Secret Chats are one-on-one chats wherein messages are encrypted with a key held only by the chat’s participants. Note that the schema for these end-to-end encrypted Secret Chats is different from what is used for cloud chats:
+Secret Chats are one-on-one chats wherein messages are encrypted with a key held only by the chat's participants. Note that the schema for these end-to-end encrypted Secret Chats is different from what is used for cloud chats:
Executing this method before each new key generation procedure is of vital importance. It makes sense to cache the values of the parameters together with the version in order to avoid having to receive all of the values every time. If the version stored on the client is still up-to-date, the server will return the constructor messages.dhConfigNotModified.
Client is expected to check whether p is a safe 2048-bit prime (meaning that both p and (p-1)/2 are prime, and that 2^2047 < p < 2^2048), and that g generates a cyclic subgroup of prime order (p-1)/2, i.e. is a quadratic residue mod p. Since g is always equal to 2, 3, 4, 5, 6 or 7, this is easily done using quadratic reciprocity law, yielding a simple condition on p mod 4g -- namely, p mod 8 = 7 for g = 2; p mod 3 = 2 for g = 3; no extra condition for g = 4; p mod 5 = 1 or 4 for g = 5; p mod 24 = 19 or 23 for g = 6; and p mod 7 = 3, 5 or 6 for g = 7. After g and p have been checked by the client, it makes sense to cache the result, so as to avoid repeating lengthy computations in future. This cache might be shared with one used for Authorization Key generation.
If the client needs additional entropy for the random number generator, it can pass the random_length parameter (random_length> 0) so the server generates its own random sequence random of the appropriate length. -Important: using the server’s random sequence in its raw form may be unsafe, it must be combined with a client sequence.
-Client A computes a 2048-bit number a (using sufficient entropy or the server’s random; see above) and executes messages.requestEncryption after passing in g_a := pow(g, a) mod dh_prime.
Client A computes a 2048-bit number a (using sufficient entropy or the server's random; see above) and executes messages.requestEncryption after passing in g_a := pow(g, a) mod dh_prime.
User B receives the update updateEncryption for all associated authorization keys (all authorized devices) with the chat constructor encryptedChatRequested. The user must be shown basic information about User A and must be prompted to accept or reject the request.
Both clients are to check that g, g_a and g_b are greater than one and smaller than p-1. We recommend checking that g_a and g_b are between 2^{2048-64} and p - 2^{2048-64} as well.
Note 1: in this particular case SHA1 is used here even for MTProto 2.0 secret chats.
Note 2: this fingerprint is used as a sanity check for the key exchange procedure to detect bugs when developing client software — it is not connected to the key visualization used on the clients as means of external authentication in secret chats. Key visualizations on the clients are generated using the first 128 bits of SHA1(initial key) followed by the first 160 bits of SHA256(key used when secret chat was updated to layer 46).
Client B executes messages.acceptEncryption after passing it g_b := pow(g, b) mod dh_prime and key_fingerprint.
For all of Client B’s authorized devices, except the current one, updateEncryption updates are sent with the constructor encryptedChatDiscarded. Thereafter, the only device that will be able to access the secret chat is Device B, which made the call to messages.acceptEncryption.
+For all of Client B's authorized devices, except the current one, updateEncryption updates are sent with the constructor encryptedChatDiscarded. Thereafter, the only device that will be able to access the secret chat is Device B, which made the call to messages.acceptEncryption.
User A will be sent an updateEncryption update with the constructor encryptedChat, for the authorization key that initiated the chat.
With g_b from the update, Client A can also compute the shared key key = (pow(g_b, a) mod dh_prime). If key length < 256 bytes, add several leading zero bytes as padding — so that the key is exactly 256 bytes long. If the fingerprint for the received key is identical to the one that was passed to encryptedChat, incoming messages can be sent and processed. Otherwise, messages.discardEncryption must be executed and the user notified.
Encrypted data is embedded into a messages.sendEncrypted API call and passed to Telegram server for delivery to the other party of the Secret Chat.
As soon as both parties in a secret chat are using at least Layer 73, they should only use MTProto 2.0 for all outgoing messages. Some of the first received messages may use MTProto 1.0, if a sufficiently high starting layer has not been negotiated during the creation of the secret chat. After the first message encrypted with MTProto 2.0 (or the first message with Layer 73 or higher) is received, all messages with higher sequence numbers must be encrypted with MTProto 2.0 as well.
-As long as the current layer is lower than 73, each party should try to decrypt received messages with MTProto 1.0, and if this is not successfull (msg_key does not match), try MTProto 2.0. Once the first MTProto 2.0-encrypted message arrives (or the layer is upgraded to 73), there is no need to try MTProto 1.0 decryption for any of the further messages (unless the client is still waiting for some gaps to be closed).
+As long as the current layer is lower than 73, each party should try to decrypt received messages with MTProto 1.0, and if this is not successful (msg_key does not match), try MTProto 2.0. Once the first MTProto 2.0-encrypted message arrives (or the layer is upgraded to 73), there is no need to try MTProto 1.0 decryption for any of the further messages (unless the client is still waiting for some gaps to be closed).
The steps above are performed in reverse order. When an encrypted message is received, you must check that msg_key is in fact equal to the 128 middle bits of the SHA256 hash of the decrypted message, prepended by 32 bytes taken from the shared key. @@ -137,7 +137,7 @@ If the message layer is greater than the one supported by the client, the user m
Please note that your client must support sequence numbers in Secret Chats to be compatible with official Telegram clients.
All files sent to secret chats are encrypted with one-time keys that are in no way related to the chat’s shared key. Before an encrypted file is sent, it is assumed that the encrypted file’s address will be attached to the outside of an encrypted message using the file parameter of the messages.sendEncryptedFile method and that the key for direct decryption will be sent in the body of the message (the key parameter in the constructors decryptedMessageMediaPhoto, decryptedMessageMediaVideo and decryptedMessageMediaFile.
+All files sent to secret chats are encrypted with one-time keys that are in no way related to the chat's shared key. Before an encrypted file is sent, it is assumed that the encrypted file's address will be attached to the outside of an encrypted message using the file parameter of the messages.sendEncryptedFile method and that the key for direct decryption will be sent in the body of the message (the key parameter in the constructors decryptedMessageMediaPhoto, decryptedMessageMediaVideo and decryptedMessageMediaFile.
Prior to a file being sent to a secret chat, 2 random 256-bit numbers are computed which will serve as the AES key and initialization vector used to encrypt the file. AES-256 encryption with infinite garble extension (IGE) is used in like manner.
The key fingerprint is computed as follows:
Incoming and outgoing encrypted files can be forwarded to other secret chats using the constructor inputEncryptedFile to avoid saving the same content on the server twice.
Secret chats are associated with specific devices (or rather with authorization keys), not users. A conventional message box, which uses pts to describe the client’s status, is not suitable, because it is designed for long-term message storage and message access from different devices.
+Secret chats are associated with specific devices (or rather with authorization keys), not users. A conventional message box, which uses pts to describe the client's status, is not suitable, because it is designed for long-term message storage and message access from different devices.
