pocket-messaging

/** * A four way client-server handshake, as excellently described in * https://ssbc.github.io/scuttlebutt-protocol-guide/ with a few additions: * * This protocols has one added version byte, one added difficulty byte, 4 byte added nonce bytes, * and a 6 byte added clock timestamp and added optional client/server data exchange for * swapping application parameters of default maximum 2048 bytes. * * The added difficulty byte can be used to force the client to calculate a nonce to match the * difficulty level set by the server for the handshake to complete. */ import sodium from "libsodium-wrappers"; import {ClientInterface, ByteSize} from "pocket-sockets"; import { HandshakeResult, } from "./types"; type KeyPair = { publicKey: Buffer, secretKey: Buffer }; // Single byte depicting the version of the handshake protocol. const Version = Buffer.from([1]); export function writeUInt64BE(target: Buffer, nr: bigint) { if (typeof(nr) !== "bigint") { throw new Error("expecting nr type bigint"); } if (nr < BigInt(0) || nr > 0xffffffffffffffffn) { throw new Error("64 bit integer out of bounds"); } const binary = nr.toString(2).padStart(64, "0"); const msb32 = parseInt(binary.slice(0, 32), 2); const lsb32 = parseInt(binary.slice(32), 2); target.writeUInt32BE(msb32, 0); target.writeUInt32BE(lsb32, 4); } export function readUInt64BE(source: Buffer): bigint { const high32b = source.readUInt32BE(0); const low32b = source.readUInt32BE(4); const binary = high32b.toString(2).padStart(32, "0") + low32b.toString(2).padStart(32, "0"); const value = BigInt("0b" + binary); return value; } // Compare two buffers in constant time function Equals(a: Buffer, b: Buffer): boolean { if (a.length !== b.length) { // Cannot compare buffers of different lengths in constant time return false; } let result = 0; // == buffers are equal. for (let i=0; i<a.length; i++) { result |= a[i] ^ b[i]; } return result === 0; // true if buffers are equal } function createEphemeralKeys(): KeyPair { const keyPair = sodium.crypto_box_keypair(); return { publicKey: Buffer.from(keyPair.publicKey), secretKey: Buffer.from(keyPair.privateKey) }; } function hmac(msg: Buffer, key: Buffer): Buffer { const hmac = sodium.crypto_auth(msg, key); return Buffer.from(hmac); } function assertHmac(clientHmac: Buffer, msg: Buffer, key: Buffer): boolean { const hmac2 = hmac(msg, key); return Equals(hmac2, clientHmac); } function clientSharedSecret_ab(clientEphemeralSk: Buffer, serverEphemeralPk: Buffer): Buffer { return Buffer.from(sodium.crypto_scalarmult(clientEphemeralSk, serverEphemeralPk)); } function serverSharedSecret_ab(serverEphemeralSk: Buffer, clientEphemeralPk: Buffer): Buffer { return Buffer.from(sodium.crypto_scalarmult(serverEphemeralSk, clientEphemeralPk)); } function clientSharedSecret_aB(clientEphemeralPk: Buffer, serverLongtermPk: Buffer): Buffer { return Buffer.from(sodium.crypto_scalarmult(clientEphemeralPk, sodium.crypto_sign_ed25519_pk_to_curve25519(serverLongtermPk))); } function serverSharedSecret_aB(serverLongtermSk: Buffer, clientEphemeralPk: Buffer): Buffer { return Buffer.from(sodium.crypto_scalarmult(sodium.crypto_sign_ed25519_sk_to_curve25519(serverLongtermSk), clientEphemeralPk)); } function clientSharedSecret_Ab(clientLongtermSk: Buffer, serverEphemeralPk: Buffer): Buffer { return Buffer.from(sodium.crypto_scalarmult(sodium.crypto_sign_ed25519_sk_to_curve25519(clientLongtermSk), serverEphemeralPk)); } function serverSharedSecret_Ab(serverEphemeralSk: Buffer, clientLongtermPk: Buffer): Buffer { return Buffer.from(sodium.crypto_scalarmult(serverEphemeralSk, sodium.crypto_sign_ed25519_pk_to_curve25519(clientLongtermPk))); } function signDetached(msg: Buffer, secretKey: Buffer): Buffer { return Buffer.from(sodium.crypto_sign_detached(msg, secretKey)); } function signVerifyDetached(msg: Buffer, sig: Buffer, publicKey: Buffer): boolean { return sodium.crypto_sign_verify_detached(sig, msg, publicKey); } function secretBox(msg: Buffer, nonce: Buffer, key: Buffer): Buffer { return Buffer.from(sodium.crypto_secretbox_easy(msg, nonce, key)); } function