet, + skippedKeys: SkippedMsgKeys, + ciphertext: Uint8Array, +): DecryptResult { + const encMsg = decodeEncRatchetMessage(ciphertext) + const encHdr = decodeEncMessageHeader(encMsg.emHeader) + + // TrySkippedMessageKeysHE + const skipped = tryDecryptSkipped(rc, skippedKeys, encHdr, encMsg) + if (skipped) return skipped + + // DecryptHeader + let ratchetStep: "same" | "advance" = "advance" + let hdr: MsgHeader | null = null + + if (rc.rcRcv) { + hdr = tryDecryptHeader(rc.rcRcv.rcHKr, rc.rcAD, encHdr) + if (hdr) ratchetStep = "same" + } + if (!hdr) { + hdr = tryDecryptHeader(rc.rcNHKr, rc.rcAD, encHdr) + if (!hdr) throw new Error("rcDecrypt: header decryption failed (CERatchetHeader)") + ratchetStep = "advance" + } + + // Version upgrade + let state = rc + const {current, maxSupported} = rc.rcVersion + if (hdr.msgMaxVersion > current) { + state = {...state, rcVersion: {...state.rcVersion, current: Math.max(current, Math.min(hdr.msgMaxVersion, maxSupported))}} + } + + let newSkipped = new Map(skippedKeys) + + if (ratchetStep === "advance") { + // SkipMessageKeysHE(state, header.pn) + const skip1 = skipMessageKeys(state, newSkipped, hdr.msgPN) + state = skip1.state; newSkipped = skip1.skippedKeys + + // DHRatchetPQ2HE(state, header) - ratchet step (lines 1043-1071) + const {kemSS, kemSS2, rcKEM: rcKEM_} = pqRatchetStep(state, hdr.msgKEM) + const newDHRs = generateX448KeyPair() + // state.RK, state.CKr, state.NHKr = KDF_RK_HE(state.RK, DH(state.DHRs, state.DHRr) || ss) + const kdf1 = rootKdf(state.rcRK, hdr.msgDHRs, state.rcDHRs, kemSS) + // state.RK, state.CKs, state.NHKs = KDF_RK_HE(state.RK, DH(state.DHRs', state.DHRr) || state.PQRss) + const kdf2 = rootKdf(kdf1.rk, hdr.msgDHRs, newDHRs.privateKey, kemSS2) + const sndKEM = kemSS2 !== null + const rcvKEM = kemSS !== null + const rcEnableKEM_ = sndKEM || rcvKEM || rcKEM_ !== null + + state = { + ...state, + rcDHRs: newDHRs.privateKey, + rcKEM: rcKEM_, + rcSupportKEM: pqEnableSupport(state.rcVersion.current, state.rcSupportKEM, rcEnableKEM_), + rcEnableKEM: rcEnableKEM_, + rcSndKEM: sndKEM, + rcRcvKEM: rcvKEM, + rcRK: kdf2.rk, + rcSnd: {rcDHRr: hdr.msgDHRs, rcCKs: kdf2.ck, rcHKs: state.rcNHKs}, + rcRcv: {rcCKr: kdf1.ck, rcHKr: state.rcNHKr}, + rcPN: rc.rcNs, + rcNs: 0, + rcNr: 0, + rcNHKs: kdf2.nhk, + rcNHKr: kdf1.nhk, + } + } + + // SkipMessageKeysHE(state, header.n) + const skip2 = skipMessageKeys(state, newSkipped, hdr.msgNs) + state = skip2.state; newSkipped = skip2.skippedKeys + + if (!state.rcRcv) throw new Error("rcDecrypt: no receiving ratchet after skip") + + // state.CKr, mk = KDF_CK(state.CKr) + const chain = chainKdf(state.rcRcv.rcCKr) + + // DECRYPT(mk, cipher-text, CONCAT(AD, enc_header)) + const bodyAD = concatBytes(state.rcAD, encMsg.emHeader) + const plaintext = decryptAEAD(chain.mk, chain.iv, bodyAD, encMsg.emBody, encMsg.emAuthTag) + + // state.Nr += 1 + state = { + ...state, + rcRcv: {...state.rcRcv, rcCKr: chain.ck}, + rcNr: state.rcNr + 1, + } + + return {plaintext, state, skippedKeys: newSkipped} +} + +// -- skipMessageKeys (lines 1105-1121) + +function skipMessageKeys( + rc: Ratchet, + skippedKeys: SkippedMsgKeys, + untilN: number, +): {state: Ratchet; skippedKeys: SkippedMsgKeys} { + if (!rc.rcRcv) return {state: rc, skippedKeys} + const rcv = rc.rcRcv + const rcNr = rc.rcNr + + if (rcNr > untilN + 1) throw new Error("rcDecrypt: earlier message (CERatchetEarlierMessage)") + if (rcNr === untilN + 1) throw new Error("rcDecrypt: duplicate message (CERatchetDuplicateMessage)") + if (rcNr + MAX_SKIP < untilN) throw new Error("rcDecrypt: too many skipped (CERatchetTooManySkipped)") + if (rcNr === untilN) return {state: rc, skippedKeys} + + // advanceRcvRatchet + let ck = rcv.rcCKr + let nr = rcNr + const hkHex = hexKey(rcv.rcHKr) + const msgKeys = new Map(skippedKeys.get(hkHex) || new Map()) + + while (nr < untilN) { + const chain = chainKdf(ck) + msgKeys.set(nr, {mk: chain.mk, iv: chain.iv}) + ck = chain.ck + nr++ + } + + const newSkipped = new Map(skippedKeys) + newSkipped.set(hkHex, msgKeys) + + return { + state: {...rc, rcRcv: {...rcv, rcCKr: ck}, rcNr: nr}, + skippedKeys: newSkipped, + } +} + +// -- tryDecryptSkipped (lines 1122-1141) + +function tryDecryptSkipped( + rc: Ratchet, + skippedKeys: SkippedMsgKeys, + encHdr: EncMessageHeader, + encMsg: EncRatchetMessage, +): DecryptResult | null { + for (const [hkHex, msgKeys] of skippedKeys) { + const hk = hexToBytes(hkHex) + const hdr = tryDecryptHeader(hk, rc.rcAD, encHdr) + if (hdr) { + const mk = msgKeys.get(hdr.msgNs) + if (mk) { + const bodyAD = concatBytes(rc.rcAD, encMsg.emHeader) + const plaintext = decryptAEAD(mk.mk, mk.iv, bodyAD, encMsg.emBody, encMsg.emAuthTag) + const newMsgKeys = new Map(msgKeys) + newMsgKeys.delete(hdr.msgNs) + const newSkipped = new Map(skippedKeys) + if (newMsgKeys.size === 0) newSkipped.delete(hkHex) + else newSkipped.set(hkHex, newMsgKeys) + return {plaintext, state: rc, skippedKeys: newSkipped} + } + // Header decrypted but msgNs not in skipped keys - check if same/advance ratchet + // For now, fall through to normal decrypt + } + } + return null +} + +// -- pqRatchetStep (lines 1072-1104) +// Returns (kemSS for receive rootKdf, kemSS' for send rootKdf, new RatchetKEM state) + +function pqRatchetStep( + rc: Ratchet, + msgKEM: RKEMParams | null, +): {kemSS: Uint8Array | null; kemSS2: Uint8Array | null; rcKEM: RatchetKEM | null} { + const pqEnc = rc.rcEnableKEM + const v = rc.rcVersion.current + + if (!msgKEM) { + // Received message does not have KEM in header + if (!rc.rcKEM && pqEnc && v >= pqRatchetE2EEncryptVersion) { + // User enabled KEM but no KEM state yet - generate new keypair + const rcPQRs = sntrup761Keypair() + return {kemSS: null, kemSS2: null, rcKEM: {rcPQRs, rcKEMs: null}} + } + return {kemSS: null, kemSS2: null, rcKEM: null} + } + + // Received message has KEM in header + if (pqEnc && v >= pqRatchetE2EEncryptVersion) { + // Get shared secret from received KEM params + const {ss, rcPQRr} = kemSharedSecret(rc.rcKEM, msgKEM) + // state.PQRct = PQKEM-ENC(state.PQRr, state.PQRss) + const kemEncResult = sntrup761Enc(rcPQRr) + // state.PQRs = GENERATE_PQKEM() + const rcPQRs = sntrup761Keypair() + const kem: RatchetKEM = { + rcPQRs, + rcKEMs: {rcPQRr, rcPQRss: kemEncResult.sharedSecret, rcPQRct: kemEncResult.ciphertext}, + } + return {kemSS: ss, kemSS2: kemEncResult.sharedSecret, rcKEM: kem} + } + + // PQ not enabled but message has KEM - extract shared secret only (no new KEM state) + const {ss} = kemSharedSecret(rc.rcKEM, msgKEM) + return {kemSS: ss, kemSS2: null, rcKEM: null} +} + +// Extract shared secret from received KEM params (lines 1097-1104) +function kemSharedSecret( + rcKEM: RatchetKEM | null, + params: RKEMParams, +): {ss: Uint8Array | null; rcPQRr: Uint8Array} { + if (params.type === "proposed") { + // RKParamsProposed k -> no shared secret yet, just received the public key + return {ss: null, rcPQRr: params.kemPk} + } + // RKParamsAccepted ct k -> decapsulate ct with our private KEM key + if (!rcKEM) throw new Error("pqRatchetStep: CERatchetKEMState - no KEM state for accepted params") + const ss = sntrup761Dec(params.kemCt, rcKEM.rcPQRs.secretKey) + return {ss, rcPQRr: params.kemPk} +} + +// -- decryptHeader helper (lines 1151-1153) + +function tryDecryptHeader(headerKey: Uint8Array, ad: Uint8Array, encHdr: EncMessageHeader): MsgHeader | null { + try { + const plainHeader = decryptAEAD(headerKey, encHdr.ehIV, ad, encHdr.ehBody, encHdr.ehAuthTag) + return decodeMsgHeader(encHdr.ehVersion, plainHeader) + } catch { + return null + } +} diff --git a/smp-web/src/crypto/shortLink.ts b/smp-web/src/crypto/shortLink.ts new file mode 100644 index 0000000000..e46ee4c1a3 --- /dev/null +++ b/smp-web/src/crypto/shortLink.ts @@ -0,0 +1,50 @@ +// Short link key derivation and decryption. +// Mirrors: Simplex.Messaging.Crypto.ShortLink + +import {hkdf} from "../crypto.js" +import {cbDecrypt} from "@simplex-chat/xftp-web/dist/crypto/secretbox.js" +import {Decoder, decodeBytes} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" + +const emptySalt = new Uint8Array(0) + +// contactShortLinkKdf (Crypto/ShortLink.hs:47-50) +// hkdf("", linkKey, "SimpleXContactLink", 56) -> (linkId[24], sbKey[32]) +export function contactShortLinkKdf(linkKey: Uint8Array): {linkId: Uint8Array; sbKey: Uint8Array} { + const derived = hkdf(emptySalt, linkKey, "SimpleXContactLink", 56) + return { + linkId: derived.slice(0, 24), + sbKey: derived.slice(24, 56), + } +} + +// invShortLinkKdf (Crypto/ShortLink.hs:52-53) +// hkdf("", linkKey, "SimpleXInvLink", 32) -> sbKey[32] +export function invShortLinkKdf(linkKey: Uint8Array): Uint8Array { + return hkdf(emptySalt, linkKey, "SimpleXInvLink", 32) +} + +// decryptLinkData (Crypto/ShortLink.hs:100-125) +// Decrypts both EncDataBytes blobs, strips signature prefix, returns raw data. +// Signature verification is skipped for spike. +export function decryptLinkData( + sbKey: Uint8Array, + encFixedData: Uint8Array, + encUserData: Uint8Array +): {fixedData: Uint8Array; userData: Uint8Array} { + return { + fixedData: decryptSigned(sbKey, encFixedData), + userData: decryptSigned(sbKey, encUserData), + } +} + +// EncDataBytes format: [nonce 24 bytes][ciphertext with prepended Poly1305 tag] +// After decrypt+unpad: [sig ByteString (1-byte len + 64 bytes)][data] +function decryptSigned(sbKey: Uint8Array, encData: Uint8Array): Uint8Array { + const nonce = encData.subarray(0, 24) + const ct = encData.subarray(24) + const plaintext = cbDecrypt(sbKey, nonce, ct) + // Skip signature: decodeBytes reads 1-byte length + that many bytes + const d = new Decoder(plaintext) + decodeBytes(d) // signature, discarded + return d.takeAll() +} diff --git a/smp-web/src/crypto/sntrup761.ts b/smp-web/src/crypto/sntrup761.ts new file mode 100644 index 0000000000..8914607ef7 --- /dev/null +++ b/smp-web/src/crypto/sntrup761.ts @@ -0,0 +1,89 @@ +// SNTRUP761 post-quantum KEM. +// Mirrors: Simplex.Messaging.Crypto.SNTRUP761 +// +// Uses WASM compiled from the same C source as the Haskell build +// (cbits/sntrup761.c by djb et al., public domain). +// SHA-512 from SUPERCOP/NaCl (djb, public domain). + +// Key sizes (from sntrup761.h) +export const SNTRUP761_PUBLICKEY_SIZE = 1158 +export const SNTRUP761_SECRETKEY_SIZE = 1763 +export const SNTRUP761_CIPHERTEXT_SIZE = 1039 +export const SNTRUP761_SIZE = 32 // shared secret + +export interface KEMKeyPair { + publicKey: Uint8Array // 1158 bytes + secretKey: Uint8Array // 1763 bytes +} + +export interface KEMEncResult { + ciphertext: Uint8Array // 1039 bytes + sharedSecret: Uint8Array // 32 bytes +} + +// WASM module instance +let wasmModule: any = null + +export async function initSntrup761(): Promise { + if (wasmModule) return + const createSntrup761 = (await import("../../dist/wasm/sntrup761.mjs")).default + wasmModule = await createSntrup761() +} + +function getModule(): any { + if (!wasmModule) throw new Error("sntrup761 WASM not initialized - call initSntrup761() first") + return wasmModule +} + +export function sntrup761Keypair(): KEMKeyPair { + const m = getModule() + const pkPtr = m._malloc(SNTRUP761_PUBLICKEY_SIZE) + const skPtr = m._malloc(SNTRUP761_SECRETKEY_SIZE) + try { + m._sntrup761_wasm_keypair(pkPtr, skPtr) + const publicKey = new Uint8Array(m.HEAPU8.buffer, pkPtr, SNTRUP761_PUBLICKEY_SIZE).slice() + const secretKey = new Uint8Array(m.HEAPU8.buffer, skPtr, SNTRUP761_SECRETKEY_SIZE).slice() + return {publicKey, secretKey} + } finally { + m._free(pkPtr) + m._free(skPtr) + } +} + +export function sntrup761Enc(publicKey: Uint8Array): KEMEncResult { + if (publicKey.length !== SNTRUP761_PUBLICKEY_SIZE) throw new Error("bad public key length") + const m = getModule() + const pkPtr = m._malloc(SNTRUP761_PUBLICKEY_SIZE) + const ctPtr = m._malloc(SNTRUP761_CIPHERTEXT_SIZE) + const ssPtr = m._malloc(SNTRUP761_SIZE) + try { + m.HEAPU8.set(publicKey, pkPtr) + m._sntrup761_wasm_enc(ctPtr, ssPtr, pkPtr) + const ciphertext = new Uint8Array(m.HEAPU8.buffer, ctPtr, SNTRUP761_CIPHERTEXT_SIZE).slice() + const sharedSecret = new Uint8Array(m.HEAPU8.buffer, ssPtr, SNTRUP761_SIZE).slice() + return {ciphertext, sharedSecret} + } finally { + m._free(pkPtr) + m._free(ctPtr) + m._free(ssPtr) + } +} + +export function sntrup761Dec(ciphertext: Uint8Array, secretKey: Uint8Array): Uint8Array { + if (ciphertext.length !== SNTRUP761_CIPHERTEXT_SIZE) throw new Error("bad ciphertext length") + if (secretKey.length !== SNTRUP761_SECRETKEY_SIZE) throw new Error("bad secret key length") + const m = getModule() + const ctPtr = m._malloc(SNTRUP761_CIPHERTEXT_SIZE) + const skPtr = m._malloc(SNTRUP761_SECRETKEY_SIZE) + const ssPtr = m._malloc(SNTRUP761_SIZE) + try { + m.HEAPU8.set(ciphertext, ctPtr) + m.HEAPU8.set(secretKey, skPtr) + m._sntrup761_wasm_dec(ssPtr, ctPtr, skPtr) + return new Uint8Array(m.HEAPU8.buffer, ssPtr, SNTRUP761_SIZE).slice() + } finally { + m._free(ctPtr) + m._free(skPtr) + m._free(ssPtr) + } +} diff --git a/smp-web/src/index.ts b/smp-web/src/index.ts new file mode 100644 index 0000000000..fa23b4f606 --- /dev/null +++ b/smp-web/src/index.ts @@ -0,0 +1,12 @@ +// SMP protocol client for web/browser environments. +// Re-exports encoding primitives from xftp-web for convenience. +export { + Decoder, + encodeBytes, decodeBytes, + encodeLarge, decodeLarge, + encodeWord16, decodeWord16, + encodeBool, decodeBool, + encodeMaybe, decodeMaybe, + encodeList, decodeList, + concatBytes +} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" diff --git a/smp-web/src/protocol.ts b/smp-web/src/protocol.ts new file mode 100644 index 0000000000..151d9f3b00 --- /dev/null +++ b/smp-web/src/protocol.ts @@ -0,0 +1,571 @@ +// SMP protocol commands and transmission format. +// Mirrors: Simplex.Messaging.Protocol + Simplex.Messaging.Client (auth) + +import { + Decoder, concatBytes, + encodeBytes, decodeBytes, + encodeLarge, decodeLarge, + encodeWord16, decodeWord16, + encodeBool, decodeBool, + encodeMaybe, decodeMaybe, +} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" +import {cbEncrypt, cbDecrypt} from "@simplex-chat/xftp-web/dist/crypto/secretbox.js" +import {sign} from "@simplex-chat/xftp-web/dist/crypto/keys.js" +import {readTag, readSpace} from "@simplex-chat/xftp-web/dist/protocol/commands.js" +import {cbAuthenticator} from "./crypto.js" + +// -- Auth key type for command authentication (Client.hs:1372-1391) + +export type AuthKey = + | {type: "x25519", key: Uint8Array} // raw 32-byte private key → cbAuthenticator + | {type: "ed25519", key: Uint8Array} // raw 64-byte private key → sign + +// -- Transmission encoding (Protocol.hs:2186-2198) + +// encodeTransmission_ (Protocol.hs:2194-2198) +// smpEncode (corrId, entityId) <> encodeProtocol v command +// (command is pre-encoded bytes) +export function encodeTransmission(corrId: Uint8Array, entityId: Uint8Array, command: Uint8Array): Uint8Array { + return concatBytes(encodeBytes(corrId), encodeBytes(entityId), command) +} + +// encodeTransmissionForAuth (Protocol.hs:2186-2192) +// implySessId = true for v>=7 (always true for web client v19) +// tForAuth = sessionId <> encodeTransmission_(...) +// tToSend = encodeTransmission_(...) +export function encodeTransmissionForAuth( + sessionId: Uint8Array, corrId: Uint8Array, entityId: Uint8Array, command: Uint8Array, +): {tForAuth: Uint8Array, tToSend: Uint8Array} { + const tToSend = encodeTransmission(corrId, entityId, command) + const tForAuth = concatBytes(encodeBytes(sessionId), tToSend) + return {tForAuth, tToSend} +} + +// -- Command authentication (Client.hs:1372-1391) + +// authTransmission: produce auth bytes for a transmission +// Returns null for unauthenticated commands, Uint8Array of auth bytes otherwise +export function authTransmission( + serverPubKey: Uint8Array, // server's X25519 public key from handshake + privKey: AuthKey | null, // null for unauthenticated commands (LGET, SEND without key) + nonce: Uint8Array, // 24-byte CorrId/nonce (same bytes) + tForAuth: Uint8Array, // transmission bytes to authenticate +): Uint8Array | null { + if (privKey === null) return null + switch (privKey.type) { + case "x25519": + // TAAuthenticator: cbAuthenticate(serverPubKey, entityPrivKey, nonce, tForAuth) + return cbAuthenticator(serverPubKey, privKey.key, nonce, tForAuth) + case "ed25519": + // TASignature: sign(entityPrivKey, tForAuth) + return sign(privKey.key, tForAuth) + } +} + +// tEncodeAuth (Protocol.hs:507-516) +// For v16+ (serviceAuth=true): when auth is present, encode serviceSig as Nothing (0x30) after auth. +// When auth is absent: just empty ByteString. +export function tEncodeAuth(auth: Uint8Array | null): Uint8Array { + if (auth === null) return encodeBytes(new Uint8Array(0)) // empty ByteString: [0x00] + // serviceAuth=true for v16+: smpEncode (authBytes, serviceSig) where serviceSig = Nothing + return concatBytes(encodeBytes(auth), new Uint8Array([0x30])) // auth + Nothing +} + +// tEncode (Protocol.hs:2171-2172) +export function tEncode(auth: Uint8Array | null, tToSend: Uint8Array): Uint8Array { + return concatBytes(tEncodeAuth(auth), tToSend) +} + +// tEncodeBatch1 (Protocol.hs:2179-2180) +// Single-command batch: count=1 + Large(tEncode(...)) +export function tEncodeBatch1(auth: Uint8Array | null, tToSend: Uint8Array): Uint8Array { + return concatBytes(new Uint8Array([1]), encodeLarge(tEncode(auth, tToSend))) +} + +// tEncodeForBatch (Protocol.hs:2175-2176) +// Large(tEncode(...)) — for multi-command batches +export function tEncodeForBatch(auth: Uint8Array | null, tToSend: Uint8Array): Uint8Array { + return encodeLarge(tEncode(auth, tToSend)) +} + +// batchTransmissions (Protocol.hs:2151-2168) +// Pack multiple encoded transmissions into ≤blockSize blocks. +// Each input is an already-encoded Large-wrapped transmission. +// Returns array of blocks, each prefixed with count byte. +export function batchTransmissions(blockSize: number, transmissions: Uint8Array[]): Uint8Array[] { + const maxPayload = blockSize - 19 // 2 pad + 1 count + 16 auth tag + const blocks: Uint8Array[] = [] + let currentParts: Uint8Array[] = [] + let currentLen = 0 + let count = 0 + for (const t of transmissions) { + const tLen = t.length + if (tLen > maxPayload) throw new Error("batchTransmissions: transmission too large") + if (currentLen + tLen > maxPayload || count >= 255) { + if (count > 0) blocks.push(concatBytes(new Uint8Array([count]), ...currentParts)) + currentParts = [t] + currentLen = tLen + count = 1 + } else { + currentParts.push(t) + currentLen += tLen + count++ + } + } + if (count > 0) blocks.push(concatBytes(new Uint8Array([count]), ...currentParts)) + return blocks +} + +// -- Transmission parsing (Protocol.hs:1629-1643, 2211-2267) + +export interface RawTransmission { + corrId: Uint8Array + entityId: Uint8Array + command: Uint8Array +} + +// transmissionP (Protocol.hs:1629-1642) +// Parse a single transmission from block bytes. +// implySessId=true, serviceAuth=false for web client. +export function transmissionP(data: Uint8Array): RawTransmission { + const d = new Decoder(data) + const auth = decodeBytes(d) // authenticator + // serviceAuth=true for v16+: if auth is non-empty, skip serviceSig (Maybe Signature) + if (auth.length > 0) { + decodeMaybe(decodeBytes, d) // skip serviceSig + } + const rest = d.takeAll() // authorized bytes + // re-parse authorized: corrId + entityId + command + const d2 = new Decoder(rest) + // implySessId=true: no sessionId in wire format + const corrId = decodeBytes(d2) + const entityId = decodeBytes(d2) + const command = d2.takeAll() + return {corrId, entityId, command} +} + +// tParse (Protocol.hs:2211-2217) +// Parse a received block into individual transmissions. +// batch=true: count byte + N Large-wrapped transmissions +export function tParse(block: Uint8Array): RawTransmission[] { + const d = new Decoder(block) + const count = d.anyByte() + const transmissions: RawTransmission[] = [] + for (let i = 0; i < count; i++) { + const data = decodeLarge(d) + transmissions.push(transmissionP(data)) + } + return transmissions +} + +// tDecodeClient (Protocol.hs:2256-2266) +// Parse command bytes into typed response. +export function tDecodeClient(raw: RawTransmission): {corrId: Uint8Array, entityId: Uint8Array, response: SMPResponse} { + const response = decodeResponse(new Decoder(raw.command)) + return {corrId: raw.corrId, entityId: raw.entityId, response} +} + +// -- SMP command tags + +const SPACE = 0x20 + +function ascii(s: string): Uint8Array { + const buf = new Uint8Array(s.length) + for (let i = 0; i < s.length; i++) buf[i] = s.charCodeAt(i) + return buf +} + +// -- LGET command (Protocol.hs:1709) +// No parameters. EntityId carries LinkId in transmission. + +export function encodeLGET(): Uint8Array { + return ascii("LGET") +} + +// -- LNK response (Protocol.hs:1834) +// LNK sId d -> e (LNK_, ' ', sId, d) +// where d = (EncFixedDataBytes, EncUserDataBytes), both Large-encoded + +export interface LNKResponse { + senderId: Uint8Array + encFixedData: Uint8Array + encUserData: Uint8Array +} + +export function decodeLNK(d: Decoder): LNKResponse { + const senderId = decodeBytes(d) + const encFixedData = decodeLarge(d) + const encUserData = decodeLarge(d) + return {senderId, encFixedData, encUserData} +} + +// -- Response dispatch (same pattern as xftp-web decodeResponse) + +export interface PKEYResponse { + sessionId: Uint8Array + versionRange: {min: number, max: number} + certChainDer: Uint8Array // Large-encoded DER certificate chain + signedKeyDer: Uint8Array // Large-encoded DER signed public key +} + +export type SMPResponse = + | {type: "LNK", response: LNKResponse} + | {type: "IDS", response: IDSResponse} + | {type: "MSG", response: MSGResponse} + | {type: "OK"} + | {type: "SOK", serviceId: Uint8Array | null} + | {type: "PKEY", response: PKEYResponse} + | {type: "PRES", encResponse: Uint8Array} + | {type: "PONG"} + | {type: "END"} + | {type: "DELD"} + | {type: "ERR", error: string} + +// protocolError check (Client.hs:710-712) +// Returns the error string if this is an ERR response, null otherwise +export function protocolError(resp: SMPResponse): string | null { + return resp.type === "ERR" ? resp.error : null +} + +export function decodeResponse(d: Decoder): SMPResponse { + const tag = readTag(d) + switch (tag) { + case "LNK": { + readSpace(d) + return {type: "LNK", response: decodeLNK(d)} + } + case "IDS": { + readSpace(d) + return {type: "IDS", response: decodeIDS(d)} + } + case "MSG": { + readSpace(d) + return {type: "MSG", response: decodeMSG(d)} + } + case "OK": return {type: "OK"} + case "SOK": { + // SOK serviceId_ → e(SOK_, ' ', serviceId_) + readSpace(d) + const serviceId = d.remaining() > 0 ? decodeMaybe(decodeBytes, d) : null + return {type: "SOK", serviceId} + } + case "PKEY": { + // PKEY sessionId versionRange certChainPubKey (Protocol.hs:1894) + // PKEY_ -> PKEY <$> _smpP <*> smpP <*> smpP + // sessionId: ByteString, versionRange: (Word16, Word16) + // certChainPubKey: (NonEmpty Large, SignedObject) (Transport.hs:663-664) + // certChain = NonEmpty Large = 1-byte count + N × Large(2-byte len + DER) + // signedKey = Large(2-byte len + DER) + readSpace(d) + const sessionId = decodeBytes(d) + const min = decodeWord16(d) + const max = decodeWord16(d) + // certChain: NonEmpty Large (1-byte count + N × Large-encoded DER certs) + const certCount = d.anyByte() + const certChainDers: Uint8Array[] = [] + for (let i = 0; i < certCount; i++) certChainDers.push(decodeLarge(d)) + // signedKey: Large-encoded DER + const signedKeyDer = decodeLarge(d) + return {type: "PKEY", response: {sessionId, versionRange: {min, max}, certChainDer: certChainDers[0] ?? new Uint8Array(0), signedKeyDer}} + } + case "PRES": { + // PRES (EncResponse encBlock) (Protocol.hs:1896) + // PRES_ -> PRES <$> (EncResponse . unTail <$> _smpP) + readSpace(d) + return {type: "PRES", encResponse: d.takeAll()} + } + case "PONG": return {type: "PONG"} + case "END": return {type: "END"} + case "DELD": return {type: "DELD"} + case "ERR": { + readSpace(d) + // Read the full error string (may be multi-word like "AUTH" or "QUOTA") + const errBytes = d.takeAll() + return {type: "ERR", error: new TextDecoder().decode(errBytes)} + } + default: throw new Error("unknown SMP response: " + tag) + } +} + +// -- SMP command encoders (Protocol.hs:1679-1715) + +// MsgFlags (Protocol.hs:884-892) +// Single byte: Bool encoding of notification flag +export function encodeMsgFlags(notification: boolean): Uint8Array { + return encodeBool(notification) +} + +// SubscriptionMode (Protocol.hs:651-659) +// 'S' = SMSubscribe, 'C' = SMOnlyCreate +export function encodeSubMode(subscribe: boolean): Uint8Array { + return ascii(subscribe ? "S" : "C") +} + +// NEW (Protocol.hs:1682-1689) +// For v19: e(NEW_, ' ', rKey, dhKey) <> e(auth_, subMode, queueReqData, ntfCreds) +// QueueReqData: QRMessaging Nothing = 'M' + Nothing(0x30) +export function encodeNEW( + rcvAuthKey: Uint8Array, // DER-encoded Ed25519 or X25519 public key + rcvDhKey: Uint8Array, // DER-encoded X25519 public key + basicAuth: Uint8Array | null, // Maybe BasicAuth (server auth, not a crypto key) + subscribe: boolean, +): Uint8Array { + // QRMessaging Nothing: Just('M', Nothing) = 0x31 0x4D 0x30 + const queueReqData = new Uint8Array([0x31, 0x4D, 0x30]) + return concatBytes( + ascii("NEW "), + encodeBytes(rcvAuthKey), + encodeBytes(rcvDhKey), + encodeMaybe(encodeBytes, basicAuth), + encodeSubMode(subscribe), + queueReqData, + new Uint8Array([0x30]), // ntfCreds = Nothing + ) +} + +// KEY (Protocol.hs:1692) +// KEY k -> e(KEY_, ' ', k) +export function encodeKEY(senderKey: Uint8Array): Uint8Array { + return concatBytes(ascii("KEY "), encodeBytes(senderKey)) +} + +// SKEY (Protocol.hs:1703) +// SKEY k -> e(SKEY_, ' ', k) +export function encodeSKEY(senderKey: Uint8Array): Uint8Array { + return concatBytes(ascii("SKEY "), encodeBytes(senderKey)) +} + +// SUB (Protocol.hs:1690) +export function encodeSUB(): Uint8Array { + return ascii("SUB") +} + +// ACK (Protocol.hs:1699) +// ACK msgId -> e(ACK_, ' ', msgId) +export function encodeACK(msgId: Uint8Array): Uint8Array { + return concatBytes(ascii("ACK "), encodeBytes(msgId)) +} + +// SEND (Protocol.hs:1704) +// SEND flags msg -> e(SEND_, ' ', flags, ' ', Tail msg) +export function encodeSEND(notification: boolean, msgBody: Uint8Array): Uint8Array { + return concatBytes( + ascii("SEND "), + encodeMsgFlags(notification), + ascii(" "), + msgBody, // Tail - no length prefix + ) +} + +// OFF (Protocol.hs:1700) +export function encodeOFF(): Uint8Array { + return ascii("OFF") +} + +// DEL (Protocol.hs:1701) +export function encodeDEL(): Uint8Array { + return ascii("DEL") +} + +// GET (Protocol.hs:1698) +export function encodeGET(): Uint8Array { + return ascii("GET") +} + +// QUE (Protocol.hs:1702) +export function encodeQUE(): Uint8Array { + return ascii("QUE") +} + +// PING (Protocol.hs:1705) +export function encodePING(): Uint8Array { + return ascii("PING") +} + +// -- Proxy commands (Protocol.hs:1710-1711) + +// encodeProtocolServer (Protocol.hs:1264-1266) +// smpEncode ProtocolServer {host, port, keyHash} = smpEncode (host, port, keyHash) +// host :: NonEmpty TransportHost → smpEncodeList (1-byte count + encodeBytes(strEncode(host)) for each) +// port :: ServiceName = ByteString → encodeBytes +// keyHash :: KeyHash = ByteString → encodeBytes +export function encodeProtocolServer(hosts: string[], port: string, keyHash: Uint8Array): Uint8Array { + const encodedHosts = hosts.map(h => encodeBytes(ascii(h))) + const hostList = concatBytes(new Uint8Array([hosts.length]), ...encodedHosts) + return concatBytes(hostList, encodeBytes(ascii(port)), encodeBytes(keyHash)) +} + +// PRXY (Protocol.hs:1710) +// PRXY host auth_ -> e(PRXY_, ' ', host, auth_) +export function encodePRXY(hosts: string[], port: string, keyHash: Uint8Array, basicAuth: Uint8Array | null): Uint8Array { + return concatBytes( + ascii("PRXY "), + encodeProtocolServer(hosts, port, keyHash), + encodeMaybe(encodeBytes, basicAuth), + ) +} + +// PFWD (Protocol.hs:1711) +// PFWD fwdV pubKey (EncTransmission s) -> e(PFWD_, ' ', fwdV, pubKey, Tail s) +export function encodePFWD(version: number, pubKeyDer: Uint8Array, encTransmission: Uint8Array): Uint8Array { + return concatBytes( + ascii("PFWD "), + encodeWord16(version), + encodeBytes(pubKeyDer), + encTransmission, // Tail — no length prefix + ) +} + +// paddedProxiedTLength (Protocol.hs:306-307) +export const paddedProxiedTLength = 16226 + +// -- SMP response decoders + +// IDS (Protocol.hs:1914-1921) +// For v19: e(IDS_, ' ', rcvId, sndId, srvDh) <> e(queueMode, linkId, serviceId, ntfCreds) +export interface IDSResponse { + rcvId: Uint8Array + sndId: Uint8Array + srvDhKey: Uint8Array + queueMode: string | null // 'M' = Messaging, 'C' = Contact + linkId: Uint8Array | null +} + +export function decodeIDS(d: Decoder): IDSResponse { + const rcvId = decodeBytes(d) + const sndId = decodeBytes(d) + const srvDhKey = decodeBytes(d) + // v19: queueMode (Maybe QueueMode), linkId (Maybe ByteString), serviceId, ntfCreds + // QueueMode is encoded as Maybe Char ('M'/'C'), not Maybe ByteString + let queueMode: string | null = null + if (d.remaining() > 0) { + const qmByte = d.anyByte() + if (qmByte === 0x31) { // '1' = Just + queueMode = String.fromCharCode(d.anyByte()) + } + // '0' = Nothing, queueMode stays null + } + let linkId: Uint8Array | null = null + if (d.remaining() > 0) { + linkId = decodeMaybe(decodeBytes, d) + } + // serviceId and ntfCreds - skip remaining + return {rcvId, sndId, srvDhKey, queueMode, linkId} +} + +// MSG (Protocol.hs:1927-1928) +// MSG RcvMessage {msgId, msgBody = EncRcvMsgBody body} -> e(MSG_, ' ', msgId, Tail body) +export interface MSGResponse { + msgId: Uint8Array + msgBody: Uint8Array +} + +export function decodeMSG(d: Decoder): MSGResponse { + const msgId = decodeBytes(d) + const msgBody = d.takeAll() + return {msgId, msgBody} +} + +// -- Per-queue E2E encryption (Protocol.hs:1071-1114) + +// Protocol.hs:316-320 +export const e2eEncMessageLength = 16000 +export const e2eEncConfirmationLength = 15904 + +// Protocol.hs:1078-1086 +export interface PubHeader { + phVersion: number // VersionSMPC (Word16) + phE2ePubDhKey: Uint8Array | null // Maybe PublicKeyX25519 (DER-encoded ByteString) +} + +export function encodePubHeader(h: PubHeader): Uint8Array { + return concatBytes(encodeWord16(h.phVersion), encodeMaybe(encodeBytes, h.phE2ePubDhKey)) +} + +export function decodePubHeader(d: Decoder): PubHeader { + return {phVersion: decodeWord16(d), phE2ePubDhKey: decodeMaybe(decodeBytes, d)} +} + +// Protocol.hs:1097-1110 +export type PrivHeader = + | {type: "PHConfirmation", key: Uint8Array} // 'K' + DER-encoded APublicAuthKey + | {type: "PHEmpty"} // '_' + +export function encodePrivHeader(h: PrivHeader): Uint8Array { + switch (h.type) { + case "PHConfirmation": return concatBytes(new Uint8Array([0x4B]), encodeBytes(h.key)) // 'K' + encodeBytes + case "PHEmpty": return new Uint8Array([0x5F]) // '_' + } +} + +export function decodePrivHeader(d: Decoder): PrivHeader { + const tag = d.anyByte() + switch (tag) { + case 0x4B: return {type: "PHConfirmation", key: decodeBytes(d)} // 'K' + case 0x5F: return {type: "PHEmpty"} // '_' + default: throw new Error("decodePrivHeader: unknown tag " + tag) + } +} + +// Protocol.hs:1095, 1112-1114 +export interface ClientMessage { + privHeader: PrivHeader + body: Uint8Array +} + +// smpEncode (ClientMessage h msg) = smpEncode h <> msg +export function encodeClientMessage(msg: ClientMessage): Uint8Array { + return concatBytes(encodePrivHeader(msg.privHeader), msg.body) +} + +export function decodeClientMessage(d: Decoder): ClientMessage { + const privHeader = decodePrivHeader(d) + const body = d.takeAll() + return {privHeader, body} +} + +// Protocol.hs:1071-1093 +export interface ClientMsgEnvelope { + cmHeader: PubHeader + cmNonce: Uint8Array // CbNonce: raw 24 bytes + cmEncBody: Uint8Array // encrypted body (Tail) +} + +// smpEncode (cmHeader, cmNonce, Tail cmEncBody) +export function encodeClientMsgEnvelope(env: ClientMsgEnvelope): Uint8Array { + return concatBytes(encodePubHeader(env.cmHeader), env.cmNonce, env.cmEncBody) +} + +export function decodeClientMsgEnvelope(d: Decoder): ClientMsgEnvelope { + const cmHeader = decodePubHeader(d) + const cmNonce = d.take(24) // CbNonce is raw 24 bytes + const cmEncBody = d.takeAll() + return {cmHeader, cmNonce, cmEncBody} +} + +// -- Per-queue E2E encrypt/decrypt (Agent/Client.hs:2074-2102) + +// agentCbEncrypt: encrypt a ClientMessage and wrap in ClientMsgEnvelope +export function agentCbEncrypt( + e2eDhSecret: Uint8Array, // X25519 DH shared secret (32 bytes) + smpClientVersion: number, // Word16 + e2ePubKey: Uint8Array | null, // DER-encoded X25519 public key, null for normal messages + msg: Uint8Array, // smpEncode(ClientMessage) +): Uint8Array { + const cmNonce = crypto.getRandomValues(new Uint8Array(24)) + const paddedLen = e2ePubKey !== null ? e2eEncConfirmationLength : e2eEncMessageLength + const cmEncBody = cbEncrypt(e2eDhSecret, cmNonce, msg, paddedLen) + const cmHeader: PubHeader = {phVersion: smpClientVersion, phE2ePubDhKey: e2ePubKey} + return encodeClientMsgEnvelope({cmHeader, cmNonce, cmEncBody}) +} + +// agentCbDecrypt: decrypt a ClientMsgEnvelope +export function agentCbDecrypt( + dhSecret: Uint8Array, // X25519 DH shared secret (32 bytes) + data: Uint8Array, // raw ClientMsgEnvelope bytes +): {pubHeader: PubHeader, clientMessage: ClientMessage} { + const env = decodeClientMsgEnvelope(new Decoder(data)) + const plaintext = cbDecrypt(dhSecret, env.cmNonce, env.cmEncBody) + const clientMessage = decodeClientMessage(new Decoder(plaintext)) + return {pubHeader: env.cmHeader, clientMessage} +} diff --git a/smp-web/src/transport.ts b/smp-web/src/transport.ts new file mode 100644 index 0000000000..69b7759a4c --- /dev/null +++ b/smp-web/src/transport.ts @@ -0,0 +1,77 @@ +// SMP transport: handshake, block framing. +// Mirrors: Simplex.Messaging.Transport + +import { + Decoder, concatBytes, + encodeWord16, decodeWord16, + encodeBytes, decodeBytes, + encodeLarge, decodeLarge, + encodeBool, + encodeMaybe, + decodeNonEmpty +} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" + +// -- Version constants (Transport.hs:186-213) + +export const SMP_BLOCK_SIZE = 16384 +export const currentSMPVersion = 19 +export const webClientSMPVersion = 19 + +// -- SMPServerHandshake (Transport.hs:631-640) + +export interface SMPServerHandshake { + smpVersionRange: {min: number; max: number} + sessionId: Uint8Array + authPubKey: SMPAuthPubKey | null + webIdentityProof: Uint8Array | null // raw signature bytes (v19+) +} + +export interface SMPAuthPubKey { + certChainDer: Uint8Array[] // DER-encoded certificate chain + signedKeyDer: Uint8Array // DER-encoded SignedExact PubKey +} + +export function decodeSMPServerHandshake(d: Decoder): SMPServerHandshake { + const min = decodeWord16(d) + const max = decodeWord16(d) + const sessionId = decodeBytes(d) + // authPubKey: version-gated (v7+) + let authPubKey: SMPAuthPubKey | null = null + if (max >= 7 && d.remaining() > 0) { + const certChainDer = decodeNonEmpty(decodeLarge, d) + const signedKeyDer = decodeLarge(d) + authPubKey = {certChainDer, signedKeyDer} + } + // webIdentityProof: version-gated (v19+) + let webIdentityProof: Uint8Array | null = null + if (max >= webClientSMPVersion && d.remaining() > 0) { + webIdentityProof = decodeBytes(d) + } + return {smpVersionRange: {min, max}, sessionId, authPubKey, webIdentityProof} +} + +// -- SMPClientHandshake (Transport.hs:592-604) + +export interface SMPClientHandshake { + smpVersion: number + keyHash: Uint8Array + authPubKey: Uint8Array | null // X25519 public key, or null for no block encryption + proxyServer: boolean + clientService: null // not used in web client +} + +export function encodeSMPClientHandshake(h: SMPClientHandshake): Uint8Array { + const parts: Uint8Array[] = [ + encodeWord16(h.smpVersion), + encodeBytes(h.keyHash), + ] + // authPubKey: encodeAuthEncryptCmds — empty for Nothing, encodeBytes for Just (v7+) + if (h.authPubKey !== null) { + parts.push(encodeBytes(h.authPubKey)) + } + // proxyServer: Bool (v14+) + parts.push(encodeBool(h.proxyServer)) + // clientService: Maybe (v16+) — Nothing = '0' (0x30) + parts.push(encodeMaybe(() => new Uint8Array(0), null)) + return concatBytes(...parts) +} diff --git a/smp-web/src/transport/websockets.ts b/smp-web/src/transport/websockets.ts new file mode 100644 index 0000000000..d2147883ec --- /dev/null +++ b/smp-web/src/transport/websockets.ts @@ -0,0 +1,132 @@ +// WebSocket transport for SMP protocol. +// Mirrors: Simplex.Messaging.Transport.WebSockets (client side) + +import WebSocket from "ws" +import {randomBytes} from "crypto" +import {Decoder} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" +import {base64urlEncode} from "@simplex-chat/xftp-web/dist/protocol/description.js" +import {blockPad, blockUnpad} from "@simplex-chat/xftp-web/dist/protocol/transmission.js" +import {verifyIdentityProof} from "@simplex-chat/xftp-web/dist/crypto/identity.js" +import {generateX25519KeyPair, dh, encodePubKeyX25519} from "@simplex-chat/xftp-web/dist/crypto/keys.js" +import {extractSignedKey} from "@simplex-chat/xftp-web/dist/protocol/handshake.js" +import {decodeSMPServerHandshake, encodeSMPClientHandshake, SMP_BLOCK_SIZE, currentSMPVersion} from "../transport.js" +import {sbcInit, sbEncryptBlock, sbDecryptBlock} from "../crypto.js" + +export interface SMPConnection { + ws: WebSocket + sessionId: Uint8Array + smpVersion: number + // Block encryption state (null if no auth) + sndKey: Uint8Array | null + rcvKey: Uint8Array | null + // Server's raw X25519 public key — needed for command auth (cbAuthenticate) + serverPubKey: Uint8Array | null +} + +export async function connectSMP(url: string, keyHash: Uint8Array, wsOptions?: object): Promise { + // Generate challenge and append to URL + const challenge = new Uint8Array(randomBytes(32)) + const challengeUrl = url + (url.includes("?") ? "&" : "?") + "challenge=" + base64urlEncode(challenge).replace(/=+$/, "") + + const ws = new WebSocket(challengeUrl, wsOptions) + ws.binaryType = "arraybuffer" + + await new Promise((resolve, reject) => { + ws.onopen = () => resolve() + ws.onerror = (e) => reject(e) + }) + + // Receive server handshake (first block) + const serverBlock = await receiveBlock(ws) + const serverHs = decodeSMPServerHandshake(new Decoder(blockUnpad(serverBlock))) + + // Negotiate version + const version = Math.min(serverHs.smpVersionRange.max, currentSMPVersion) + if (version < 6) throw new Error("Incompatible server version") + + // Verify server identity and extract DH key + let sndKey: Uint8Array | null = null + let rcvKey: Uint8Array | null = null + let clientAuthPubKey: Uint8Array | null = null + let serverPubKey: Uint8Array | null = null + + if (serverHs.authPubKey) { + // Verify server identity if server supports web challenge (v19+) + if (serverHs.webIdentityProof) { + const ok = verifyIdentityProof({ + certChainDer: serverHs.authPubKey.certChainDer, + signedKeyDer: serverHs.authPubKey.signedKeyDer, + sigBytes: serverHs.webIdentityProof, + challenge, + sessionId: serverHs.sessionId, + keyHash, + }) + if (!ok) throw new Error("Server identity verification failed") + } + + // DH key exchange for block encryption (v11+) + serverPubKey = extractSignedKey(serverHs.authPubKey.signedKeyDer).dhKey + const clientKp = generateX25519KeyPair() + clientAuthPubKey = encodePubKeyX25519(clientKp.publicKey) + const dhSecret = dh(serverPubKey, clientKp.privateKey) + // Client swaps snd/rcv vs server (Transport.hs:880) + const keys = sbcInit(serverHs.sessionId, dhSecret) + sndKey = keys.rcvKey + rcvKey = keys.sndKey + } + + // Send client handshake + const clientHs = encodeSMPClientHandshake({ + smpVersion: version, + keyHash, + authPubKey: clientAuthPubKey, + proxyServer: false, + clientService: null + }) + sendBlock(ws, blockPad(clientHs, SMP_BLOCK_SIZE)) + + return {ws, sessionId: serverHs.sessionId, smpVersion: version, sndKey, rcvKey, serverPubKey} +} + +export function receiveBlock(ws: WebSocket): Promise { + return new Promise((resolve, reject) => { + ws.onmessage = (e) => { + const data = e.data + if (data instanceof ArrayBuffer) { + resolve(new Uint8Array(data)) + } else if (data instanceof Buffer) { + resolve(new Uint8Array(data)) + } else { + reject(new Error("Expected binary frame")) + } + } + ws.onerror = (e) => reject(e) + }) +} + +export function sendBlock(ws: WebSocket, data: Uint8Array): void { + if (data.length !== SMP_BLOCK_SIZE) throw new Error("Block must be " + SMP_BLOCK_SIZE + " bytes") + ws.send(data) +} + +// Encrypted block send: pad to (blockSize - 16), encrypt (adds 16-byte tag) +export function sendEncryptedBlock(conn: SMPConnection, plaintext: Uint8Array): void { + if (!conn.sndKey) throw new Error("no block encryption keys") + const {encrypted, nextChainKey} = sbEncryptBlock(conn.sndKey, plaintext, SMP_BLOCK_SIZE - 16) + conn.sndKey = nextChainKey + ws_send(conn.ws, encrypted) +} + +// Encrypted block receive: decrypt (removes 16-byte tag + unpad) +export async function receiveEncryptedBlock(conn: SMPConnection): Promise { + if (!conn.rcvKey) throw new Error("no block encryption keys") + const block = await receiveBlock(conn.ws) + const {decrypted, nextChainKey} = sbDecryptBlock(conn.rcvKey, block) + conn.rcvKey = nextChainKey + return decrypted +} + +function ws_send(ws: WebSocket, data: Uint8Array): void { + if (data.length !== SMP_BLOCK_SIZE) throw new Error("Encrypted block must be " + SMP_BLOCK_SIZE + " bytes") + ws.send(data) +} diff --git a/smp-web/tests/client-repl.ts b/smp-web/tests/client-repl.ts new file mode 100644 index 0000000000..f40aef21b0 --- /dev/null +++ b/smp-web/tests/client-repl.ts @@ -0,0 +1,257 @@ +// SMP client REPL for cross-language testing. +// Holds one SMPClient, reads commands from stdin, writes results to stdout. +// +// Commands: +// CONNECT [wsOptionsJson] +// NEW +// SUB +// SEND +// ACK +// KEY +// SKEY +// DEL +// OFF +// PING +// RECV [timeoutMs] +// CLOSE + +import {createInterface} from "readline" +import {createSMPClient, type SMPClient} from "../dist/client.js" +import type {SMPResponse, AuthKey} from "../dist/protocol.js" +import {generateX25519KeyPair, dh, encodePubKeyX25519, decodePubKeyX25519} from "@simplex-chat/xftp-web/dist/crypto/keys.js" +import {cbDecrypt} from "@simplex-chat/xftp-web/dist/crypto/secretbox.js" +import {Decoder, decodeBytes, decodeBool} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" + +import type {ProxiedRelay} from "../dist/client.js" + +// -- State + +let client: SMPClient | null = null +let proxiedRelay: ProxiedRelay | null = null +// Per-queue DH shared secrets for decrypting received messages (keyed by rcvId hex) +const queueSecrets = new Map() +const messageQueue: Array<{entityId: Uint8Array, msg: SMPResponse}> = [] +let messageWaiter: {resolve: (m: {entityId: Uint8Array, msg: SMPResponse}) => void, timer: ReturnType} | null = null + +// -- Hex helpers + +function toHex(bytes: Uint8Array): string { + return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("") +} + +function fromHex(hex: string): Uint8Array { + const bytes = new Uint8Array(hex.length / 2) + for (let i = 0; i < hex.length; i += 2) + bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16) + return bytes +} + +// -- Message delivery + +function onMessage(entityId: Uint8Array, msg: SMPResponse): void { + if (messageWaiter) { + const w = messageWaiter + messageWaiter = null + clearTimeout(w.timer) + w.resolve({entityId, msg}) + } else { + messageQueue.push({entityId, msg}) + } +} + +function waitForMessage(timeoutMs: number): Promise<{entityId: Uint8Array, msg: SMPResponse}> { + if (messageQueue.length > 0) { + return Promise.resolve(messageQueue.shift()!) + } + return new Promise((resolve, reject) => { + const timer = setTimeout(() => { + messageWaiter = null + reject(new Error("timeout")) + }, timeoutMs) + messageWaiter = {resolve, timer} + }) +} + +function makeAuthKey(hexKey: string): AuthKey { + return {type: "x25519", key: fromHex(hexKey)} +} + +// -- Command parser + +async function parseLine(line: string): Promise { + const parts = line.split(" ") + const cmd = parts[0] + + try { + switch (cmd) { + case "CONNECT": { + const url = parts[1] + const keyHash = fromHex(parts[2]) + const wsOptions = parts[3] ? JSON.parse(parts[3]) : undefined + client = await createSMPClient(url, keyHash, onMessage, () => { + process.stderr.write("disconnected\n") + }, {wsOptions, timeout: 15000}) + return "ok" + } + + case "NEW": { + if (!client) return "error: not connected" + const rcvAuthKey = fromHex(parts[1]) + const rcvPrivKey = fromHex(parts[2]) + // Generate DH keypair for per-queue E2E + const dhKp = generateX25519KeyPair() + const dhPubDer = encodePubKeyX25519(dhKp.publicKey) + const resp = await client.createQueue( + {publicKey: rcvAuthKey, privateKey: rcvPrivKey}, + dhPubDer, + true, + ) + // Compute and store DH shared secret for decrypting received messages + const srvDhRaw = decodePubKeyX25519(resp.srvDhKey) + const dhShared = dh(srvDhRaw, dhKp.privateKey) + queueSecrets.set(toHex(resp.rcvId), dhShared) + return "ok: " + toHex(resp.rcvId) + " " + toHex(resp.sndId) + " " + toHex(resp.srvDhKey) + } + + case "SUB": { + if (!client) return "error: not connected" + await client.subscribeQueue(makeAuthKey(parts[2]), fromHex(parts[1])) + return "ok" + } + + case "SEND": { + if (!client) return "error: not connected" + const sndId = fromHex(parts[1]) + const privKey: AuthKey | null = parts[2] === "none" ? null : makeAuthKey(parts[2]) + const notification = parts[3] === "1" + const body = fromHex(parts[4]) + await client.sendMessage(privKey, sndId, notification, body) + return "ok" + } + + case "ACK": { + if (!client) return "error: not connected" + await client.ackMessage(makeAuthKey(parts[2]), fromHex(parts[1]), fromHex(parts[3])) + return "ok" + } + + case "KEY": { + if (!client) return "error: not connected" + await client.secureQueue(makeAuthKey(parts[2]), fromHex(parts[1]), fromHex(parts[3])) + return "ok" + } + + case "SKEY": { + if (!client) return "error: not connected" + await client.secureSndQueue(makeAuthKey(parts[2]), fromHex(parts[1])) + return "ok" + } + + case "DEL": { + if (!client) return "error: not connected" + await client.deleteQueue(makeAuthKey(parts[2]), fromHex(parts[1])) + return "ok" + } + + case "OFF": { + if (!client) return "error: not connected" + await client.suspendQueue(makeAuthKey(parts[2]), fromHex(parts[1])) + return "ok" + } + + case "PING": { + if (!client) return "error: not connected" + // Optional auth key as second arg: PING + const pingKey: AuthKey | null = parts[1] ? makeAuthKey(parts[1]) : null + const resp = await client.sendCommand(pingKey, new Uint8Array(0), new TextEncoder().encode("PING")) + return resp.type === "PONG" ? "ok" : "error: unexpected " + resp.type + } + + case "RECV": { + if (!client) return "error: not connected" + const timeoutMs = parts[1] ? parseInt(parts[1]) : 5000 + const m = await waitForMessage(timeoutMs) + if (m.msg.type === "MSG") { + const {msgId, msgBody} = m.msg.response + // Decrypt per-queue E2E: cbDecrypt(dhShared, cbNonce(msgId), body) + const dhShared = queueSecrets.get(toHex(m.entityId)) + if (dhShared) { + // decryptMsgV3: cbDecrypt then parse ClientRcvMsgBody (msgTs + msgFlags + space + Tail msgBody) + const decrypted = cbDecrypt(dhShared, msgId, msgBody) + const dd = new Decoder(decrypted) + dd.take(8) // skip msgTs (SystemTime = Int64 = 8 bytes) + dd.take(1) // skip msgFlags (Bool = 1 byte) + dd.take(1) // skip space (0x20) + const body = dd.takeAll() + return "ok: " + toHex(m.entityId) + " " + toHex(msgId) + " " + toHex(body) + } + // No DH secret (sender queue) — return raw + return "ok: " + toHex(m.entityId) + " " + toHex(msgId) + " " + toHex(msgBody) + } + return "ok: " + toHex(m.entityId) + " " + m.msg.type + } + + // BSUB : : ... + case "BSUB": { + if (!client) return "error: not connected" + const queues = parts.slice(1).map(p => { + const [rcvIdHex, privKeyHex] = p.split(":") + return {rcvId: fromHex(rcvIdHex), privKey: makeAuthKey(privKeyHex)} + }) + await client.subscribeQueues(queues) + return "ok" + } + + // PRXY [basicAuthHex] + case "PRXY": { + if (!client) return "error: not connected" + const hosts = parts[1].split(",") + const port = parts[2] + const keyHash = fromHex(parts[3]) + const auth = parts[4] ? fromHex(parts[4]) : null + proxiedRelay = await client.connectProxiedRelay(hosts, port, keyHash, auth) + return "ok: " + toHex(proxiedRelay.sessionId) + " " + proxiedRelay.version + } + + // PSEND + case "PSEND": { + if (!client || !proxiedRelay) return "error: not connected or no proxy session" + const sndId = fromHex(parts[1]) + const privKey: AuthKey | null = parts[2] === "none" ? null : makeAuthKey(parts[2]) + const notification = parts[3] === "1" + const body = fromHex(parts[4]) + await client.proxySendMessage(proxiedRelay, privKey, sndId, notification, body) + return "ok" + } + + case "CLOSE": { + if (client) client.close() + client = null + return "ok" + } + + default: + return "error: unknown command: " + cmd + } + } catch (e: any) { + if (e.type) return "error: " + e.type + (e.error ? " " + e.error : "") + return "error: " + (e.message || String(e)) + } +} + +// -- Main + +async function main() { + const rl = createInterface({input: process.stdin, terminal: false}) + for await (const line of rl) { + const trimmed = line.trim() + if (!trimmed) continue + const response = await parseLine(trimmed) + process.stdout.write(response + "\n") + } +} + +main().catch(e => { + process.stderr.write("FATAL: " + e.message + "\n") + process.exit(1) +}) diff --git a/smp-web/tests/ratchet-repl.ts b/smp-web/tests/ratchet-repl.ts new file mode 100644 index 0000000000..4b8bc40336 --- /dev/null +++ b/smp-web/tests/ratchet-repl.ts @@ -0,0 +1,326 @@ +// Double ratchet REPL for cross-language testing. +// Holds one ratchet state, reads commands from stdin, writes results to stdout. +// +// Init protocol: +// INIT_RCV +// → ok: +// COMPLETE +// → ok +// INIT_SND +// → ok: +// kemMode: none | propose | accept +// +// Encrypt/decrypt operators (same syntax as Haskell DoubleRatchetTests): +// \#> encrypt, assert noSndKEM +// !