An additional temporary message queue is introduced as a solution to this problem. When an update regarding a message from a secret chat is sent, a new value of qts is sent, which helps reconstruct the difference if there has been a long break in the connection or in case of loss of an update.
As the number of events increases, the value of qts increases by 1 with each new event. The initial value may not (and will not) be equal to 0.
The fact that events from the temporary queue have been received and stored by the client is acknowledged explicitly by a call to the messages.receivedQueue method or implicitly by a call to updates.getDifference (the value of qts passed, not the final state). All messages acknowledged as delivered by the client, as well as any messages older than 7 days, may (and will) be deleted from the server.
@@ -164,7 +164,7 @@ A subsequent call to messages.sendEThere are two cases when your client must notify the remote client about its local layer:
Secret Chats are one-on-one chats wherein messages are encrypted with a key held only by the chat’s participants. Please note that the schema for end-to-end encrypted Secret Chats is different from what is used for cloud chats:
+Secret Chats are one-on-one chats wherein messages are encrypted with a key held only by the chat's participants. Please note that the schema for end-to-end encrypted Secret Chats is different from what is used for cloud chats:
Executing this method before each new key generation procedure is of vital importance. It makes sense to cache the values of the parameters together with the version in order to avoid having to receive all of the values every time. If the version stored on the client is still up-to-date, the server will return the constructor messages.dhConfigNotModified.
Client is expected to check whether p is a safe 2048-bit prime (meaning that both p and (p-1)/2 are prime, and that 2^2047 < p < 2^2048), and that g generates a cyclic subgroup of prime order (p-1)/2, i.e. is a quadratic residue mod p. Since g is always equal to 2, 3, 4, 5, 6 or 7, this is easily done using quadratic reciprocity law, yielding a simple condition on p mod 4g -- namely, p mod 8 = 7 for g = 2; p mod 3 = 2 for g = 3; no extra condition for g = 4; p mod 5 = 1 or 4 for g = 5; p mod 24 = 19 or 23 for g = 6; and p mod 7 = 3, 5 or 6 for g = 7. After g and p have been checked by the client, it makes sense to cache the result, so as to avoid repeating lengthy computations in future. This cache might be shared with one used for Authorization Key generation.
If the client has an inadequate random number generator, it makes sense to pass the random_length parameter (random_length> 0) so the server generates its own random sequence random of the appropriate length.
-Important: using the server’s random sequence in its raw form may be unsafe. It must be combined with a client sequence, for example, by generating a client random number of the same length (client_random) and using final_random := random XOR client_random.
Client A computes a 2048-bit number a (using sufficient entropy or the server’s random; see above) and executes messages.requestEncryption after passing in g_a := pow(g, a) mod dh_prime.
final_random := random XOR client_random.
+Client A computes a 2048-bit number a (using sufficient entropy or the server's random; see above) and executes messages.requestEncryption after passing in g_a := pow(g, a) mod dh_prime.
User B receives the update updateEncryption for all associated authorization keys (all authorized devices) with the chat constructor encryptedChatRequested. The user must be shown basic information about User A and must be prompted to accept or reject the request.
Both clients are to check that g, g_a and g_b are greater than one and smaller than p-1. We recommend checking that g_a and g_b are between 2^{2048-64} and p - 2^{2048-64} as well.
Having received g_a from the update with encryptedChatRequested, it can immediately generate the final shared key: key = (pow(g_a, b) mod dh_prime). If key length < 256 bytes, add several leading zero bytes as padding — so that the key is exactly 256 bytes long. Its fingerprint, key_fingerprint, is equal to the 64 last bits of SHA1 (key).
Note: this fingerprint is used as a sanity check for the key exchange procedure to detect bugs while developing client software — it is not connected to the key visualization used on the clients as means of external authentication in secret chats. Key visualizations on the clients are generated using the first 128 bits of SHA1(initial key) followed by the first 160 bits of SHA256(key used when secret chat was updated to layer 46).
Client B executes messages.acceptEncryption after passing it g_b := pow(g, b) mod dh_prime and key_fingerprint.
For all of Client B’s authorized devices, except the current one, updateEncryption updates are sent with the constructor encryptedChatDiscarded. Thereafter, the only device that will be able to access the secret chat is Device B, which made the call to messages.acceptEncryption.
+For all of Client B's authorized devices, except the current one, updateEncryption updates are sent with the constructor encryptedChatDiscarded. Thereafter, the only device that will be able to access the secret chat is Device B, which made the call to messages.acceptEncryption.
User A will be sent an updateEncryption update with the constructor encryptedChat, for the authorization key that initiated the chat.
With g_b from the update, Client A can also receive the shared key key = (pow(g_b, a) mod dh_prime). If key length < 256 bytes, add several leading zero bytes as padding — so that the key is exactly 256 bytes long. If the fingerprint for the received key is identical to the one that was passed to encryptedChat, incoming messages can be sent and processed. Otherwise, messages.discardEncryption must be executed and the user notified.
Please note that your client must support sequence numbers in Secret Chats to be compatible with official Telegram clients.
All files sent to secret chats are encrypted with one-time keys that are in no way related to the chat’s shared key. Before an encrypted file is sent, it is assumed that the encrypted file’s address will be attached to the outside of an encrypted message using the file parameter of the messages.sendEncryptedFile method and that the key for direct decryption will be sent in the body of the message (the key parameter in the constructors decryptedMessageMediaPhoto, decryptedMessageMediaVideo and decryptedMessageMediaFile.
+All files sent to secret chats are encrypted with one-time keys that are in no way related to the chat's shared key. Before an encrypted file is sent, it is assumed that the encrypted file's address will be attached to the outside of an encrypted message using the file parameter of the messages.sendEncryptedFile method and that the key for direct decryption will be sent in the body of the message (the key parameter in the constructors decryptedMessageMediaPhoto, decryptedMessageMediaVideo and decryptedMessageMediaFile.
Prior to a file being sent to a secret chat, 2 random 256-bit numbers are computed which will serve as the AES key and initialization vector used to encrypt the file. AES-256 encryption with infinite garble extension (IGE) is used in like manner.
The key fingerprint is computed as follows:
Incoming and outgoing encrypted files can be forwarded to other secret chats using the constructor inputEncryptedFile to avoid saving the same content on the server twice.
Secret chats are associated with specific devices (or rather with authorization keys), not users. A conventional message box, which uses pts to describe the client’s status, is not suitable, because it is designed for long-term message storage and message access from different devices.
+Secret chats are associated with specific devices (or rather with authorization keys), not users. A conventional message box, which uses pts to describe the client's status, is not suitable, because it is designed for long-term message storage and message access from different devices.
An additional temporary message queue is introduced as a solution to this problem. When an update regarding a message from a secret chat is sent, a new value of qts is sent, which helps reconstruct the difference if there has been a long break in the connection or in case of loss of an update.
As the number of events increases, the value of qts increases monotonically (not always by 1). The initial value may not (and will not) be equal to 0.
The fact that events from the temporary queue have been received and stored by the client is acknowledged explicitly by a call to the messages.receivedQueue method or implicitly by a call to updates.getDifference (the value of qts passed, not the final state). All messages acknowledged as delivered by the client, as well as any messages older than 7 days, may (and will) be deleted from the server.
