ferogram-mtproto 0.3.8

MTProto 2.0 session management, message framing, DH key exchange and transport abstractions
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

// Copyright (c) Ankit Chaubey <ankitchaubey.dev@gmail.com>
//
// ferogram: async Telegram MTProto client in Rust
// https://github.com/ankit-chaubey/ferogram
//
// Licensed under either the MIT License or the Apache License 2.0.
// See the LICENSE-MIT or LICENSE-APACHE file in this repository:
// https://github.com/ankit-chaubey/ferogram
//
// Feel free to use, modify, and share this code.
// Please keep this notice when redistributing.

use ferogram_crypto::{aes, derive_aes_key_iv_v1};
use sha1::{Digest, Sha1};

fn serialize_inner(
    nonce: i64,
    temp_auth_key_id: i64,
    perm_auth_key_id: i64,
    temp_session_id: i64,
    expires_at: i32,
) -> [u8; 40] {
    let mut out = [0u8; 40];
    out[0..4].copy_from_slice(&0x75a3f765_u32.to_le_bytes());
    out[4..12].copy_from_slice(&nonce.to_le_bytes());
    out[12..20].copy_from_slice(&temp_auth_key_id.to_le_bytes());
    out[20..28].copy_from_slice(&perm_auth_key_id.to_le_bytes());
    out[28..36].copy_from_slice(&temp_session_id.to_le_bytes());
    out[36..40].copy_from_slice(&expires_at.to_le_bytes());
    out
}

/// Build the `encrypted_message` bytes for `auth.bindTempAuthKey`.
pub fn encrypt_bind_inner(
    perm_auth_key: &[u8; 256],
    msg_id: i64,
    nonce: i64,
    temp_auth_key_id: i64,
    perm_auth_key_id: i64,
    temp_session_id: i64,
    expires_at: i32,
) -> Vec<u8> {
    let inner = serialize_inner(
        nonce,
        temp_auth_key_id,
        perm_auth_key_id,
        temp_session_id,
        expires_at,
    );

    let header_len = 32usize;
    let content_len = header_len + 40;
    let pad_len = (16 - content_len % 16) % 16;
    let total = content_len + pad_len;

    let mut rnd = [0u8; 24];
    getrandom::getrandom(&mut rnd).expect("getrandom");

    let mut plaintext = Vec::with_capacity(total);
    plaintext.extend_from_slice(&rnd[..8]);
    plaintext.extend_from_slice(&rnd[8..16]);
    plaintext.extend_from_slice(&msg_id.to_le_bytes());
    plaintext.extend_from_slice(&0i32.to_le_bytes());
    plaintext.extend_from_slice(&40u32.to_le_bytes());
    plaintext.extend_from_slice(&inner);
    plaintext.extend_from_slice(&rnd[16..16 + pad_len]);
    assert_eq!(plaintext.len(), total);

    let hash: [u8; 20] = {
        let mut h = Sha1::new();
        h.update(&plaintext[..content_len]);
        h.finalize().into()
    };
    let mut msg_key = [0u8; 16];
    msg_key.copy_from_slice(&hash[4..20]);

    let (aes_key, aes_iv) = derive_aes_key_iv_v1(perm_auth_key, &msg_key);
    aes::ige_encrypt(&mut plaintext, &aes_key, &aes_iv);

    let key_sha: [u8; 20] = {
        let mut h = Sha1::new();
        h.update(perm_auth_key);
        h.finalize().into()
    };

    let mut result = Vec::with_capacity(8 + 16 + plaintext.len());
    result.extend_from_slice(&key_sha[12..20]);
    result.extend_from_slice(&msg_key);
    result.extend_from_slice(&plaintext);
    result
}

/// Serialize `auth.bindTempAuthKey#cdd42a05` to raw TL bytes.
pub fn serialize_bind_temp_auth_key(
    perm_auth_key_id: i64,
    nonce: i64,
    expires_at: i32,
    encrypted_message: &[u8],
) -> Vec<u8> {
    let mut out = Vec::new();
    out.extend_from_slice(&0xcdd42a05_u32.to_le_bytes());
    out.extend_from_slice(&perm_auth_key_id.to_le_bytes());
    out.extend_from_slice(&nonce.to_le_bytes());
    out.extend_from_slice(&expires_at.to_le_bytes());
    tl_write_bytes(&mut out, encrypted_message);
    out
}

/// Returns the auth-key ID: SHA-1(key)[12..20] as little-endian i64.
pub fn auth_key_id_from_key(key: &[u8; 256]) -> i64 {
    use sha1::{Digest, Sha1};
    let hash: [u8; 20] = Sha1::new().chain_update(key).finalize().into();
    i64::from_le_bytes(hash[12..20].try_into().unwrap())
}

/// Generate a monotonic MTProto message ID from the current system clock.
///
/// The previous implementation used `nanos & !3` (clears bottom 2 bits), which
/// produces values in range 0..999_999_996. `EncryptedSession::next_msg_id` uses
/// `nanos << 2` (multiply by 4), range 0..3_999_999_996. At the same wall-clock
/// instant the old `gen_msg_id` output was 4x smaller in the lower 32 bits than
/// any msg_id already assigned by the session, triggering `bad_msg_notification`
/// code 16 (msg_id too low) from the server on the bind request.
/// Uses `nanos << 2` to match the session's scaling exactly.
pub fn gen_msg_id() -> i64 {
    use std::time::{SystemTime, UNIX_EPOCH};
    let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap();
    let secs = now.as_secs();
    let nanos = now.subsec_nanos() as u64;
    // Use same formula as EncryptedSession::next_msg_id: nanos << 2.
    // Bottom 2 bits are 0 (plaintext DH handshake message; not content-related).
    ((secs << 32) | (nanos << 2)) as i64
}

fn tl_write_bytes(out: &mut Vec<u8>, data: &[u8]) {
    let len = data.len();
    if len < 254 {
        out.push(len as u8);
        out.extend_from_slice(data);
        let pad = (4 - (1 + len) % 4) % 4;
        out.extend(std::iter::repeat_n(0u8, pad));
    } else {
        out.push(0xfe);
        out.push((len & 0xff) as u8);
        out.push(((len >> 8) & 0xff) as u8);
        out.push(((len >> 16) & 0xff) as u8);
        out.extend_from_slice(data);
        let pad = (4 - (4 + len) % 4) % 4;
        out.extend(std::iter::repeat_n(0u8, pad));
    }
}