#> <plaintext> encrypt, assert hasSndKEM +// \#>! <plaintext> encrypt PQEncOn, assert noSndKEM +// !#>! <plaintext> encrypt PQEncOn, assert hasSndKEM +// !#>\ <plaintext> encrypt PQEncOff, assert hasSndKEM +// \#>\ <plaintext> encrypt PQEncOff, assert noSndKEM +// <#\ <hex ct> <expected> decrypt, assert noRcvKEM +// <#! <hex ct> <expected> decrypt, assert hasRcvKEM +// +// Plain encrypt/decrypt (no assertions): +// E <plaintext> → ok: <hex ciphertext> +// D <hex ciphertext> → ok: <plaintext> +// +// Response format: ok: <data> or error: <message> + +import {createInterface} from "readline" +import { + generateX448KeyPair, pqX3dhSnd, pqX3dhRcv, + encodePubKeyX448, decodePubKeyX448, + initSndRatchet, initRcvRatchet, + rcEncrypt, rcDecrypt, + rootKdf, + type Ratchet, type SkippedMsgKeys, type RatchetVersions, + type RatchetInitParams, type RatchetKEMAccepted, +} from "../dist/crypto/ratchet.js" +import {initSntrup761, sntrup761Keypair, sntrup761Enc, sntrup761Dec} from "../dist/crypto/sntrup761.js" +import type {KEMKeyPair} from "../dist/crypto/sntrup761.js" +import { + Decoder, decodeBytes, decodeLarge, encodeBytes, encodeWord16, concatBytes, +} from "@simplex-chat/xftp-web/dist/protocol/encoding.js" + +// -- State + +let ratchet: Ratchet | null = null +let skippedKeys: SkippedMsgKeys = new Map() +const PADDED_MSG_LEN = 16000 + +// Intermediate state for RCV init (between INIT_RCV and COMPLETE) +let rcvInitState: { + privKey1: Uint8Array + privKey2: Uint8Array + kemKeyPair: KEMKeyPair | null + pqSupport: boolean +} | null = null + +// -- Hex helpers + +function toHex(bytes: Uint8Array): string { + return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("") +} + +function fromHex(hex: string): Uint8Array { + const bytes = new Uint8Array(hex.length / 2) + for (let i = 0; i < hex.length; i += 2) + bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16) + return bytes +} + +// -- E2E params helpers + +// Parse E2ERatchetParams: version(Word16) + pk1(ByteString) + pk2(ByteString) + Maybe KEMParams +interface ParsedE2EParams { + version: number + pk1Raw: Uint8Array // raw X448 public key + pk2Raw: Uint8Array // raw X448 public key + kemPk: Uint8Array | null // KEM public key if proposed + kemCt: Uint8Array | null // KEM ciphertext if accepted + kemAcceptPk: Uint8Array | null // KEM public key in accepted +} + +function parseE2EParams(data: Uint8Array): ParsedE2EParams { + const d = new Decoder(data) + const version = d.anyByte() * 256 + d.anyByte() + const pk1Raw = decodePubKeyX448(decodeBytes(d)) + const pk2Raw = decodePubKeyX448(decodeBytes(d)) + let kemPk: Uint8Array | null = null + let kemCt: Uint8Array | null = null + let kemAcceptPk: Uint8Array | null = null + if (version >= 3 && d.remaining() > 0) { + const maybeByte = d.anyByte() + if (maybeByte === 0x31) { // Just + const tag = d.anyByte() + if (tag === 0x50) { // 'P' Proposed + kemPk = decodeLarge(d) + } else if (tag === 0x41) { // 'A' Accepted + kemCt = decodeLarge(d) + kemAcceptPk = decodeLarge(d) + } + } + } + return {version, pk1Raw, pk2Raw, kemPk, kemCt, kemAcceptPk} +} + +// Encode E2ERatchetParams for sending to peer +function encodeE2EParams( + version: number, + pk1Raw: Uint8Array, pk2Raw: Uint8Array, + kemPk: Uint8Array | null, // for proposed + kemCt: Uint8Array | null, // for accepted + kemAcceptPk: Uint8Array | null, // public key in accepted +): Uint8Array { + const vBytes = new Uint8Array(2) + vBytes[0] = (version >> 8) & 0xff + vBytes[1] = version & 0xff + const parts = [vBytes, encodeBytes(encodePubKeyX448(pk1Raw)), encodeBytes(encodePubKeyX448(pk2Raw))] + if (version >= 3) { + if (kemCt && kemAcceptPk) { + // Just Accepted + parts.push(new Uint8Array([0x31, 0x41])) // Just + 'A' + parts.push(new Uint8Array([(kemCt.length >> 8) & 0xff, kemCt.length & 0xff])) + parts.push(kemCt) + parts.push(new Uint8Array([(kemAcceptPk.length >> 8) & 0xff, kemAcceptPk.length & 0xff])) + parts.push(kemAcceptPk) + } else if (kemPk) { + // Just Proposed + parts.push(new Uint8Array([0x31, 0x50])) // Just + 'P' + parts.push(new Uint8Array([(kemPk.length >> 8) & 0xff, kemPk.length & 0xff])) + parts.push(kemPk) + } else { + // Nothing + parts.push(new Uint8Array([0x30])) + } + } + return concatBytes(...parts) +} + +// -- Init handlers + +function handleInitRcv(version: number, pqSupport: boolean): string { + const kp1 = generateX448KeyPair() + const kp2 = generateX448KeyPair() + let kemKeyPair: KEMKeyPair | null = null + let kemPk: Uint8Array | null = null + if (pqSupport) { + kemKeyPair = sntrup761Keypair() + kemPk = kemKeyPair.publicKey + } + rcvInitState = {privKey1: kp1.privateKey, privKey2: kp2.privateKey, kemKeyPair, pqSupport} + const params = encodeE2EParams(version, kp1.publicKey, kp2.publicKey, kemPk, null, null) + return "ok: " + toHex(params) +} + +function handleComplete(peerParamsHex: string): string { + if (!rcvInitState) return "error: not in RCV init state" + const {privKey1, privKey2, kemKeyPair, pqSupport} = rcvInitState + const peerParams = parseE2EParams(fromHex(peerParamsHex)) + + // Build kemAccepted for X3DH if peer accepted our KEM proposal + let kemAccepted: RatchetKEMAccepted | null = null + if (peerParams.kemCt && peerParams.kemAcceptPk && kemKeyPair) { + const ss = sntrup761Dec(peerParams.kemCt, kemKeyPair.secretKey) + kemAccepted = {rcPQRr: peerParams.kemAcceptPk, rcPQRss: ss, rcPQRct: peerParams.kemCt} + } + + // X3DH (receiver side) + const initParams = pqX3dhRcv(privKey1, privKey2, peerParams.pk1Raw, peerParams.pk2Raw, kemAccepted) + + // Init receiving ratchet + const vs: RatchetVersions = {current: peerParams.version, maxSupported: peerParams.version} + ratchet = initRcvRatchet(vs, privKey2, initParams, kemKeyPair, pqSupport) + skippedKeys = new Map() + rcvInitState = null + return "ok" +} + +function handleInitSnd(version: number, kemMode: string, peerParamsHex: string): string { + const peerParams = parseE2EParams(fromHex(peerParamsHex)) + + const kp1 = generateX448KeyPair() + const kp2 = generateX448KeyPair() + const kp3 = generateX448KeyPair() // fresh DH key for ratchet + + // KEM handling + let kemAccepted: RatchetKEMAccepted | null = null + let ownKemKp: KEMKeyPair | null = null + let outKemPk: Uint8Array | null = null + let outKemCt: Uint8Array | null = null + let outKemAcceptPk: Uint8Array | null = null + + if (kemMode === "accept" && peerParams.kemPk) { + // Accept peer's KEM proposal + const encResult = sntrup761Enc(peerParams.kemPk) + ownKemKp = sntrup761Keypair() + kemAccepted = {rcPQRr: peerParams.kemPk, rcPQRss: encResult.sharedSecret, rcPQRct: encResult.ciphertext} + outKemCt = encResult.ciphertext + outKemAcceptPk = ownKemKp.publicKey + } else if (kemMode === "propose") { + ownKemKp = sntrup761Keypair() + outKemPk = ownKemKp.publicKey + } + + // X3DH (sender side) + const initParams = pqX3dhSnd(kp1.privateKey, kp2.privateKey, peerParams.pk1Raw, peerParams.pk2Raw, kemAccepted) + + // Init sending ratchet + const vs: RatchetVersions = {current: version, maxSupported: version} + ratchet = initSndRatchet(vs, peerParams.pk2Raw, kp3.privateKey, initParams, ownKemKp) + skippedKeys = new Map() + + const params = encodeE2EParams(version, kp1.publicKey, kp2.publicKey, outKemPk, outKemCt, outKemAcceptPk) + return "ok: " + toHex(params) +} + +// -- Encrypt/decrypt handlers + +function handleEncrypt(kemAssert: boolean | null, _pqPref: boolean | null, plaintext: string): string { + if (!ratchet) return "error: not initialized" + try { + const result = rcEncrypt(ratchet, new TextEncoder().encode(plaintext), PADDED_MSG_LEN) + ratchet = result.state + if (kemAssert === true && !ratchet.rcSndKEM) return "error: expected hasSndKEM" + if (kemAssert === false && ratchet.rcSndKEM) return "error: expected noSndKEM" + return "ok: " + toHex(result.ciphertext) + } catch (e: any) { + return "error: " + e.message + } +} + +function handleDecrypt(kemAssert: boolean | null, hexCt: string, expectedPlaintext: string | null): string { + if (!ratchet) return "error: not initialized" + try { + const ct = fromHex(hexCt) + const result = rcDecrypt(ratchet, skippedKeys, ct) + ratchet = result.state + skippedKeys = result.skippedKeys + const plaintext = new TextDecoder().decode(result.plaintext) + if (kemAssert === true && !ratchet.rcRcvKEM) return "error: expected hasRcvKEM" + if (kemAssert === false && ratchet.rcRcvKEM) return "error: expected noRcvKEM" + if (expectedPlaintext !== null && plaintext !== expectedPlaintext) + return "error: expected '" + expectedPlaintext + "', got '" + plaintext + "'" + return "ok: " + plaintext + } catch (e: any) { + return "error: " + e.message + } +} + +// -- Command parser + +function parseLine(line: string): string { + // Init commands + if (line.startsWith("INIT_RCV ")) { + const parts = line.split(" ") + return handleInitRcv(parseInt(parts[1]), parts[2] === "1") + } + if (line.startsWith("COMPLETE ")) { + return handleComplete(line.substring(9).trim()) + } + if (line.startsWith("INIT_SND ")) { + const parts = line.split(" ") + return handleInitSnd(parseInt(parts[1]), parts[2], parts[3]) + } + + // Query commands + if (line === "SNDKEM") { + if (!ratchet) return "error: not initialized" + return "ok: " + (ratchet.rcSndKEM ? "1" : "0") + } + if (line === "RCVKEM") { + if (!ratchet) return "error: not initialized" + return "ok: " + (ratchet.rcRcvKEM ? "1" : "0") + } + + // Encrypt operators: \#> !#> \#>! !#>! !#>\ \#>\ + const encMatch = line.match(/^([!\\])#(>[!\\]?)\s+(.+)$/) + if (encMatch) { + const [, kemChar, arrow, msg] = encMatch + const kemAssert = kemChar === "!" ? true : false + let pqPref: boolean | null = null + if (arrow === ">!") pqPref = true + else if (arrow === ">\\") pqPref = false + return handleEncrypt(kemAssert, pqPref, msg) + } + + // Decrypt operators: <#\ <#! + const decMatch = line.match(/^<#([!\\])\s+(\S+)\s+(.+)$/) + if (decMatch) { + const [, kemChar, hexCt, expected] = decMatch + const kemAssert = kemChar === "!" ? true : false + return handleDecrypt(kemAssert, hexCt, expected) + } + + // Plain encrypt (no assertion) + if (line.startsWith("E ")) { + return handleEncrypt(null, null, line.substring(2)) + } + + // Plain decrypt (no assertion, no expected) + if (line.startsWith("D ")) { + return handleDecrypt(null, line.substring(2), null) + } + + return "error: unknown command: " + line +} + +// -- Main + +async function main() { + await initSntrup761() + + const rl = createInterface({input: process.stdin, terminal: false}) + + for await (const line of rl) { + const trimmed = line.trim() + if (!trimmed) continue + const response = parseLine(trimmed) + process.stdout.write(response + "\n") + } +} + +main().catch(e => { + process.stderr.write("FATAL: " + e.message + "\n") + process.exit(1) +}) diff --git a/smp-web/tsconfig.json b/smp-web/tsconfig.json new file mode 100644 index 0000000000..2d66241bd4 --- /dev/null +++ b/smp-web/tsconfig.json @@ -0,0 +1,19 @@ +{ + "compilerOptions": { + "target": "ES2022", + "module": "ES2022", + "moduleResolution": "node", + "lib": ["ES2022"], + "outDir": "dist", + "rootDir": "src", + "declaration": true, + "strict": true, + "esModuleInterop": true, + "skipLibCheck": true, + "forceConsistentCasingInFileNames": true, + "resolveJsonModule": true, + "sourceMap": true + }, + "include": ["src/**/*.ts"], + "exclude": ["node_modules", "dist"] +} diff --git a/smp-web/tsconfig.test.json b/smp-web/tsconfig.test.json new file mode 100644 index 0000000000..960f588294 --- /dev/null +++ b/smp-web/tsconfig.test.json @@ -0,0 +1,15 @@ +{ + "compilerOptions": { + "target": "ES2022", + "module": "ES2022", + "moduleResolution": "node", + "lib": ["ES2022"], + "outDir": "dist-test", + "rootDir": "tests", + "strict": true, + "esModuleInterop": true, + "skipLibCheck": true, + "sourceMap": true + }, + "include": ["tests/**/*.ts"] +} diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index ec75a07d43..bdcdb6a42d 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -40,6 +40,7 @@ module Simplex.Messaging.Server dummyVerifyCmd, randomId, AttachHTTP, + WSHandler, MessageStats (..), ) where @@ -121,6 +122,7 @@ import qualified Simplex.Messaging.TMap as TM import Simplex.Messaging.Transport import Simplex.Messaging.Transport.Buffer (trimCR) import Simplex.Messaging.Transport.Server +import Simplex.Messaging.Transport.WebSockets (WS (..)) import Simplex.Messaging.Util import Simplex.Messaging.Version import System.Environment (lookupEnv) @@ -160,7 +162,8 @@ runSMPServerBlocking :: MsgStoreClass s => TMVar Bool -> ServerConfig s -> Maybe runSMPServerBlocking started cfg attachHTTP_ = newEnv cfg >>= runReaderT (smpServer started cfg attachHTTP_) type M s a = ReaderT (Env s) IO a -type AttachHTTP = Socket -> TLS.Context -> IO () +type AttachHTTP = Socket -> TLS 'TServer -> Maybe WSHandler -> IO () +type WSHandler = WS 'TServer -> IO () -- actions used in serverThread to reduce STM transaction scope data ClientSubAction @@ -211,10 +214,11 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt (Just httpCreds, Just attachHTTP) | addHTTP -> runTransportServerState_ ss started tcpPort defaultSupportedParamsHTTPS combinedCreds tCfg $ \s (sniUsed, h) -> case cast h of - Just (TLS {tlsContext} :: TLS 'TServer) | sniUsed -> labelMyThread "https client" >> attachHTTP s tlsContext + Just (tls :: TLS 'TServer) | sniUsed -> labelMyThread "https client" >> attachHTTP s tls (Just wsHandler) _ -> runClient srvCert srvSignKey t h `runReaderT` env where combinedCreds = TLSServerCredential {credential = smpCreds, sniCredential = Just httpCreds} + wsHandler ws = runClient srvCert srvSignKey (TProxy :: TProxy WS 'TServer) ws `runReaderT` env _ -> runTransportServerState ss started tcpPort defaultSupportedParams smpCreds tCfg $ \h -> runClient srvCert srvSignKey t h `runReaderT` env diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 92f0b08211..22c114ddd7 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -106,7 +106,7 @@ import System.Directory (renameFile) #endif smpServerCLI :: FilePath -> FilePath -> IO () -smpServerCLI = smpServerCLI_ (\_ _ _ -> pure ()) (\_ -> pure ()) (\_ -> error "attachStaticFiles not available") +smpServerCLI = smpServerCLI_ (\_ _ _ -> pure ()) (\_ -> pure ()) (\_ -> error "attachStaticAndWS not available") smpServerCLI_ :: (ServerInformation -> Maybe TransportHost -> FilePath -> IO ()) -> @@ -115,7 +115,7 @@ smpServerCLI_ :: FilePath -> FilePath -> IO () -smpServerCLI_ generateSite serveStaticFiles attachStaticFiles cfgPath logPath = +smpServerCLI_ generateSite serveStaticFiles attachStaticAndWS cfgPath logPath = getCliCommand' (cliCommandP cfgPath logPath iniFile) serverVersion >>= \case Init opts -> doesFileExist iniFile >>= \case @@ -489,7 +489,7 @@ smpServerCLI_ generateSite serveStaticFiles attachStaticFiles cfgPath logPath = case webStaticPath' of Just path | sharedHTTP -> do runWebServer path Nothing ServerInformation {config, information} - attachStaticFiles path $ \attachHTTP -> do + attachStaticAndWS path $ \attachHTTP -> do logDebug "Allocated web server resources" runSMPServer cfg (Just attachHTTP) `finally` logDebug "Releasing web server resources..." Just path -> do diff --git a/src/Simplex/Messaging/Server/Web.hs b/src/Simplex/Messaging/Server/Web.hs index 7044a7e393..c1eabedf80 100644 --- a/src/Simplex/Messaging/Server/Web.hs +++ b/src/Simplex/Messaging/Server/Web.hs @@ -1,3 +1,4 @@ +{-# LANGUAGE DataKinds #-} {-# LANGUAGE LambdaCase #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} @@ -8,7 +9,7 @@ module Simplex.Messaging.Server.Web WebHttpsParams (..), EmbeddedContent (..), serveStaticFiles, - attachStaticFiles, + attachStaticAndWS, serveStaticPageH2, generateSite, serverInfoSubsts, @@ -41,11 +42,14 @@ import qualified Network.Wai.Application.Static as S import qualified Network.Wai.Handler.Warp as W import qualified Network.Wai.Handler.Warp.Internal as WI import qualified Network.Wai.Handler.WarpTLS as WT +import qualified Network.Wai.Handler.WebSockets as WaiWS +import Network.WebSockets (defaultConnectionOptions, ConnectionOptions(..), SizeLimit(..), PendingConnection) import Simplex.Messaging.Encoding.String (strEncode) -import Simplex.Messaging.Server (AttachHTTP) +import Simplex.Messaging.Server (AttachHTTP, WSHandler) import Simplex.Messaging.Server.CLI (simplexmqCommit) import Simplex.Messaging.Server.Information -import Simplex.Messaging.Transport (simplexMQVersion) +import Simplex.Messaging.Transport (TLS (..), smpBlockSize, simplexMQVersion) +import Simplex.Messaging.Transport.WebSockets (WS (..), acceptWSConnection) import Simplex.Messaging.Util (tshow) import System.Directory (canonicalizePath, createDirectoryIfMissing, doesFileExist) import System.FilePath @@ -84,20 +88,23 @@ serveStaticFiles EmbeddedWebParams {webStaticPath, webHttpPort, webHttpsParams} where mkSettings port = W.setPort port warpSettings --- | Prepare context and prepare HTTP handler for TLS connections that already passed TLS.handshake and ALPN check. -attachStaticFiles :: FilePath -> (AttachHTTP -> IO ()) -> IO () -attachStaticFiles path action = do - app <- staticFiles path - -- Initialize global internal state for http server. +attachStaticAndWS :: FilePath -> (AttachHTTP -> IO a) -> IO a +attachStaticAndWS path action = WI.withII warpSettings $ \ii -> do - action $ \socket cxt -> do - -- Initialize internal per-connection resources. + action $ \socket tls wsHandler_ -> do + app <- case wsHandler_ of + Just wsHandler -> + WaiWS.websocketsOr wsOpts (acceptWSConnection tls >=> wsHandler) <$> staticFiles path + Nothing -> staticFiles path addr <- getPeerName socket - withConnection addr cxt $ \(conn, transport) -> + withConnection addr (tlsContext tls) $ \(conn, transport) -> withTimeout ii conn $ \th -> - -- Run Warp connection handler to process HTTP requests for static files. WI.serveConnection conn ii th addr transport warpSettings app where + wsOpts = defaultConnectionOptions + { connectionFramePayloadSizeLimit = SizeLimit $ fromIntegral smpBlockSize, + connectionMessageDataSizeLimit = SizeLimit 65536 + } -- from warp-tls withConnection socket cxt = bracket (WT.attachConn socket cxt) (terminate . fst) -- from warp @@ -105,7 +112,6 @@ attachStaticFiles path action = do bracket (WI.registerKillThread (WI.timeoutManager ii) (WI.connClose conn)) WI.cancel - -- shared clean up terminate conn = WI.connClose conn `finally` (readIORef (WI.connWriteBuffer conn) >>= WI.bufFree) warpSettings :: W.Settings diff --git a/src/Simplex/Messaging/Transport.hs b/src/Simplex/Messaging/Transport.hs index e2e912875f..f9dc4455ea 100644 --- a/src/Simplex/Messaging/Transport.hs +++ b/src/Simplex/Messaging/Transport.hs @@ -56,6 +56,7 @@ module Simplex.Messaging.Transport serviceCertsSMPVersion, newNtfCredsSMPVersion, clientNoticesSMPVersion, + webClientSMPVersion, simplexMQVersion, smpBlockSize, TransportConfig (..), @@ -140,7 +141,7 @@ import Simplex.Messaging.Encoding.String import Simplex.Messaging.Parsers (dropPrefix, parseRead1, sumTypeJSON) import Simplex.Messaging.Transport.Buffer import Simplex.Messaging.Transport.Shared -import Simplex.Messaging.Util (bshow, catchAll, catchAll_, liftEitherWith) +import Simplex.Messaging.Util (bshow, catchAll, catchAll_, liftEitherWith, (<$?