@@ -145,7 +145,7 @@ A subsequent call to messages.sendENote that all pending obsolete layer messages must be sent prior to the layer update notification (more on this in Handling Sequence numbers).
diff --git a/data/corefork.telegram.org/api/errors.html b/data/corefork.telegram.org/api/errors.html index 86cc14b2a0..dd9e8cd6c6 100644 --- a/data/corefork.telegram.org/api/errors.html +++ b/data/corefork.telegram.org/api/errors.html @@ -46,7 +46,7 @@Error Type
A string literal in the form of
/[A-Z_0-9]+/, which summarizes the problem. For example,AUTH_KEY_UNREGISTERED. This is an optional parameter.Error Database
-A full machine-readable JSON list of RPC errors that can be returned by all methods in the API can be found here », what follows is a description of its fields:
+A full machine-readable JSON list of RPC errors that can be returned by all methods in the API can be found here », what follows is a description of its fields:
errors- All error messages and codes for each method (object).-
- Keys: Error codes as strings (numeric strings)
@@ -103,7 +103,7 @@- NETWORK_MIGRATE_X: the source IP address is associated with a different data center (for registration)
- USER_MIGRATE_X: the user whose identity is being used to execute queries is associated with a different data center (for registration)
In all these cases, the error description’s string literal contains the number of the data center (instead of the X) to which the repeated query must be sent. +
In all these cases, the error description's string literal contains the number of the data center (instead of the X) to which the repeated query must be sent. More information about redirects between data centers »
400 BAD_REQUEST
The query contains errors. In the event that a request was created using a form and contains user generated data, the user should be notified that the data must be corrected before the query is repeated.
diff --git a/data/corefork.telegram.org/api/files.html b/data/corefork.telegram.org/api/files.html index 6282ab0f8c..1cfd414551 100644 --- a/data/corefork.telegram.org/api/files.html +++ b/data/corefork.telegram.org/api/files.html @@ -41,7 +41,7 @@-diff --git a/data/corefork.telegram.org/constructor/inputFile.html b/data/corefork.telegram.org/constructor/inputFile.html index 98f9c6c817..004317d7ac 100644 --- a/data/corefork.telegram.org/constructor/inputFile.html +++ b/data/corefork.telegram.org/constructor/inputFile.html @@ -89,7 +89,7 @@When working with the API, it is sometimes necessary to send a relatively large file to the server. For example, when sending a message with a photo/video attachment or when setting the current user’s profile picture.
+When working with the API, it is sometimes necessary to send a relatively large file to the server. For example, when sending a message with a photo/video attachment or when setting the current user's profile picture.
Uploading files
There are a number of API methods to save files. The schema of the types and methods used is presented below:
inputFile#f52ff27f id:long parts:int name:string md5_checksum:string = InputFile; @@ -71,7 +71,7 @@ upload.saveFilePart#b304a621 file_id:long file_part:int bytes:bytes = Bool; upload.saveBigFilePart#de7b673d file_id:long file_part:int file_total_parts:int bytes:bytes = Bool;Before transmitting the contents of the file itself, the file has to be assigned a unique 64-bit client identifier: file_id.
-The file’s binary content is then split into parts. All parts must have the same size ( part_size ) and the following conditions must be met:
+The file's binary content is then split into parts. All parts must have the same size ( part_size ) and the following conditions must be met:
part_size % 1024 = 0(divisible by 1KB)- @@ -100,7 +100,7 @@ After the entire file is successfully saved, the final method may be called and
524288 % part_size = 0(512KB must be evenly divisible by part_size)
- FILE_PARTS_INVALID: The number of file parts is invalid The value is not between 1 and 3,000.
- FILE_PART_Х_MISSING: Part X (where X is a number) of the file is missing from storage. Try repeating the method call to resave the part.
-- MD5_CHECKSUM_INVALID: The file’s checksum did not match the md5_checksum parameter
+- MD5_CHECKSUM_INVALID: The file's checksum did not match the md5_checksum parameter
Albums, grouped media
inputMediaUploadedPhoto#1e287d04 flags:# file:InputFile stickers:flags.0?Vector<InputDocument> ttl_seconds:flags.1?int = InputMedia; diff --git a/data/corefork.telegram.org/api/optimisation.html b/data/corefork.telegram.org/api/optimisation.html index 35d3848e85..84e975b2dc 100644 --- a/data/corefork.telegram.org/api/optimisation.html +++ b/data/corefork.telegram.org/api/optimisation.html @@ -42,10 +42,10 @@Simplified Acknowledgment of Message Delivery
An outgoing message may be considered sent once the server has assigned it an identifier. Normally, a client would learn of this from the result of the messages.sendMessage method. The MTProto server provides a mechanism for “quick acknowledgments". Upon receiving such an acknowledgment, the client may be certain that the call to the send message method has at least been fully received by the server and placed in a processing queue, and can inform the user that the delivery was successful. -It is possible that the server’s actual response will never be received by the client (an interrupted connection; or the app restarts at exactly the wrong time). To correctly handle these situations, you can use a special type of notification generated by the server when updates.getDifference is called: updateMessageID. When processing this notification, the client can use the random_id identifier to associate the previously transmitted message with the one delivered to the server. +It is possible that the server's actual response will never be received by the client (an interrupted connection; or the app restarts at exactly the wrong time). To correctly handle these situations, you can use a special type of notification generated by the server when updates.getDifference is called: updateMessageID. When processing this notification, the client can use the random_id identifier to associate the previously transmitted message with the one delivered to the server. If such a notification is not issued when updates.getDifference is called for one of the previously sent messages, the message must be marked as undelivered.
Server Salt
-Server salt is a 64-bit number added to every outgoing and incoming message. At present, a single salt’s lifespan is 1 hour, following which it is considered invalid and the server will return an error for all the messages that contain it. The error message will contain the correct salt, which may be immediately used for sending. Given this approach, there will always be a period of waiting before the client receives a new salt if it connects to the server less frequently than once an hour. +
Server salt is a 64-bit number added to every outgoing and incoming message. At present, a single salt's lifespan is 1 hour, following which it is considered invalid and the server will return an error for all the messages that contain it. The error message will contain the correct salt, which may be immediately used for sending. Given this approach, there will always be a period of waiting before the client receives a new salt if it connects to the server less frequently than once an hour. For improved performance, there is a special get_future_salts method, which fetches in advance a list of the salts that will be valid during the course of a specified period of time following the call (1 day, for example). A start time and an end time are specified for each salt. The salts overlap one another by half an hour. We recommend always using the record with the longest remaining lifespan.
Downloading Files and Uploading Data to the Server
We recommend that separate connections and sessions be created for these tasks. Remember that the extra sessions must be deleted when no longer needed. diff --git a/data/corefork.telegram.org/api/passport.html b/data/corefork.telegram.org/api/passport.html index 2185be64fc..0189667ff9 100644 --- a/data/corefork.telegram.org/api/passport.html +++ b/data/corefork.telegram.org/api/passport.html @@ -41,7 +41,7 @@
-+Telegram Passport is a unified authorization method for services that require personal identification. Users can upload their documents once, then instantly share their data with services that require real-world ID (finance, ICOs, etc.). Telegram doesn‘t have access to the users’ personal information thanks to end-to-end encryption.