secretBoxOpen(ciphertext: Buffer, nonce: Buffer, key: Buffer): Buffer { const unboxed = sodium.crypto_secretbox_open_easy(ciphertext, nonce, key); if (!unboxed) { throw new Error("Could not open box"); } return Buffer.from(unboxed); } function calcClientToServerKey(discriminator: Buffer, sharedSecret_ab: Buffer, sharedSecret_aB: Buffer, sharedSecret_Ab: Buffer, serverLongtermPk: Buffer, serverEphemeralPk: Buffer): [Buffer, Buffer] { const inner = hashFn(hashFn(Buffer.concat([discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab]))); const clientToServerKey = hashFn(Buffer.concat([inner, serverLongtermPk])); const clientNonce = hmac(serverEphemeralPk, discriminator).slice(0, 24); return [clientToServerKey, clientNonce]; } function calcServerToClientKey(discriminator: Buffer, sharedSecret_ab: Buffer, sharedSecret_aB: Buffer, sharedSecret_Ab: Buffer, clientLongtermPk: Buffer, clientEphemeralPk: Buffer): [Buffer, Buffer] { const inner = hashFn(hashFn(Buffer.concat([discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab]))); const serverToClientKey = hashFn(Buffer.concat([inner, clientLongtermPk])); const serverNonce = hmac(clientEphemeralPk, discriminator).slice(0, 24); return [serverToClientKey, serverNonce]; } function hashFn(message: Buffer): Buffer { const digest = sodium.crypto_generichash(32, message); return Buffer.from(digest); } /** * Client creates message 1 (65 bytes). * * @return 1 byte version + 32 bytes hmac + 32 bytes clientEphemeralPk */ function message1(clientEphemeralPk: Buffer, discriminator: Buffer): Buffer { if (clientEphemeralPk.length !== 32) { throw new Error("clientEphemeralPk must be 32 bytes"); } if (discriminator.length !== 32) { throw new Error("Discriminator must be 32 bytes"); } const clientHmac = hmac(clientEphemeralPk, discriminator); return Buffer.concat([Version, clientHmac, clientEphemeralPk]); } /** * Server verifies client message 1. * @return client ephemeral public key on success, else throw exception. * @throws */ function verifyMessage1(msg1: Buffer, discriminator: Buffer): Buffer { if (msg1.length !== 65) { throw new Error("Incoming message 1 must be 65 bytes long"); } if (discriminator.length !== 32) { throw new Error("Discriminator must be 32 bytes"); } const version = msg1.slice(0, 1); // Check so versions match. if (!Equals(version, Version)) { throw new Error("Mismatching version of the handshake"); } const hmac = msg1.slice(1, 1+32); const clientEphemeralPk = msg1.slice(1+32, 1+32+32); if (assertHmac(hmac, clientEphemeralPk, discriminator)) { return clientEphemeralPk; } throw new Error("Non matching discriminators"); } /** * Server creates message 2 (65 bytes). * @return msg2: Buffer */ function message2(difficulty: Buffer, serverEphemeralPk: Buffer, discriminator: Buffer): Buffer { if (difficulty.length !== 1) { throw new Error("Difficulty must be of length 1 bytes"); } if (serverEphemeralPk.length !== 32) { throw new Error("ServerEphemeralPk must be of length 32 bytes"); } if (discriminator.length !== 32) { throw new Error("Discriminator must be 32 bytes"); } const serverHmac = hmac(Buffer.concat([difficulty, serverEphemeralPk]), discriminator); return Buffer.concat([serverHmac, difficulty, serverEphemeralPk]); } /** * Client verifies first server message (message 2: 65 bytes). * Return server ephemeral public key on success. * Throws on error. * @return serverEphemeralPk * @throws */ function verifyMessage2(msg2: Buffer, discriminator: Buffer): [Buffer, Buffer] { if (msg2.length !== 65) { throw new Error("Incoming message 2 must be of 65 bytes"); } if (discriminator.length !== 32) { throw new Error("Discriminator must be 32 bytes"); } const hmac = msg2.slice(0, 32); const difficulty = msg2.slice(32, 33); const serverEphemeralPk = msg2.slice(33, 65); if (assertHmac(hmac, Buffer.concat([difficulty, serverEphemeralPk]), discriminator)) { return [difficulty, serverEphemeralPk]; } throw new Error("Non matching discriminators"); } /** * Client creates its second message (message 3: variable length). * @return ciphertext: Buffer */ function message3(detachedSigA: Buffer, nonce: Buffer, discriminator: Buffer, clientLongtermPk: Buffer, sharedSecret_ab: Buffer, sharedSecret_aB: Buffer, clientClock: number, clientData?: Buffer): Buffer { if (detachedSigA.length !