Protocol versioning for BTP.

bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java

@@ -45,8 +45,10 @@ import static org.briarproject.bramble.api.invitation.InvitationConstants.CODE_B
 import static org.briarproject.bramble.api.keyagreement.KeyAgreementConstants.COMMIT_LENGTH;
 import static org.briarproject.bramble.api.transport.TransportConstants.TAG_LENGTH;
 import static org.briarproject.bramble.crypto.EllipticCurveConstants.PARAMETERS;
+import static org.briarproject.bramble.util.ByteUtils.INT_16_BYTES;
 import static org.briarproject.bramble.util.ByteUtils.INT_32_BYTES;
 import static org.briarproject.bramble.util.ByteUtils.INT_64_BYTES;
+import static org.briarproject.bramble.util.ByteUtils.MAX_16_BIT_UNSIGNED;
 import static org.briarproject.bramble.util.ByteUtils.MAX_32_BIT_UNSIGNED;
 
 class CryptoComponentImpl implements CryptoComponent {
@@ -412,8 +414,11 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	@Override
-	public void encodeTag(byte[] tag, SecretKey tagKey, long streamNumber) {
+	public void encodeTag(byte[] tag, SecretKey tagKey, int protocolVersion,
+			long streamNumber) {
 		if (tag.length < TAG_LENGTH) throw new IllegalArgumentException();
+		if (protocolVersion < 0 || protocolVersion > MAX_16_BIT_UNSIGNED)
+			throw new IllegalArgumentException();
 		if (streamNumber < 0 || streamNumber > MAX_32_BIT_UNSIGNED)
 			throw new IllegalArgumentException();
 		// Initialise the PRF
@@ -421,10 +426,14 @@ class CryptoComponentImpl implements CryptoComponent {
 		// The output of the PRF must be long enough to use as a tag
 		int macLength = prf.getDigestSize();
 		if (macLength < TAG_LENGTH) throw new IllegalStateException();
-		// The input is the stream number as a 64-bit integer
-		byte[] input = new byte[INT_64_BYTES];
-		ByteUtils.writeUint64(streamNumber, input, 0);
-		prf.update(input, 0, input.length);
+		// The input is the protocol version as a 16-bit integer, followed by
+		// the stream number as a 64-bit integer
+		byte[] protocolVersionBytes = new byte[INT_16_BYTES];
+		ByteUtils.writeUint16(protocolVersion, protocolVersionBytes, 0);
+		prf.update(protocolVersionBytes, 0, protocolVersionBytes.length);
+		byte[] streamNumberBytes = new byte[INT_64_BYTES];
+		ByteUtils.writeUint64(streamNumber, streamNumberBytes, 0);
+		prf.update(streamNumberBytes, 0, streamNumberBytes.length);
 		byte[] mac = new byte[macLength];
 		prf.doFinal(mac, 0);
 		// The output is the first TAG_LENGTH bytes of the MAC

bramble-core/src/main/java/org/briarproject/bramble/crypto/StreamDecrypterImpl.java

@@ -20,9 +20,11 @@ import static org.briarproject.bramble.api.transport.TransportConstants.FRAME_NO
 import static org.briarproject.bramble.api.transport.TransportConstants.MAC_LENGTH;
 import static org.briarproject.bramble.api.transport.TransportConstants.MAX_FRAME_LENGTH;
 import static org.briarproject.bramble.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
-import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_IV_LENGTH;
+import static org.briarproject.bramble.api.transport.TransportConstants.PROTOCOL_VERSION;
 import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_LENGTH;
 import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_NONCE_LENGTH;
+import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_PLAINTEXT_LENGTH;
+import static org.briarproject.bramble.util.ByteUtils.INT_16_BYTES;
 import static org.briarproject.bramble.util.ByteUtils.INT_64_BYTES;
 