+Telegram Passport is a unified authorization method for services that require personal identification. Users can upload their documents once, then instantly share their data with services that require real-world ID (finance, ICOs, etc.). Telegram doesn‘t have access to the users' personal information thanks to end-to-end encryption.
This page describes the request flow that client apps must used to send the requested data to the service.
Overview
From the perspective of a service that requires real-world ID, the process looks like this:
diff --git a/data/corefork.telegram.org/api/srp.html b/data/corefork.telegram.org/api/srp.html index 94f2217ee9..29a2712695 100644 --- a/data/corefork.telegram.org/api/srp.html +++ b/data/corefork.telegram.org/api/srp.html @@ -112,7 +112,7 @@ The client is expected to check whether p is a safe 2048-bit prk_v := (k * v) mod pFinally, the key exchange process starts on both parties.
-The client computes a 2048-bit number a (using sufficient entropy or the server’s random; see above) and generates:
+The client computes a 2048-bit number a (using sufficient entropy or the server's random; see above) and generates:
diff --git a/data/corefork.telegram.org/constructor/encryptedMessage.html b/data/corefork.telegram.org/constructor/encryptedMessage.html index 62cd050073..a0e48bb2eb 100644 --- a/data/corefork.telegram.org/constructor/encryptedMessage.html +++ b/data/corefork.telegram.org/constructor/encryptedMessage.html @@ -81,7 +81,7 @@
g_a := pow(g, a) mod p.bytes bytes -TL-serialising of DecryptedMessage type, encrypted with the key creatied at stage of chat initialization +TL-serialization of DecryptedMessage type, encrypted with the key created at chat initialization file diff --git a/data/corefork.telegram.org/constructor/encryptedMessageService.html b/data/corefork.telegram.org/constructor/encryptedMessageService.html index 8121e556d2..6523b748a4 100644 --- a/data/corefork.telegram.org/constructor/encryptedMessageService.html +++ b/data/corefork.telegram.org/constructor/encryptedMessageService.html @@ -81,7 +81,7 @@diff --git a/data/corefork.telegram.org/constructor/inputChatUploadedPhoto.html b/data/corefork.telegram.org/constructor/inputChatUploadedPhoto.html index 8f06f3165a..2bb18387a9 100644 --- a/data/corefork.telegram.org/constructor/inputChatUploadedPhoto.html +++ b/data/corefork.telegram.org/constructor/inputChatUploadedPhoto.html @@ -89,7 +89,7 @@ bytes bytes -TL-serialising of DecryptedMessage type, encrypted with the key creatied at stage of chat initialization +TL-serialization of the DecryptedMessage type, encrypted with the key created at chat initialization Related pages
upload.saveFilePart
-Saves a part of file for futher sending to one of the methods.
Saves a part of file for further sending to one of the methods.
Related pages
upload.saveFilePart
-Saves a part of file for futher sending to one of the methods.
+Saves a part of file for further sending to one of the methods.
diff --git a/data/corefork.telegram.org/constructor/inputPeerChat.html b/data/corefork.telegram.org/constructor/inputPeerChat.html index daf77cbfd4..3d253fc819 100644 --- a/data/corefork.telegram.org/constructor/inputPeerChat.html +++ b/data/corefork.telegram.org/constructor/inputPeerChat.html @@ -66,7 +66,7 @@diff --git a/data/corefork.telegram.org/constructor/messageActionChannelMigrateFrom.html b/data/corefork.telegram.org/constructor/messageActionChannelMigrateFrom.html index e2fd9651d8..f1e603bb25 100644 --- a/data/corefork.telegram.org/constructor/messageActionChannelMigrateFrom.html +++ b/data/corefork.telegram.org/constructor/messageActionChannelMigrateFrom.html @@ -66,7 +66,7 @@ chat_id long -Chat idientifier +Chat identifier title string -The old chat tite +The old chat title chat_id diff --git a/data/corefork.telegram.org/constructor/messageActionChatEditPhoto.html b/data/corefork.telegram.org/constructor/messageActionChatEditPhoto.html index 001d1a193a..de1ee890c8 100644 --- a/data/corefork.telegram.org/constructor/messageActionChatEditPhoto.html +++ b/data/corefork.telegram.org/constructor/messageActionChatEditPhoto.html @@ -66,7 +66,7 @@diff --git a/data/corefork.telegram.org/constructor/messages.dhConfig b/data/corefork.telegram.org/constructor/messages.dhConfig index 089a96d996..0ec99cb23e 100644 --- a/data/corefork.telegram.org/constructor/messages.dhConfig +++ b/data/corefork.telegram.org/constructor/messages.dhConfig @@ -76,7 +76,7 @@ photo Photo -New group pofile photo +New group profile photo version int -Vestion of set of parameters +Version of set of parameters random diff --git a/data/corefork.telegram.org/constructor/replyKeyboardForceReply.html b/data/corefork.telegram.org/constructor/replyKeyboardForceReply.html index 3ea0291314..354820f010 100644 --- a/data/corefork.telegram.org/constructor/replyKeyboardForceReply.html +++ b/data/corefork.telegram.org/constructor/replyKeyboardForceReply.html @@ -76,7 +76,7 @@selective flags.2?true -Use this parameter if you want to show the keyboard to specific users only. Targets: 1) users that are @mentioned in the text of the Message object; 2) if the bot's message is a reply (has reply_to_message_id), sender of the original message. +
Example: A user requests to change the bot‘s language, bot replies to the request with a keyboard to select the new language. Other users in the group don’t see the keyboard.Use this parameter if you want to show the keyboard to specific users only. Targets: 1) users that are @mentioned in the text of the Message object; 2) if the bot's message is a reply (has reply_to_message_id), sender of the original message.
Example: A user requests to change the bot‘s language, bot replies to the request with a keyboard to select the new language. Other users in the group don't see the keyboard.placeholder diff --git a/data/corefork.telegram.org/constructor/replyKeyboardMarkup.html b/data/corefork.telegram.org/constructor/replyKeyboardMarkup.html index 25c5c2a1b3..2e53fb3100 100644 --- a/data/corefork.telegram.org/constructor/replyKeyboardMarkup.html +++ b/data/corefork.telegram.org/constructor/replyKeyboardMarkup.html @@ -81,7 +81,7 @@selective flags.2?true -Use this parameter if you want to show the keyboard to specific users only. Targets: 1) users that are @mentioned in the text of the Message object; 2) if the bot's message is a reply (has reply_to_message_id), sender of the original message. +
Example: A user requests to change the bot‘s language, bot replies to the request with a keyboard to select the new language. Other users in the group don’t see the keyboard.Use this parameter if you want to show the keyboard to specific users only. Targets: 1) users that are @mentioned in the text of the Message object; 2) if the bot's message is a reply (has reply_to_message_id), sender of the original message.