>)) import Simplex.Messaging.Version import Simplex.Messaging.Version.Internal import System.IO.Error (isEOFError) @@ -218,6 +219,9 @@ newNtfCredsSMPVersion = VersionSMP 17 clientNoticesSMPVersion :: VersionSMP clientNoticesSMPVersion = VersionSMP 18 +webClientSMPVersion :: VersionSMP +webClientSMPVersion = VersionSMP 19 + minClientSMPRelayVersion :: VersionSMP minClientSMPRelayVersion = VersionSMP 6 @@ -225,13 +229,13 @@ minServerSMPRelayVersion :: VersionSMP minServerSMPRelayVersion = VersionSMP 6 currentClientSMPRelayVersion :: VersionSMP -currentClientSMPRelayVersion = VersionSMP 18 +currentClientSMPRelayVersion = VersionSMP 19 legacyServerSMPRelayVersion :: VersionSMP legacyServerSMPRelayVersion = VersionSMP 6 currentServerSMPRelayVersion :: VersionSMP -currentServerSMPRelayVersion = VersionSMP 18 +currentServerSMPRelayVersion = VersionSMP 19 -- Max SMP protocol version to be used in e2e encrypted -- connection between client and server, as defined by SMP proxy. @@ -296,6 +300,10 @@ class Typeable c => Transport (c :: TransportPeer -> Type) where -- | ALPN value negotiated for the session getSessionALPN :: c p -> Maybe ALPN + -- | Web client challenge for server identity verification (WebSocket only) + getWebChallenge :: c p -> Maybe ByteString + getWebChallenge _ = Nothing + -- | Close connection closeConnection :: c p -> IO () @@ -537,7 +545,9 @@ data SMPServerHandshake = SMPServerHandshake sessionId :: SessionId, -- pub key to agree shared secrets for command authorization and entity ID encryption. -- todo C.PublicKeyX25519 - authPubKey :: Maybe CertChainPubKey + authPubKey :: Maybe CertChainPubKey, + -- | signed web client challenge for server identity verification (v19+) + webIdentityProof :: Maybe C.ASignature } -- This is the third handshake message that SMP server sends to services @@ -629,15 +639,19 @@ ifHasService :: VersionSMP -> a -> a -> a ifHasService v a b = if v >= serviceCertsSMPVersion then a else b instance Encoding SMPServerHandshake where - smpEncode SMPServerHandshake {smpVersionRange, sessionId, authPubKey} = - smpEncode (smpVersionRange, sessionId) <> auth + smpEncode SMPServerHandshake {smpVersionRange, sessionId, authPubKey, webIdentityProof} = + smpEncode (smpVersionRange, sessionId) <> auth <> webProof where - auth = encodeAuthEncryptCmds (maxVersion smpVersionRange) authPubKey + v = maxVersion smpVersionRange + auth = encodeAuthEncryptCmds v authPubKey + webProof = encodeWebIdentityProof v webIdentityProof smpP = do (smpVersionRange, sessionId) <- smpP + let v = maxVersion smpVersionRange -- TODO drop SMP v6: remove special parser and make key non-optional - authPubKey <- authEncryptCmdsP (maxVersion smpVersionRange) smpP - pure SMPServerHandshake {smpVersionRange, sessionId, authPubKey} + authPubKey <- authEncryptCmdsP v smpP + webIdentityProof <- webIdentityProofP v + pure SMPServerHandshake {smpVersionRange, sessionId, authPubKey, webIdentityProof} -- newtype for CertificateChain and a session key signed with this certificate data CertChainPubKey = CertChainPubKey @@ -661,6 +675,16 @@ encodeAuthEncryptCmds v k authEncryptCmdsP :: VersionSMP -> Parser a -> Parser (Maybe a) authEncryptCmdsP v p = if v >= authCmdsSMPVersion then optional p else pure Nothing +encodeWebIdentityProof :: VersionSMP -> Maybe C.ASignature -> ByteString +encodeWebIdentityProof v sig + | v >= webClientSMPVersion = maybe "" (smpEncode . C.signatureBytes) sig + | otherwise = "" + +webIdentityProofP :: VersionSMP -> Parser (Maybe C.ASignature) +webIdentityProofP v + | v >= webClientSMPVersion = optional $ C.decodeSignature <$?> smpP + | otherwise = pure Nothing + instance Encoding SMPServerHandshakeResponse where smpEncode = \case SMPServerHandshakeResponse serviceId -> smpEncode ('R', serviceId) @@ -758,7 +782,8 @@ smpServerHandshake :: smpServerHandshake srvCert srvSignKey c (k, pk) kh smpVRange getService = do let sk = C.signX509 srvSignKey $ C.publicToX509 k smpVersionRange = maybe legacyServerSMPRelayVRange (const smpVRange) $ getSessionALPN c - sendHandshake th $ SMPServerHandshake {sessionId, smpVersionRange, authPubKey = Just (CertChainPubKey srvCert sk)} + webIdentityProof = C.sign srvSignKey . (<> sessionId) <$> getWebChallenge c + sendHandshake th $ SMPServerHandshake {sessionId, smpVersionRange, authPubKey = Just (CertChainPubKey srvCert sk), webIdentityProof} SMPClientHandshake {smpVersion = v, keyHash, authPubKey = k', proxyServer, clientService} <- getHandshake th when (keyHash /= kh) $ throwE $ TEHandshake IDENTITY case compatibleVRange' smpVersionRange v of @@ -791,7 +816,7 @@ smpServerHandshake srvCert srvSignKey c (k, pk) kh smpVRange getService = do -- See https://github.com/simplex-chat/simplexmq/blob/master/protocol/simplex-messaging.md#appendix-a smpClientHandshake :: forall c. Transport c => c 'TClient -> Maybe C.KeyPairX25519 -> C.KeyHash -> VersionRangeSMP -> Bool -> Maybe (ServiceCredentials, C.KeyPairEd25519) -> ExceptT TransportError IO (THandleSMP c 'TClient) smpClientHandshake c ks_ keyHash@(C.KeyHash kh) vRange proxyServer serviceKeys_ = do - SMPServerHandshake {sessionId = sessId, smpVersionRange, authPubKey} <- getHandshake th + SMPServerHandshake {sessionId = sessId, smpVersionRange, authPubKey, webIdentityProof = _} <- getHandshake th when (sessionId /= sessId) $ throwE TEBadSession -- Below logic downgrades version range in case the "client" is SMP proxy server and it is -- connected to the destination server of the version 11 or older. diff --git a/src/Simplex/Messaging/Transport/WebSockets.hs b/src/Simplex/Messaging/Transport/WebSockets.hs index 3ab213dcda..9832b1ce99 100644 --- a/src/Simplex/Messaging/Transport/WebSockets.hs +++ b/src/Simplex/Messaging/Transport/WebSockets.hs @@ -1,5 +1,6 @@ {-# LANGUAGE GADTs #-} {-# LANGUAGE DataKinds #-} +{-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE InstanceSigs #-} {-# LANGUAGE KindSignatures #-} {-# LANGUAGE LambdaCase #-} @@ -7,10 +8,11 @@ {-# LANGUAGE ScopedTypeVariables #-} {-# LANGUAGE TypeApplications #-} -module Simplex.Messaging.Transport.WebSockets (WS (..)) where +module Simplex.Messaging.Transport.WebSockets (WS (..), acceptWSConnection) where import qualified Control.Exception as E import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Base64.URL as B64 import qualified Data.ByteString.Char8 as B import qualified Data.ByteString.Lazy as LB import qualified Data.X509 as X @@ -20,6 +22,7 @@ import Network.WebSockets.Stream (Stream) import qualified Network.WebSockets.Stream as S import Simplex.Messaging.Transport ( ALPN, + TLS (TLS, tlsContext, tlsPeerCert, tlsTransportConfig), Transport (..), TransportConfig (..), TransportError (..), @@ -40,7 +43,8 @@ data WS (p :: TransportPeer) = WS wsConnection :: Connection, wsTransportConfig :: TransportConfig, wsCertSent :: Bool, - wsPeerCert :: X.CertificateChain + wsPeerCert :: X.CertificateChain, + wsWebChallenge :: Maybe ByteString } websocketsOpts :: ConnectionOptions @@ -64,6 +68,8 @@ instance Transport WS where {-# INLINE getPeerCertChain #-} getSessionALPN = wsALPN {-# INLINE getSessionALPN #-} + getWebChallenge = wsWebChallenge + {-# INLINE getWebChallenge #-} tlsUnique = tlsUniq {-# INLINE tlsUnique #-} closeConnection = S.close . wsStream @@ -93,7 +99,7 @@ getWS cfg wsCertSent wsPeerCert cxt = withTlsUnique @WS @p cxt connectWS s <- makeTLSContextStream cxt wsConnection <- connectPeer s wsALPN <- T.getNegotiatedProtocol cxt - pure $ WS {tlsUniq, wsALPN, wsStream = s, wsConnection, wsTransportConfig = cfg, wsCertSent, wsPeerCert} + pure $ WS {tlsUniq, wsALPN, wsStream = s, wsConnection, wsTransportConfig = cfg, wsCertSent, wsPeerCert, wsWebChallenge = Nothing} connectPeer :: Stream -> IO Connection connectPeer = case sTransportPeer @p of STServer -> acceptClientRequest @@ -101,6 +107,25 @@ getWS cfg wsCertSent wsPeerCert cxt = withTlsUnique @WS @p cxt connectWS acceptClientRequest s = makePendingConnectionFromStream s websocketsOpts >>= acceptRequest sendClientRequest s = newClientConnection s "" "/" websocketsOpts [] +acceptWSConnection :: TLS 'TServer -> PendingConnection -> IO (WS 'TServer) +acceptWSConnection tls pending = withTlsUnique @WS @'TServer cxt $ \wsUniq -> do + wsStream <- makeTLSContextStream cxt + wsConnection <- acceptRequest pending + wsALPN <- T.getNegotiatedProtocol cxt + let wsWebChallenge = parseChallenge $ requestPath $ pendingRequest pending + pure WS {tlsUniq = wsUniq, wsALPN, wsStream, wsConnection, wsTransportConfig = tlsTransportConfig tls, wsCertSent = False, wsPeerCert = tlsPeerCert tls, wsWebChallenge} + where + cxt = tlsContext tls + -- Parse ?challenge=<base64url> from request path + parseChallenge path = case B.breakSubstring "challenge=" path of + (_, rest) + | B.null rest -> Nothing + | otherwise -> + let val = B.takeWhile (/= '&') $ B.drop 10 rest -- drop "challenge=" + in case B64.decodeUnpadded val of + Right ch | B.length ch == 32 -> Just ch + _ -> Nothing + makeTLSContextStream :: T.Context -> IO Stream makeTLSContextStream cxt = S.makeStream readStream writeStream diff --git a/tests/AgentTests/DoubleRatchetTests.hs b/tests/AgentTests/DoubleRatchetTests.hs index eef5be27f5..fd160dbd3e 100644 --- a/tests/AgentTests/DoubleRatchetTests.hs +++ b/tests/AgentTests/DoubleRatchetTests.hs @@ -73,15 +73,19 @@ runMessageTests :: Bool -> Spec runMessageTests initRatchets_ agreeRatchetKEMs = do - it "should encrypt and decrypt messages" $ run $ testEncryptDecrypt agreeRatchetKEMs - it "should encrypt and decrypt skipped messages" $ run $ testSkippedMessages agreeRatchetKEMs - it "should encrypt and decrypt many messages" $ run $ testManyMessages agreeRatchetKEMs - it "should allow skipped after ratchet advance" $ run $ testSkippedAfterRatchetAdvance agreeRatchetKEMs + it "should encrypt and decrypt messages" $ run testEncryptDecrypt + it "should encrypt and decrypt skipped messages" $ run testSkippedMessages + it "should encrypt and decrypt many messages" $ run testManyMessages + it "should allow skipped after ratchet advance" $ run testSkippedAfterRatchetAdvance where run :: (forall a. (AlgorithmI a, DhAlgorithm a) => TestRatchets a) -> IO () run test = do - withRatchets_ @X25519 initRatchets_ test - withRatchets_ @X448 initRatchets_ test + withRatchets_ @X25519 initRatchets_ (withKEM test) + withRatchets_ @X448 initRatchets_ (withKEM test) + withKEM :: (AlgorithmI a, DhAlgorithm a) => TestRatchets a -> TestRatchets a + withKEM test alice bob encrypt decrypt (#>) = do + when agreeRatchetKEMs $ initRatchetKEM bob alice >> initRatchetKEM alice bob + test alice bob encrypt decrypt (#>) testAlgs :: (forall a. (AlgorithmI a, DhAlgorithm a) => C.SAlgorithm a -> IO ()) -> IO () testAlgs test = test C.SX25519 >> test C.SX448 @@ -146,6 +150,12 @@ type TestRatchets a = EncryptDecryptSpec a -> IO () +-- Peer-polymorphic types for cross-language testing +type EncryptP p = p -> ByteString -> IO (Either CryptoError ByteString) +type DecryptP p = p -> ByteString -> IO (Either CryptoError (Either CryptoError ByteString)) +type EncryptDecryptSpecP p = (p, ByteString) -> p -> Expectation +type TestRatchetsP p = p -> p -> EncryptP p -> DecryptP p -> EncryptDecryptSpecP p -> IO () + deriving instance Eq (Ratchet a) deriving instance Eq (SndRatchet a) @@ -170,9 +180,8 @@ deriving instance Eq (MsgHeader a) initRatchetKEM :: (AlgorithmI a, DhAlgorithm a) => TVar (TVar ChaChaDRG, Ratchet a, SkippedMsgKeys) -> TVar (TVar ChaChaDRG, Ratchet a, SkippedMsgKeys) -> IO () initRatchetKEM s r = encryptDecrypt (Just $ PQEncOn) (const ()) (const ()) (s, "initialising ratchet") r -testEncryptDecrypt :: (AlgorithmI a, DhAlgorithm a) => Bool -> TestRatchets a -testEncryptDecrypt agreeRatchetKEMs alice bob encrypt decrypt (#>) = do - when agreeRatchetKEMs $ initRatchetKEM bob alice >> initRatchetKEM alice bob +testEncryptDecrypt :: TestRatchetsP p +testEncryptDecrypt alice bob encrypt decrypt (#>) = do (bob, "hello alice") #> alice (alice, "hello bob") #> bob Right b1 <- encrypt bob "how are you, alice?" @@ -191,9 +200,8 @@ testEncryptDecrypt agreeRatchetKEMs alice bob encrypt decrypt (#>) = do (alice, "I'm here too, same") #> bob pure () -testSkippedMessages :: (AlgorithmI a, DhAlgorithm a) => Bool -> TestRatchets a -testSkippedMessages agreeRatchetKEMs alice bob encrypt decrypt _ = do - when agreeRatchetKEMs $ initRatchetKEM bob alice >> initRatchetKEM alice bob +testSkippedMessages :: TestRatchetsP p +testSkippedMessages alice bob encrypt decrypt _ = do Right msg1 <- encrypt bob "hello alice" Right msg2 <- encrypt bob "hello there again" Right msg3 <- encrypt bob "are you there?" @@ -203,9 +211,8 @@ testSkippedMessages agreeRatchetKEMs alice bob encrypt decrypt _ = do Decrypted "hello alice" <- decrypt alice msg1 pure () -testManyMessages :: (AlgorithmI a, DhAlgorithm a) => Bool -> TestRatchets a -testManyMessages agreeRatchetKEMs alice bob _ _ (#>) = do - when agreeRatchetKEMs $ initRatchetKEM bob alice >> initRatchetKEM alice bob +testManyMessages :: TestRatchetsP p +testManyMessages alice bob _ _ (#>) = do (bob, "b1") #> alice (bob, "b2") #> alice (bob, "b3") #> alice @@ -222,9 +229,8 @@ testManyMessages agreeRatchetKEMs alice bob _ _ (#>) = do (bob, "b15") #> alice (bob, "b16") #> alice -testSkippedAfterRatchetAdvance :: (AlgorithmI a, DhAlgorithm a) => Bool -> TestRatchets a -testSkippedAfterRatchetAdvance agreeRatchetKEMs alice bob encrypt decrypt (#>) = do - when agreeRatchetKEMs $ initRatchetKEM bob alice >> initRatchetKEM alice bob +testSkippedAfterRatchetAdvance :: TestRatchetsP p +testSkippedAfterRatchetAdvance alice bob encrypt decrypt (#>) = do (bob, "b1") #> alice Right b2 <- encrypt bob "b2" Right b3 <- encrypt bob "b3" diff --git a/tests/CLITests.hs b/tests/CLITests.hs index 66af74ab80..5489877ad4 100644 --- a/tests/CLITests.hs +++ b/tests/CLITests.hs @@ -31,7 +31,7 @@ import qualified Simplex.Messaging.Transport.HTTP2.Client as HC import Simplex.Messaging.Transport.Server (loadFileFingerprint) import Simplex.Messaging.Util (catchAll_) import qualified SMPWeb -import Simplex.Messaging.Server.Web (serveStaticFiles, attachStaticFiles) +import Simplex.Messaging.Server.Web (serveStaticFiles, attachStaticAndWS) import System.Directory (doesFileExist) import System.Environment (withArgs) import System.FilePath ((</>)) @@ -152,7 +152,7 @@ smpServerTestStatic = do Right ini_ <- readIniFile iniFile lookupValue "WEB" "https" ini_ `shouldBe` Right "5223" - let smpServerCLI' = smpServerCLI_ SMPWeb.smpGenerateSite serveStaticFiles attachStaticFiles + let smpServerCLI' = smpServerCLI_ SMPWeb.smpGenerateSite serveStaticFiles attachStaticAndWS let server = capture_ (withArgs ["start"] $ smpServerCLI' cfgPath logPath `catchAny` print) bracket (async server) cancel $ \_t -> do threadDelay 1000000 diff --git a/tests/SMPClient.hs b/tests/SMPClient.hs index c51079d5ec..7afff7830b 100644 --- a/tests/SMPClient.hs +++ b/tests/SMPClient.hs @@ -26,13 +26,16 @@ import Simplex.Messaging.Client.Agent (SMPClientAgentConfig (..), defaultSMPClie import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding import Simplex.Messaging.Protocol -import Simplex.Messaging.Server (runSMPServerBlocking) +import Simplex.Messaging.Server (runSMPServerBlocking, AttachHTTP) import Simplex.Messaging.Server.Env.STM import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SMSType (..), SQSType (..)) import Simplex.Messaging.Server.QueueStore.Postgres.Config (PostgresStoreCfg (..)) +import Data.X509.Validation (Fingerprint (..)) import Simplex.Messaging.Transport import Simplex.Messaging.Transport.Client -import Simplex.Messaging.Transport.Server +import Simplex.Messaging.Transport.HTTP2 (httpALPN) +import Simplex.Messaging.Transport.Server (ServerCredentials (..), TransportServerConfig (..), loadFileFingerprint, loadFingerprint, loadServerCredential, mkTransportServerConfig) +import Simplex.Messaging.Transport.WebSockets (WS) import Simplex.Messaging.Util (ifM) import Simplex.Messaging.Version import Simplex.Messaging.Version.Internal @@ -155,7 +158,8 @@ testSMPClientVR vr client = do testSMPClient_ :: Transport c => TransportHost -> ServiceName -> VersionRangeSMP -> (THandleSMP c 'TClient -> IO a) -> IO a testSMPClient_ host port vr client = do - let tcConfig = defaultTransportClientConfig {clientALPN} :: TransportClientConfig + -- SMP clients use useSNI = False (matches defaultSMPClientConfig) + let tcConfig = defaultTransportClientConfig {clientALPN, useSNI = False} :: TransportClientConfig runTransportClient tcConfig Nothing host port (Just testKeyHash) $ \h -> runExceptT (smpClientHandshake h Nothing testKeyHash vr False Nothing) >>= \case Right th -> client th @@ -283,6 +287,17 @@ serverStoreConfig_ useDbStoreLog = \case dbStoreLogPath = if useDbStoreLog then Just testStoreLogFile else Nothing storeCfg = PostgresStoreCfg {dbOpts = testStoreDBOpts, dbStoreLogPath, confirmMigrations = MCYesUp, deletedTTL = 86400} +cfgWebOn :: AStoreType -> ServiceName -> AServerConfig +cfgWebOn msType port' = updateCfg (cfgMS msType) $ \cfg' -> + cfg' { transports = [(port', transport @TLS, True)], + httpCredentials = Just ServerCredentials + { caCertificateFile = Nothing, + privateKeyFile = "tests/fixtures/web.key", + certificateFile = "tests/fixtures/web.crt" + }, + transportConfig = mkTransportServerConfig True (Just $ alpnSupportedSMPHandshakes <> httpALPN) True + } + cfgV7 :: AServerConfig cfgV7 = updateCfg cfg $ \cfg' -> cfg' {smpServerVRange = mkVersionRange minServerSMPRelayVersion authCmdsSMPVersion} @@ -333,9 +348,12 @@ withServerCfg :: AServerConfig -> (forall s. ServerConfig s -> a) -> a withServerCfg (ASrvCfg _ _ cfg') f = f cfg' withSmpServerConfigOn :: HasCallStack => ASrvTransport -> AServerConfig -> ServiceName -> (HasCallStack => ThreadId -> IO a) -> IO a -withSmpServerConfigOn t (ASrvCfg _ _ cfg') port' = +withSmpServerConfigOn t cfg' port' = withSmpServerConfig (updateCfg cfg' $ \c -> c {transports = [(port', t, False)]}) Nothing + +withSmpServerConfig :: HasCallStack => AServerConfig -> Maybe AttachHTTP -> (HasCallStack => ThreadId -> IO a) -> IO a +withSmpServerConfig (ASrvCfg _ _ cfg') attachHTTP_ = serverBracket - (\started -> runSMPServerBlocking started cfg' {transports = [(port', t, False)]} Nothing) + (\started -> runSMPServerBlocking started cfg' attachHTTP_) (threadDelay 10000) withSmpServerThreadOn :: HasCallStack => (ASrvTransport, AStoreType) -> ServiceName -> (HasCallStack => ThreadId -> IO a) -> IO a diff --git a/tests/SMPWebTests.hs b/tests/SMPWebTests.hs new file mode 100644 index 0000000000..183ef10540 --- /dev/null +++ b/tests/SMPWebTests.hs @@ -0,0 +1,1837 @@ +{-# LANGUAGE DataKinds #-} +{-# LANGUAGE GADTs #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE PatternSynonyms #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE TypeApplications #-} + +-- | Per-function tests for the smp-web TypeScript SMP client library. +-- Each test calls the Haskell function and the corresponding TypeScript function +-- via node, then asserts byte-identical output. +-- +-- Prerequisites: cd smp-web && npm install && npm run build +-- Run: cabal test --test-option=--match="/SMP Web Client/" +module SMPWebTests (smpWebTests) where + +import Control.Concurrent.STM +import Control.Monad (forM, forM_, when) +import Data.Bifunctor (first) +import Control.Exception (bracket) +import Control.Monad.Except (ExceptT, liftEither, runExceptT, throwError, withExceptT) +import Crypto.Random (ChaChaDRG) +import Data.IORef +import System.IO (Handle, hFlush, hGetLine, hPutStr, hSetBuffering, BufferMode (..)) +import System.Process (CreateProcess (..), StdStream (..), ProcessHandle, createProcess, proc, terminateProcess) +import qualified Data.ByteString as B +import qualified Data.ByteString.Char8 as BC +import Data.List (isInfixOf, isPrefixOf) +import Data.List.NonEmpty (NonEmpty (..)) +import System.Directory (doesDirectoryExist) +import Data.Word (Word16) +import qualified Simplex.Messaging.Agent as A +import qualified Simplex.Messaging.Agent.Protocol as AP +import Simplex.Messaging.Agent.Protocol (CreatedConnLink (..), UserLinkData (..), UserContactData (..), UserConnLinkData (..)) +import Simplex.Messaging.Client (pattern NRMInteractive, authTransmission, getProtocolClient, defaultSMPClientConfig, ProtocolClientConfig (..), connectSMPProxiedRelay, proxySMPMessage, closeProtocolClient, ProxyClientError (..)) +import Simplex.Messaging.Version (mkVersionRange) +import Simplex.Messaging.Version.Internal (Version (..)) +import qualified Simplex.Messaging.Crypto as C +import Simplex.Messaging.Crypto (Algorithm (..)) +import qualified Simplex.Messaging.Crypto.Ratchet as CR +import Simplex.Messaging.Crypto.SNTRUP761.Bindings (KEMPublicKey (..), KEMSecretKey, KEMCiphertext (..), KEMSharedKey (..), sntrup761Keypair, sntrup761Enc, sntrup761Dec) +import qualified Crypto.Cipher.Types as AES +import qualified Data.Map.Strict as M +import qualified Data.ByteArray as BA +import Simplex.Messaging.Crypto.ShortLink (contactShortLinkKdf, invShortLinkKdf) +import Simplex.Messaging.Encoding +import Simplex.Messaging.Encoding.String (Str (..), strEncode) +import Simplex.Messaging.Protocol (EntityId (..), SMPServer, SubscriptionMode (..), MsgFlags (..), noMsgFlags, pattern SMPServer, pattern NoEntity, encodeProtocol, Cmd (..), SParty (..), Command (..), NewQueueReq (..), QueueReqData (..), BrokerMsg (..), RcvMessage (..), EncRcvMsgBody (..), QueueIdsKeys (..), PubHeader (..), PrivHeader (..), ClientMessage (..), ClientMsgEnvelope (..), pattern VersionSMPC) +import Simplex.Messaging.Server.Env.STM (AStoreType (..), ServerConfig (..)) +import Simplex.Messaging.Server.MsgStore.Types (SMSType (..), SQSType (..)) +import Simplex.Messaging.Server.Web (attachStaticAndWS) +import Data.Time.Clock (getCurrentTime) +import Simplex.Messaging.Transport (TLS, transport, smpBlockSize, currentServerSMPRelayVersion, currentClientSMPRelayVersion, minServerSMPRelayVersion, supportedClientSMPRelayVRange, alpnSupportedSMPHandshakes) +import Simplex.Messaging.Version (mkVersionRange) +import Simplex.Messaging.Transport.Server (ServerCredentials (..), mkTransportServerConfig) +import Simplex.Messaging.Transport.HTTP2 (httpALPN) +import Simplex.Messaging.Transport.Client (TransportHost (..)) +import SMPAgentClient (agentCfg, initAgentServers, testDB) +import SMPClient (cfgWebOn, cfgMS, proxyCfgMS, updateCfg, testKeyHash, testPort, testPort2, testSMPClient, testSMPClient_, testHost2, testStoreLogFile2, testStoreMsgsDir2, journalCfg, withSmpServerConfig, withSmpServerConfigOn) +import ServerTests (sendRecv, signSendRecv, tGet1, decryptMsgV3, _SEND, pattern Resp, pattern Ids, pattern Msg, pattern New) +import AgentTests.DoubleRatchetTests (testEncryptDecrypt, testSkippedMessages, testManyMessages, testSkippedAfterRatchetAdvance) +import AgentTests.FunctionalAPITests (withAgent) +import Test.Hspec hiding (it) +import Util +import XFTPWebTests (callNode_, jsOut, jsUint8) + +smpWebDir :: FilePath +smpWebDir = "smp-web" + +callNode :: String -> IO B.ByteString +callNode = callNode_ smpWebDir + +impEnc :: String +impEnc = "import { Decoder, decodeBytes, decodeLarge, encodeBytes, encodeWord16 } from '@simplex-chat/xftp-web/dist/protocol/encoding.js';" + +impProto_ :: String +impProto_ = "import { encodeTransmission, encodeTransmissionForAuth, authTransmission, tEncodeAuth, tEncode, tEncodeBatch1, tEncodeForBatch, batchTransmissions, transmissionP, tParse, tDecodeClient, protocolError, encodeLGET, decodeLNK, decodeResponse, encodeNEW, encodeKEY, encodeSKEY, encodeSUB, encodeACK, encodeSEND, encodeOFF, encodeDEL, encodeGET, encodeQUE, encodePING, encodeProtocolServer, encodePRXY, encodePFWD, paddedProxiedTLength } from './dist/protocol.js';" + +impProto :: String +impProto = impEnc <> impProto_ + +impTransport :: String +impTransport = "import { decodeSMPServerHandshake, encodeSMPClientHandshake } from './dist/transport.js';" + <> "import { Decoder, encodeWord16 } from '@simplex-chat/xftp-web/dist/protocol/encoding.js';" + +impWS :: String +impWS = "import { connectSMP, sendBlock, receiveBlock } from './dist/transport/websockets.js';" + <> "import { blockPad, blockUnpad } from '@simplex-chat/xftp-web/dist/protocol/transmission.js';" + +impAgentProto_ :: String +impAgentProto_ = "import { connShortLinkStrP, decodeConnLinkData, decodeFixedLinkData, decodeProtocolServer, decodeConnShortLink, decodeOwnerAuth, decodeUserLinkData, parseProfile } from './dist/agent/protocol.js';" + +impAgentProto :: String +impAgentProto = impEnc <> impAgentProto_ + +impCryptoShortLink :: String +impCryptoShortLink = "import { contactShortLinkKdf, invShortLinkKdf, decryptLinkData } from './dist/crypto/shortLink.js';" + +impRatchet :: String +impRatchet = "import { generateX448KeyPair, pqX3dhSnd, pqX3dhRcv, x448DH, encodePubKeyX448, decodePubKeyX448, chainKdf, rootKdf, initSndRatchet, initRcvRatchet, rcEncrypt, rcDecrypt } from './dist/crypto/ratchet.js';" + <> "import { encryptAEAD, decryptAEAD } from './dist/crypto.js';" + +impSntrup :: String +impSntrup = "import { initSntrup761, sntrup761Keypair, sntrup761Enc, sntrup761Dec } from './dist/crypto/sntrup761.js'; await initSntrup761();" + +impAgentMsg :: String +impAgentMsg = "import { encodeAMessage, decodeAMessage, encodeAPrivHeader, decodeAPrivHeader, encodeAgentMessage, decodeAgentMessage, encodeAgentMsgEnvelope, decodeAgentMsgEnvelope } from './dist/agent/message.js';" + +impProtoE2E :: String +impProtoE2E = "import { encodePubHeader, decodePubHeader, encodePrivHeader, decodePrivHeader, encodeClientMessage, decodeClientMessage, encodeClientMsgEnvelope, decodeClientMsgEnvelope, agentCbEncrypt, agentCbDecrypt, e2eEncMessageLength } from './dist/protocol.js';" + +impCrypto :: String +impCrypto = "import { sbcInit, sbcHkdf, sbEncryptBlock, sbDecryptBlock } from './dist/crypto.js';" + +-- Init sodium from xftp-web's copy (same instance secretbox.ts uses) +impSodium :: String +impSodium = "import sodium from '@simplex-chat/xftp-web/node_modules/libsodium-wrappers-sumo/dist/modules-sumo/libsodium-wrappers.js'; await sodium.ready;" + +jsStr :: B.ByteString -> String +jsStr bs = "'" <> BC.unpack bs <> "'" + +paddedMsgLen :: Int +paddedMsgLen = 100 + +-- -- TestPeer: sum type for cross-language ratchet tests + +type HsPeer a = TVar (TVar ChaChaDRG, CR.Ratchet a, CR.SkippedMsgKeys) + +data TestPeer + = forall a. (C.AlgorithmI a, C.DhAlgorithm a) => TestPeerHS (HsPeer a) + | TestPeerJS Handle Handle ProcessHandle -- stdin, stdout, process + +-- dispatch functions + +tpEncrypt :: TestPeer -> B.ByteString -> IO (Either C.CryptoError B.ByteString) +tpEncrypt (TestPeerHS tvar) msg = do + (_, rc, smks) <- readTVarIO tvar + result <- runExceptT $ do + (mek, rc') <- CR.rcEncryptHeader rc Nothing CR.currentE2EEncryptVersion + ct <- CR.rcEncryptMsg mek paddedMsgLen msg + pure (ct, rc') + case result of + Right (ct, rc') -> do + (g, _, smks') <- readTVarIO tvar + atomically $ writeTVar tvar (g, rc', smks') + pure $ Right ct + Left e -> pure $ Left e +tpEncrypt (TestPeerJS hIn hOut _) msg = do + hPutStrLn' hIn $ "E " <> BC.unpack msg + resp <- hGetLine hOut + case parseResponse resp of + Right hex -> pure $ Right $ hexToBS hex + Left err -> error $ "tpEncrypt JS error: " <> err + +tpDecrypt :: TestPeer -> B.ByteString -> IO (Either C.CryptoError (Either C.CryptoError B.ByteString)) +tpDecrypt (TestPeerHS tvar) ct = do + (g, rc, smks) <- readTVarIO tvar + result <- runExceptT $ CR.rcDecrypt g rc smks ct + case result of + Right (msg, rc', smDiff) -> do + atomically $ writeTVar tvar (g, rc', CR.applySMDiff smks smDiff) + pure $ Right msg + Left e -> pure $ Left e +tpDecrypt (TestPeerJS hIn hOut _) ct = do + hPutStrLn' hIn $ "D " <> bsToHex ct + resp <- hGetLine hOut + case parseResponse resp of + Right txt -> pure $ Right $ Right $ BC.pack txt + Left err -> parseJsError err + +-- Map JS REPL error strings to CryptoError at the correct Either level. +-- Outer Left: errors that abort rcDecrypt (header failure, first skipMessageKeys). +-- Inner Right (Left _): errors from second skipMessageKeys (duplicate/earlier in current ratchet state). +parseJsError :: String -> IO (Either C.CryptoError (Either C.CryptoError B.ByteString)) +parseJsError err + -- Outer errors (ExceptT failures in Haskell rcDecrypt) + | has "CERatchetHeader" = pure $ Left C.CERatchetHeader + | has "CERatchetKEMState" = pure $ Left C.CERatchetKEMState + -- Inner errors (pure Left in second skipMessageKeys) + | has "CERatchetDuplicateMessage" = pure $ Right $ Left C.CERatchetDuplicateMessage + | has "CERatchetEarlierMessage" = pure $ Right $ Left $ C.CERatchetEarlierMessage 0 + | has "CERatchetTooManySkipped" = pure $ Right $ Left $ C.CERatchetTooManySkipped 0 + | has "CERatchetState" = pure $ Right $ Left C.CERatchetState + | otherwise = pure $ Left $ C.CryptoHeaderError err + where + has s = s `isInfixOf` err + +tpSndKEM :: TestPeer -> IO Bool +tpSndKEM (TestPeerHS tvar) = do + (_, rc, _) <- readTVarIO tvar + pure $ CR.enablePQ $ CR.rcSndKEM rc +tpSndKEM (TestPeerJS hIn hOut _) = do + hPutStrLn' hIn "SNDKEM" + resp <- hGetLine hOut + pure $ resp == "ok: 1" + +tpRcvKEM :: TestPeer -> IO Bool +tpRcvKEM (TestPeerHS tvar) = do + (_, rc, _) <- readTVarIO tvar + pure $ CR.enablePQ $ CR.rcRcvKEM rc +tpRcvKEM (TestPeerJS hIn hOut _) = do + hPutStrLn' hIn "RCVKEM" + resp <- hGetLine hOut + pure $ resp == "ok: 1" + +tpEncryptDecrypt :: Maybe CR.PQEncryption -> Bool -> Bool -> (TestPeer, B.ByteString) -> TestPeer -> Expectation +tpEncryptDecrypt _pqEnc expectSndKEM expectRcvKEM (sender, msg) receiver = do + Right ct <- tpEncrypt sender msg + sndK <- tpSndKEM sender + when (sndK /= expectSndKEM) $ expectationFailure $ "sndKEM: expected " <> show expectSndKEM <> ", got " <> show sndK + Right (Right msg') <- tpDecrypt receiver ct + rcvK <- tpRcvKEM receiver + when (rcvK /= expectRcvKEM) $ expectationFailure $ "rcvKEM: expected " <> show expectRcvKEM <> ", got " <> show rcvK + msg' `shouldBe` msg + +-- TestPeer operators (matching Haskell DoubleRatchetTests) +tp_noKEM, tp_hasKEM :: (TestPeer, B.ByteString) -> TestPeer -> Expectation +tp_noKEM = tpEncryptDecrypt Nothing False False +tp_hasKEM = tpEncryptDecrypt Nothing True True + +-- JS process helpers + +spawnJsRatchet :: IO (Handle, Handle, ProcessHandle) +spawnJsRatchet = do + let cp = (proc "node" ["dist-test/ratchet-repl.js"]) {cwd = Just "smp-web", std_in = CreatePipe, std_out = CreatePipe, std_err = CreatePipe} + (Just hIn, Just hOut, _, ph) <- createProcess cp + hSetBuffering hIn LineBuffering + hSetBuffering hOut LineBuffering + pure (hIn, hOut, ph) + +spawnJsClient :: IO (Handle, Handle, ProcessHandle) +spawnJsClient = do + let cp = (proc "node" ["dist-test/client-repl.js"]) {cwd = Just "smp-web", std_in = CreatePipe, std_out = CreatePipe, std_err = Inherit} + (Just hIn, Just hOut, _, ph) <- createProcess cp + hSetBuffering hIn LineBuffering + hSetBuffering hOut LineBuffering + pure (hIn, hOut, ph) + +destroyJsRatchet :: TestPeer -> IO () +destroyJsRatchet (TestPeerJS _ _ ph) = terminateProcess ph +destroyJsRatchet _ = pure () + +jsCmd :: Handle -> Handle -> String -> IO String +jsCmd hIn hOut cmd = do + hPutStrLn' hIn cmd + hGetLine hOut + +hPutStrLn' :: Handle -> String -> IO () +hPutStrLn' h s = do + hPutStr h (s <> "\n") + hFlush h + +parseResponse :: String -> Either String String +parseResponse resp + | take 4 resp == "ok: " = Right $ drop 4 resp + | take 7 resp == "error: " = Left $ drop 7 resp + | otherwise = Left $ "unexpected response: " <> resp + +bsToHex :: B.ByteString -> String +bsToHex = concatMap (\w -> let h = showHex' w in h) . B.unpack + where + showHex' w = [hexDigit (w `div` 16), hexDigit (w `mod` 16)] + hexDigit n | n < 10 = toEnum (fromEnum '0' + fromIntegral n) + | otherwise = toEnum (fromEnum 'a' + fromIntegral n - 10) + +hexToBS :: String -> B.ByteString +hexToBS = B.pack . go + where + go [] = [] + go (a:b:rest) = fromIntegral (hexVal a * 16 + hexVal b) : go rest + go _ = [] + hexVal c + | c >= '0' && c <= '9' = fromEnum c - fromEnum '0' + | c >= 'a' && c <= 'f' = fromEnum c - fromEnum 'a' + 10 + | c >= 'A' && c <= 'F' = fromEnum c - fromEnum 'A' + 10 + | otherwise = 0 + +runRight :: (Show e, HasCallStack) => ExceptT e IO a -> IO a +runRight action = runExceptT action >>= either (error . ("Unexpected error: " <>) . show) pure + +-- -- Cross-language ratchet init functions and test patterns + +withCrossPeers :: IO (TestPeer, TestPeer) -> ((TestPeer, TestPeer) -> IO ()) -> IO () +withCrossPeers initPeers test = bracket initPeers cleanup test + where + cleanup (a, b) = destroyJsRatchet a >> destroyJsRatchet b + +-- HS (receiver) <-> JS (sender), no PQ +initHsJs_noPQ :: IO (TestPeer, TestPeer) +initHsJs_noPQ = do + g <- C.newRandom + let v = CR.currentE2EEncryptVersion + Version vNum = v + (pkAlice1, pkAlice2, Nothing, e2eAlice) <- CR.generateRcvE2EParams @'X448 g v CR.PQSupportOff + let aliceE2EHex = bsToHex $ smpEncode e2eAlice + (hIn, hOut, ph) <- spawnJsRatchet + bobE2EHex <- either error pure . parseResponse =<< jsCmd hIn hOut ("INIT_SND " ++ show vNum ++ " none " ++ aliceE2EHex) + Right (CR.AE2ERatchetParams _ bobE2E :: CR.AE2ERatchetParams 'X448) <- pure $ smpDecode $ hexToBS bobE2EHex + Right (aliceInitParams, _) <- runExceptT $ CR.pqX3dhRcv pkAlice1 pkAlice2 Nothing bobE2E + let aliceRatchet = CR.initRcvRatchet (CR.RatchetVersions v v) pkAlice2 (aliceInitParams, Nothing) CR.PQSupportOff + ga <- C.newRandom + aliceTVar <- newTVarIO (ga, aliceRatchet, M.empty :: CR.SkippedMsgKeys) + pure (TestPeerHS aliceTVar, TestPeerJS hIn hOut ph) + +-- HS (receiver) <-> JS (sender), PQ KEM accepted +initHsJs_PQ :: IO (TestPeer, TestPeer) +initHsJs_PQ = do + g <- C.newRandom + let v = CR.currentE2EEncryptVersion + Version vNum = v + (pkAlice1, pkAlice2, alicePKem_@(Just _), e2eAlice) <- CR.generateRcvE2EParams @'X448 g v CR.PQSupportOn + let aliceE2EHex = bsToHex $ smpEncode e2eAlice + (hIn, hOut, ph) <- spawnJsRatchet + bobE2EHex <- either error pure . parseResponse =<< jsCmd hIn hOut ("INIT_SND " ++ show vNum ++ " accept " ++ aliceE2EHex) + Right (CR.AE2ERatchetParams _ bobE2E :: CR.AE2ERatchetParams 'X448) <- pure $ smpDecode $ hexToBS bobE2EHex + Right (aliceInitParams, aliceKemKp_) <- runExceptT $ CR.pqX3dhRcv pkAlice1 pkAlice2 alicePKem_ bobE2E + let aliceRatchet = CR.initRcvRatchet (CR.RatchetVersions v v) pkAlice2 (aliceInitParams, aliceKemKp_) CR.PQSupportOn + ga <- C.newRandom + aliceTVar <- newTVarIO (ga, aliceRatchet, M.empty :: CR.SkippedMsgKeys) + pure (TestPeerHS aliceTVar, TestPeerJS hIn hOut ph) + +-- JS (receiver) <-> JS (sender), no PQ +initTsTs_noPQ :: IO (TestPeer, TestPeer) +initTsTs_noPQ = do + let Version vNum = CR.currentE2EEncryptVersion + (hInA, hOutA, phA) <- spawnJsRatchet + aliceE2EHex <- either error pure . parseResponse =<< jsCmd hInA hOutA ("INIT_RCV " ++ show vNum ++ " 0") + (hInB, hOutB, phB) <- spawnJsRatchet + bobE2EHex <- either error pure . parseResponse =<< jsCmd hInB hOutB ("INIT_SND " ++ show vNum ++ " none " ++ aliceE2EHex) + completeResp <- jsCmd hInA hOutA ("COMPLETE " ++ bobE2EHex) + when (completeResp /= "ok") $ error $ "COMPLETE failed: " ++ completeResp + pure (TestPeerJS hInA hOutA phA, TestPeerJS hInB hOutB phB) + +-- JS (receiver) <-> JS (sender), PQ KEM accepted +initTsTs_PQ :: IO (TestPeer, TestPeer) +initTsTs_PQ = do + let Version vNum = CR.currentE2EEncryptVersion + (hInA, hOutA, phA) <- spawnJsRatchet + aliceE2EHex <- either error pure . parseResponse =<< jsCmd hInA hOutA ("INIT_RCV " ++ show vNum ++ " 1") + (hInB, hOutB, phB) <- spawnJsRatchet + bobE2EHex <- either error pure . parseResponse =<< jsCmd hInB hOutB ("INIT_SND " ++ show vNum ++ " accept " ++ aliceE2EHex) + completeResp <- jsCmd hInA hOutA ("COMPLETE " ++ bobE2EHex) + when (completeResp /= "ok") $ error $ "COMPLETE failed: " ++ completeResp + pure (TestPeerJS hInA hOutA phA, TestPeerJS hInB hOutB phB) + +smpWebTests :: SpecWith () +smpWebTests = describe "SMP Web Client" $ do + distExists <- runIO $ doesDirectoryExist (smpWebDir <> "/dist") + if distExists + then smpWebTests_ + else + it "skipped (run 'cd smp-web && npm install && npm run build' first)" $ + pendingWith "TS project not compiled" + +smpWebTests_ :: SpecWith () +smpWebTests_ = do + describe "protocol" $ do + describe "transmission" $ do + it "encodeTransmission matches Haskell" $ do + let corrId = "1" + entityId = B.pack [1..24] + command = "LGET" + hsEncoded = smpEncode (corrId :: B.ByteString, entityId :: B.ByteString) <> command + tsEncoded <- callNode $ impProto + <> jsOut ("encodeTransmission(" + <> jsUint8 corrId <> "," + <> jsUint8 entityId <> "," + <> "new Uint8Array([0x4C,0x47,0x45,0x54])" + <> ")") + tsEncoded `shouldBe` hsEncoded + + it "transmissionP parses Haskell-encoded" $ do + let corrId = "abc" + entityId = B.pack [10..33] + command = "TEST" + -- Wire format: auth(ByteString) + corrId(ByteString) + entityId(ByteString) + command(rest) + encoded = smpEncode (B.empty :: B.ByteString) + <> smpEncode corrId + <> smpEncode entityId + <> command + tsResult <- callNode $ impProto + <> "const t = transmissionP(" <> jsUint8 encoded <> ");" + <> jsOut ("new Uint8Array([...t.corrId, ...t.entityId, ...t.command])") + tsResult `shouldBe` (corrId <> entityId <> command) + + describe "LGET" $ do + it "encodeLGET produces correct bytes" $ do + tsResult <- callNode $ impProto <> jsOut "encodeLGET()" + tsResult `shouldBe` "LGET" + + describe "LNK" $ do + it "decodeLNK parses correctly" $ do + let senderId = B.pack [1..24] + fixedData = B.pack [100..110] + userData = B.pack [200..220] + encoded = smpEncode senderId <> smpEncode (Large fixedData) <> smpEncode (Large userData) + tsResult <- callNode $ impProto + <> "const r = decodeLNK(new Decoder(" <> jsUint8 encoded <> "));" + <> jsOut ("new Uint8Array([...r.senderId, ...r.encFixedData, ...r.encUserData])") + tsResult `shouldBe` (senderId <> fixedData <> userData) + + describe "decodeResponse" $ do + it "decodes LNK response" $ do + let senderId = B.pack [1..24] + fixedData = B.pack [100..110] + userData = B.pack [200..220] + commandBytes = "LNK " <> smpEncode senderId <> smpEncode (Large fixedData) <> smpEncode (Large userData) + tsResult <- callNode $ impProto + <> "const r = decodeResponse(new Decoder(" <> jsUint8 commandBytes <> "));" + <> "if (r.type !== 'LNK') throw new Error('expected LNK, got ' + r.type);" + <> jsOut ("new Uint8Array([...r.response.senderId])") + tsResult `shouldBe` senderId + + it "decodes OK response" $ do + tsResult <- callNode $ impProto + <> "const r = decodeResponse(new Decoder(new Uint8Array([0x4F, 0x4B])));" + <> jsOut ("new Uint8Array([r.type === 'OK' ? 1 : 0])") + tsResult `shouldBe` B.singleton 1 + + describe "commands" $ do + let v = currentServerSMPRelayVersion + + it "encodeNEW matches Haskell" $ do + g <- C.newRandom + (rcvAuthPub, _) <- atomically $ C.generateAuthKeyPair C.SX25519 g + (rcvDhPub, _) <- atomically $ C.generateKeyPair @'C.X25519 g + let rcvAuthPubDer = C.encodePubKey rcvAuthPub + rcvDhPubDer = C.encodePubKey rcvDhPub + cmd = NEW $ NewQueueReq rcvAuthPub rcvDhPub Nothing SMSubscribe (Just $ QRMessaging Nothing) Nothing + hsEncoded = encodeProtocol v cmd + tsEncoded <- callNode $ impProto + <> jsOut ("encodeNEW(" <> jsUint8 rcvAuthPubDer <> "," <> jsUint8 rcvDhPubDer <> ", null, true)") + tsEncoded `shouldBe` hsEncoded + + it "encodeSUB matches Haskell" $ do + let hsEncoded = encodeProtocol v SUB + tsEncoded <- callNode $ impProto <> jsOut "encodeSUB()" + tsEncoded `shouldBe` hsEncoded + + it "encodeKEY matches Haskell" $ do + let keyDer = B.pack [0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, 0x03, 0x21, 0x00] <> B.pack [1..32] + hsEncoded = "KEY " <> smpEncode keyDer + tsEncoded <- callNode $ impProto + <> jsOut ("encodeKEY(" <> jsUint8 keyDer <> ")") + tsEncoded `shouldBe` hsEncoded + + it "encodeSKEY matches Haskell" $ do + let keyDer = B.pack [0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, 0x03, 0x21, 0x00] <> B.pack [1..32] + hsEncoded = "SKEY " <> smpEncode keyDer + tsEncoded <- callNode $ impProto + <> jsOut ("encodeSKEY(" <> jsUint8 keyDer <> ")") + tsEncoded `shouldBe` hsEncoded + + it "encodeACK matches Haskell" $ do + let msgId = B.pack [1..24] + hsEncoded = encodeProtocol v (ACK msgId) + tsEncoded <- callNode $ impProto + <> jsOut ("encodeACK(" <> jsUint8 msgId <> ")") + tsEncoded `shouldBe` hsEncoded + + it "encodeSEND matches Haskell" $ do + let flags = MsgFlags {notification = True} + body = "hello world" + hsEncoded = encodeProtocol v (SEND flags body) + tsEncoded <- callNode $ impProto + <> jsOut ("encodeSEND(true, new TextEncoder().encode('hello world'))") + tsEncoded `shouldBe` hsEncoded + + it "decodes IDS response" $ do + let rcvId = B.pack [1..24] + sndId = B.pack [25..48] + srvDhKey = B.pack [0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, 0x03, 0x21, 0x00] <> B.pack [50..81] + -- Manually encode IDS response: "IDS " <> rcvId <> sndId <> srvDhKey <> Maybe queueMode <> Maybe linkId ... + encoded = "IDS " <> smpEncode (EntityId rcvId) <> smpEncode (EntityId sndId) <> smpEncode srvDhKey + <> smpEncode (Nothing :: Maybe B.ByteString) <> smpEncode (Nothing :: Maybe B.ByteString) + <> smpEncode (Nothing :: Maybe B.ByteString) <> smpEncode (Nothing :: Maybe B.ByteString) + tsResult <- callNode $ impProto + <> "const r = decodeResponse(new Decoder(" <> jsUint8 encoded <> "));" + <> "if (r.type !== 'IDS') throw new Error('expected IDS, got ' + r.type);" + <> jsOut ("new Uint8Array([...r.response.rcvId, ...r.response.sndId])") + tsResult `shouldBe` (rcvId <> sndId) + + it "decodes Haskell-encoded MSG response" $ do + let msgId = B.pack [1..24] + body = "encrypted message body" + hsEncoded = "MSG " <> smpEncode msgId <> body + tsResult <- callNode $ impProto + <> "const r = decodeResponse(new Decoder(" <> jsUint8 hsEncoded <> "));" + <> "if (r.type !== 'MSG') throw new Error('expected MSG, got ' + r.type);" + <> jsOut ("new Uint8Array([...r.response.msgId, ...r.response.msgBody])") + tsResult `shouldBe` (msgId <> body) + + describe "transport" $ do + describe "SMPServerHandshake" $ do + it "TypeScript parses Haskell-encoded server handshake (no authPubKey)" $ do + -- Manually construct: smpEncode (versionRange, sessionId) <> "" (no authPubKey) + let vRange = (6 :: Word16, 18 :: Word16) + sessId = B.pack [1..32] + encoded = smpEncode vRange <> smpEncode sessId + tsResult <- callNode $ impTransport + <> "const hs = decodeSMPServerHandshake(new Decoder(" <> jsUint8 encoded <> "));" + <> jsOut ("new Uint8Array([" + <> "hs.smpVersionRange.min, hs.smpVersionRange.max," + <> "hs.authPubKey === null ? 1 : 0," + <> "hs.sessionId.length" + <> "])") + tsResult `shouldBe` B.pack [6, 18, 1, 32] + + describe "SMPClientHandshake" $ do + it "TypeScript-encoded client handshake matches Haskell (no authPubKey)" $ do + -- Haskell encoding: smpEncode (v18, keyHash) <> "" (no authPubKey) <> smpEncode False <> smpEncode (Nothing :: Maybe ()) + let v = 18 :: Word16 + keyHash = B.pack [1..32] + hsEncoded = smpEncode (v, keyHash) + <> "" -- authPubKey Nothing = empty + <> smpEncode False -- proxyServer + <> smpEncode (Nothing :: Maybe B.ByteString) -- clientService + tsEncoded <- callNode $ impTransport + <> jsOut ("encodeSMPClientHandshake({" + <> "smpVersion: 18," + <> "keyHash: " <> jsUint8 keyHash <> "," + <> "authPubKey: null," + <> "proxyServer: false," + <> "clientService: null" + <> "})") + tsEncoded `shouldBe` hsEncoded + + describe "crypto/shortLink" $ do + describe "contactShortLinkKdf" $ do + it "TypeScript produces same linkId and sbKey as Haskell" $ do + let linkKey = AP.LinkKey $ B.pack [1..32] + (EntityId hsLinkId, C.SbKey hsKey) = contactShortLinkKdf linkKey + tsResult <- callNode $ impCryptoShortLink + <> "const r = contactShortLinkKdf(" <> jsUint8 (B.pack [1..32]) <> ");" + <> jsOut ("new Uint8Array([...r.linkId, ...r.sbKey])") + tsResult `shouldBe` (hsLinkId <> hsKey) + + describe "invShortLinkKdf" $ do + it "TypeScript produces same sbKey as Haskell" $ do + let linkKey = AP.LinkKey $ B.pack [50..81] + C.SbKey hsKey = invShortLinkKdf linkKey + tsResult <- callNode $ impCryptoShortLink + <> jsOut ("invShortLinkKdf(" <> jsUint8 (B.pack [50..81]) <> ")") + tsResult `shouldBe` hsKey + + describe "decryptLinkData" $ do + it "TypeScript decrypts Haskell-encrypted data" $ do + let sbKey = C.unsafeSbKey $ B.pack [1..32] + nonce = C.cbNonce $ B.pack [1..24] + -- Simulate encodeSign: smpEncode signature <> plaintext + fakeSig = B.pack [1..64] -- 64-byte "signature" + fixedPlain = "fixed-data-here" + userPlain = "user-data-here" + signedFixed = smpEncode fakeSig <> fixedPlain + signedUser = smpEncode fakeSig <> userPlain + case (,) <$> C.sbEncrypt sbKey nonce signedFixed 2008 + <*> C.sbEncrypt sbKey nonce signedUser 13784 of + Left e -> expectationFailure $ "encrypt failed: " <> show e + Right (ctFixed, ctUser) -> do + let encFixed = C.unCbNonce nonce <> ctFixed + encUser = C.unCbNonce nonce <> ctUser + tsResult <- callNode $ impSodium <> impCryptoShortLink + <> "const r = decryptLinkData(" + <> jsUint8 (C.unSbKey sbKey) <> "," + <> jsUint8 encFixed <> "," + <> jsUint8 encUser <> ");" + <> jsOut ("new Uint8Array([...r.fixedData, 0, ...r.userData])") + tsResult `shouldBe` (fixedPlain <> B.singleton 0 <> userPlain) + + describe "crypto/sntrup761" $ do + it "TypeScript encapsulates, Haskell decapsulates - shared secret matches" $ do + g <- C.newRandom + (KEMPublicKey pkBytes, sk) <- sntrup761Keypair g + tsResult <- callNode $ impSntrup + <> "const enc = sntrup761Enc(" <> jsUint8 pkBytes <> ");" + <> jsOut ("new Uint8Array([...enc.ciphertext, ...enc.sharedSecret])") + let (ctBytes, tsSharedSecret) = B.splitAt 1039 tsResult + KEMSharedKey hsSharedSecret <- sntrup761Dec (KEMCiphertext ctBytes) sk + (BA.convert hsSharedSecret :: B.ByteString) `shouldBe` tsSharedSecret + + it "Haskell encapsulates, TypeScript decapsulates - shared secret matches" $ do + -- TypeScript generates keypair, passes public key to Haskell via stdout, + -- but callNode is one-shot. So: TypeScript generates keypair, outputs (pk, sk). + -- Then Haskell encapsulates against pk, passes (ct) to TypeScript. + -- TypeScript decapsulates with sk, outputs shared secret. + -- We compare with Haskell's shared secret. + -- + -- Two callNode calls: first to get keypair, second to decapsulate. + kpResult <- callNode $ impSntrup + <> "const kp = sntrup761Keypair();" + <> jsOut ("new Uint8Array([...kp.publicKey, ...kp.secretKey])") + let (tsPk, tsSk) = B.splitAt 1158 kpResult + g <- C.newRandom + (KEMCiphertext ctBytes, KEMSharedKey hsSharedSecret) <- sntrup761Enc g (KEMPublicKey tsPk) + tsResult <- callNode $ impSntrup + <> "const ss = sntrup761Dec(" <> jsUint8 ctBytes <> "," <> jsUint8 tsSk <> ");" + <> jsOut ("ss") + tsResult `shouldBe` (BA.convert hsSharedSecret :: B.ByteString) + + describe "crypto/aesGcm" $ do + it "Haskell encryptAEAD (16-byte IV), TypeScript decrypts" $ do + let key = C.Key $ B.pack [1..32] + iv = C.IV $ B.pack [1..16] + ad = "associated data" + msg = "hello from haskell aes-gcm" + Right (C.AuthTag authTag, ct) <- runExceptT $ C.encryptAEAD key iv 64 ad msg + let tagBytes = BA.convert authTag :: B.ByteString + tsResult <- callNode $ impEnc + <> "import { gcm } from '@noble/ciphers/aes.js';" + <> "const key = " <> jsUint8 (B.pack [1..32]) <> ";" + <> "const iv = " <> jsUint8 (B.pack [1..16]) <> ";" + <> "const ad = new TextEncoder().encode('associated data');" + <> "const ct = " <> jsUint8 ct <> ";" + <> "const tag = " <> jsUint8 tagBytes <> ";" + <> "const cipher = gcm(key, iv, ad);" + <> "const encrypted = new Uint8Array([...ct, ...tag]);" + <> "const decrypted = cipher.decrypt(encrypted);" + -- unpad: 2-byte BE length prefix + message + '#' padding + <> "const len = (decrypted[0] << 8) | decrypted[1];" + <> jsOut ("decrypted.subarray(2, 2 + len)") + tsResult `shouldBe` msg + + describe "crypto/ratchet" $ do + describe "X3DH" $ do + it "pqX3dhSnd and pqX3dhRcv produce same ratchetKey" $ do + -- TypeScript generates two key pairs, computes X3DH from both sides, verifies match + tsResult <- callNode $ impSodium <> impRatchet + <> "const alice1 = generateX448KeyPair();" + <> "const alice2 = generateX448KeyPair();" + <> "const bob1 = generateX448KeyPair();" + <> "const bob2 = generateX448KeyPair();" + -- Bob (joiner) inits sending ratchet with Alice's public keys + <> "const snd = pqX3dhSnd(bob1.privateKey, bob2.privateKey, alice1.publicKey, alice2.publicKey);" + -- Alice (initiator) inits receiving ratchet with Bob's public keys + <> "const rcv = pqX3dhRcv(alice1.privateKey, alice2.privateKey, bob1.publicKey, bob2.publicKey);" + -- ratchetKey, sndHK, rcvNextHK should match + <> "const match = snd.ratchetKey.every((b, i) => b === rcv.ratchetKey[i]) && snd.sndHK.every((b, i) => b === rcv.sndHK[i]) && snd.rcvNextHK.every((b, i) => b === rcv.rcvNextHK[i]);" + <> jsOut ("new Uint8Array([match ? 