 @NotThreadSafe
@@ -117,7 +119,7 @@ class StreamDecrypterImpl implements StreamDecrypter {
 
 	private void readStreamHeader() throws IOException {
 		byte[] streamHeaderCiphertext = new byte[STREAM_HEADER_LENGTH];
-		byte[] streamHeaderPlaintext = new byte[SecretKey.LENGTH];
+		byte[] streamHeaderPlaintext = new byte[STREAM_HEADER_PLAINTEXT_LENGTH];
 		// Read the stream header
 		int offset = 0;
 		while (offset < STREAM_HEADER_LENGTH) {
@@ -126,21 +128,35 @@ class StreamDecrypterImpl implements StreamDecrypter {
 			if (read == -1) throw new EOFException();
 			offset += read;
 		}
-		// The nonce consists of the stream number followed by the IV
+		// Extract the nonce
 		byte[] streamHeaderNonce = new byte[STREAM_HEADER_NONCE_LENGTH];
-		ByteUtils.writeUint64(streamNumber, streamHeaderNonce, 0);
-		System.arraycopy(streamHeaderCiphertext, 0, streamHeaderNonce,
-				INT_64_BYTES, STREAM_HEADER_IV_LENGTH);
+		System.arraycopy(streamHeaderCiphertext, 0, streamHeaderNonce, 0,
+				STREAM_HEADER_NONCE_LENGTH);
 		// Decrypt and authenticate the stream header
 		try {
 			cipher.init(false, streamHeaderKey, streamHeaderNonce);
 			int decrypted = cipher.process(streamHeaderCiphertext,
-					STREAM_HEADER_IV_LENGTH, SecretKey.LENGTH + MAC_LENGTH,
+					STREAM_HEADER_NONCE_LENGTH,
+					STREAM_HEADER_PLAINTEXT_LENGTH + MAC_LENGTH,
 					streamHeaderPlaintext, 0);
-			if (decrypted != SecretKey.LENGTH) throw new RuntimeException();
+			if (decrypted != STREAM_HEADER_PLAINTEXT_LENGTH)
+				throw new RuntimeException();
 		} catch (GeneralSecurityException e) {
 			throw new FormatException();
 		}
-		frameKey = new SecretKey(streamHeaderPlaintext);
+		// Check the protocol version
+		int receivedProtocolVersion =
+				ByteUtils.readUint16(streamHeaderPlaintext, 0);
+		if (receivedProtocolVersion != PROTOCOL_VERSION)
+			throw new FormatException();
+		// Check the stream number
+		long receivedStreamNumber = ByteUtils.readUint64(streamHeaderPlaintext,
+				INT_16_BYTES);
+		if (receivedStreamNumber != streamNumber) throw new FormatException();
+		// Extract the frame key
+		byte[] frameKeyBytes = new byte[SecretKey.LENGTH];
+		System.arraycopy(streamHeaderPlaintext, INT_16_BYTES + INT_64_BYTES,
+				frameKeyBytes, 0, SecretKey.LENGTH);
+		frameKey = new SecretKey(frameKeyBytes);
 	}
 }

bramble-core/src/main/java/org/briarproject/bramble/crypto/StreamEncrypterFactoryImpl.java

@@ -13,7 +13,8 @@ import javax.annotation.concurrent.Immutable;
 import javax.inject.Inject;
 import javax.inject.Provider;
 
-import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_IV_LENGTH;
+import static org.briarproject.bramble.api.transport.TransportConstants.PROTOCOL_VERSION;
+import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_NONCE_LENGTH;
 import static org.briarproject.bramble.api.transport.TransportConstants.TAG_LENGTH;
 
 @Immutable
@@ -36,22 +37,22 @@ class StreamEncrypterFactoryImpl implements StreamEncrypterFactory {
 		AuthenticatedCipher cipher = cipherProvider.get();
 		long streamNumber = ctx.getStreamNumber();
 		byte[] tag = new byte[TAG_LENGTH];
-		crypto.encodeTag(tag, ctx.getTagKey(), streamNumber);
-		byte[] streamHeaderIv = new byte[STREAM_HEADER_IV_LENGTH];
-		crypto.getSecureRandom().nextBytes(streamHeaderIv);
+		crypto.encodeTag(tag, ctx.getTagKey(), PROTOCOL_VERSION, streamNumber);
+		byte[] streamHeaderNonce = new byte[STREAM_HEADER_NONCE_LENGTH];
+		crypto.getSecureRandom().nextBytes(streamHeaderNonce);
 		SecretKey frameKey = crypto.generateSecretKey();
 		return new StreamEncrypterImpl(out, cipher, streamNumber, tag,
-				streamHeaderIv, ctx.getHeaderKey(), frameKey);
+				streamHeaderNonce, ctx.getHeaderKey(), frameKey);
 	}
 
