Decryption failure on first payload : Noise_XX_25519_AESGCM_SHA256

[assegaf]

Hello @rweather

• editted
  nevermind found the problem,
  well.

[rweather]

That's odd. Is the service in question on the public network? If you can make a test program for me that simulates the issue I can take a look to try to figure out what is going wrong. My direct e-mail address is in the README.md file for Noise-Java.

[assegaf]

hi ryhs, thanks for reply,
I sent info and java file for testing in the email, dont worry all data is not private, for testing only,

hopefully I missed something here,

[poma]

Can you tell what was the problem? I'm trying to implement WA noise handshake and have the same issue. I first send my ephemeral, then receive server ephemeral and static, and on static key I get bad tag error.

[rweather]

The problem was never solved by me. Noise-Java implements the current open Noise standard. There is no guarantee that WA is using Noise in exactly the same way. They might be using a prologue value, or they are using an older specification, or a different pattern, or anything. I cannot guess as to how to fix interoperability with such a closed system.

[poma]

From first post it looks like @assegaf has solved this problem. Probably he knows what was wrong,

[assegaf]

@poma wa dont use the same protocol and implementation as the same as rwheather implement, I tried to make server vs client in this rwheater implementation and its working, but when I tried to make a client my own and server to wa , its not working, not even fail login event. but for sure its using local private and public key now.

[ben221199]

Hmmm, I still have the same problem.

[ben221199]

When reading the message with a WhatsApp server, the temp variable is -1 at the following line:

noise-java/src/main/java/com/southernstorm/noise/protocol/AESGCMOnCtrCipherState.java

Line 303 in e5c4138

if ((temp & 0xFF) != 0)

[ben221199]

Also, when using the fallback CipherState, then the temp variable is -1 at the following line:

noise-java/src/main/java/com/southernstorm/noise/protocol/AESGCMFallbackCipherState.java

Line 247 in e5c4138

if ((temp & 0xFF) != 0)

[ben221199]

To fix it, I disabled the throwing of the exception. Then, when the temp is -1, I don't get an error. The data I get is valid protobuf data as expected.

[rweather]

Disabling that line removes the check of the authentication tag. If the decrypted data is correct, but the tag check fails, it usually indicates that key is right but the associated data is different to that which was used when the packet was encrypted. Check that you have the same associated data on both ends of the communication.

[ben221199]

Hmmm okay. Instead of connecting to the WhatsApp server, I made my own server now. I have to disable the same lines still to get it working. However, after the handshake I'm able to send and receive messages from both client and server. So, the things I need to fix are:

• Why do I need to disable the lines to get it working? Why does the MAC verification fail?
• Why does the WhatsApp server not respond after my ClientFinish handshake packet?

Also see: tgalal/yowsup#3037

[ben221199]

@rweather I don't use encryptWithAd and decryptWithAd during the handshake, but I use readMessage and writeMessage, so I'm not messing with any additional data (ad). After the handshake, I use encryptWithAd and decryptWithAd, but the error occurs already during the handshake.

[ben221199]

The encrypted data is 16 bytes longer than the unencrypted data. That extra 16 bytes is the authentication tag. However, checking that tag fails.

[ben221199]

@rweather Somebody found out what was the problem. In WhatsApp, you need a prologue BEFORE starting the handshake:

HandshakeState hs = new HandshakeState("Noise_XX_25519_AESGCM_SHA256",HandshakeState.INITIATOR);
hs.setPrologue(new byte[]{(byte)'W',(byte)'A',0x04,0x00},0,4);
hs.start();

After that,you will not get any errors and also receive FunXMPP from the server.

[y649950268]

@ben221199 I still got this error after setPrologue ...
byte[] keypair = AndroidBase64.decode("OEtgurKn+kBmTmF/YsMOFIpl+7YGzzCp4Kmf5tiTPEd+A4EOnfqtcFqvHnDVBPcFHwNJEyzGD5SItj4Y5/3GDA==", 0); byte[] pub = new byte[32]; byte[] pri = new byte[32]; System.arraycopy(keypair, 0, pub, 0, 32); System.arraycopy(keypair, 32, pri, 0, 32); noiseHandshakeState_ = new HandshakeState("Noise_XX_25519_AESGCM_SHA256", HandshakeState.INITIATOR); noiseHandshakeState_.getLocalKeyPair().setPublicKey(pub, 0); noiseHandshakeState_.getLocalKeyPair().setPrivateKey(pri, 0); noiseHandshakeState_.setPrologue(new byte[]{87, 65, 4, 1}, 0, 4); noiseHandshakeState_.start();
i disabled the exception but no response from whatsapp server!

[ben221199]

Maybe you can take a look at https://github.com/ben221199/WAPI (look for branch java). We can better discuss it there, because it isn't relevant to this package here.