== 64) { throw new Error("detachedSigA must be 64 bytes"); } if (nonce.length !== 4) { throw new Error("Nonce must be 4 bytes"); } if (discriminator.length !== 32) { throw new Error("Discriminator must be 32 bytes"); } if (clientLongtermPk.length !== 32) { throw new Error("ServerEphemeralPk must be of length 32 bytes"); } if (sharedSecret_ab.length !== 32) { throw new Error("sharedSecret_ab must be of length 32 bytes"); } if (sharedSecret_aB.length !== 32) { throw new Error("sharedSecret_aB must be of length 32 bytes"); } if (clientClock < 0) { throw new Error("clientClock must be zero or positive"); } if (!clientData) { clientData = Buffer.alloc(0); } if (clientData.length > 1024*60) { throw new Error("Client data cannot exceed 60 KiB"); } let packedClientClock = Buffer.alloc(8); writeUInt64BE(packedClientClock, BigInt(clientClock)); packedClientClock = packedClientClock.slice(2); // remove first two empty bytes const message = Buffer.concat([detachedSigA, nonce, clientLongtermPk, packedClientClock, clientData]); const boxNonce = Buffer.alloc(24).fill(0); const key = hashFn(Buffer.concat([discriminator, sharedSecret_ab, sharedSecret_aB])); const ciphertext = Buffer.from(secretBox(message, boxNonce, key)); const length = Buffer.alloc(2); // Prepend ciphertext with two bytes describing length length.writeUInt16BE(ciphertext.length, 0); return Buffer.concat([length, ciphertext]); } /** * Server verifies message 3. * Return client longterm public key, the detachedSigA, and the arbitrary variable length client data on success. * Throws exception on error. * @return [nonce, clientLongtermPk, detachedSigA, clientClock, clientData] * @throws */ function verifyMessage3(msg3: Buffer, serverLongtermPk: Buffer, discriminator: Buffer, sharedSecret_ab: Buffer, sharedSecret_aB: Buffer): [Buffer, Buffer, Buffer, number, Buffer] { if (serverLongtermPk.length !== 32) { throw new Error("serverLongtermPk must be of length 32 bytes"); } if (discriminator.length !== 32) { throw new Error("Discriminator must be 32 bytes"); } if (sharedSecret_ab.length !== 32) { throw new Error("sharedSecret_ab must be of length 32 bytes"); } if (sharedSecret_aB.length !== 32) { throw new Error("sharedSecret_aB must be of length 32 bytes"); } const length = msg3.readUInt16BE(0); const ciphertext = msg3.slice(2); if (ciphertext.length !== length) { throw new Error("Mismatching expected length of message 3"); } const boxNonce = Buffer.alloc(24).fill(0); const key = hashFn(Buffer.concat([discriminator, sharedSecret_ab, sharedSecret_aB])); const unboxed = secretBoxOpen(ciphertext, boxNonce, key); const detachedSigA = unboxed.slice(0, 64); const nonce = unboxed.slice(64, 64+4); const clientLongtermPk = unboxed.slice(64+4, 64+4+32); const packedClientClock = unboxed.slice(64+4+32, 64+4+32+6); const clientData = unboxed.slice(64+4+32+6); const msg = Buffer.concat([nonce, discriminator, serverLongtermPk, hashFn(sharedSecret_ab)]); if (!signVerifyDetached(msg, detachedSigA, clientLongtermPk)) { throw new Error("Signature does not match"); } const clientClock = Number(readUInt64BE(Buffer.concat([Buffer.alloc(2), packedClientClock]))); return [nonce, clientLongtermPk, detachedSigA, clientClock, clientData]; } /** * Server creates its second message (message 4) (176 bytes). */ function message4(discriminator: Buffer, detachedSigA: Buffer, clientLongtermPk: Buffer, sharedSecret_ab: Buffer, sharedSecret_aB: Buffer, sharedSecret_Ab: Buffer, serverLongtermSk: Buffer, serverClock: number, serverData?: Buffer): Buffer { if (discriminator.length !== 32) { throw new Error("Discriminator must be 32 bytes"); } if (detachedSigA.length !== 64) { throw new Error("detachedSigA must be 64 bytes"); } if (clientLongtermPk.length !== 32) { throw new Error("clientLongtermPk must be of length 32 bytes"); } if (sharedSecret_ab.length !== 32) { throw new Error("sharedSecret_ab must be of length 32 bytes"); } if (sharedSecret_aB.length !