 	@Override
 	public StreamEncrypter createInvitationStreamEncrypter(OutputStream out,
 			SecretKey headerKey) {
 		AuthenticatedCipher cipher = cipherProvider.get();
-		byte[] streamHeaderIv = new byte[STREAM_HEADER_IV_LENGTH];
-		crypto.getSecureRandom().nextBytes(streamHeaderIv);
+		byte[] streamHeaderNonce = new byte[STREAM_HEADER_NONCE_LENGTH];
+		crypto.getSecureRandom().nextBytes(streamHeaderNonce);
 		SecretKey frameKey = crypto.generateSecretKey();
-		return new StreamEncrypterImpl(out, cipher, 0, null, streamHeaderIv,
+		return new StreamEncrypterImpl(out, cipher, 0, null, streamHeaderNonce,
 				headerKey, frameKey);
 	}
 }

bramble-core/src/main/java/org/briarproject/bramble/crypto/StreamEncrypterImpl.java

@@ -18,9 +18,11 @@ import static org.briarproject.bramble.api.transport.TransportConstants.FRAME_NO
 import static org.briarproject.bramble.api.transport.TransportConstants.MAC_LENGTH;
 import static org.briarproject.bramble.api.transport.TransportConstants.MAX_FRAME_LENGTH;
 import static org.briarproject.bramble.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
-import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_IV_LENGTH;
+import static org.briarproject.bramble.api.transport.TransportConstants.PROTOCOL_VERSION;
 import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_LENGTH;
 import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_NONCE_LENGTH;
+import static org.briarproject.bramble.api.transport.TransportConstants.STREAM_HEADER_PLAINTEXT_LENGTH;
+import static org.briarproject.bramble.util.ByteUtils.INT_16_BYTES;
 import static org.briarproject.bramble.util.ByteUtils.INT_64_BYTES;
 
 @NotThreadSafe
@@ -33,7 +35,7 @@ class StreamEncrypterImpl implements StreamEncrypter {
 	private final long streamNumber;
 	@Nullable
 	private final byte[] tag;
-	private final byte[] streamHeaderIv;
+	private final byte[] streamHeaderNonce;
 	private final byte[] frameNonce, frameHeader;
 	private final byte[] framePlaintext, frameCiphertext;
 
@@ -41,13 +43,13 @@ class StreamEncrypterImpl implements StreamEncrypter {
 	private boolean writeTag, writeStreamHeader;
 
 	StreamEncrypterImpl(OutputStream out, AuthenticatedCipher cipher,
-			long streamNumber, @Nullable byte[] tag, byte[] streamHeaderIv,
+			long streamNumber, @Nullable byte[] tag, byte[] streamHeaderNonce,
 			SecretKey streamHeaderKey, SecretKey frameKey) {
 		this.out = out;
 		this.cipher = cipher;
 		this.streamNumber = streamNumber;
 		this.tag = tag;
-		this.streamHeaderIv = streamHeaderIv;
+		this.streamHeaderNonce = streamHeaderNonce;
 		this.streamHeaderKey = streamHeaderKey;
 		this.frameKey = frameKey;
 		frameNonce = new byte[FRAME_NONCE_LENGTH];
@@ -114,22 +116,23 @@ class StreamEncrypterImpl implements StreamEncrypter {
 	}
 
