Replace XX/NX handshakes with IK/NK

Author: ravi-signal

service/config/sample.yml

@@ -478,7 +478,6 @@ noiseTunnel:
   tlsKeyStoreEntryAlias: example.com
   tlsKeyStorePassword: secret://noiseTunnel.tlsKeyStorePassword
   noiseStaticPrivateKey: secret://noiseTunnel.noiseStaticPrivateKey
-  noiseRootPublicKeySignature: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
   recognizedProxySecret: secret://noiseTunnel.recognizedProxySecret
 
 externalRequestFilter:

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -933,7 +933,6 @@ protected void configureServer(final ServerBuilder<?> serverBuilder) {
         clientConnectionManager,
         clientPublicKeysManager,
         config.getNoiseWebSocketTunnelConfiguration().noiseStaticKeyPair(),
-        config.getNoiseWebSocketTunnelConfiguration().noiseRootPublicKeySignature(),
         authenticatedGrpcServerAddress,
         anonymousGrpcServerAddress,
         config.getNoiseWebSocketTunnelConfiguration().recognizedProxySecret().value());

service/src/main/java/org/whispersystems/textsecuregcm/configuration/NoiseWebSocketTunnelConfiguration.java

@@ -15,7 +15,6 @@ public record NoiseWebSocketTunnelConfiguration(@Positive int port,
                                                 @Nullable String tlsKeyStoreEntryAlias,
                                                 @Nullable SecretString tlsKeyStorePassword,
                                                 @NotNull SecretBytes noiseStaticPrivateKey,
-                                                @NotNull byte[] noiseRootPublicKeySignature,
                                                 @NotNull SecretString recognizedProxySecret) {
 
   public ECKeyPair noiseStaticKeyPair() throws InvalidKeyException {

service/src/main/java/org/whispersystems/textsecuregcm/grpc/net/AbstractNoiseHandshakeHandler.java

@@ -9,6 +9,7 @@
 import javax.crypto.BadPaddingException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.util.ExceptionUtils;
 
 /**
  * An error handler serves as a general backstop for exceptions elsewhere in the pipeline. If the client has completed a
@@ -38,7 +39,7 @@ protected void setWebsocketHandshakeComplete() {
   @Override
   public void exceptionCaught(final ChannelHandlerContext context, final Throwable cause) {
     if (websocketHandshakeComplete) {
-      final WebSocketCloseStatus webSocketCloseStatus = switch (cause) {
+      final WebSocketCloseStatus webSocketCloseStatus = switch (ExceptionUtils.unwrap(cause)) {
         case NoiseHandshakeException e -> ApplicationWebSocketCloseReason.NOISE_HANDSHAKE_ERROR.toWebSocketCloseStatus(e.getMessage());
         case ClientAuthenticationException ignored -> ApplicationWebSocketCloseReason.CLIENT_AUTHENTICATION_ERROR.toWebSocketCloseStatus("Not authenticated");
         case BadPaddingException ignored -> ApplicationWebSocketCloseReason.NOISE_ENCRYPTION_ERROR.toWebSocketCloseStatus("Noise encryption error");
@@ -51,6 +52,7 @@ public void exceptionCaught(final ChannelHandlerContext context, final Throwable
       context.writeAndFlush(new CloseWebSocketFrame(webSocketCloseStatus))
           .addListener(ChannelFutureListener.CLOSE_ON_FAILURE);
     } else {
+      log.debug("Error occurred before websocket handshake complete", cause);
       // We haven't completed a websocket handshake, so we can't really communicate errors in a semantically-meaningful
       // way; just close the connection instead.
       context.close();

service/src/main/java/org/whispersystems/textsecuregcm/grpc/net/ErrorHandler.java

@@ -48,12 +48,12 @@ public void channelRead(final ChannelHandlerContext context, final Object messag
 
   @Override
   public void userEventTriggered(final ChannelHandlerContext remoteChannelContext, final Object event) {
-    if (event instanceof NoiseHandshakeCompleteEvent noiseHandshakeCompleteEvent) {
+    if (event instanceof NoiseIdentityDeterminedEvent noiseIdentityDeterminedEvent) {
       // We assume that we'll only get a completed handshake event if the handshake met all authentication requirements
       // for the requested service. If the handshake doesn't have an authenticated device, we assume we're trying to
       // connect to the anonymous service. If it does have an authenticated device, we assume we're aiming for the
       // authenticated service.
-      final LocalAddress grpcServerAddress = noiseHandshakeCompleteEvent.authenticatedDevice().isPresent()
+      final LocalAddress grpcServerAddress = noiseIdentityDeterminedEvent.authenticatedDevice().isPresent()
           ? authenticatedGrpcServerAddress
           : anonymousGrpcServerAddress;
 
@@ -72,7 +72,7 @@ protected void initChannel(final LocalChannel localChannel) {
             if (localChannelFuture.isSuccess()) {
               clientConnectionManager.handleConnectionEstablished((LocalChannel) localChannelFuture.channel(),
                   remoteChannelContext.channel(),
-                  noiseHandshakeCompleteEvent.authenticatedDevice());
+                  noiseIdentityDeterminedEvent.authenticatedDevice());
 
               // Close the local connection if the remote channel closes and vice versa
               remoteChannelContext.channel().closeFuture().addListener(closeFuture -> localChannelFuture.channel().close());

service/src/main/java/org/whispersystems/textsecuregcm/grpc/net/EstablishLocalGrpcConnectionHandler.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.grpc.net;
+
+enum HandshakePattern {
+  NK("Noise_NK_25519_ChaChaPoly_BLAKE2b"),
+  IK("Noise_IK_25519_ChaChaPoly_BLAKE2b");
+
+  private final String protocol;
+
+  public String protocol() {
+    return protocol;
+  }
+
+
+  HandshakePattern(String protocol) {
+    this.protocol = protocol;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/grpc/net/HandshakePattern.java