Example: A user requests to change the bot‘s language, bot replies to the request with a keyboard to select the new language. Other users in the group don't see the keyboard.rows diff --git a/data/corefork.telegram.org/method/invokeAfterMsg.html b/data/corefork.telegram.org/method/invokeAfterMsg.html index d4f6ccbb99..9177d6a482 100644 --- a/data/corefork.telegram.org/method/invokeAfterMsg.html +++ b/data/corefork.telegram.org/method/invokeAfterMsg.html @@ -4,10 +4,10 @@invokeAfterMsg - + - + @@ -39,7 +39,7 @@invokeAfterMsg
-Invokes a query after successfull completion of one of the previous queries.
+Invokes a query after successful completion of one of the previous queries.
- diff --git a/data/corefork.telegram.org/method/invokeAfterMsgs.html b/data/corefork.telegram.org/method/invokeAfterMsgs.html index 12d1580407..5a0e61071f 100644 --- a/data/corefork.telegram.org/method/invokeAfterMsgs.html +++ b/data/corefork.telegram.org/method/invokeAfterMsgs.html @@ -4,10 +4,10 @@
invokeAfterMsgs - + - + @@ -39,7 +39,7 @@invokeAfterMsgs
-Invokes a query after a successfull completion of previous queries
+Invokes a query after a successful completion of previous queries
diff --git a/data/corefork.telegram.org/method/upload.saveFilePart b/data/corefork.telegram.org/method/upload.saveFilePart index d0a6bfa059..69ed3331a0 100644 --- a/data/corefork.telegram.org/method/upload.saveFilePart +++ b/data/corefork.telegram.org/method/upload.saveFilePart @@ -4,10 +4,10 @@
- diff --git a/data/corefork.telegram.org/method/photos.uploadProfilePhoto b/data/corefork.telegram.org/method/photos.uploadProfilePhoto index 36394663f7..0a976e4742 100644 --- a/data/corefork.telegram.org/method/photos.uploadProfilePhoto +++ b/data/corefork.telegram.org/method/photos.uploadProfilePhoto @@ -143,7 +143,7 @@
Related pages
upload.saveFilePart
-Saves a part of file for futher sending to one of the methods.
+Saves a part of file for further sending to one of the methods.
Uploading and Downloading Files
How to transfer large data batches correctly.
upload.saveFilePart - + - + @@ -39,7 +39,7 @@upload.saveFilePart
-diff --git a/data/corefork.telegram.org/mtproto/service_messages_about_messages.html b/data/corefork.telegram.org/mtproto/service_messages_about_messages.html index d271a6e13d..9fb9074f53 100644 --- a/data/corefork.telegram.org/mtproto/service_messages_about_messages.html +++ b/data/corefork.telegram.org/mtproto/service_messages_about_messages.html @@ -68,7 +68,7 @@ bad_server_salt#edab447b bad_msg_id:long bad_msg_seqno:int error_code:int new_seSaves a part of file for futher sending to one of the methods.
+Saves a part of file for further sending to one of the methods.
+
- diff --git a/data/corefork.telegram.org/mtproto.html b/data/corefork.telegram.org/mtproto.html index 430aa6a267..84cd3607ad 100644 --- a/data/corefork.telegram.org/mtproto.html +++ b/data/corefork.telegram.org/mtproto.html @@ -128,15 +128,15 @@ MTProto v1.0 (described here for reference) is depreca
For a technical specification, see Mobile Protocol: Detailed Description
The first thing a client application must do is create an authorization key which is normally generated when it is first run and almost never changes.
-The protocol’s principal drawback is that an intruder passively intercepting messages and then somehow appropriating the authorization key (for example, by stealing a device) will be able to decrypt all the intercepted messages post factum. This probably is not too much of a problem (by stealing a device, one could also gain access to all the information cached on the device without decrypting anything); however, the following steps could be taken to overcome this weakness:
+The protocol's principal drawback is that an intruder passively intercepting messages and then somehow appropriating the authorization key (for example, by stealing a device) will be able to decrypt all the intercepted messages post factum. This probably is not too much of a problem (by stealing a device, one could also gain access to all the information cached on the device without decrypting anything); however, the following steps could be taken to overcome this weakness:
- Session keys generated using the Diffie-Hellman protocol and used in conjunction with the authorization and the message keys to select AES parameters. To create these, the first thing a client must do after creating a new session is send a special RPC query to the server (“generate session key”) to which the server will respond, whereupon all subsequent messages within the session are encrypted using the session key as well.
- Protecting the key stored on the client device with a (text) password; this password is never stored in memory and is entered by a user when starting the application or more frequently (depending on application settings).
- Data stored (cached) on the user device can also be protected by encryption using an authorization key which, in turn, is to be password-protected. Then, a password will be required to gain access even to that data.
Time Synchronization
-If client time diverges widely from server time, a server may start ignoring client messages, or vice versa, because of an invalid message identifier (which is closely related to creation time). Under these circumstances, the server will send the client a special message containing the correct time and a certain 128-bit salt (either explicitly provided by the client in a special RPC synchronization request or equal to the key of the latest message received from the client during the current session). This message could be the first one in a container that includes other messages (if the time discrepancy is significant but does not as yet result in the client’s messages being ignored).
-Having received such a message or a container holding it, the client first performs a time synchronization (in effect, simply storing the difference between the server’s time and its own to be able to compute the “correct” time in the future) and then verifies that the message identifiers for correctness.
+If client time diverges widely from server time, a server may start ignoring client messages, or vice versa, because of an invalid message identifier (which is closely related to creation time). Under these circumstances, the server will send the client a special message containing the correct time and a certain 128-bit salt (either explicitly provided by the client in a special RPC synchronization request or equal to the key of the latest message received from the client during the current session). This message could be the first one in a container that includes other messages (if the time discrepancy is significant but does not as yet result in the client's messages being ignored).
+Having received such a message or a container holding it, the client first performs a time synchronization (in effect, simply storing the difference between the server's time and its own to be able to compute the “correct” time in the future) and then verifies that the message identifiers for correctness.
Where a correction has been neglected, the client will have to generate a new session to assure the monotonicity of message identifiers.
MTProto transport
Before being sent using the selected transport protocol, the payload has to be wrapped in a secondary protocol header, defined by the appropriate MTProto transport protocol.
diff --git a/data/corefork.telegram.org/mtproto/TL-abstract-types.html b/data/corefork.telegram.org/mtproto/TL-abstract-types.html index 79f5d13c1a..b12b4f4c98 100644 --- a/data/corefork.telegram.org/mtproto/TL-abstract-types.html +++ b/data/corefork.telegram.org/mtproto/TL-abstract-types.html @@ -4,10 +4,10 @@Binary serialization and abstract TL types - + - + @@ -39,10 +39,10 @@Binary serialization and abstract TL types
-diff --git a/data/corefork.telegram.org/mtproto/description.html b/data/corefork.telegram.org/mtproto/description.html index f1fffd7c32..7946155646 100644 --- a/data/corefork.telegram.org/mtproto/description.html +++ b/data/corefork.telegram.org/mtproto/description.html @@ -126,7 +126,7 @@ MTProto v.1.0 is deprecated and is currently being phased out.TL Language defines abstract data types in the spirit of a general theory of types (more accurately, Martin-Löf’s theories of dependent intuitionistic types) without specifying the values of these types should be represented in memory, when saved to disk, or transmitted over a network. In contrast, the article on binary serialization discusses the problem of effective serialization of values of abstract types. To this end, the concept of a concrete or serialized type has been defined as the sets of serializations of all possible values of the corresponding abstract type. In this case, the serializations take values in the set A of words in the alphabet A*, which consists of 2^32 characters -- 32-bit integers.
