Freedom-Club-Sec
diff --git a/‎logic/background_worker.py‎
Lines changed: 0 additions & 1 deletion b/‎logic/background_worker.py‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎logic/contacts.py‎
Lines changed: 8 additions & 13 deletions b/‎logic/contacts.py‎
Lines changed: 8 additions & 13 deletions
diff --git a/‎logic/get_user.py‎
Lines changed: 9 additions & 13 deletions b/‎logic/get_user.py‎
Lines changed: 9 additions & 13 deletions
diff --git a/‎logic/message.py‎
Lines changed: 32 additions & 25 deletions b/‎logic/message.py‎
Lines changed: 32 additions & 25 deletions
@@ -1,7 +1,6 @@
 from core.requests import http_request
 from logic.storage import save_account_data
 from logic.contacts import save_contact
-from logic.get_user import get_target_lt_public_key
 from logic.smp import smp_unanswered_questions, smp_data_handler
 from logic.pfs import pfs_data_handler
 from logic.message import messages_data_handler
 
@@ -29,19 +29,21 @@ def generate_random_nickname(user_data: dict, user_data_lock, contact_id: str, n
             return nickname
 
 
-def save_contact(user_data: dict, user_data_lock, contact_id: str, contact_public_key: bytes) -> None:
+def save_contact(user_data: dict, user_data_lock, contact_id: str) -> None:
     with user_data_lock:
         if contact_id in user_data["contacts"]:
             raise ValueError("Contact already saved!")
 
-        for i, v in user_data["contacts"].items():
-            if v["lt_sign_public_key"] == contact_public_key:
-                raise ValueError("Contact long-term auth signing public-key is duplicated, and we have no idea why")
-       
 
         user_data["contacts"][contact_id] = {
                 "nickname": None,
-                "lt_sign_public_key": contact_public_key,
+                "lt_sign_keys": {
+                    "contact_public_key": None,
+                    "our_keys": {
+                            "private_key": None,
+                            "public_key": None        
+                        }
+                    },
                 "lt_sign_key_smp": {
                     "verified": False,
                     "pending_verification": False,
@@ -63,13 +65,6 @@ def save_contact(user_data: dict, user_data_lock, contact_id: str, contact_publi
                     "contact_hash_chain": None
 
                 },
-                "message_sign_keys": {
-                    "contact_public_key": None,
-                    "our_keys": {
-                        "private_key": None,
-                        "public_key": None        
-                    }
-                },
                 "our_pads": {
                     "replay_protection_number": None,
                     "pads": None
 
@@ -1,28 +1,24 @@
-from base64 import b64decode
 from core.requests import http_request
 
-def get_target_lt_public_key(user_data: dict, target_id: str) -> bytes:
-    url = user_data["server_url"]
+def check_if_contact_exists(user_data: dict, user_data_lock, contact_id: str) -> bool:
+    with user_data_lock:
+        url = user_data["server_url"]
 
     try:
-        response = http_request(f"{url}/get_user?user_id={target_id}", "GET")
+        response = http_request(f"{url}/get_user?user_id={contact_id}", "GET")
     except:
         raise ValueError("Could not connect to server, try again")
 
     if not "status" in response:
-        raise ValueError("Server gave a malformed response! This could be a malicious act, we suggest you retry and if problem persists use another server")
+        raise ValueError("Server gave a malformed response")
 
-    if response["status"] == "failure" or not response.get("public_key"):
+    if response["status"] == "failure":
         if not 'error' in response:
-            raise ValueError("Server gave a malformed response! This could be a malicious act, we suggest you retry and if problem persists use another server")
+            raise ValueError("Server gave a malformed response")
         else:
             raise ValueError(response["error"][:1024])
 
     if response["status"] == "success":
+        return True 
 
-        # Dry run to validate server's base64. Helps prevents denial-of-service startup crashes -
-        # when client first reads parses their account file
-        try:
-            return b64decode(response["public_key"], validate=True)
-        except:
-            raise ValueError("Server gave a malformed public_key! This could be a malicious act, we suggest you retry and if problem persists use another server")
+    return False
@@ -1,6 +1,6 @@
 from core.requests import http_request
 from logic.storage import save_account_data
-from logic.pfs import send_new_ephemeral_keys, rotate_ephemeral_keys
+from logic.pfs import send_new_ephemeral_keys
 from core.crypto import *
 from core.constants import *
 from base64 import b64decode, b64encode
@@ -74,10 +74,12 @@ def send_message_processor(user_data, user_data_lock, contact_id: str, message:
 
 
         contact_kyber_public_key = user_data["contacts"][contact_id]["ephemeral_keys"]["contact_public_key"]
-        our_d5_private_key       = user_data["contacts"][contact_id]["message_sign_keys"]["our_keys"]["private_key"]
+        our_lt_private_key       = user_data["contacts"][contact_id]["lt_sign_keys"]["our_keys"]["private_key"]
 
 
-    if (not contact_kyber_public_key) or (not our_d5_private_key):
+     
+    if (not contact_kyber_public_key):
+        logger.debug("This shouldn't usually happen, contact kyber keys are not initialized even once yet???")
         ui_queue.put({
                 "type": "showwarning",
                 "title": f"Warning for {contact_id[:32]}",
@@ -88,41 +90,46 @@ def send_message_processor(user_data, user_data_lock, contact_id: str, message:
         return False
 