@@ -0,0 +1,34 @@
+package org.whispersystems.textsecuregcm.grpc.net;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import java.util.Optional;
+import java.util.concurrent.CompletableFuture;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+
+/**
+ * A NoiseAnonymousHandler is a netty pipeline element that handles the responder side of an unauthenticated handshake
+ * and noise encryption/decryption.
+ * <p>
+ * A noise NK handshake must be used for unauthenticated connections. Optionally, the initiator can also include an
+ * initial request in their payload. If provided, this allows the server to begin processing the request without an
+ * initial message delay (fast open).
+ * <p>
+ * Once the handler receives the handshake initiator message, it will fire a {@link NoiseIdentityDeterminedEvent}
+ * indicating that initiator connected anonymously.
+ */
+class NoiseAnonymousHandler extends NoiseHandler {
+
+  public NoiseAnonymousHandler(final ECKeyPair ecKeyPair) {
+    super(new NoiseHandshakeHelper(HandshakePattern.NK, ecKeyPair));
+  }
+
+  @Override
+  CompletableFuture<HandshakeResult> handleHandshakePayload(final ChannelHandlerContext context,
+      final Optional<byte[]> initiatorPublicKey, final ByteBuf handshakePayload) {
+    return CompletableFuture.completedFuture(new HandshakeResult(
+        handshakePayload,
+        Optional.empty()
+    ));
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/grpc/net/NoiseAnonymousHandler.java

@@ -0,0 +1,96 @@
+package org.whispersystems.textsecuregcm.grpc.net;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.util.ReferenceCountUtil;
+import java.security.MessageDigest;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.concurrent.CompletableFuture;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.whispersystems.textsecuregcm.auth.grpc.AuthenticatedDevice;
+import org.whispersystems.textsecuregcm.storage.ClientPublicKeysManager;
+import org.whispersystems.textsecuregcm.util.ExceptionUtils;
+
+/**
+ * A NoiseAuthenticatedHandler is a netty pipeline element that handles the responder side of an authenticated handshake
+ * and noise encryption/decryption. Authenticated handshakes are noise IK handshakes where the initiator's static public
+ * key is authenticated by the responder.
+ * <p>
+ * The authenticated handshake requires the initiator to provide a payload with their first handshake message that
+ * includes their account identifier and device id in network byte-order. Optionally, the initiator can also include an
+ * initial request in their payload. If provided, this allows the server to begin processing the request without an
+ * initial message delay (fast open).
+ * <pre>
+ * +-----------------+----------------+------------------------+
+ * |    UUID (16)    |  deviceId (1)  |     request bytes (N)  |
+ * +-----------------+----------------+------------------------+
+ * </pre>
+ * <p>
+ * For a successful handshake, the static key provided in the handshake message must match the server's stored public
+ * key for the device identified by the provided ACI and deviceId.
+ * <p>
+ * As soon as the handler authenticates the caller, it will fire a {@link NoiseIdentityDeterminedEvent}.
+ */
+class NoiseAuthenticatedHandler extends NoiseHandler {
+
+  private final ClientPublicKeysManager clientPublicKeysManager;
+
+  NoiseAuthenticatedHandler(final ClientPublicKeysManager clientPublicKeysManager,
+      final ECKeyPair ecKeyPair) {
+    super(new NoiseHandshakeHelper(HandshakePattern.IK, ecKeyPair));
+    this.clientPublicKeysManager = clientPublicKeysManager;
+  }
+
+  @Override
+  CompletableFuture<HandshakeResult> handleHandshakePayload(
+      final ChannelHandlerContext context,
+      final Optional<byte[]> initiatorPublicKey,
+      final ByteBuf handshakePayload) throws NoiseHandshakeException {
+    if (handshakePayload.readableBytes() < 17) {
+      throw new NoiseHandshakeException("Invalid handshake payload");
+    }
+
+    final byte[] publicKeyFromClient = initiatorPublicKey
+        .orElseThrow(() -> new IllegalStateException("No remote public key"));
+
+    // Advances the read index by 16 bytes
+    final UUID accountIdentifier = parseUUID(handshakePayload);
+
+    // Advances the read index by 1 byte
+    final byte deviceId = handshakePayload.readByte();
+
+    final ByteBuf fastOpenRequest = handshakePayload.slice();
+    return clientPublicKeysManager
+        .findPublicKey(accountIdentifier, deviceId)
+        .handleAsync((storedPublicKey, throwable) -> {
+          if (throwable != null) {
+            ReferenceCountUtil.release(fastOpenRequest);
+            throw ExceptionUtils.wrap(throwable);
+          }
+          final boolean valid = storedPublicKey
+              .map(spk -> MessageDigest.isEqual(publicKeyFromClient, spk.getPublicKeyBytes()))
+              .orElse(false);
+          if (!valid) {
+            throw ExceptionUtils.wrap(new ClientAuthenticationException());
+          }
+          return new HandshakeResult(
+              fastOpenRequest,
+              Optional.of(new AuthenticatedDevice(accountIdentifier, deviceId)));
+        }, context.executor());
+  }
+
+  /**
+   * Parse a {@link UUID} out of bytes, advancing the readerIdx by 16
+   *
+   * @param bytes The {@link ByteBuf} to read from
+   * @return The parsed UUID
+   * @throws NoiseHandshakeException If a UUID could not be parsed from bytes
+   */
+  private UUID parseUUID(final ByteBuf bytes) throws NoiseHandshakeException {
+    if (bytes.readableBytes() < 16) {
+      throw new NoiseHandshakeException("Could not parse account identifier");
+    }
+    return new UUID(bytes.readLong(), bytes.readLong());
+  }
+}