+diff --git a/data/corefork.telegram.org/mtproto/TL-combinators.html b/data/corefork.telegram.org/mtproto/TL-combinators.html index db917e56e8..865ce9ec91 100644 --- a/data/corefork.telegram.org/mtproto/TL-combinators.html +++ b/data/corefork.telegram.org/mtproto/TL-combinators.html @@ -82,13 +82,13 @@ Combinators in TL are…">TL Language defines abstract data types in the spirit of a general theory of types (more accurately, Martin-Löf's theories of dependent intuitionistic types) without specifying the values of these types should be represented in memory, when saved to disk, or transmitted over a network. In contrast, the article on binary serialization discusses the problem of effective serialization of values of abstract types. To this end, the concept of a concrete or serialized type has been defined as the sets of serializations of all possible values of the corresponding abstract type. In this case, the serializations take values in the set A of words in the alphabet A*, which consists of 2^32 characters -- 32-bit integers.
In order to use a TL schema (e.g. “program”) in the TL language to describe the serialization of values of abstract types, we should explain how the concrete type [T] (subset [T] of A^) is associated with the abstract type T (defined in TL), and how the values of the abstract type T correspond to the values of the concrete type [T] (i.e. the elements of [T]*).
Serialization is the process of constructing an element of [T] based on a value of the abstract type T. The reverse process is deserialization.
-Values of the abstract type T may be represented in a different way. Typically, some sort of trees or graphs are used in memory or, if desired, a set of nodes may be used, each of which contains a certain tag (“node type”) and several pointers to other nodes and/or values of built-in primitive types such as
+int. However, for general discussions it is useful to write the values of abstract type T as a string, more specifically, an S-expression. Recall that an S-expression is either an atom (the value of a primitive type, for example, an integer or a string constant in quotation marks; or an identifier that corresponds to a built-in or defined function) or a space-delimited list of S-expressions ending in parentheses. In our case, we use S-expressions, the first element of which is a combinator identifier, while the remaining elements (the number of which depends on the combinator's arity) are S-expressions representing elements of the chosen combinator's fields (or parameters). Moreover, the type of the arguments’ S-expressions and the type of the S-expressions of the result (e.g. the associated expression) must match.Values of the abstract type T may be represented in a different way. Typically, some sort of trees or graphs are used in memory or, if desired, a set of nodes may be used, each of which contains a certain tag (“node type”) and several pointers to other nodes and/or values of built-in primitive types such as
int. However, for general discussions it is useful to write the values of abstract type T as a string, more specifically, an S-expression. Recall that an S-expression is either an atom (the value of a primitive type, for example, an integer or a string constant in quotation marks; or an identifier that corresponds to a built-in or defined function) or a space-delimited list of S-expressions ending in parentheses. In our case, we use S-expressions, the first element of which is a combinator identifier, while the remaining elements (the number of which depends on the combinator's arity) are S-expressions representing elements of the chosen combinator's fields (or parameters). Moreover, the type of the arguments' S-expressions and the type of the S-expressions of the result (e.g. the associated expression) must match.For example, for the schema
pair x:int y:int = Pair; pnil = PairList; @@ -68,7 +68,7 @@ pcons hd:Pair tl:PairList = PairList;If we use [T] to denote the concrete type corresponding to the abstract T, and [E] to denote an element of [T] corresponding to the value E of type T, then the last rule may be written as:
-
- [T] is the combination, for each constructor of type C T1->T2->...->Tr->T (i.e. that returns a value of type T), of direct products {C} x [T1] x [T2] x ... x [Tr], where {C} is a single-element set consisting of the combinator number C. Because {C}<>{C'} when C<>C’, this defines a mutually single-valued mapping of the values of the abstract type T (written using S-expressions) to the set [T].
+- [T] is the combination, for each constructor of type C T1->T2->...->Tr->T (i.e. that returns a value of type T), of direct products {C} x [T1] x [T2] x ... x [Tr], where {C} is a single-element set consisting of the combinator number C. Because {C}<>{C'} when C<>C', this defines a mutually single-valued mapping of the values of the abstract type T (written using S-expressions) to the set [T].
Values of the built-in clothed types
IntandStringand serialized as if they were defined usingint x:int = Int;andstring s:string = String;, i.e. the serialization of integer constant or a string is preceded by number of theintorstringcombinator (constructor). In S-expressions, this may be written as(int 5)or(string "Test").However, what has been described above does not account for certain subtleties, such as the existence of naked types, or the difference between functions (active combinators whose application may be reduced, e.g. calculated) and constructors (passive combinators for which there are not and cannot be reduction rules). Furthermore, we have not explained how to handle polymorphic types and optional combinator parameters. We will attempt to explain this now.
@@ -87,7 +87,7 @@ pcons hd:Pair tl:PairList = PairList;In practice, we most frequently need constant values (for storage and passing any data structures, in particular, responses to RPC queries) and surface expressions (for example, as RPC queries: then the functional combinator of the outer level is the name of the RPC function that we want to call, while its parameters are the arguments, which are constant values, for invoking the function). In some cases, arbitrary functional expressions are helpful (for example, it we want to remotely transmit the result of one RPC query to a different RPC query).
We will use c(T) to denote a subtype of the abstract type T, whose values are constant expressions of type T. Clearly, c(T) possesses approximately the same constructors as T itself (with the types of all arguments Ti replaced by c(Ti), but it does not have functional combinators.
-Analogously, we will use f(T) to denote a subtype of T, whose values are surface expressions of type T. Clearly, the combinators of f(T) are essentially functional combinators of type T, but c() applies to the types of these combinators’ arguments: The combinator A : T1->...->Tr->T turns into A' : c(T1)->...->c(Tr)->f(T). (See the clarification of this rule below.)
+Analogously, we will use f(T) to denote a subtype of T, whose values are surface expressions of type T. Clearly, the combinators of f(T) are essentially functional combinators of type T, but c() applies to the types of these combinators' arguments: The combinator A : T1->...->Tr->T turns into A' : c(T1)->...->c(Tr)->f(T). (See the clarification of this rule below.)
Thus, we have defined two “functionals” c : Type -> Type and f : Type -> Type, such that forall T : Type, c(T) :- T and forall T : Type, f(T) :- T (writing T :- T' means that T is contained in T', or that T is a subtype of T').
We will assume that c and f are idempotent.