== 32) { throw new Error("sharedSecret_aB must be of length 32 bytes"); } if (sharedSecret_Ab.length !== 32) { throw new Error("sharedSecret_Ab must be of length 32 bytes"); } if (serverLongtermSk.length !== 64) { throw new Error("serverLongtermSk must be of length 64 bytes"); } if (serverClock < 0) { throw new Error("serverClock must be zero or positive"); } if (!serverData) { serverData = Buffer.alloc(0); } let packedServerClock = Buffer.alloc(8); writeUInt64BE(packedServerClock, BigInt(serverClock)); packedServerClock = packedServerClock.slice(2); // remove first two empty bytes const detachedSigB = signDetached(Buffer.concat([discriminator, detachedSigA, clientLongtermPk, hashFn(sharedSecret_ab)]), serverLongtermSk); const boxNonce = Buffer.alloc(24).fill(0); const key = hashFn(Buffer.concat([discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab])); const ciphertext = secretBox(Buffer.concat([detachedSigB, packedServerClock, serverData]), boxNonce, key); const length = Buffer.alloc(2); // Prepend ciphertext with two bytes describing length length.writeUInt16BE(ciphertext.length, 0); return Buffer.concat([length, ciphertext]); } /** * Client verifies server message 2 (message 4). * @return [serverClock: number, serverData: Buffer] * serverClock in milliseconds * @throws on error */ function verifyMessage4(msg4: Buffer, detachedSigA: Buffer, clientLongtermPk: Buffer, serverLongtermPk: Buffer, discriminator: Buffer, sharedSecret_ab: Buffer, sharedSecret_aB: Buffer, sharedSecret_Ab: Buffer): [number, Buffer] { if (detachedSigA.length !== 64) { throw new Error("detachedSigA must be 64 bytes"); } if (clientLongtermPk.length !== 32) { throw new Error("clientLongtermPk must be of length 32 bytes"); } if (serverLongtermPk.length !== 32) { throw new Error("serverLongtermPk must be of length 32 bytes"); } if (discriminator.length !== 32) { throw new Error("Discriminator must be 32 bytes"); } if (sharedSecret_ab.length !== 32) { throw new Error("sharedSecret_ab must be of length 32 bytes"); } if (sharedSecret_aB.length !== 32) { throw new Error("sharedSecret_aB must be of length 32 bytes"); } if (sharedSecret_Ab.length !== 32) { throw new Error("sharedSecret_Ab must be of length 32 bytes"); } const length = msg4.readUInt16BE(0); const ciphertext = msg4.slice(2); if (ciphertext.length !== length) { throw new Error("Mismatching expected length of message 4"); } const boxNonce = Buffer.alloc(24).fill(0); const key = hashFn(Buffer.concat([discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab])); const unboxed = secretBoxOpen(ciphertext, boxNonce, key); const detachedSigB = unboxed.slice(0, 64); const packedServerClock = unboxed.slice(64, 70); const serverData = unboxed.slice(70); const msg = Buffer.concat([discriminator, detachedSigA, clientLongtermPk, hashFn(sharedSecret_ab)]); if (!signVerifyDetached(msg, detachedSigB, serverLongtermPk)) { throw new Error("Signature does not match"); } const serverClock = Number(readUInt64BE(Buffer.concat([Buffer.alloc(2), packedServerClock]))); return [serverClock, serverData]; } /** * @param difficulty number of nibbles to solve for */ function CalculateNonce(difficulty: number, serverEphemeralPk: Buffer): Buffer { const target = Buffer.from(serverEphemeralPk.toString("hex").slice(0, difficulty)); let n = 0; let nonce = Buffer.alloc(4); const b = Buffer.alloc(4); while (!Equals(target, Buffer.from(nonce.toString("hex").slice(0, difficulty)))) { n++; b.writeUInt32BE(n); nonce = hashFn(b).slice(0, 4); if (n>=0xffffffff) { throw new Error("Nonce overflow"); } } return nonce; } function VerifyNonce(difficulty: number, serverEphemeralPk: Buffer, nonce: Buffer): boolean { const target = Buffer.from(serverEphemeralPk.toString("hex").slice(0, difficulty)); return Equals(target, Buffer.from(nonce.toString("hex").slice(0, difficulty))); } /** * On successful handshake return a populated HandshakeResult object. * On unsuccessful throw exception. * @return Promise <HandshakeResult> * @throws */ export async function HandshakeAsClient( client: ClientInterface, clientLongtermSk: Buffer, clientLongtermPk: Buffer, serverLongtermPk: Buffer, discriminator: Buffer, clientData?: Buffer, clock?: number, maxServerDataSize: number = 2048, timeout: number = 3000): Promise<HandshakeResult> { clock = clock ?? Date.now(); // We need this to take a delta later to adjust the clock. // const initialTimestamp = Date.now(); await sodium.ready; // Make sure the discriminator is constant length discriminator = hashFn(discriminator); const clientEphemeralKeys = createEphemeralKeys(); const clientEphemeralPk = clientEphemeralKeys.publicKey; const clientEphemeralSk = clientEphemeralKeys.secretKey; // First message from client (message 1) const msg1 = message1(clientEphemeralPk, discriminator); client.send(msg1); // First response from server (message 2) const msg2 = await new ByteSize(client).read(65, timeout); // Before spending any more time, take the delta. // const delta = Date.now() - initialTimestamp; const [difficulty, serverEphemeralPk] = verifyMessage2(msg2, discriminator); const nonce = CalculateNonce(difficulty.readUInt8(0), serverEphemeralPk); const sharedSecret_ab = clientSharedSecret_ab(clientEphemeralSk, serverEphemeralPk); const sharedSecret_aB = clientSharedSecret_aB(clientEphemeralSk, serverLongtermPk); // Second message from client (message 3) // const clientClock = clock + delta; const detachedSigA = signDetached(Buffer.concat([nonce, discriminator, serverLongtermPk, hashFn(sharedSecret_ab)]), clientLongtermSk); const msg3 = message3(detachedSigA, nonce, discriminator, clientLongtermPk, sharedSecret_ab, sharedSecret_aB, clientClock, clientData); client.send(msg3); const sharedSecret_Ab = clientSharedSecret_Ab(clientLongtermSk, serverEphemeralPk); // Wait for second response from server (message 4) const lengthPrefix = await new ByteSize(client).read(2, timeout); const length = lengthPrefix.readUInt16BE(0); const FIXED_LENGTH = 70; // 64 byte signature + 6 byte clock if (length - FIXED_LENGTH > maxServerDataSize) { throw new Error("Server data length too big"); } const msg4_ciphertext = await new ByteSize(client).read(length, timeout); const msg4 = Buffer.concat([lengthPrefix, msg4_ciphertext]); const [serverClock, serverData] = verifyMessage4(msg4, detachedSigA, clientLongtermPk, serverLongtermPk, discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab); const [clientToServerKey, clientNonce] = calcClientToServerKey(discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab, serverLongtermPk, serverEphemeralPk); const [serverToClientKey, serverNonce] = calcServerToClientKey(discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab, clientLongtermPk, clientEphemeralPk); const handshakeParams = { longtermPk: clientLongtermPk, peerLongtermPk: serverLongtermPk, clientToServerKey, clientNonce, serverToClientKey, serverNonce, clockDiff: clientClock - serverClock, peerData: serverData, }; return handshakeParams; } /** * On successful handshake return a populated HandshakeResult object. * * On failed handshake throw exception. * * @param client to send and retrieve data on * @param serverLongtermSk this side's long term secret key * @param serverLongtermPk this side's long term public key * @param discriminator arbitrary data that must exactly match the client discriminator data * @param allowedClientKeys if Buffer array it contains all client public keys allowed to handshake. * If a function the function has to return true for the client to be allowed. * If undefined then allow all clients to handshake. * @param serverData optional data to pass to the client upon successful handshake. Its length cannot * exceed the client's maximum allowed length. * @param clock timestamp in milliseconds for when starting the handshake * This value will be adjusted upwards to be as near as possible for when the clock was sent * @param difficulty is the number of nibbles the client is required to calculate to mitigate ddos * attacks. Difficulty 6 is a lot. 8 is max. * If the client does not provide a requested nonce then the handshake is aborted after the clients * second message is retrieved. * @param