1 : 0, snd.ratchetKey.length, snd.sndHK.length, snd.rcvNextHK.length])") + tsResult `shouldBe` B.pack [1, 32, 32, 32] + + describe "chainKdf" $ do + it "TypeScript chainKdf produces correct output via HKDF" $ do + -- chainKdf is hkdf3("", ck, "SimpleXChainRatchet") split into 32+32+16+16 + -- Since hkdf is already tested against Haskell, test the split logic + tsResult <- callNode $ impRatchet + <> "const r = chainKdf(" <> jsUint8 (B.pack [1..32]) <> ");" + <> jsOut ("new Uint8Array([r.ck.length, r.mk.length, r.iv.length, r.ehIV.length])") + tsResult `shouldBe` B.pack [32, 32, 16, 16] + + describe "encryptAEAD" $ do + it "TypeScript encrypt matches Haskell encrypt (same ciphertext)" $ do + let key = C.Key $ B.pack [1..32] + iv = C.IV $ B.pack [1..16] + ad = "test associated data" + msg = "ratchet plaintext" + Right (C.AuthTag hsTag, hsCt) <- runExceptT $ C.encryptAEAD key iv 64 ad msg + let hsTagBytes = BA.convert hsTag :: B.ByteString + tsResult <- callNode $ impRatchet + <> "const r = encryptAEAD(" <> jsUint8 (B.pack [1..32]) <> "," <> jsUint8 (B.pack [1..16]) <> ",64," + <> "new TextEncoder().encode('test associated data')," + <> "new TextEncoder().encode('ratchet plaintext'));" + <> jsOut ("new Uint8Array([...r.authTag, ...r.ciphertext])") + tsResult `shouldBe` (hsTagBytes <> hsCt) + + it "TypeScript decrypts Haskell-encrypted" $ do + let key = C.Key $ B.pack [10..41] + iv = C.IV $ B.pack [10..25] + ad = "ad for decrypt test" + msg = "hello from haskell ratchet" + Right (C.AuthTag hsTag, hsCt) <- runExceptT $ C.encryptAEAD key iv 64 ad msg + let hsTagBytes = BA.convert hsTag :: B.ByteString + tsResult <- callNode $ impRatchet + <> "const plain = decryptAEAD(" <> jsUint8 (B.pack [10..41]) <> "," <> jsUint8 (B.pack [10..25]) <> "," + <> "new TextEncoder().encode('ad for decrypt test')," + <> jsUint8 hsCt <> "," <> jsUint8 hsTagBytes <> ");" + <> jsOut ("plain") + tsResult `shouldBe` msg + + it "Haskell decrypts TypeScript-encrypted" $ do + let key = C.Key $ B.pack [20..51] + iv = C.IV $ B.pack [20..35] + ad = "ad for ts encrypt" + msg = "hello from typescript ratchet" + tsResult <- callNode $ impRatchet + <> "const r = encryptAEAD(" <> jsUint8 (B.pack [20..51]) <> "," <> jsUint8 (B.pack [20..35]) <> ",64," + <> "new TextEncoder().encode('ad for ts encrypt')," + <> "new TextEncoder().encode('hello from typescript ratchet'));" + <> jsOut ("new Uint8Array([...r.authTag, ...r.ciphertext])") + let (tsTag, tsCt) = B.splitAt 16 tsResult + Right hsPlain <- runExceptT $ C.decryptAEAD key iv ad tsCt (C.AuthTag $ AES.AuthTag $ BA.convert tsTag) + hsPlain `shouldBe` msg + + describe "ratchet encrypt/decrypt" $ do + it "TypeScript ratchet self-consistency: encrypt, decrypt, ratchet advance, skipped" $ do + tsResult <- callNode $ impRatchet + <> "const a1 = generateX448KeyPair(), a2 = generateX448KeyPair();" + <> "const b1 = generateX448KeyPair(), b2 = generateX448KeyPair();" + <> "const bp = pqX3dhSnd(b1.privateKey, b2.privateKey, a1.publicKey, a2.publicKey);" + <> "const ap = pqX3dhRcv(a1.privateKey, a2.privateKey, b1.publicKey, b2.publicKey);" + <> "const b3 = generateX448KeyPair();" + <> "let bob = initSndRatchet({current:3,maxSupported:3}, a2.publicKey, b3.privateKey, bp, null);" + <> "let alice = initRcvRatchet({current:3,maxSupported:3}, a2.privateKey, ap, null, false);" + <> "let sk = new Map();" + -- Bob sends 3 + <> "const e1 = rcEncrypt(bob, new TextEncoder().encode('msg1'), 100); bob = e1.state;" + <> "const e2 = rcEncrypt(bob, new TextEncoder().encode('msg2'), 100); bob = e2.state;" + <> "const e3 = rcEncrypt(bob, new TextEncoder().encode('msg3'), 100); bob = e3.state;" + -- Alice decrypts msg3 first (skip 1,2) + <> "let d3 = rcDecrypt(alice, sk, e3.ciphertext); alice = d3.state; sk = d3.skippedKeys;" + -- Alice decrypts msg1 from skipped + <> "let d1 = rcDecrypt(alice, sk, e1.ciphertext); alice = d1.state; sk = d1.skippedKeys;" + -- Alice responds + <> "const ea = rcEncrypt(alice, new TextEncoder().encode('reply'), 100); alice = ea.state;" + <> "const da = rcDecrypt(bob, new Map(), ea.ciphertext); bob = da.state;" + -- Verify + <> "const ok = new TextDecoder().decode(d3.plaintext) === 'msg3'" + <> " && new TextDecoder().decode(d1.plaintext) === 'msg1'" + <> " && new TextDecoder().decode(da.plaintext) === 'reply';" + <> jsOut ("new Uint8Array([ok ? 1 : 0])") + tsResult `shouldBe` B.singleton 1 + + it "cross-language: Haskell encrypts, TypeScript decrypts" $ do + -- Round 1: TypeScript generates alice's keys, outputs private keys + smpEncoded E2E params + tsAliceOutput <- callNode $ impEnc <> impRatchet + <> "const a1 = generateX448KeyPair(), a2 = generateX448KeyPair();" + -- smpEncode E2ERatchetParams v3: (version, pk1, pk2, Maybe KEMParams) + -- Nothing = 0x30 ('0') + <> "const e2e = new Uint8Array([...encodeWord16(3), ...encodeBytes(encodePubKeyX448(a1.publicKey)), ...encodeBytes(encodePubKeyX448(a2.publicKey)), 0x30]);" + -- Output: a1.privateKey(56) + a2.privateKey(56) + e2e_len(2) + e2e_bytes + <> "const lenBuf = new Uint8Array(2); lenBuf[0] = (e2e.length >> 8) & 0xff; lenBuf[1] = e2e.length & 0xff;" + <> jsOut ("new Uint8Array([...a1.privateKey, ...a2.privateKey, ...lenBuf, ...e2e])") + let (alicePriv1, rest1) = B.splitAt 56 tsAliceOutput + (alicePriv2, rest2) = B.splitAt 56 rest1 + e2eLen = fromIntegral (B.index rest2 0) * 256 + fromIntegral (B.index rest2 1) + aliceE2EBytes = B.take e2eLen $ B.drop 2 rest2 + + -- Round 2: Haskell decodes alice's E2E params, generates bob, encrypts + g <- C.newRandom + let v = CR.currentE2EEncryptVersion + Right (aliceE2E@(CR.E2ERatchetParams _ _ alicePk2 _) :: CR.E2ERatchetParams 'CR.RKSProposed 'X448) <- pure $ smpDecode aliceE2EBytes + (bobPk1, bobPk2, _pKem, CR.AE2ERatchetParams _ bobE2E) <- CR.generateSndE2EParams @'X448 g v Nothing + Right (bobInitParams, _) <- pure $ CR.pqX3dhSnd bobPk1 bobPk2 Nothing aliceE2E + (_, bobDHRs) <- atomically $ C.generateKeyPair @'X448 g + let bobRatchet = CR.initSndRatchet (CR.RatchetVersions v v) alicePk2 bobDHRs (bobInitParams, Nothing) + Right (mek, _) <- runExceptT $ CR.rcEncryptHeader bobRatchet Nothing v + Right ciphertext <- runExceptT $ CR.rcEncryptMsg mek paddedMsgLen "hello from haskell ratchet" + let bobE2EBytes = smpEncode bobE2E + + -- Round 3: TypeScript decodes bob's params, inits ratchet, decrypts + tsResult <- callNode $ impEnc <> impRatchet + -- Parse bob's E2E params + <> "const d = new Decoder(" <> jsUint8 bobE2EBytes <> ");" + <> "const bobV = d.anyByte() * 256 + d.anyByte();" + <> "const bobPk1Raw = decodePubKeyX448(decodeBytes(d));" + <> "const bobPk2Raw = decodePubKeyX448(decodeBytes(d));" + <> "const a1Priv = " <> jsUint8 alicePriv1 <> ";" + <> "const a2Priv = " <> jsUint8 alicePriv2 <> ";" + <> "const ap = pqX3dhRcv(a1Priv, a2Priv, bobPk1Raw, bobPk2Raw);" + <> "const alice = initRcvRatchet({current:3,maxSupported:3}, a2Priv, ap, null, false);" + <> "const dec = rcDecrypt(alice, new Map(), " <> jsUint8 ciphertext <> ");" + <> jsOut ("dec.plaintext") + tsResult `shouldBe` "hello from haskell ratchet" + + it "cross-language: TypeScript encrypts, Haskell decrypts" $ do + -- Round 1: Haskell generates alice's keys, outputs encoded E2E params + g <- C.newRandom + let v = CR.currentE2EEncryptVersion + (alicePk1, alicePk2, _pKem, aliceE2E) <- CR.generateRcvE2EParams @'X448 g v CR.PQSupportOff + let aliceE2EBytes = smpEncode aliceE2E + + -- Round 2: TypeScript generates bob's keys, does X3DH, inits snd ratchet, encrypts + tsOutput <- callNode $ impEnc <> impRatchet + -- Parse alice's E2E params + <> "const d = new Decoder(" <> jsUint8 aliceE2EBytes <> ");" + <> "const aliceV = d.anyByte() * 256 + d.anyByte();" + <> "const alicePk1Raw = decodePubKeyX448(decodeBytes(d));" + <> "const alicePk2Raw = decodePubKeyX448(decodeBytes(d));" + -- Bob generates keys + <> "const b1 = generateX448KeyPair(), b2 = generateX448KeyPair();" + <> "const b3 = generateX448KeyPair();" + -- X3DH (bob is sender) + <> "const bp = pqX3dhSnd(b1.privateKey, b2.privateKey, alicePk1Raw, alicePk2Raw);" + -- Init sending ratchet + <> "let bob = initSndRatchet({current:3,maxSupported:3}, alicePk2Raw, b3.privateKey, bp, null);" + -- Encrypt + <> "const enc = rcEncrypt(bob, new TextEncoder().encode('hello from typescript ratchet'), 100);" + -- Output: bob's E2E params (version + 2 DER keys + Nothing KEM) + ciphertext + <> "const bobE2E = new Uint8Array([...encodeWord16(3), ...encodeBytes(encodePubKeyX448(b1.publicKey)), ...encodeBytes(encodePubKeyX448(b2.publicKey)), 0x30]);" + <> "const lenBuf = new Uint8Array(2); lenBuf[0] = (bobE2E.length >> 8) & 0xff; lenBuf[1] = bobE2E.length & 0xff;" + <> "const ctLenBuf = new Uint8Array(2); ctLenBuf[0] = (enc.ciphertext.length >> 8) & 0xff; ctLenBuf[1] = enc.ciphertext.length & 0xff;" + <> jsOut ("new Uint8Array([...lenBuf, ...bobE2E, ...ctLenBuf, ...enc.ciphertext])") + -- Parse output: [2 bytes e2e len][e2e bytes][2 bytes ct len][ct bytes] + let (e2eLenBs, rest1) = B.splitAt 2 tsOutput + bobE2ELen = fromIntegral (B.index e2eLenBs 0) * 256 + fromIntegral (B.index e2eLenBs 1) + (bobE2EBytes, rest2) = B.splitAt bobE2ELen rest1 + (ctLenBs, rest3) = B.splitAt 2 rest2 + ctLen = fromIntegral (B.index ctLenBs 0) * 256 + fromIntegral (B.index ctLenBs 1) + ciphertext = B.take ctLen rest3 + + -- Round 3: Haskell decodes bob's params, does X3DH, inits rcv ratchet, decrypts + Right (CR.AE2ERatchetParams _ bobE2EParams :: CR.AE2ERatchetParams 'X448) <- pure $ smpDecode bobE2EBytes + Right (aliceInitParams, _) <- runExceptT $ CR.pqX3dhRcv alicePk1 alicePk2 Nothing bobE2EParams + let aliceRatchet = CR.initRcvRatchet (CR.RatchetVersions v v) alicePk2 (aliceInitParams, Nothing) CR.PQSupportOff + gAlice <- C.newRandom + Right (msg, _, _) <- runExceptT $ CR.rcDecrypt gAlice aliceRatchet M.empty ciphertext + msg `shouldBe` Right "hello from typescript ratchet" + + it "cross-language: PQ X3DH - Haskell proposes KEM, TypeScript accepts, encrypts" $ do + -- Round 1: Haskell (alice) generates keys with PQ KEM proposal + g <- C.newRandom + let v = CR.currentE2EEncryptVersion + (alicePk1, alicePk2, alicePKem_@(Just _), aliceE2E) <- CR.generateRcvE2EParams @'X448 g v CR.PQSupportOn + let aliceE2EBytes = smpEncode aliceE2E + + -- Round 2: TypeScript (bob) accepts KEM, does X3DH, inits snd ratchet, encrypts + tsOutput <- callNode $ impEnc <> impSodium <> impRatchet <> impSntrup + -- Parse alice's E2E params (v3: version + pk1 + pk2 + Maybe ARKEMParams) + <> "const d = new Decoder(" <> jsUint8 aliceE2EBytes <> ");" + <> "const aliceV = d.anyByte() * 256 + d.anyByte();" + <> "const alicePk1Raw = decodePubKeyX448(decodeBytes(d));" + <> "const alicePk2Raw = decodePubKeyX448(decodeBytes(d));" + -- Parse Maybe ARKEMParams: '1' + 'P' + KEMPublicKey(Large) + <> "const maybeByte = d.anyByte();" + <> "if (maybeByte !== 0x31) throw new Error('expected Just KEM');" + <> "const kemTag = d.anyByte();" + <> "if (kemTag !== 0x50) throw new Error('expected P (proposed), got ' + kemTag);" + <> "const aliceKemPk = decodeLarge(d);" + -- Bob generates DH keys + <> "const b1 = generateX448KeyPair(), b2 = generateX448KeyPair();" + <> "const b3 = generateX448KeyPair();" + -- Bob encapsulates against alice's KEM public key + <> "const kemEnc = sntrup761Enc(aliceKemPk);" + -- Bob generates his own KEM keypair for future ratchet steps + <> "const bobKem = sntrup761Keypair();" + -- Construct kemAccepted matching Haskell RatchetKEMAccepted: + -- rcPQRr = alice's KEM public key (received) + -- rcPQRss = shared secret (from encapsulation) + -- rcPQRct = ciphertext (sent to alice) + <> "const kemAccepted = {rcPQRr: aliceKemPk, rcPQRss: kemEnc.sharedSecret, rcPQRct: kemEnc.ciphertext};" + -- X3DH with kemAccepted (folds shared secret into HKDF AND stores in RatchetInitParams) + <> "const bp = pqX3dhSnd(b1.privateKey, b2.privateKey, alicePk1Raw, alicePk2Raw, kemAccepted);" + -- Init sending ratchet with bob's KEM keypair + <> "let bob = initSndRatchet({current:3,maxSupported:3}, alicePk2Raw, b3.privateKey, bp, bobKem);" + -- Encrypt + <> "const enc = rcEncrypt(bob, new TextEncoder().encode('hello with PQ'), 100);" + -- Build bob's E2E params: version + pk1 + pk2 + Just(Accepted(ct, bobKemPk)) + -- smpEncode ('A', ct, bobKemPk) where ct and pk are Large-encoded + <> "const bobE2E = new Uint8Array([" + <> " ...encodeWord16(3)," + <> " ...encodeBytes(encodePubKeyX448(b1.publicKey))," + <> " ...encodeBytes(encodePubKeyX448(b2.publicKey))," + <> " 0x31," -- Just + <> " 0x41," -- 'A' = Accepted + <> " ...new Uint8Array([(kemEnc.ciphertext.length >> 8) & 0xff, kemEnc.ciphertext.length & 0xff]), ...kemEnc.ciphertext," + <> " ...new Uint8Array([(bobKem.publicKey.length >> 8) & 0xff, bobKem.publicKey.length & 0xff]), ...bobKem.publicKey," + <> "]);" + <> "const lenBuf = new Uint8Array(2); lenBuf[0] = (bobE2E.length >> 8) & 0xff; lenBuf[1] = bobE2E.length & 0xff;" + <> "const ctLenBuf = new Uint8Array(2); ctLenBuf[0] = (enc.ciphertext.length >> 8) & 0xff; ctLenBuf[1] = enc.ciphertext.length & 0xff;" + <> jsOut ("new Uint8Array([...lenBuf, ...bobE2E, ...ctLenBuf, ...enc.ciphertext])") + let (e2eLenBs, rest1) = B.splitAt 2 tsOutput + bobE2ELen = fromIntegral (B.index e2eLenBs 0) * 256 + fromIntegral (B.index e2eLenBs 1) + (bobE2EBytes, rest2) = B.splitAt bobE2ELen rest1 + (ctLenBs, rest3) = B.splitAt 2 rest2 + ctLen = fromIntegral (B.index ctLenBs 0) * 256 + fromIntegral (B.index ctLenBs 1) + ciphertext = B.take ctLen rest3 + + -- Round 3: Haskell decodes bob's params (with KEM accepted), does X3DH with KEM, decrypts + Right (CR.AE2ERatchetParams _ bobE2EParams :: CR.AE2ERatchetParams 'X448) <- pure $ smpDecode bobE2EBytes + Right (aliceInitParams, aliceKemKp_) <- runExceptT $ CR.pqX3dhRcv alicePk1 alicePk2 alicePKem_ bobE2EParams + let aliceRatchet = CR.initRcvRatchet (CR.RatchetVersions v v) alicePk2 (aliceInitParams, aliceKemKp_) CR.PQSupportOn + gAlice <- C.newRandom + result <- runExceptT $ CR.rcDecrypt gAlice aliceRatchet M.empty ciphertext + case result of + Right (msg, _, _) -> msg `shouldBe` Right "hello with PQ" + Left e -> expectationFailure $ "rcDecrypt failed: " <> show e + + it "TypeScript PQ ratchet self-consistency: multi-message with KEM ratchet steps" $ do + tsResult <- callNode $ impSodium <> impSntrup <> impRatchet + <> "const a1 = generateX448KeyPair(), a2 = generateX448KeyPair();" + <> "const b1 = generateX448KeyPair(), b2 = generateX448KeyPair();" + <> "const b3 = generateX448KeyPair();" + -- Alice proposes KEM + <> "const aliceKem = sntrup761Keypair();" + -- Bob accepts: encapsulate against alice's KEM public key + <> "const kemEnc = sntrup761Enc(aliceKem.publicKey);" + <> "const bobKem = sntrup761Keypair();" + <> "const kemAccepted = {rcPQRr: aliceKem.publicKey, rcPQRss: kemEnc.sharedSecret, rcPQRct: kemEnc.ciphertext};" + -- Alice receives bob's acceptance: decapsulate to get shared secret + <> "const aliceSS = sntrup761Dec(kemEnc.ciphertext, aliceKem.secretKey);" + <> "const aliceKemAccepted = {rcPQRr: bobKem.publicKey, rcPQRss: aliceSS, rcPQRct: kemEnc.ciphertext};" + -- X3DH for both sides + <> "const bp = pqX3dhSnd(b1.privateKey, b2.privateKey, a1.publicKey, a2.publicKey, kemAccepted);" + <> "const ap = pqX3dhRcv(a1.privateKey, a2.privateKey, b1.publicKey, b2.publicKey, aliceKemAccepted);" + -- Init ratchets with KEM keypairs + <> "let bob = initSndRatchet({current:3,maxSupported:3}, a2.publicKey, b3.privateKey, bp, bobKem);" + <> "let alice = initRcvRatchet({current:3,maxSupported:3}, a2.privateKey, ap, aliceKem, true);" + <> "let sk = new Map();" + -- Bob sends msg1 (has KEM params in header from initSndRatchet) + <> "const e1 = rcEncrypt(bob, new TextEncoder().encode('pq msg1'), 100); bob = e1.state;" + -- Alice decrypts msg1 (triggers ratchet advance with KEM) + <> "let d1 = rcDecrypt(alice, sk, e1.ciphertext); alice = d1.state; sk = d1.skippedKeys;" + -- Alice sends msg2 (ratchet advanced, has KEM params from pqRatchetStep) + <> "const e2 = rcEncrypt(alice, new TextEncoder().encode('pq msg2'), 100); alice = e2.state;" + -- Bob decrypts msg2 (triggers ratchet advance with KEM on bob's side) + <> "let d2 = rcDecrypt(bob, new Map(), e2.ciphertext); bob = d2.state;" + -- Bob sends msg3 (another ratchet advance with KEM) + <> "const e3 = rcEncrypt(bob, new TextEncoder().encode('pq msg3'), 100); bob = e3.state;" + -- Alice decrypts msg3 + <> "let d3 = rcDecrypt(alice, sk, e3.ciphertext); alice = d3.state; sk = d3.skippedKeys;" + -- Verify all messages + <> "const ok = new TextDecoder().decode(d1.plaintext) === 'pq msg1'" + <> " && new TextDecoder().decode(d2.plaintext) === 'pq msg2'" + <> " && new TextDecoder().decode(d3.plaintext) === 'pq msg3'" + -- Verify KEM state is maintained + <> " && alice.rcKEM !== null && bob.rcKEM !== null" + <> " && alice.rcSndKEM === true && bob.rcSndKEM === true;" + <> jsOut ("new Uint8Array([ok ? 1 : 0])") + tsResult `shouldBe` B.singleton 1 + + describe "DER encoding" $ do + it "X448 DER round-trips" $ do + tsResult <- callNode $ impRatchet + <> "const kp = generateX448KeyPair();" + <> "const der = encodePubKeyX448(kp.publicKey);" + <> "const raw = decodePubKeyX448(der);" + <> "const match = kp.publicKey.every((b, i) => b === raw[i]);" + <> jsOut ("new Uint8Array([match ? 1 : 0, der.length, raw.length])") + tsResult `shouldBe` B.pack [1, 68, 56] + + describe "cross-language ratchet advance" $ do + let run initPeers op test = withCrossPeers initPeers $ \(alice, bob) -> + test alice bob tpEncrypt tpDecrypt op + describe "HS rcv, JS snd, no PQ" $ do + it "encrypt and decrypt" $ run initHsJs_noPQ tp_noKEM testEncryptDecrypt + it "skipped messages" $ run initHsJs_noPQ tp_noKEM testSkippedMessages + it "many messages" $ run initHsJs_noPQ tp_noKEM testManyMessages + it "skipped after ratchet advance" $ run initHsJs_noPQ tp_noKEM testSkippedAfterRatchetAdvance + describe "HS rcv, JS snd, PQ" $ do + it "encrypt and decrypt" $ run initHsJs_PQ tp_hasKEM testEncryptDecrypt + it "skipped messages" $ run initHsJs_PQ tp_hasKEM testSkippedMessages + it "many messages" $ run initHsJs_PQ tp_hasKEM testManyMessages + it "skipped after ratchet advance" $ run initHsJs_PQ tp_hasKEM testSkippedAfterRatchetAdvance + describe "JS rcv, JS snd, no PQ" $ do + it "encrypt and decrypt" $ run initTsTs_noPQ tp_noKEM testEncryptDecrypt + it "skipped messages" $ run initTsTs_noPQ tp_noKEM testSkippedMessages + it "many messages" $ run initTsTs_noPQ tp_noKEM testManyMessages + it "skipped after ratchet advance" $ run initTsTs_noPQ tp_noKEM testSkippedAfterRatchetAdvance + describe "JS rcv, JS snd, PQ" $ do + it "encrypt and decrypt" $ run initTsTs_PQ tp_hasKEM testEncryptDecrypt + it "skipped messages" $ run initTsTs_PQ tp_hasKEM testSkippedMessages + it "many messages" $ run initTsTs_PQ tp_hasKEM testManyMessages + it "skipped after ratchet advance" $ run initTsTs_PQ tp_hasKEM testSkippedAfterRatchetAdvance + + describe "crypto/blockEncryption" $ do + describe "sbcInit + sbcHkdf" $ do + it "TypeScript produces same sbKey/nonce via sbcInit+sbcHkdf as Haskell" $ do + let sessId = B.pack [1..32] + secret = B.pack [50..81] + (sndCk, _rcvCk) = C.sbcInit sessId secret + ((C.SbKey sbKey, C.CbNonce nonce), _nextCk) = C.sbcHkdf sndCk + -- TypeScript does sbcInit then sbcHkdf on sndKey, should produce same sbKey/nonce + tsResult <- callNode $ impSodium <> impCrypto + <> "const ck = sbcInit(" <> jsUint8 sessId <> "," <> jsUint8 secret <> ");" + <> "const r = sbcHkdf(ck.sndKey);" + <> jsOut ("new Uint8Array([...r.keyNonce.sbKey, ...r.keyNonce.nonce])") + tsResult `shouldBe` (sbKey <> nonce) + + describe "block encrypt/decrypt" $ do + it "Haskell encrypts, TypeScript decrypts" $ do + let sessId = B.pack [1..32] + secret = B.pack [1..32] + (sndCk, _) = C.sbcInit sessId secret + msg = "hello encrypted block" + ((sk, nonce), _nextCk) = C.sbcHkdf sndCk + case C.sbEncrypt sk nonce msg (smpBlockSize - 16) of + Left e -> expectationFailure $ "encrypt failed: " <> show e + Right ct -> do + tsResult <- callNode $ impSodium <> impCrypto + <> "const ck = sbcInit(" <> jsUint8 sessId <> "," <> jsUint8 secret <> ");" + <> "const r = sbDecryptBlock(ck.sndKey," <> jsUint8 ct <> ");" + <> jsOut ("r.decrypted") + tsResult `shouldBe` msg + + it "TypeScript encrypts, Haskell decrypts" $ do + let sessId = B.pack [10..41] + secret = B.pack [10..41] + (sndCk, _) = C.sbcInit sessId secret + msg = "hello from typescript" + tsResult <- callNode $ impSodium <> impCrypto + <> "const ck = sbcInit(" <> jsUint8 sessId <> "," <> jsUint8 secret <> ");" + <> jsOut ("sbEncryptBlock(ck.sndKey, new TextEncoder().encode('hello from typescript'), " <> show (smpBlockSize - 16) <> ").encrypted") + let ((sk, nonce), _nextCk) = C.sbcHkdf sndCk + case C.sbDecrypt sk nonce tsResult of + Left e -> expectationFailure $ "decrypt failed: " <> show e + Right plain -> plain `shouldBe` msg + + describe "agent/protocol" $ do + describe "ProtocolServer binary" $ do + it "decodes Haskell-encoded server" $ do + let srv = SMPServer ("smp.example.com" :| ["smp2.example.com"]) "5223" (C.KeyHash $ B.pack [1..32]) + encoded = smpEncode srv + tsResult <- callNode $ impAgentProto + <> "const s = decodeProtocolServer(new Decoder(" <> jsUint8 encoded <> "));" + <> "const enc = new TextEncoder();" + <> jsOut ("new Uint8Array([s.hosts.length, ...s.keyHash, ...enc.encode(new TextDecoder().decode(s.port))])") + tsResult `shouldBe` B.pack ([2] ++ [1..32]) <> "5223" + + describe "ConnShortLink binary" $ do + it "decodes Haskell-encoded contact link" $ do + let srv = SMPServer ("relay.example.com" :| []) "" (C.KeyHash $ B.pack [1..32]) + linkKey = AP.LinkKey $ B.pack [50..81] + link = AP.CSLContact AP.SLSServer AP.CCTGroup srv linkKey + encoded = smpEncode link + tsResult <- callNode $ impAgentProto + <> "const l = decodeConnShortLink(new Decoder(" <> jsUint8 encoded <> "));" + <> jsOut ("new Uint8Array([l.mode === 'contact' ? 1 : 0, l.connType === 'group' ? 1 : 0, ...l.linkKey])") + tsResult `shouldBe` B.pack ([1, 1] ++ [50..81]) + + describe "ConnLinkData" $ do + it "decodes Haskell-encoded ContactLinkData with profile" $ do + let profileJson = "{\"displayName\":\"alice\",\"fullName\":\"Alice A\"}" + userData = AP.UserLinkData profileJson + ucd = AP.UserContactData {AP.direct = True, AP.owners = [], AP.relays = [], AP.userData = userData} + cld = AP.ContactLinkData (mkVersionRange (Version 1) (Version 3)) ucd :: AP.ConnLinkData 'AP.CMContact + encoded = smpEncode cld + tsResult <- callNode $ impAgentProto + <> "const r = decodeConnLinkData(new Decoder(" <> jsUint8 encoded <> "));" + <> "const p = parseProfile(r.userContactData.userData);" + <> "const enc = new TextEncoder();" + <> jsOut ("new Uint8Array([" + <> "r.agentVRange.min >> 8, r.agentVRange.min & 0xff," + <> "r.agentVRange.max >> 8, r.agentVRange.max & 0xff," + <> "r.userContactData.direct ? 