Naked types
@@ -107,12 +107,12 @@ pcons hd:Pair tl:PairList = PairList;-pair {X Y : Type} x:X y:Y = Pair X Y; // constructor seq_pair {X Y : Type} x:!X y:!Y = Pair X Y; // functional wrapper for sequential computation par_pair {X Y : Type} x:!X y:!Y = Pair X Y; // functional wrapper for parallel computationNow the RPC query
+(seq_pair (factorial 2) (factorial 3)) : Pair int intfirst calculates factorial 2, then factorial 3, and returns the pair(pair 2 6). In this case, the sequence of operations isn’t important, because they do not have side effects. It would have been just as well to use(par_pair (factorial 2) (factorial 3)). However, this is not always the case.Now the RPC query
(seq_pair (factorial 2) (factorial 3)) : Pair int intfirst calculates factorial 2, then factorial 3, and returns the pair(pair 2 6). In this case, the sequence of operations isn't important, because they do not have side effects. It would have been just as well to use(par_pair (factorial 2) (factorial 3)). However, this is not always the case.We can also define an analogy to a “comma” operation:
comma {X Y : Type} x:!X y:!Y = Y;For example, this operation could first calculate
x, then forget the result, calculatey, and returny.Note that the semantics of the
-seq_pair,par_pairandcommawrappers are indeed defined where they are implemented (like the semantics of all other functional combinators), not by their TL declaration.In principle, polymorphic wrappers like
+set_timeoutcan also be applied, for example, to “annotate” a RPC response’s constant values. For example, the server might return a response to a query together with the time it was calculated. However, a value of type !X must be constant, because that is what is expected as the enclosing expression’s value. In other words,set_timeout 239 Eis a constant/surface value of type X if and only if E is such itself.In principle, polymorphic wrappers like
set_timeoutcan also be applied, for example, to “annotate” a RPC response's constant values. For example, the server might return a response to a query together with the time it was calculated. However, a value of type !X must be constant, because that is what is expected as the enclosing expression's value. In other words,set_timeout 239 Eis a constant/surface value of type X if and only if E is such itself.
$modifierThe idempotent modifier
$permits the use of arbitrary functional values of an appropriate type in contexts where only constants or surface values are usually allowed. It recursively transforms all combinators for all of the types involved, canceling the action of%and affixing$to the parameter types and result of all combinators ($is also added to the front of the transformed combinators). Moreover, built-in types are also transformed (in the final stage):$int = Intand$string = String.This may be useful to create an RPC query that performs a “deep computation” of the expression passed to it:
@@ -122,9 +122,9 @@ par_pair {X Y : Type} x:!X y:!Y = Pair X Y; // functional wrapper for parallel c(Note that the three has become clothed; the combinator $factorial has type $int -> $int).
This is very powerful tool. It does not have to be implemented in very simple versions of TL.
$is not encountered in currently used TL schemas.More on modifiers
-In fact, at least in terms of its application to serialization, the TL language by default implies the c() modifier around all combinators’ parameter types and results, while
+!and$cancel it (more accurately,!only cancels, and in some sense$reverses the meaning). This is why there is no explicitc()modifier in TL and why it is assumed that all functions only accept constant values and return constant results, unless otherwise specified.In fact, at least in terms of its application to serialization, the TL language by default implies the c() modifier around all combinators' parameter types and results, while
!and$cancel it (more accurately,!only cancels, and in some sense$reverses the meaning). This is why there is no explicitc()modifier in TL and why it is assumed that all functions only accept constant values and return constant results, unless otherwise specified.You may think that some functional combinators may have a type such as
-partial_factorial n:int = $int;and that the RPC query(partial_factorial 3)might then unexpectedly return($product (int 3) ($product (int 2) ($product (int 1) (int 1)))) : $int...It is probably more correct to think about the
+!modifier as follows. All types initially include only constant values (and only constructors). The!modifier makes a new type (it’s twin) out of each type. This new type has no inherent constructors. Functional combinators differ from constructors in that!is implicitly added in front of their result’s type. After this, the (local or remote) process of calculating the expression can be represented using the polymorphic functioneval : !X -> X.It is probably more correct to think about the
!modifier as follows. All types initially include only constant values (and only constructors). The!modifier makes a new type (it's twin) out of each type. This new type has no inherent constructors. Functional combinators differ from constructors in that!is implicitly added in front of their result's type. After this, the (local or remote) process of calculating the expression can be represented using the polymorphic functioneval : !X -> X.Optional combinator parameters and their values
Any identifier that begins with an uppercase or lowercase letter and which does not contain references to a namespace can be a field (variable) identifier. Using uc-ident for identifiers of variable types and lc-indent for other variables is good practice.
- -
Next a combinator declaration contains the equals sign (
+=) and the result type (it may be composite or appearing for the first time). The result type may be polymorphic and/or dependent; any fields of the defined constructor’s fields of typeTypeor#may be returned (as subexpressions).Next a combinator declaration contains the equals sign (
=) and the result type (it may be composite or appearing for the first time). The result type may be polymorphic and/or dependent; any fields of the defined constructor's fields of typeTypeor#may be returned (as subexpressions).- -
A combinator declaration is terminated with a semicolon.
In what follows, a constructor’s fields, variables, and arguments mean the same thing.
+In what follows, a constructor's fields, variables, and arguments mean the same thing.
Optional field declarations
- @@ -122,7 +122,7 @@ Combinators in TL are…">
Required field declarations follow one after another, separated by spaces (by any number of whitespace symbols, to be more precise).
- -
The declared field’s type (type-expr) may use the declared combinator's previously defined variables (fields) as subexpressions (i.e. parameter values). For example:
+The declared field's type (type-expr) may use the declared combinator's previously defined variables (fields) as subexpressions (i.e. parameter values). For example:
nil {X:Type} = List X; cons {X:Type} hd:X tl:(list X) = List X; typed_list (X:Type) (l : list X) = TypedList;
@@ -143,13 +143,13 @@ typed_list (X:Type) (l : list X) = TypedList;The multiplicity field may be bypassed. In this case, the last preceding parameter of type
#from the enclosing combinator is used (it must be).- -
Functionally, the repetition field-id
+:multiplicity*[args]is equivalent to the declaration of the single field(field-id:%Tuple%AuxTypemultiplicity), whereaux_typeis an auxiliary type with a new name defined asaux_type *args* = AuxType. If any of the enclosing type’s fields are used within args, they are added to the auxiliary constructoraux_typeand to itsAuxTyperesult type as the first (optional) parameters.Functionally, the repetition field-id
:multiplicity*[args]is equivalent to the declaration of the single field(field-id:%Tuple%AuxTypemultiplicity), whereaux_typeis an auxiliary type with a new name defined asaux_type *args* = AuxType. If any of the enclosing type's fields are used within args, they are added to the auxiliary constructoraux_typeand to itsAuxTyperesult type as the first (optional) parameters.If args consists of one anonymous field of type some-type, then some-type can be used directly instead of
%AuxType.- -
If during implementation the repetitions are rewritten as indicated above, it is logical to use instead of
+aux_typeandAuxType, some identifiers that contain the name of the outer combinator being defined and the repetition’s index number inside its definition.If during implementation the repetitions are rewritten as indicated above, it is logical to use instead of
aux_typeandAuxType, some identifiers that contain the name of the outer combinator being defined and the repetition's index number inside its definition.Example:
diff --git a/data/corefork.telegram.org/mtproto/TL-polymorph.html b/data/corefork.telegram.org/mtproto/TL-polymorph.html index d37d6318ac..c7e6052faf 100644 --- a/data/corefork.telegram.org/mtproto/TL-polymorph.html +++ b/data/corefork.telegram.org/mtproto/TL-polymorph.html @@ -81,15 +81,15 @@ nil : forall (X:Type), X -> List X;- serialize the head of the list (hd) as a value of type X;
- serialize the tail of the list as a value of the polymorphic type List X.