 
-    with user_data_lock:
-        our_pads_empty = bool(user_data["contacts"][contact_id]["our_pads"]["pads"])
 
+    with user_data_lock:
+        our_pads = user_data["contacts"][contact_id]["our_pads"]["pads"]
 
-    # If we have keys, but not enough one-time-pads, we send new pads to the contact
-    if not our_pads_empty:
-        logger.debug("Not enough pads to send message")
+    # If we have keys, but no one-time-pads, we send new pads to the contact
+    if not our_pads:
+        logger.debug("We have no pads to send message")
 
-        if not generate_and_send_pads(user_data, user_data_lock, contact_id, contact_kyber_public_key, our_d5_private_key, ui_queue):
-            return False
-        
-       
         with user_data_lock:
-            # Increment the rotation_counter
-            user_data["contacts"][contact_id]["ephemeral_keys"]["rotation_counter"] += 1
-
+        
             rotation_counter = user_data["contacts"][contact_id]["ephemeral_keys"]["rotation_counter"]
             rotate_at        = user_data["contacts"][contact_id]["ephemeral_keys"]["rotate_at"]
 
-        
-        logger.debug("Incremented rotation_counter by 1. (%d)", rotation_counter)
 
-        # See if we should rotate our keys
+        # We rotate keys before generating and sending new batch of pads because
+        # ephemeral key exchanges always get processed before messages do.
+        # Which means if we generate and send pads with contact's, we would be using his old key, which would get overriden by the request, even if we send pads first
+        # This is because of our server archiecture which prioritizes PFS requests before messages.
+        #
         if rotation_counter == rotate_at:
             logger.info("We are rotating our ephemeral keys for contact (%s)", contact_id)
             ui_queue.put({"type": "showinfo", "title": "Perfect Forward Secrecy", "message": f"We are rotating our ephemeral keys for contact ({contact_id[:32]})"})
-            rotate_ephemeral_keys(user_data, user_data_lock, contact_id, ui_queue)
+            send_new_ephemeral_keys(user_data, user_data_lock, contact_id, ui_queue)
 
             save_account_data(user_data, user_data_lock)
             return False
+
+        if not generate_and_send_pads(user_data, user_data_lock, contact_id, contact_kyber_public_key, our_lt_private_key, ui_queue):
+            return False
 
+
+        with user_data_lock:
+            our_pads = user_data["contacts"][contact_id]["our_pads"]["pads"]
+
+            user_data["contacts"][contact_id]["ephemeral_keys"]["rotation_counter"] += 1
+
+        logger.debug("Incremented rotation_counter by 1. (%d)", rotation_counter)
 
 
     with user_data_lock:
-        our_pads = user_data["contacts"][contact_id]["our_pads"]["pads"]
         replay_protection_number = user_data["contacts"][contact_id]["our_pads"]["replay_protection_number"]
 
     message_encoded = message.encode("utf-8")
@@ -173,7 +180,7 @@ def send_message_processor(user_data, user_data_lock, contact_id: str, message:
             "replay_protection_number": replay_protection_number
         })
 
-    json_inner_payload_signature = create_signature("Dilithium5", json_inner_payload.encode("utf-8"), our_d5_private_key)
+    json_inner_payload_signature = create_signature("Dilithium5", json_inner_payload.encode("utf-8"), our_lt_private_key)
     json_inner_payload_signature = b64encode(json_inner_payload_signature).decode()
 
     payload = {
@@ -208,9 +215,9 @@ def messages_data_handler(user_data, user_data_lock, user_data_copied, ui_queue,
         return
 
 
-    contact_d5_public_key = user_data_copied["contacts"][contact_id]["message_sign_keys"]["contact_public_key"]
+    contact_public_key = user_data_copied["contacts"][contact_id]["lt_sign_keys"]["contact_public_key"]
 
-    if not contact_d5_public_key:
+    if not contact_public_key:
         logger.warning("Contact per-contact Dilithium5 public key is missing.. skipping message")
         return
 
@@ -219,7 +226,7 @@ def messages_data_handler(user_data, user_data_lock, user_data_copied, ui_queue,
 
     if message["msg_type"] == "new_otp_batch":
         payload_signature  = b64decode(message["payload_signature"], validate=True)
-        valid_signature = verify_signature("Dilithium5", message["json_payload"].encode("utf-8"), payload_signature, contact_d5_public_key)
+        valid_signature = verify_signature("Dilithium5", message["json_payload"].encode("utf-8"), payload_signature, contact_public_key)
         if not valid_signature:
             logger.debug("Invalid OTP batch signature.. possible MiTM ?")
             return
@@ -247,7 +254,7 @@ def messages_data_handler(user_data, user_data_lock, user_data_copied, ui_queue,
 
     elif message["msg_type"] == "new_message":
         payload_signature  = b64decode(message["payload_signature"], validate=True)
-        valid_signature = verify_signature("Dilithium5", message["json_payload"].encode("utf-8"), payload_signature, contact_d5_public_key)
+        valid_signature = verify_signature("Dilithium5", message["json_payload"].encode("utf-8"), payload_signature, contact_public_key)
         if not valid_signature:
             logger.debug("Invalid new message signature.. possible MiTM ?")
             return