1 : 0," + <> "r.userContactData.owners.length," + <> "r.userContactData.relays.length," + <> "...enc.encode(p.displayName)" + <> "])") + tsResult `shouldBe` B.pack [0, 1, 0, 3, 1, 0, 0] <> "alice" + + describe "ConnShortLink URI" $ do + it "parses simplex: contact link" $ do + let srv = SMPServer ("smp1.example.com" :| []) "" (C.KeyHash $ B.pack [1..32]) + linkKey = AP.LinkKey $ B.pack [100..131] + link = AP.CSLContact AP.SLSSimplex AP.CCTContact srv linkKey + uri = strEncode link + tsResult <- callNode $ impAgentProto + <> "const r = connShortLinkStrP(" <> jsStr uri <> ");" + <> jsOut ("new Uint8Array([...r.linkKey, ...r.server.keyHash])") + tsResult `shouldBe` (B.pack [100..131] <> B.pack [1..32]) + + it "parses https: contact link with port" $ do + let srv = SMPServer ("smp2.example.com" :| []) "5223" (C.KeyHash $ B.pack [50..81]) + linkKey = AP.LinkKey $ B.pack [200..231] + link = AP.CSLContact AP.SLSServer AP.CCTContact srv linkKey + uri = strEncode link + tsResult <- callNode $ impAgentProto + <> "const r = connShortLinkStrP(" <> jsStr uri <> ");" + <> "const enc = new TextEncoder();" + <> jsOut ("new Uint8Array([...r.linkKey, ...r.server.keyHash, ...enc.encode(r.server.port), 0, ...enc.encode(r.server.hosts.join(','))])") + let expected = B.pack [200..231] <> B.pack [50..81] <> "5223" <> B.singleton 0 <> "smp2.example.com" + tsResult `shouldBe` expected + + it "parses simplex: contact link with multiple hosts" $ do + let srv = SMPServer ("host1.example.com" :| ["host2.example.com"]) "" (C.KeyHash $ B.pack [1..32]) + linkKey = AP.LinkKey $ B.pack [10..41] + link = AP.CSLContact AP.SLSSimplex AP.CCTContact srv linkKey + uri = strEncode link + tsResult <- callNode $ impAgentProto + <> "const r = connShortLinkStrP(" <> jsStr uri <> ");" + <> "const enc = new TextEncoder();" + <> jsOut ("new Uint8Array([...r.linkKey, ...enc.encode(r.server.hosts.join(','))])") + tsResult `shouldBe` (B.pack [10..41] <> "host1.example.com,host2.example.com") + + it "parses group link type" $ do + let srv = SMPServer ("smp.example.com" :| []) "" (C.KeyHash $ B.pack [1..32]) + linkKey = AP.LinkKey $ B.pack [10..41] + link = AP.CSLContact AP.SLSSimplex AP.CCTGroup srv linkKey + uri = strEncode link + tsResult <- callNode $ impAgentProto + <> "const r = connShortLinkStrP(" <> jsStr uri <> ");" + <> "const enc = new TextEncoder();" + <> jsOut ("enc.encode(r.connType)") + tsResult `shouldBe` "group" + + it "round-trips: Haskell encode -> TypeScript parse -> fields match" $ do + let srv = SMPServer ("server1.simplex.im" :| ["server2.simplex.im"]) "443" (C.KeyHash $ B.pack [1..32]) + linkKey = AP.LinkKey $ B.pack [200..231] + link = AP.CSLContact AP.SLSServer AP.CCTContact srv linkKey + uri = strEncode link + -- TypeScript returns: mode, scheme, connType, host count, port, linkKey + tsResult <- callNode $ impAgentProto + <> "const r = connShortLinkStrP(" <> jsStr uri <> ");" + <> "const enc = new TextEncoder();" + <> jsOut ("new Uint8Array([" + <> "r.mode === 'contact' ? 1 : 0," + <> "r.scheme === 'https' ? 1 : 0," + <> "r.connType === 'contact' ? 1 : 0," + <> "r.server.hosts.length," + <> "...r.linkKey" + <> "])") + tsResult `shouldBe` B.pack ([1, 1, 1, 2] ++ [200..231]) + + describe "WebSocket handshake" $ do + it "TypeScript connects with block encryption, verifies identity, sends encrypted PING" $ do + let msType = ASType SQSMemory SMSJournal + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig (cfgWebOn msType testPort) (Just attachHTTP) $ \_ -> do + let C.KeyHash kh = testKeyHash + tsResult <- callNode $ impSodium <> impWS <> impProto + <> "import { sendEncryptedBlock, receiveEncryptedBlock } from './dist/transport/websockets.js';" + <> "try {" + <> "const conn = await connectSMP('wss://localhost:" <> testPort <> "', " <> jsUint8 kh <> ", {rejectUnauthorized: false, ALPNProtocols: ['http/1.1']});" + <> "if (!conn.sndKey || !conn.rcvKey) throw new Error('no block encryption keys');" + <> "const ping = tEncodeBatch1(null, encodeTransmission(new Uint8Array([0x31]), new Uint8Array(0), encodePING()));" + <> "sendEncryptedBlock(conn, ping);" + <> "const resp = await receiveEncryptedBlock(conn);" + <> "const ts = tParse(resp);" + <> "const t = ts[0];" + <> jsOut ("t.command") + <> "conn.ws.close(); setTimeout(() => process.exit(0), 100);" + <> "} catch(e) { process.stderr.write('ERROR: ' + e.message + '\\n'); process.exit(1); }" + tsResult `shouldBe` "PONG" + + describe "end-to-end" $ do + it "TypeScript fetches short link data via WebSocket" $ do + let msType = ASType SQSMemory SMSJournal + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig (cfgWebOn msType testPort) (Just attachHTTP) $ \_serverThread -> + withAgent 1 agentCfg initAgentServers testDB $ \a -> do + let testData = "hello from short link" + userData = UserLinkData testData + userCtData = UserContactData {direct = True, owners = [], relays = [], userData = userData} + newLinkData = UserContactLinkData userCtData + (_connId, (CCLink _connReq (Just shortLink), Nothing)) <- + runRight $ A.createConnection a NRMInteractive 1 True True AP.SCMContact (Just newLinkData) Nothing CR.IKPQOn SMSubscribe + let linkUri = strEncode shortLink + tsResult <- callNode $ impSodium <> impWS <> impAgentProto <> impProto_ <> impCryptoShortLink + <> "import { sendEncryptedBlock, receiveEncryptedBlock } from './dist/transport/websockets.js';" + <> "try {" + -- 1. Parse short link URI + <> "const link = connShortLinkStrP(" <> jsStr linkUri <> ");" + -- 2. Derive keys + <> "const {linkId, sbKey} = contactShortLinkKdf(link.linkKey);" + -- 3. Connect via WSS (with block encryption) + <> "const conn = await connectSMP('wss://localhost:" <> testPort <> "', " <> jsUint8 (C.unKeyHash testKeyHash) <> ", {rejectUnauthorized: false, ALPNProtocols: ['http/1.1']});" + -- 4. Send LGET (encrypted) + <> "const lget = tEncodeBatch1(null, encodeTransmission(new Uint8Array([0x31]), linkId, encodeLGET()));" + <> "sendEncryptedBlock(conn, lget);" + -- 5. Receive LNK response (encrypted) + <> "const resp = await receiveEncryptedBlock(conn);" + <> "const ts = tParse(resp);" + <> "const r = decodeResponse(new Decoder(ts[0].command));" + <> "if (r.type !== 'LNK') throw new Error('expected LNK, got ' + r.type);" + -- 6. Decrypt link data + <> "const dec = decryptLinkData(sbKey, r.response.encFixedData, r.response.encUserData);" + -- 7. Parse FixedLinkData (rootKey) and ConnLinkData (userData) + <> "const fld = decodeFixedLinkData(new Decoder(dec.fixedData));" + <> "const cld = decodeConnLinkData(new Decoder(dec.userData));" + -- Return rootKey length (44 = valid DER Ed25519) + userData + <> jsOut ("new Uint8Array([fld.rootKey.length, ...cld.userContactData.userData])") + <> "conn.ws.close(); setTimeout(() => process.exit(0), 100);" + <> "} catch(e) { process.stderr.write('ERROR: ' + e.message + '\\n'); process.exit(1); }" + -- First byte: rootKey DER length (44 for Ed25519), rest: userData + B.head tsResult `shouldBe` 44 + B.tail tsResult `shouldBe` testData + + describe "agent/message" $ do + describe "AMessage" $ do + it "HELLO encoding matches Haskell" $ do + let hsBytes = smpEncode AP.HELLO + tsBytes <- callNode $ impAgentMsg <> jsOut "encodeAMessage({type: 'HELLO'})" + tsBytes `shouldBe` hsBytes + + it "A_MSG encoding matches Haskell" $ do + let body = "hello world from agent" + hsBytes = smpEncode (AP.A_MSG body) + tsBytes <- callNode $ impAgentMsg <> jsOut ("encodeAMessage({type: 'A_MSG', body: new TextEncoder().encode('hello world from agent')})") + tsBytes `shouldBe` hsBytes + + it "EREADY encoding matches Haskell" $ do + let hsBytes = smpEncode (AP.EREADY 42) + tsBytes <- callNode $ impEnc <> impAgentMsg <> jsOut ("encodeAMessage({type: 'EREADY', lastDecryptedMsgId: 42n})") + tsBytes `shouldBe` hsBytes + + it "TypeScript decodes Haskell A_MSG" $ do + let body = "decode test" + hsBytes = smpEncode (AP.A_MSG body) + tsResult <- callNode $ impEnc <> impAgentMsg + <> "const msg = decodeAMessage(new Decoder(" <> jsUint8 hsBytes <> "));" + <> jsOut ("msg.body") + tsResult `shouldBe` body + + describe "APrivHeader" $ do + it "encoding matches Haskell" $ do + let hdr = AP.APrivHeader 1 (B.replicate 32 0xAB) + hsBytes = smpEncode hdr + tsBytes <- callNode $ impEnc <> impAgentMsg + <> jsOut ("encodeAPrivHeader({sndMsgId: 1n, prevMsgHash: " <> jsUint8 (B.replicate 32 0xAB) <> "})") + tsBytes `shouldBe` hsBytes + + describe "AgentMessage" $ do + it "M variant encoding matches Haskell" $ do + let hdr = AP.APrivHeader 5 (B.replicate 32 0) + msg = AP.AgentMessage hdr (AP.A_MSG "test body") + hsBytes = smpEncode msg + tsBytes <- callNode $ impEnc <> impAgentMsg + <> jsOut ("encodeAgentMessage({type: 'message', header: {sndMsgId: 5n, prevMsgHash: new Uint8Array(32)}, msg: {type: 'A_MSG', body: new TextEncoder().encode('test body')}})") + tsBytes `shouldBe` hsBytes + + it "TypeScript decodes Haskell AgentMessage M" $ do + let hdr = AP.APrivHeader 99 (B.pack [1..32]) + msg = AP.AgentMessage hdr (AP.A_MSG "cross-language message") + hsBytes = smpEncode msg + tsResult <- callNode $ impEnc <> impAgentMsg + <> "const m = decodeAgentMessage(new Decoder(" <> jsUint8 hsBytes <> "));" + <> "if (m.type !== 'message') throw new Error('expected message');" + <> "if (m.msg.type !== 'A_MSG') throw new Error('expected A_MSG');" + <> jsOut ("new Uint8Array([...new TextEncoder().encode(m.header.sndMsgId.toString()), 0, ...m.msg.body])") + let (idStr, rest) = B.break (== 0) tsResult + idStr `shouldBe` "99" + B.tail rest `shouldBe` "cross-language message" + + describe "AgentMsgEnvelope" $ do + it "M variant encoding matches Haskell" $ do + let env = AP.AgentMsgEnvelope {AP.agentVersion = AP.currentSMPAgentVersion, AP.encAgentMessage = "encrypted payload"} + hsBytes = smpEncode env + tsBytes <- callNode $ impEnc <> impAgentMsg + <> jsOut ("encodeAgentMsgEnvelope({type: 'envelope', agentVersion: 7, encAgentMessage: new TextEncoder().encode('encrypted payload')})") + tsBytes `shouldBe` hsBytes + + it "TypeScript decodes Haskell AgentMsgEnvelope M" $ do + let env = AP.AgentMsgEnvelope {AP.agentVersion = AP.currentSMPAgentVersion, AP.encAgentMessage = "decrypt me"} + hsBytes = smpEncode env + tsResult <- callNode $ impEnc <> impAgentMsg + <> "const e = decodeAgentMsgEnvelope(new Decoder(" <> jsUint8 hsBytes <> "));" + <> "if (e.type !== 'envelope') throw new Error('expected envelope');" + <> jsOut ("e.encAgentMessage") + tsResult `shouldBe` "decrypt me" + + describe "protocol/e2e" $ do + describe "PubHeader" $ do + it "encoding without key matches Haskell" $ do + let h = PubHeader (VersionSMPC 19) Nothing + hsBytes = smpEncode h + tsBytes <- callNode $ impEnc <> impProtoE2E <> jsOut "encodePubHeader({phVersion: 19, phE2ePubDhKey: null})" + tsBytes `shouldBe` hsBytes + + it "encoding with key matches Haskell" $ do + g <- C.newRandom + (k, _) <- atomically $ C.generateKeyPair @'C.X25519 g + let derKey = C.encodePubKey k -- raw DER bytes without smpEncode length prefix + h = PubHeader (VersionSMPC 19) (Just k) + hsBytes = smpEncode h + tsBytes <- callNode $ impEnc <> impProtoE2E + <> jsOut ("encodePubHeader({phVersion: 19, phE2ePubDhKey: " <> jsUint8 derKey <> "})") + tsBytes `shouldBe` hsBytes + + describe "PrivHeader" $ do + it "PHEmpty encoding matches Haskell" $ do + let hsBytes = smpEncode PHEmpty + tsBytes <- callNode $ impProtoE2E <> jsOut "encodePrivHeader({type: 'PHEmpty'})" + tsBytes `shouldBe` hsBytes + + describe "ClientMessage" $ do + it "encoding matches Haskell" $ do + let body = "agent envelope bytes here" + msg = ClientMessage PHEmpty body + hsBytes = smpEncode msg + tsBytes <- callNode $ impEnc <> impProtoE2E + <> jsOut ("encodeClientMessage({privHeader: {type: 'PHEmpty'}, body: new TextEncoder().encode('agent envelope bytes here')})") + tsBytes `shouldBe` hsBytes + + describe "ClientMsgEnvelope" $ do + it "encoding matches Haskell" $ do + let nonce = C.cbNonce $ B.pack [1..24] + h = PubHeader (VersionSMPC 19) Nothing + env = ClientMsgEnvelope {cmHeader = h, cmNonce = nonce, cmEncBody = "encrypted body data"} + hsBytes = smpEncode env + tsBytes <- callNode $ impEnc <> impProtoE2E + <> jsOut ("encodeClientMsgEnvelope({cmHeader: {phVersion: 19, phE2ePubDhKey: null}, cmNonce: " <> jsUint8 (B.pack [1..24]) <> ", cmEncBody: new TextEncoder().encode('encrypted body data')})") + tsBytes `shouldBe` hsBytes + + it "TypeScript decodes Haskell-encoded" $ do + let nonce = C.cbNonce $ B.pack [10..33] + h = PubHeader (VersionSMPC 19) Nothing + env = ClientMsgEnvelope {cmHeader = h, cmNonce = nonce, cmEncBody = "test ciphertext"} + hsBytes = smpEncode env + tsResult <- callNode $ impEnc <> impProtoE2E + <> "const env = decodeClientMsgEnvelope(new Decoder(" <> jsUint8 hsBytes <> "));" + <> jsOut ("new Uint8Array([env.cmHeader.phVersion >> 8, env.cmHeader.phVersion & 0xff, env.cmHeader.phE2ePubDhKey === null ? 1 : 0, ...env.cmNonce, ...env.cmEncBody])") + let (version, rest1) = B.splitAt 2 tsResult + (nullByte, rest2) = B.splitAt 1 rest1 + (nonceBytes, bodyBytes) = B.splitAt 24 rest2 + version `shouldBe` B.pack [0, 19] + nullByte `shouldBe` B.singleton 1 + nonceBytes `shouldBe` B.pack [10..33] + bodyBytes `shouldBe` "test ciphertext" + + describe "per-queue E2E encrypt/decrypt" $ do + it "TypeScript encrypts, Haskell decrypts" $ do + -- Haskell generates receiver keypair + g <- C.newRandom + (rcvPub, rcvPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + let rcvPubRaw = C.pubKeyBytes rcvPub + -- TypeScript generates sender keypair, computes DH, encrypts + tsOutput <- callNode $ impSodium <> impEnc <> impProtoE2E + <> "import { generateX25519KeyPair, dh, encodePubKeyX25519 } from '@simplex-chat/xftp-web/dist/crypto/keys.js';" + <> "const sndKp = generateX25519KeyPair();" + <> "const rcvPub = " <> jsUint8 rcvPubRaw <> ";" + <> "const dhSecret = dh(rcvPub, sndKp.privateKey);" + <> "const clientMsg = encodeClientMessage({privHeader: {type: 'PHEmpty'}, body: new TextEncoder().encode('hello from typescript e2e')});" + <> "const encrypted = agentCbEncrypt(dhSecret, 19, null, clientMsg);" + -- Output: DER-encoded sndPubKey (ByteString-encoded: 1-byte len + DER) + encrypted + <> "const sndDer = encodePubKeyX25519(sndKp.publicKey);" + <> jsOut ("new Uint8Array([sndDer.length, ...sndDer, ...encrypted])") + -- Parse output: [1 byte len][DER sndPubKey][encrypted] + let sndDerLen = fromIntegral $ B.head tsOutput + (sndDerBytes, encrypted) = B.splitAt sndDerLen $ B.drop 1 tsOutput + -- Haskell decodes sender's DER public key and decrypts + let decoded = do + apk <- C.decodePubKey sndDerBytes + dhSecret <- case apk of + C.APublicKey C.SX25519 pk -> Right $ C.dh' pk rcvPriv + _ -> Left "not X25519" + cme <- smpDecode encrypted + plaintext <- first show $ C.cbDecrypt dhSecret (cmNonce cme) (cmEncBody cme) + cm <- smpDecode plaintext + case cm of + ClientMessage PHEmpty body -> Right body + _ -> Left "unexpected PrivHeader" + decoded `shouldBe` Right "hello from typescript e2e" + + describe "protocol/transmission" $ do + describe "sha512Hash" $ do + it "matches Haskell" $ do + let msg = "test message for hashing" + hsHash = C.sha512Hash msg + tsHash <- callNode $ impEnc + <> "import { sha512Hash } from './dist/crypto.js';" + <> jsOut ("sha512Hash(new TextEncoder().encode('test message for hashing'))") + tsHash `shouldBe` hsHash + + describe "cbAuthenticator" $ do + it "matches Haskell" $ do + g <- C.newRandom + (serverPub, _) <- atomically $ C.generateKeyPair @'C.X25519 g + (_, entityPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + let nonce = C.cbNonce $ B.pack [1..24] + msg = "transmission bytes to authenticate" + C.CbAuthenticator hsAuth = C.cbAuthenticate serverPub entityPriv nonce msg + C.PrivateKeyX25519 sk = entityPriv + entityPrivBytes = BA.convert sk :: B.ByteString + tsAuth <- callNode $ impSodium <> impEnc + <> "import { cbAuthenticator } from './dist/crypto.js';" + <> jsOut ("cbAuthenticator(" + <> jsUint8 (C.pubKeyBytes serverPub) <> "," + <> jsUint8 entityPrivBytes <> "," + <> jsUint8 (B.pack [1..24]) <> "," + <> "new TextEncoder().encode('transmission bytes to authenticate'))") + tsAuth `shouldBe` hsAuth + + describe "encodeTransmissionForAuth" $ do + it "matches Haskell" $ do + let sessId = B.pack [1..32] + corrId = B.pack [10..33] + entityId = B.pack [40..63] + command = "PING" + -- Haskell: tForAuth = sessionId <> encodeTransmission_(corrId, entityId, command) + -- tToSend = encodeTransmission_(corrId, entityId, command) [implySessId=true] + tToSend = smpEncode (corrId :: B.ByteString, entityId :: B.ByteString) <> command + tForAuth = smpEncode sessId <> tToSend + tsResult <- callNode $ impProto + <> "const r = encodeTransmissionForAuth(" + <> jsUint8 sessId <> "," + <> jsUint8 corrId <> "," + <> jsUint8 entityId <> "," + <> "new Uint8Array([0x50,0x49,0x4E,0x47]));" + <> jsOut ("new Uint8Array([...r.tForAuth, 0xFF, ...r.tToSend])") + let (tsTForAuth, rest) = B.break (== 0xFF) tsResult + tsTToSend = B.drop 1 rest + tsTForAuth `shouldBe` tForAuth + tsTToSend `shouldBe` tToSend + + describe "tEncodeBatch1" $ do + it "matches Haskell tEncodeBatch1" $ do + -- Haskell: tEncodeBatch1 serviceAuth=false (auth, tToSend) = lenEncode 1 `cons` Large(tEncodeAuth auth <> tToSend) + let tToSend = "corrId-entity-command-bytes" + -- No auth: tEncodeAuth Nothing = smpEncode "" = [0x00] + encoded = B.singleton 1 <> smpEncode (Large (smpEncode (B.empty :: B.ByteString) <> tToSend)) + tsEncoded <- callNode $ impProto + <> jsOut ("tEncodeBatch1(null, new TextEncoder().encode('corrId-entity-command-bytes'))") + tsEncoded `shouldBe` encoded + + describe "tParse" $ do + it "parses Haskell-encoded batch response" $ do + -- Build a batch with one transmission: count=1 + Large(auth + corrId + entityId + command) + let corrId = B.pack [1..24] + entityId = B.pack [30..53] + command = "PONG" + auth = B.empty -- empty auth + inner = smpEncode auth <> smpEncode corrId <> smpEncode entityId <> command + block = B.singleton 1 <> smpEncode (Large inner) + tsResult <- callNode $ impProto + <> "const ts = tParse(" <> jsUint8 block <> ");" + <> "if (ts.length !== 1) throw new Error('expected 1 transmission');" + <> jsOut ("new Uint8Array([...ts[0].corrId, ...ts[0].entityId, ...ts[0].command])") + tsResult `shouldBe` (corrId <> entityId <> command) + + describe "reverseNonce" $ do + it "matches Haskell" $ do + let nonce = B.pack [1..24] + hsReversed = B.reverse nonce + tsReversed <- callNode $ impProto + <> "import { reverseNonce } from './dist/crypto.js';" + <> jsOut ("reverseNonce(" <> jsUint8 nonce <> ")") + tsReversed `shouldBe` hsReversed + + describe "encodeProtocolServer" $ do + it "matches Haskell" $ do + let srv = SMPServer ("smp1.example.com" :| ["smp2.example.com"]) "5223" (C.KeyHash $ B.pack [1..32]) + hsEncoded = smpEncode srv + tsEncoded <- callNode $ impProto + <> jsOut ("encodeProtocolServer(['smp1.example.com','smp2.example.com'], '5223', " <> jsUint8 (B.pack [1..32]) <> ")") + tsEncoded `shouldBe` hsEncoded + + describe "encodePRXY" $ do + it "matches Haskell" $ do + let srv = SMPServer ("relay.example.com" :| []) "" (C.KeyHash $ B.pack [1..32]) + cmd = Cmd SProxiedClient $ PRXY srv Nothing + v = currentServerSMPRelayVersion + hsEncoded = encodeProtocol v cmd + tsEncoded <- callNode $ impProto + <> jsOut ("encodePRXY(['relay.example.com'], '', " <> jsUint8 (B.pack [1..32]) <> ", null)") + tsEncoded `shouldBe` hsEncoded + + describe "full-stack" $ do + it "Haskell encodes all layers, TypeScript decodes" $ do + g <- C.newRandom + let v = CR.currentE2EEncryptVersion + -- Alice (receiver) ratchet keys - extract raw private bytes for TypeScript + (alicePk1, alicePk2, Nothing, e2eAlice) <- CR.generateRcvE2EParams @'X448 g v CR.PQSupportOff + let C.PrivateKeyX448 sk1 = alicePk1; alicePriv1 = BA.convert sk1 :: B.ByteString + C.PrivateKeyX448 sk2 = alicePk2; alicePriv2 = BA.convert sk2 :: B.ByteString + -- Bob (sender) ratchet: X3DH + init + (bobPk1, bobPk2, Nothing, CR.AE2ERatchetParams _ e2eBob) <- CR.generateSndE2EParams @'X448 g v Nothing + Right bobInitParams <- pure $ CR.pqX3dhSnd bobPk1 bobPk2 Nothing e2eAlice + (_, bobDHRs) <- atomically $ C.generateKeyPair @'X448 g + let bobRatchet = CR.initSndRatchet (CR.RatchetVersions v v) (C.publicKey alicePk2) bobDHRs bobInitParams + bobE2EBytes = smpEncode e2eBob + -- Per-queue E2E: shared DH secret (pass raw bytes to both sides) + (_, e2eSndPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + (e2eRcvPub, _) <- atomically $ C.generateKeyPair @'C.X25519 g + let dhSecret = C.dh' e2eRcvPub e2eSndPriv + dhSecretBytes = C.dhBytes' dhSecret + -- Haskell: encode A_MSG through all layers + let aMsg = AP.AgentMessage (AP.APrivHeader 1 (B.replicate 32 0)) (AP.A_MSG "hello full stack") + agentMsgBytes = smpEncode aMsg + Right (mek, _) <- runExceptT $ CR.rcEncryptHeader bobRatchet Nothing CR.currentE2EEncryptVersion + Right encAgentMsg <- runExceptT $ CR.rcEncryptMsg mek (AP.e2eEncAgentMsgLength AP.currentSMPAgentVersion CR.PQSupportOff) agentMsgBytes + let envBytes = smpEncode $ AP.AgentMsgEnvelope {AP.agentVersion = AP.currentSMPAgentVersion, AP.encAgentMessage = encAgentMsg} + clientMsgBytes = smpEncode $ ClientMessage PHEmpty envBytes + cmNonce <- atomically $ C.randomCbNonce g + Right cmEncBody <- pure $ C.cbEncrypt dhSecret cmNonce clientMsgBytes 16000 + let cmeBytes = smpEncode $ ClientMsgEnvelope (PubHeader (VersionSMPC 19) Nothing) cmNonce cmEncBody + -- TypeScript: init alice ratchet + decode all layers + tsResult <- callNode $ impSodium <> impEnc <> impRatchet <> impAgentMsg <> impProtoE2E + <> "import { cbDecrypt } from '@simplex-chat/xftp-web/dist/crypto/secretbox.js';" + -- Init alice's receiver ratchet + <> "const a1Priv = " <> jsUint8 alicePriv1 <> ";" + <> "const a2Priv = " <> jsUint8 alicePriv2 <> ";" + <> "const rd = new Decoder(" <> jsUint8 bobE2EBytes <> ");" + <> "rd.anyByte(); rd.anyByte();" -- skip version + <> "const bpk1 = decodePubKeyX448(decodeBytes(rd));" + <> "const bpk2 = decodePubKeyX448(decodeBytes(rd));" + <> "const ap = pqX3dhRcv(a1Priv, a2Priv, bpk1, bpk2);" + <> "let alice = initRcvRatchet({current:3,maxSupported:3}, a2Priv, ap, null, false);" + <> "let sk = new Map();" + -- Layer 1: per-queue E2E decrypt + <> "const dhSecret = " <> jsUint8 dhSecretBytes <> ";" + <> "const {clientMessage} = agentCbDecrypt(dhSecret, " <> jsUint8 cmeBytes <> ");" + -- Layer 2: decode AgentMsgEnvelope + <> "const env = decodeAgentMsgEnvelope(new Decoder(clientMessage.body));" + <> "if (env.type !== 'envelope') throw new Error('expected envelope, got ' + env.type);" + -- Layer 3: ratchet decrypt + <> "const dec = rcDecrypt(alice, sk, env.encAgentMessage);" + -- Layer 4: decode AgentMessage + AMessage + <> "const agentMsg = decodeAgentMessage(new Decoder(dec.plaintext));" + <> "if (agentMsg.type !== 'message') throw new Error('expected message, got ' + agentMsg.type);" + <> "if (agentMsg.msg.type !