 	private void writeStreamHeader() throws IOException {
-		// The nonce consists of the stream number followed by the IV
-		byte[] streamHeaderNonce = new byte[STREAM_HEADER_NONCE_LENGTH];
-		ByteUtils.writeUint64(streamNumber, streamHeaderNonce, 0);
-		System.arraycopy(streamHeaderIv, 0, streamHeaderNonce, INT_64_BYTES,
-				STREAM_HEADER_IV_LENGTH);
-		byte[] streamHeaderPlaintext = frameKey.getBytes();
+		// The header contains the protocol version, stream number and frame key
+		byte[] streamHeaderPlaintext = new byte[STREAM_HEADER_PLAINTEXT_LENGTH];
+		ByteUtils.writeUint16(PROTOCOL_VERSION, streamHeaderPlaintext, 0);
+		ByteUtils.writeUint64(streamNumber, streamHeaderPlaintext,
+				INT_16_BYTES);
+		System.arraycopy(frameKey.getBytes(), 0, streamHeaderPlaintext,
+				INT_16_BYTES + INT_64_BYTES, SecretKey.LENGTH);
 		byte[] streamHeaderCiphertext = new byte[STREAM_HEADER_LENGTH];
-		System.arraycopy(streamHeaderIv, 0, streamHeaderCiphertext, 0,
-				STREAM_HEADER_IV_LENGTH);
-		// Encrypt and authenticate the frame key
+		System.arraycopy(this.streamHeaderNonce, 0, streamHeaderCiphertext, 0,
+				STREAM_HEADER_NONCE_LENGTH);
+		// Encrypt and authenticate the stream header key
 		try {
 			cipher.init(true, streamHeaderKey, streamHeaderNonce);
 			int encrypted = cipher.process(streamHeaderPlaintext, 0,
-					SecretKey.LENGTH, streamHeaderCiphertext,
-					STREAM_HEADER_IV_LENGTH);
-			if (encrypted != SecretKey.LENGTH + MAC_LENGTH)
+					STREAM_HEADER_PLAINTEXT_LENGTH, streamHeaderCiphertext,
+					STREAM_HEADER_NONCE_LENGTH);
+			if (encrypted != STREAM_HEADER_PLAINTEXT_LENGTH + MAC_LENGTH)
 				throw new RuntimeException();
 		} catch (GeneralSecurityException badCipher) {
 			throw new RuntimeException(badCipher);

bramble-core/src/main/java/org/briarproject/bramble/transport/TransportKeyManagerImpl.java

@@ -29,6 +29,7 @@ import javax.annotation.concurrent.ThreadSafe;
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
 import static java.util.logging.Level.WARNING;
 import static org.briarproject.bramble.api.transport.TransportConstants.MAX_CLOCK_DIFFERENCE;
+import static org.briarproject.bramble.api.transport.TransportConstants.PROTOCOL_VERSION;
 import static org.briarproject.bramble.api.transport.TransportConstants.TAG_LENGTH;
 import static org.briarproject.bramble.util.ByteUtils.MAX_32_BIT_UNSIGNED;
 
@@ -126,7 +127,8 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 		for (long streamNumber : inKeys.getWindow().getUnseen()) {
 			TagContext tagCtx = new TagContext(c, inKeys, streamNumber);
 			byte[] tag = new byte[TAG_LENGTH];
-			crypto.encodeTag(tag, inKeys.getTagKey(), streamNumber);
+			crypto.encodeTag(tag, inKeys.getTagKey(),PROTOCOL_VERSION,
+					streamNumber);
 			inContexts.put(new Bytes(tag), tagCtx);
 		}
 	}
@@ -242,7 +244,8 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 			// Add tags for any stream numbers added to the window
 			for (long streamNumber : change.getAdded()) {
 				byte[] addTag = new byte[TAG_LENGTH];
-				crypto.encodeTag(addTag, inKeys.getTagKey(), streamNumber);
+				crypto.encodeTag(addTag, inKeys.getTagKey(), PROTOCOL_VERSION,
+						streamNumber);
 				inContexts.put(new Bytes(addTag), new TagContext(
 						tagCtx.contactId, inKeys, streamNumber));
 			}
@@ -250,7 +253,8 @@ class TransportKeyManagerImpl implements TransportKeyManager {
 			for (long streamNumber : change.getRemoved()) {
 				if (streamNumber == tagCtx.streamNumber) continue;
 				byte[] removeTag = new byte[TAG_LENGTH];
-				crypto.encodeTag(removeTag, inKeys.getTagKey(), streamNumber);
+				crypto.encodeTag(removeTag, inKeys.getTagKey(),
+						PROTOCOL_VERSION, streamNumber);
 				inContexts.remove(new Bytes(removeTag));
 			}
 			// Write the window back to the DB