maxClientDataSize the maximum length allowed for the client to pass its optional data. * @param timeout in milliseconds to wait for each message before aborting. * @return Promise<HandshakeResult> * @throws on error */ export async function HandshakeAsServer( client: ClientInterface, serverLongtermSk: Buffer, serverLongtermPk: Buffer, discriminator: Buffer, allowedClientKeys?: ((clientLongtermPk: Buffer) => boolean) | Buffer[], serverData?: Buffer, clock?: number, difficulty: number = 0, maxClientDataSize: number = 2048, timeout: number = 3000): Promise<HandshakeResult> { clock = clock ?? Date.now(); // We need this to take a delta later to adjust the clock. // const initialTimestamp = Date.now(); if (difficulty > 8) { // We support 8 nibbles of nonce. throw new Error("Too high difficulty requested, max 8"); } await sodium.ready; // Make sure the discriminator is constant length discriminator = hashFn(discriminator); const serverEphemeralKeys = createEphemeralKeys(); const serverEphemeralPk = serverEphemeralKeys.publicKey; const serverEphemeralSk = serverEphemeralKeys.secretKey; // Wait for first message from client (message 1) const msg1 = await new ByteSize(client).read(65, timeout); const clientEphemeralPk = verifyMessage1(msg1, discriminator); // Send first message from server (message 2) const msg2 = message2(Buffer.from([difficulty]), serverEphemeralPk, discriminator); client.send(msg2); const sharedSecret_ab = serverSharedSecret_ab(serverEphemeralSk, clientEphemeralPk); const sharedSecret_aB = serverSharedSecret_aB(serverLongtermSk, clientEphemeralPk); // Wait for second message from client (message 3) const lengthPrefix = await new ByteSize(client).read(2, timeout + difficulty * 30000); const length = lengthPrefix.readUInt16BE(0); const FIXED_LENGTH = 106; // incl. 6 byte clock if (length - FIXED_LENGTH > maxClientDataSize) { throw new Error("Client data length too big"); } const msg3_ciphertext = await new ByteSize(client).read(length, timeout); // Before spending any more time, take the delta. // const delta = Date.now() - initialTimestamp; const msg3 = Buffer.concat([lengthPrefix, msg3_ciphertext]); const [nonce, clientLongtermPk, detachedSigA, clientClock, clientData] = verifyMessage3(msg3, serverLongtermPk, discriminator, sharedSecret_ab, sharedSecret_aB); if (!VerifyNonce(difficulty, serverEphemeralPk, nonce)) { throw new Error("Nonce does not verify"); } // Verify permissioned handshake for client longterm pk if (allowedClientKeys) { if (typeof(allowedClientKeys) === "function") { if (!allowedClientKeys(clientLongtermPk)) { throw new Error(`Client longterm pk (${clientLongtermPk.toString("hex")} not allowed by function, IP: ${client.getRemoteAddress()}`); } } else if (Array.isArray(allowedClientKeys)) { if (!allowedClientKeys.find( (pk) => Equals(pk, clientLongtermPk) )) { throw new Error(`Client longterm pk (${clientLongtermPk.toString("hex")}) not in list of allowed public keys, IP: ${client.getRemoteAddress()}`); } } else { throw new Error("Unknown client longterm pk validator"); } } else { // WARNING: no allowedClientKeys means to allow all clients connecting // Fall through } const sharedSecret_Ab = serverSharedSecret_Ab(serverEphemeralSk, clientLongtermPk); // Send second message from server (message 4) // const serverClock = clock + delta; const msg4 = message4(discriminator, detachedSigA, clientLongtermPk, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab, serverLongtermSk, serverClock, serverData); client.send(msg4); const [clientToServerKey, clientNonce] = calcClientToServerKey(discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab, serverLongtermPk, serverEphemeralPk); const [serverToClientKey, serverNonce] = calcServerToClientKey(discriminator, sharedSecret_ab, sharedSecret_aB, sharedSecret_Ab, clientLongtermPk, clientEphemeralPk); const handshakeParams = { longtermPk: serverLongtermPk, peerLongtermPk: clientLongtermPk, clientToServerKey, clientNonce, serverToClientKey, clockDiff: serverClock - clientClock, serverNonce, peerData: clientData, }; // Done return handshakeParams; }