== 'A_MSG') throw new Error('expected A_MSG, got ' + agentMsg.msg.type);" + <> jsOut ("agentMsg.msg.body") + tsResult `shouldBe` "hello full stack" + + it "TypeScript encodes all layers, Haskell decodes" $ do + g <- C.newRandom + let v = CR.currentE2EEncryptVersion + -- Alice (receiver): Haskell generates ratchet rcv params + X25519 for per-queue E2E + (alicePk1, alicePk2, Nothing, e2eAlice) <- CR.generateRcvE2EParams @'X448 g v CR.PQSupportOff + let aliceE2EBytes = smpEncode e2eAlice + (e2eRcvPub, e2eRcvPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + -- TypeScript: init bob's sender ratchet, encode full stack, output keys + ciphertext + tsOutput <- callNode $ impSodium <> impEnc <> impRatchet <> impAgentMsg <> impProtoE2E + <> "import { generateX25519KeyPair, dh, encodePubKeyX25519 } from '@simplex-chat/xftp-web/dist/crypto/keys.js';" + -- Init bob's sender ratchet + <> "const d = new Decoder(" <> jsUint8 aliceE2EBytes <> ");" + <> "const aliceV = d.anyByte() * 256 + d.anyByte();" + <> "const alicePk1Raw = decodePubKeyX448(decodeBytes(d));" + <> "const alicePk2Raw = decodePubKeyX448(decodeBytes(d));" + <> "const b1 = generateX448KeyPair(), b2 = generateX448KeyPair(), b3 = generateX448KeyPair();" + <> "const bp = pqX3dhSnd(b1.privateKey, b2.privateKey, alicePk1Raw, alicePk2Raw);" + <> "let bob = initSndRatchet({current:3,maxSupported:3}, alicePk2Raw, b3.privateKey, bp, null);" + -- Layer 4: encode AgentMessage + <> "const agentMsg = encodeAgentMessage({type: 'message', header: {sndMsgId: 1n, prevMsgHash: new Uint8Array(32)}, msg: {type: 'A_MSG', body: new TextEncoder().encode('hello from ts full stack')}});" + -- Layer 3: ratchet encrypt + <> "const enc = rcEncrypt(bob, agentMsg, 15840);" + -- Layer 2: wrap in AgentMsgEnvelope + <> "const envBytes = encodeAgentMsgEnvelope({type: 'envelope', agentVersion: 7, encAgentMessage: enc.ciphertext});" + -- Layer 1: per-queue E2E encrypt + <> "const sndKp = generateX25519KeyPair();" + <> "const rcvPub = " <> jsUint8 (C.pubKeyBytes e2eRcvPub) <> ";" + <> "const dhSecret = dh(rcvPub, sndKp.privateKey);" + <> "const clientMsg = encodeClientMessage({privHeader: {type: 'PHEmpty'}, body: envBytes});" + <> "const cmeBytes = agentCbEncrypt(dhSecret, 19, null, clientMsg);" + -- Output: bob E2E params + snd DER pubkey + cmeBytes + <> "const bobE2E = new Uint8Array([...encodeWord16(3), ...encodeBytes(encodePubKeyX448(b1.publicKey)), ...encodeBytes(encodePubKeyX448(b2.publicKey)), 0x30]);" + <> "const sndDer = encodePubKeyX25519(sndKp.publicKey);" + <> "const out = new Uint8Array([" + <> " (bobE2E.length >> 8) & 0xff, bobE2E.length & 0xff, ...bobE2E," + <> " sndDer.length, ...sndDer," + <> " ...cmeBytes" + <> "]);" + <> jsOut ("out") + -- Parse TypeScript output + let (e2eLenBs, r1) = B.splitAt 2 tsOutput + bobE2ELen = fromIntegral (B.index e2eLenBs 0) * 256 + fromIntegral (B.index e2eLenBs 1) + (bobE2EBytes, r2) = B.splitAt bobE2ELen r1 + sndDerLen = fromIntegral $ B.head r2 + (sndDerBytes, cmeBytes) = B.splitAt sndDerLen $ B.drop 1 r2 + -- Haskell: init alice's receiver ratchet, decode all layers + Right (CR.AE2ERatchetParams _ bobE2E :: CR.AE2ERatchetParams 'X448) <- pure $ smpDecode bobE2EBytes + Right (aliceInitParams, _) <- runExceptT $ CR.pqX3dhRcv alicePk1 alicePk2 Nothing bobE2E + let aliceRatchet = CR.initRcvRatchet (CR.RatchetVersions v v) alicePk2 (aliceInitParams, Nothing) CR.PQSupportOff + -- Decode all layers using ExceptT to chain pure Either + IO + gAlice <- C.newRandom + result <- runExceptT $ do + -- Per-queue E2E decrypt (pure) + apk <- liftEither $ C.decodePubKey sndDerBytes + dhSecret <- case apk of + C.APublicKey C.SX25519 pk -> pure $ C.dh' pk e2eRcvPriv + _ -> throwError "not X25519" + cme <- liftEither $ smpDecode cmeBytes + plaintext <- liftEither $ first show $ C.cbDecrypt dhSecret (cmNonce cme) (cmEncBody cme) + cm <- liftEither $ smpDecode plaintext + envBody <- case cm of + ClientMessage PHEmpty b -> pure b + _ -> throwError "unexpected PrivHeader" + -- Decode envelope + env <- liftEither $ smpDecode envBody + encMsg <- case env of + AP.AgentMsgEnvelope {AP.encAgentMessage = m} -> pure m + _ -> throwError "unexpected AgentMsgEnvelope variant" + -- Ratchet decrypt (IO) + (msgBody_, _, _) <- withExceptT show $ CR.rcDecrypt gAlice aliceRatchet M.empty encMsg + liftEither $ first show msgBody_ + -- Decode agent message from result + agentMsgBytes <- either (error . ("decode failed: " <>)) pure result + Right (AP.AgentMessage _ (AP.A_MSG body)) <- pure $ smpDecode agentMsgBytes + body `shouldBe` "hello from ts full stack" + + describe "client" $ do + it "JS client REPL: PING/PONG via SMP server" $ do + let msType = ASType SQSMemory SMSJournal + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig (cfgWebOn msType testPort) (Just attachHTTP) $ \_ -> do + (hIn, hOut, ph) <- spawnJsClient + let C.KeyHash kh = testKeyHash + resp <- jsCmd hIn hOut $ "CONNECT wss://localhost:" <> testPort <> " " <> bsToHex kh <> " " <> "{\"rejectUnauthorized\":false,\"ALPNProtocols\":[\"http/1.1\"]}" + resp `shouldBe` "ok" + pingResp <- jsCmd hIn hOut "PING" + pingResp `shouldBe` "ok" + _ <- jsCmd hIn hOut "CLOSE" + terminateProcess ph + + it "authTransmission full batch block matches Haskell" $ do + g <- C.newRandom + -- Known inputs + let sessId = B.pack [1..48] -- 48-byte sessionId like real server + corrId = B.pack [50..73] -- 24-byte corrId/nonce + (serverPub, _serverPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + (_, entityPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + let C.PrivateKeyX25519 sk = entityPriv + entityPrivBytes = BA.convert sk :: B.ByteString + nonce = C.cbNonce corrId + -- Haskell: encodeTransmissionForAuth + tToSend = smpEncode (corrId :: B.ByteString, B.empty :: B.ByteString) <> "PING" + tForAuth = smpEncode sessId <> tToSend + -- Haskell: cbAuthenticate + hsAuth = C.cbAuthenticate serverPub entityPriv nonce tForAuth + C.CbAuthenticator hsAuthBytes = hsAuth + -- Haskell: tEncodeBatch1 (with serviceAuth=true: auth + Nothing serviceSig) + hsBlock = B.singleton 1 <> smpEncode (Large (smpEncode hsAuthBytes <> smpEncode (Nothing :: Maybe B.ByteString) <> tToSend)) + -- TypeScript: same computation + tsBlock <- callNode $ impSodium <> impProto + <> "const sessId = " <> jsUint8 sessId <> ";" + <> "const corrId = " <> jsUint8 corrId <> ";" + <> "const serverPub = " <> jsUint8 (C.pubKeyBytes serverPub) <> ";" + <> "const entityPriv = " <> jsUint8 entityPrivBytes <> ";" + <> "const {tForAuth, tToSend} = encodeTransmissionForAuth(sessId, corrId, new Uint8Array(0), encodePING());" + <> "const auth = authTransmission(serverPub, {type:'x25519', key:entityPriv}, corrId, tForAuth);" + <> jsOut ("tEncodeBatch1(auth, tToSend)") + tsBlock `shouldBe` hsBlock + + it "JS client REPL: create queue and send/receive message" $ do + let msType = ASType SQSMemory SMSJournal + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig (cfgWebOn msType testPort) (Just attachHTTP) $ \_ -> do + -- Generate auth keys (X25519 DH auth for v7+) + g <- C.newRandom + (rcvAuthPub, rcvAuthPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + let rcvAuthPubDer = C.encodePubKey rcvAuthPub + C.PrivateKeyX25519 sk = rcvAuthPriv + rcvAuthPrivBytes = BA.convert sk :: B.ByteString + (sndAuthPub, sndAuthPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + let sndAuthPubDer = C.encodePubKey sndAuthPub + C.PrivateKeyX25519 sndSk = sndAuthPriv + sndAuthPrivBytes = BA.convert sndSk :: B.ByteString + + -- Spawn receiver and sender clients + (rcvIn, rcvOut, rcvPh) <- spawnJsClient + (sndIn, sndOut, sndPh) <- spawnJsClient + let connectCmd = "CONNECT wss://localhost:" <> testPort <> " " <> bsToHex (C.unKeyHash testKeyHash) <> " {\"rejectUnauthorized\":false,\"ALPNProtocols\":[\"http/1.1\"]}" + "ok" <- jsCmd rcvIn rcvOut connectCmd + "ok" <- jsCmd sndIn sndOut connectCmd + + -- Receiver: create queue (REPL generates DH keypair internally) + newResp <- jsCmd rcvIn rcvOut $ "NEW " <> bsToHex rcvAuthPubDer <> " " <> bsToHex rcvAuthPrivBytes + let newParts = words newResp + when (head newParts /= "ok:") $ expectationFailure $ "NEW failed: " <> newResp + head newParts `shouldBe` "ok:" + let rcvIdHex = newParts !! 1 + sndIdHex = newParts !! 2 + -- Receiver: secure queue with sender's public key + keyResp <- jsCmd rcvIn rcvOut $ "KEY " <> rcvIdHex <> " " <> bsToHex rcvAuthPrivBytes <> " " <> bsToHex sndAuthPubDer + when (keyResp /= "ok") $ expectationFailure $ "KEY failed: " <> keyResp + -- Receiver: subscribe + subResp <- jsCmd rcvIn rcvOut $ "SUB " <> rcvIdHex <> " " <> bsToHex rcvAuthPrivBytes + when (subResp /= "ok") $ expectationFailure $ "SUB failed: " <> subResp + + -- Sender: send message (with auth) + let testMsg = "hello from sender" + "ok" <- jsCmd sndIn sndOut $ "SEND " <> sndIdHex <> " " <> bsToHex sndAuthPrivBytes <> " 1 " <> bsToHex testMsg + + -- Receiver: receive and decrypt message + recvResp <- jsCmd rcvIn rcvOut "RECV 5000" + let recvParts = words recvResp + head recvParts `shouldBe` "ok:" + length recvParts `shouldSatisfy` (>= 4) + let bodyHex = recvParts !! 3 + hexToBS bodyHex `shouldBe` testMsg + + -- Cleanup + _ <- jsCmd rcvIn rcvOut "CLOSE" + _ <- jsCmd sndIn sndOut "CLOSE" + terminateProcess rcvPh + terminateProcess sndPh + + it "cross-language: HS sender, JS receiver" $ do + let msType = ASType SQSMemory SMSJournal + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig (cfgWebOn msType testPort) (Just attachHTTP) $ \_ -> do + g <- C.newRandom + -- JS receiver: connect, create queue + (rcvIn, rcvOut, rcvPh) <- spawnJsClient + "ok" <- jsCmd rcvIn rcvOut $ "CONNECT wss://localhost:" <> testPort <> " " <> bsToHex (C.unKeyHash testKeyHash) <> " {\"rejectUnauthorized\":false,\"ALPNProtocols\":[\"http/1.1\"]}" + (rcvAuthPub, rcvAuthPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + let C.PrivateKeyX25519 sk = rcvAuthPriv + rcvAuthPrivBytes = BA.convert sk :: B.ByteString + newResp <- jsCmd rcvIn rcvOut $ "NEW " <> bsToHex (C.encodePubKey rcvAuthPub) <> " " <> bsToHex rcvAuthPrivBytes + let newParts = words newResp + when (head newParts /= "ok:") $ expectationFailure $ "NEW failed: " <> newResp + let sndIdHex = newParts !! 2 + rcvIdHex = newParts !! 1 + sndId = hexToBS sndIdHex + -- JS receiver: subscribe (no KEY — sender sends unsigned) + subResp <- jsCmd rcvIn rcvOut $ "SUB " <> rcvIdHex <> " " <> bsToHex rcvAuthPrivBytes + when (subResp /= "ok") $ expectationFailure $ "SUB failed: " <> subResp + -- HS sender: connect via TLS, send message + testSMPClient @TLS $ \sh -> do + let testMsg = "hello from haskell" + Resp _ _ ok <- sendRecv sh (Nothing, "1234", EntityId sndId, _SEND testMsg) + ok `shouldBe` OK + -- JS receiver: receive and decrypt + recvResp <- jsCmd rcvIn rcvOut "RECV 5000" + let recvParts = words recvResp + head recvParts `shouldBe` "ok:" + let bodyHex = recvParts !! 3 + hexToBS bodyHex `shouldBe` testMsg + _ <- jsCmd rcvIn rcvOut "CLOSE" + terminateProcess rcvPh + + it "cross-language: JS sender, HS receiver" $ do + let msType = ASType SQSMemory SMSJournal + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig (cfgWebOn msType testPort) (Just attachHTTP) $ \_ -> do + g <- C.newRandom + -- HS receiver: connect via TLS, create queue + testSMPClient @TLS $ \rh -> do + (rPub, rKey) <- atomically $ C.generateAuthKeyPair C.SEd448 g + (dhPub, dhPriv :: C.PrivateKeyX25519) <- atomically $ C.generateKeyPair g + Resp "abcd" _ (Ids _rId sId srvDh) <- signSendRecv rh rKey ("abcd", NoEntity, New rPub dhPub) + let dec = decryptMsgV3 $ C.dh' srvDh dhPriv + -- JS sender: connect via WebSocket, send message + (sndIn, sndOut, sndPh) <- spawnJsClient + "ok" <- jsCmd sndIn sndOut $ "CONNECT wss://localhost:" <> testPort <> " " <> bsToHex (C.unKeyHash testKeyHash) <> " {\"rejectUnauthorized\":false,\"ALPNProtocols\":[\"http/1.1\"]}" + let testMsg = "hello from typescript" + "ok" <- jsCmd sndIn sndOut $ "SEND " <> bsToHex (unEntityId sId) <> " none 1 " <> bsToHex testMsg + -- HS receiver: receive and decrypt + Resp "" _ (Msg mId1 msg1) <- tGet1 rh + dec mId1 msg1 `shouldBe` Right testMsg + Resp "bcda" _ OK <- signSendRecv rh rKey ("bcda", _rId, ACK mId1) + _ <- jsCmd sndIn sndOut "CLOSE" + terminateProcess sndPh + + it "cross-language: JS sends via proxy to HS receiver" $ do + let msType = ASType SQSMemory SMSJournal + -- Proxy server with WebSocket: enable proxy on the web-enabled config + proxyCfgWeb = updateCfg (cfgWebOn msType testPort) $ \cfg' -> + cfg' {allowSMPProxy = True} + -- Relay server on testPort2: standard config + relayCfg = journalCfg (cfgMS msType) testStoreLogFile2 testStoreMsgsDir2 + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig proxyCfgWeb (Just attachHTTP) $ \_ -> + withSmpServerConfigOn (transport @TLS) relayCfg testPort2 $ \_ -> do + g <- C.newRandom + -- HS receiver: create queue on RELAY server via TLS + let (h :| _) = testHost2 + testSMPClient_ @TLS h testPort2 supportedClientSMPRelayVRange $ \rh -> do + (rPub, rKey) <- atomically $ C.generateAuthKeyPair C.SEd448 g + (dhPub, dhPriv :: C.PrivateKeyX25519) <- atomically $ C.generateKeyPair g + Resp "abcd" _ (Ids _rId sId srvDh) <- signSendRecv rh rKey ("abcd", NoEntity, New rPub dhPub) + let dec = decryptMsgV3 $ C.dh' srvDh dhPriv + -- JS sender: connect to PROXY via WebSocket, send PRXY for relay + (sndIn, sndOut, sndPh) <- spawnJsClient + "ok" <- jsCmd sndIn sndOut $ "CONNECT wss://localhost:" <> testPort <> " " <> bsToHex (C.unKeyHash testKeyHash) <> " {\"rejectUnauthorized\":false,\"ALPNProtocols\":[\"http/1.1\"]}" + -- Connect to relay via proxy + prxyResp <- jsCmd sndIn sndOut $ "PRXY localhost " <> testPort2 <> " " <> bsToHex (C.unKeyHash testKeyHash) + when (not $ "ok:" `isPrefixOf` prxyResp) $ expectationFailure $ "PRXY failed: " <> prxyResp + -- Send message via proxy + let testMsg = "hello via proxy" + sendResp <- jsCmd sndIn sndOut $ "PSEND " <> bsToHex (unEntityId sId) <> " none 1 " <> bsToHex testMsg + when (sendResp /= "ok") $ expectationFailure $ "PSEND failed: " <> sendResp + -- HS receiver: receive and decrypt + Resp "" _ (Msg mId1 msg1) <- tGet1 rh + dec mId1 msg1 `shouldBe` Right testMsg + _ <- jsCmd sndIn sndOut "CLOSE" + terminateProcess sndPh + + it "JS batch subscribe: create 3 queues, batch subscribe, receive messages" $ do + let msType = ASType SQSMemory SMSJournal + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig (cfgWebOn msType testPort) (Just attachHTTP) $ \_ -> do + g <- C.newRandom + -- JS receiver + (rcvIn, rcvOut, rcvPh) <- spawnJsClient + "ok" <- jsCmd rcvIn rcvOut $ "CONNECT wss://localhost:" <> testPort <> " " <> bsToHex (C.unKeyHash testKeyHash) <> " {\"rejectUnauthorized\":false,\"ALPNProtocols\":[\"http/1.1\"]}" + -- Create 3 queues + sndIds <- forM [1..3 :: Int] $ \_ -> do + (authPub, authPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + let C.PrivateKeyX25519 sk = authPriv + privBytes = BA.convert sk :: B.ByteString + newResp <- jsCmd rcvIn rcvOut $ "NEW " <> bsToHex (C.encodePubKey authPub) <> " " <> bsToHex privBytes + let newParts = words newResp + when (head newParts /= "ok:") $ expectationFailure $ "NEW failed: " <> newResp + pure (newParts !! 1, newParts !! 2, bsToHex privBytes) -- rcvIdHex, sndIdHex, privKeyHex + -- Batch subscribe + let bsubArg = unwords [rcvId <> ":" <> pk | (rcvId, _, pk) <- sndIds] + bsubResp <- jsCmd rcvIn rcvOut $ "BSUB " <> bsubArg + when (bsubResp /= "ok") $ expectationFailure $ "BSUB failed: " <> bsubResp + -- HS sender: send a message to each queue + testSMPClient @TLS $ \sh -> do + forM_ (zip [1..] sndIds) $ \(i :: Int, (_, sndIdHex, _)) -> do + let sndId = hexToBS sndIdHex + msg = "batch msg " <> BC.pack (show i) + Resp _ _ OK <- sendRecv sh (Nothing, BC.pack (show i), EntityId sndId, _SEND msg) + pure () + -- JS receiver: receive 3 messages + forM_ [1..3 :: Int] $ \i -> do + recvResp <- jsCmd rcvIn rcvOut "RECV 5000" + let recvParts = words recvResp + head recvParts `shouldBe` "ok:" + let bodyHex = recvParts !! 3 + hexToBS bodyHex `shouldBe` ("batch msg " <> BC.pack (show i)) + _ <- jsCmd rcvIn rcvOut "CLOSE" + terminateProcess rcvPh + + it "cross-language: HS sends via proxy to JS receiver (one server)" $ do + let msType = ASType SQSMemory SMSJournal + -- One server: WebSocket + proxy enabled (like oneServer in SMPProxyTests) + proxyCfgWeb = updateCfg (cfgWebOn msType testPort) $ \cfg' -> + cfg' {allowSMPProxy = True} + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig proxyCfgWeb (Just attachHTTP) $ \_ -> do + g <- C.newRandom + -- JS receiver: create queue on server via WebSocket + (rcvIn, rcvOut, rcvPh) <- spawnJsClient + "ok" <- jsCmd rcvIn rcvOut $ "CONNECT wss://localhost:" <> testPort <> " " <> bsToHex (C.unKeyHash testKeyHash) <> " {\"rejectUnauthorized\":false,\"ALPNProtocols\":[\"http/1.1\"]}" + (rcvAuthPub, rcvAuthPriv) <- atomically $ C.generateKeyPair @'C.X25519 g + let C.PrivateKeyX25519 sk = rcvAuthPriv + rcvAuthPrivBytes = BA.convert sk :: B.ByteString + newResp <- jsCmd rcvIn rcvOut $ "NEW " <> bsToHex (C.encodePubKey rcvAuthPub) <> " " <> bsToHex rcvAuthPrivBytes + let newParts = words newResp + when (head newParts /= "ok:") $ expectationFailure $ "NEW failed: " <> newResp + let sndIdHex = newParts !! 2 + rcvIdHex = newParts !! 1 + sndId = hexToBS sndIdHex + -- JS receiver: subscribe + subResp <- jsCmd rcvIn rcvOut $ "SUB " <> rcvIdHex <> " " <> bsToHex rcvAuthPrivBytes + when (subResp /= "ok") $ expectationFailure $ "SUB failed: " <> subResp + -- HS sender: connect via TLS, use proxy to send to SAME server + let srv = SMPServer ("localhost" :| []) testPort testKeyHash + ts <- getCurrentTime + Right pc <- getProtocolClient g NRMInteractive (1, srv, Nothing) + defaultSMPClientConfig {serverVRange = mkVersionRange minServerSMPRelayVersion currentClientSMPRelayVersion} + [] Nothing ts (\_ -> pure ()) + -- Connect proxy session to same server + sess <- runRight $ connectSMPProxiedRelay pc NRMInteractive srv Nothing + -- Send via proxy + let testMsg = "hello from haskell via proxy" + Right (Right ()) <- runExceptT $ proxySMPMessage pc NRMInteractive sess Nothing (EntityId sndId) noMsgFlags testMsg + -- JS receiver: receive and decrypt + recvResp <- jsCmd rcvIn rcvOut "RECV 5000" + let recvParts = words recvResp + head recvParts `shouldBe` "ok:" + let bodyHex = recvParts !! 3 + hexToBS bodyHex `shouldBe` testMsg + closeProtocolClient pc + _ <- jsCmd rcvIn rcvOut "CLOSE" + terminateProcess rcvPh + diff --git a/tests/ServerTests.hs b/tests/ServerTests.hs index b2c2d997c9..44e86c2a70 100644 --- a/tests/ServerTests.hs +++ b/tests/ServerTests.hs @@ -23,6 +23,7 @@ import Control.Concurrent.Async (concurrently_) import Control.Concurrent.STM import Control.Exception (SomeException, throwIO, try) import Control.Monad +import Control.Monad.Except (runExceptT) import Control.Monad.IO.Class import CoreTests.MsgStoreTests (testJournalStoreCfg) import Data.Bifunctor (first) @@ -42,6 +43,7 @@ import Simplex.Messaging.Encoding import Simplex.Messaging.Encoding.String import Simplex.Messaging.Parsers (parseAll, parseString) import Simplex.Messaging.Protocol +import Simplex.Messaging.Client (chooseTransportHost, defaultNetworkConfig) import Simplex.Messaging.Server (exportMessages) import Simplex.Messaging.Server.Env.STM (AStoreType (..), MsgStore (..), ServerConfig (..), ServerStoreCfg (..), readWriteQueueStore) import Simplex.Messaging.Server.Expiration @@ -50,6 +52,11 @@ import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), QSType (..), import Simplex.Messaging.Server.Stats (PeriodStatsData (..), ServerStatsData (..)) import Simplex.Messaging.Server.StoreLog (StoreLogRecord (..), closeStoreLog) import Simplex.Messaging.Transport +import Simplex.Messaging.Transport.Client (TransportClientConfig (..), defaultTransportClientConfig, runTLSTransportClient) +import Simplex.Messaging.Transport.WebSockets (WS) +import Simplex.Messaging.Transport.Server (loadFileFingerprint) +import Simplex.Messaging.Server.Web (attachStaticAndWS) +import Data.X509.Validation (Fingerprint (..)) import Simplex.Messaging.Util (whenM) import Simplex.Messaging.Version (mkVersionRange) import System.Directory (doesDirectoryExist, doesFileExist, removeDirectoryRecursive, removeFile) @@ -101,6 +108,7 @@ serverTests = do describe "Short links" $ do testInvQueueLinkData testContactQueueLinkData + describe "WebSocket and TLS on same port" testWebSocketAndTLS pattern Resp :: CorrId -> QueueId -> BrokerMsg -> Transmission (Either ErrorType BrokerMsg) pattern Resp corrId queueId command <- (corrId, queueId, Right command) @@ -1484,3 +1492,41 @@ serverSyntaxTests (ATransport t) = do (Maybe TAuthorizations, ByteString, ByteString, BrokerMsg) -> Expectation command >#> response = withFrozenCallStack $ smpServerTest t command `shouldReturn` response + +-- | Test that both native TLS and WebSocket clients can connect to the same port. +-- Native TLS uses useSNI=False, WebSocket uses useSNI=True for routing. +testWebSocketAndTLS :: SpecWith (ASrvTransport, AStoreType) +testWebSocketAndTLS = + it "native TLS and WebSocket clients work on same port" $ \(_t, msType) -> do + Fingerprint fpHTTP <- loadFileFingerprint "tests/fixtures/web_ca.crt" + let httpKeyHash = C.KeyHash fpHTTP + attachStaticAndWS "tests/fixtures" $ \attachHTTP -> + withSmpServerConfig (cfgWebOn msType testPort) (Just attachHTTP) $ \_ -> do + g <- C.newRandom + (rPub, rKey) <- atomically $ C.generateAuthKeyPair C.SEd25519 g + (sPub, sKey) <- atomically $ C.generateAuthKeyPair C.SEd25519 g + (dhPub, dhPriv :: C.PrivateKeyX25519) <- atomically $ C.generateKeyPair g + + -- Connect via native TLS (useSNI=False, default) and create a queue + (sId, rId, srvDh) <- testSMPClient @TLS $ \rh -> do + Resp "1" _ (Ids rId sId srvDh) <- signSendRecv rh rKey ("1", NoEntity, New rPub dhPub) + Resp "2" _ OK <- signSendRecv rh rKey ("2", rId, KEY sPub) + pure (sId, rId, srvDh) + let dec = decryptMsgV3 $ C.dh' srvDh dhPriv + + -- Connect via WebSocket (useSNI=True) and send a message + Right useHost <- pure $ chooseTransportHost defaultNetworkConfig testHost + let wsTcConfig = defaultTransportClientConfig {useSNI = True} :: TransportClientConfig + runTLSTransportClient defaultSupportedParamsHTTPS Nothing wsTcConfig Nothing useHost testPort (Just httpKeyHash) $ \(h :: WS 'TClient) -> + runExceptT (smpClientHandshake h Nothing testKeyHash supportedClientSMPRelayVRange False Nothing) >>= \case + Right sh -> do + Resp "3" _ OK <- signSendRecv sh sKey ("3", sId, _SEND "hello from websocket") + pure () + Left e -> error $ show e + + -- Verify message received via native TLS + testSMPClient @TLS $ \rh -> do + (Resp "4" _ (SOK Nothing), Resp "" _ (Msg mId msg)) <- signSendRecv2 rh rKey ("4", rId, SUB) + dec mId msg `shouldBe` Right "hello from websocket" + Resp "5" _ OK <- signSendRecv rh rKey ("5", rId, ACK mId) + pure () diff --git a/tests/Test.hs b/tests/Test.hs index 69b6c60a7b..a72e766e5a 100644 --- a/tests/Test.hs +++ b/tests/Test.hs @@ -39,6 +39,7 @@ import Simplex.FileTransfer.Server.Store (SFSType (..)) import XFTPServerTests (xftpServerTests) import WebTests (webTests) import XFTPWebTests (xftpWebTests) +import SMPWebTests (smpWebTests) #if defined(dbPostgres) import Fixtures @@ -175,6 +176,7 @@ main = do #else describe "XFTP Web Client" $ xftpWebTests (pure ()) #endif + describe "SMP Web Client" smpWebTests describe "XRCP" remoteControlTests describe "Web" webTests describe "Server CLIs" cliTests diff --git a/tests/XFTPWebTests.hs b/tests/XFTPWebTests.hs index c9a98eef1c..1d23b7ea51 100644 --- a/tests/XFTPWebTests.hs +++ b/tests/XFTPWebTests.hs @@ -11,7 +11,7 @@ -- -- Prerequisites: cd xftp-web && npm install && npm run build -- Run: cabal test --test-option=--match="/XFTP Web Client/" -module XFTPWebTests (xftpWebTests) where +module XFTPWebTests (xftpWebTests, callNode_, jsOut, jsUint8, redirectConsole) where import Control.Concurrent (forkIO, newEmptyMVar, putMVar, takeMVar) import Control.Monad (replicateM, when) @@ -61,9 +61,9 @@ xftpWebDir = "xftp-web" redirectConsole :: String redirectConsole = "console.log = console.warn = (...a) => process.stderr.write(a.map(String).join(' ') + '\\n');" --- | Run an inline ES module script via node, return stdout as ByteString. -callNode :: String -> IO B.ByteString -callNode script = do +-- | Run an inline ES module script via node in a given directory, return stdout as ByteString. +callNode_ :: FilePath -> String -> IO B.ByteString +callNode_ dir script = do baseEnv <- getEnvironment let nodeEnv = ("NODE_TLS_REJECT_UNAUTHORIZED", "0") : baseEnv (_, Just hout, Just herr, ph) <- @@ -71,7 +71,7 @@ callNode script = do (proc "node" ["--input-type=module", "-e", redirectConsole <> script]) { std_out = CreatePipe, std_err = CreatePipe, - cwd = Just xftpWebDir, + cwd = Just dir, env = Just nodeEnv } errVar <- newEmptyMVar @@ -84,6 +84,9 @@ callNode script = do "node " <> show ec <> "\nstderr: " <> map (toEnum . fromIntegral) (B.unpack err) pure out +callNode :: String -> IO B.ByteString +callNode = callNode_ xftpWebDir + -- | Format a ByteString as a JS Uint8Array constructor. jsUint8 :: B.ByteString -> String jsUint8 bs = "new Uint8Array([" <> intercalate "," (map show (B.unpack bs)) <> "])" diff --git a/xftp-web/.gitignore b/xftp-web/.gitignore index 507b50d80c..1c8c596337 100644 --- a/xftp-web/.gitignore +++ b/xftp-web/.gitignore @@ -2,3 +2,4 @@ node_modules/ dist/ dist-web/ package-lock.json +test-results diff --git a/xftp-web/src/protocol/commands.ts b/xftp-web/src/protocol/commands.ts index 3ca43541fc..0bb4d6f597 100644 --- a/xftp-web/src/protocol/commands.ts +++ b/xftp-web/src/protocol/commands.ts @@ -81,7 +81,7 @@ export function encodePING(): Uint8Array { return ascii("PING") } // -- Response decoding -function readTag(d: Decoder): string { +export function readTag(d: Decoder): string { const start = d.offset() while (d.remaining() > 0) { if (d.buf[d.offset()] === 0x20 || d.buf[d.offset()] === 0x0a) break @@ -92,7 +92,7 @@ function readTag(d: Decoder): string { return s } -function readSpace(d: Decoder): void { +export function readSpace(d: Decoder): void { if (d.anyByte() !== 0x20) throw new Error("expected space") }