-In the first step, the natural question is which string exactly will be used to calculate the CRC32. It is proposed to take "
+cons X:Type hd:X tl:List X = List X” without the terminating semicolon and without any parentheses (closed type expressions are unambiguously reconstructed based on their construction’s prefix).In the first step, the natural question is which string exactly will be used to calculate the CRC32. It is proposed to take "
cons X:Type hd:X tl:List X = List X” without the terminating semicolon and without any parentheses (closed type expressions are unambiguously reconstructed based on their construction's prefix).In the last step, we recursively resolve the very same problem of serializing a value of type List X; we will consider it resolved based on the assumption of induction in the construction of the value being serialized. We will similarly consider the third step understandable (induction in the construction of the value being serialized).
-We still need to describe how to transmit (serialize) types, e.g. values of type Type. Types in TL schemas currently appear only as constructors’ optional parameters and are therefore never serialized explicitly. Rather, their values are inferred from the previously known type of the value being serialized.
+We still need to describe how to transmit (serialize) types, e.g. values of type Type. Types in TL schemas currently appear only as constructors' optional parameters and are therefore never serialized explicitly. Rather, their values are inferred from the previously known type of the value being serialized.
For completeness we will describe how it would be possible to serialize types (values of type Type). However, keep in mind that for now this information is not useful. See Type serialization.
Optional arguments in polymorphic constructors
-It was stated above that any subset of (the first few) parameters of any constructor can be identified as optional (by enclosing their declarations in curly brackets), but this is not actually entirely accurate. First, these optional parameters can only be of type
-Typeor#(natural numbers). Second, optional parameters must share the return value’s type, otherwise their value cannot be determined.Note that @'''constr-id''' means the constructor’s “full form” (in which all optional parameters become required), while '''constr-id'’ denotes its abbreviated form (without the optional arguments). If there are no optional arguments, then these two forms are the same. Constructors’ full forms are never used at present.
+It was stated above that any subset of (the first few) parameters of any constructor can be identified as optional (by enclosing their declarations in curly brackets), but this is not actually entirely accurate. First, these optional parameters can only be of type
+Typeor#(natural numbers). Second, optional parameters must share the return value's type, otherwise their value cannot be determined.Note that @'''constr-id''' means the constructor's “full form” (in which all optional parameters become required), while '''constr-id'' denotes its abbreviated form (without the optional arguments). If there are no optional arguments, then these two forms are the same. Constructors' full forms are never used at present.
Bare polymorphic types
-There is a small problem: if we want to serialize the value of the bare type ‘%pair string int’ or ‘%pair string Y’ (which in TL is usually denoted simply as “pair”, though the form “%Pair” is preferable), we cannot simultaneously use both the full constructor @pair and the partial pair, because the constructor’s name will not be serialized. Therefore, we must differentiate the bare types %@pair (type X, type Y, value x:X, and value y:Y are serialized) and %pair (only x:X and y:Y are serialized; types X and Y are known from the context). In practice, we nearly almost always need the bare type %pair, and this is precisely what “pair” means in the type’s context in TL. Therefore,
+There is a small problem: if we want to serialize the value of the bare type ‘%pair string int' or ‘%pair string Y' (which in TL is usually denoted simply as “pair”, though the form “%Pair” is preferable), we cannot simultaneously use both the full constructor @pair and the partial pair, because the constructor's name will not be serialized. Therefore, we must differentiate the bare types %@pair (type X, type Y, value x:X, and value y:Y are serialized) and %pair (only x:X and y:Y are serialized; types X and Y are known from the context). In practice, we nearly almost always need the bare type %pair, and this is precisely what “pair” means in the type's context in TL. Therefore,
record name:string map:(List (pair int string)) = Record;will be serialized approximately like we want it to be (the serialization of list elements will consist of the serialization of int and the serialization of string, without any additional headers, types, or combinator names). Incidentally, when calculating the “record” combinator's name 'record' in the example given above, the CRC32 of
diff --git a/data/corefork.telegram.org/mtproto/TL-tl.html b/data/corefork.telegram.org/mtproto/TL-tl.html index 6eb37b1df6..81942ff457 100644 --- a/data/corefork.telegram.org/mtproto/TL-tl.html +++ b/data/corefork.telegram.org/mtproto/TL-tl.html @@ -97,8 +97,8 @@ tls.typeExpr name:int flags:int children_num:# children:children_num*[tls.Expr]record name:string map:List pair int string = Recordwill be computed.Schema serialization (version 2) always begins with the index number of the
tls.schema_v2constructor fortls.Schema. Because the CRC32 of the string-tls.schema_v2 version:int date:int types_num:# types:types_num*[ tls.Type ] constructor_num:# constructors:constructor_num*[ tls.Combinator ] functions_num:# functions:functions_num*[ tls.Combinator ] = tls.Schemais 0x3a2f9be2, this constant is in fact the magic number for tlo files in the current version’s format. -If the format is extended in the future (for example, if TL’s additional features are supported), then a
+tls.schema_v3constructor with a different number will appear.is 0x3a2f9be2, this constant is in fact the magic number for tlo files in the current version's format. +If the format is extended in the future (for example, if TL's additional features are supported), then a
tls.schema_v3constructor with a different number will appear.Example
If one adds declarations for the used built-in types (like
int ? = Int;) from the filecommon.tlbeforetl.tland serialize the resulting schema, the following binary data is obtained (tl.tlo):diff --git a/data/corefork.telegram.org/mtproto/TL-types.html b/data/corefork.telegram.org/mtproto/TL-types.html index 28c1e276c4..a5edce8017 100644 --- a/data/corefork.telegram.org/mtproto/TL-types.html +++ b/data/corefork.telegram.org/mtproto/TL-types.html @@ -44,8 +44,8 @@ It remains to describe how types, e.g. values of type Type, are transmitted (serdiff --git a/data/corefork.telegram.org/mtproto/auth_key.html b/data/corefork.telegram.org/mtproto/auth_key.html index 32dc7a40dd..6aa9af42c0 100644 --- a/data/corefork.telegram.org/mtproto/auth_key.html +++ b/data/corefork.telegram.org/mtproto/auth_key.html @@ -41,100 +41,152 @@See Polymorphism in TL and TL Language.
It remains to describe how types, e.g. values of type Type, are transmitted (serialized). In general, there is nothing unexpected going on here: we have type constructors of various arities (for example, List is an arity-1 constructor, but IntList is a 0-arity constructor); and if we know that a 32-bit “name” is assigned to each type constructor, there are no further questions -- values of type Type are serialized exactly like values of any other recursive type with a defined set of constructors of differing arity.
How can a 32-bit “name” be assigned to a type (a type constructor, to be more exact) such as List or IntList? -It is proposed to use the sum of the names of all of its constructors, plus the CRC32 of the string with the designation of the type's name and all of its parameters such as “IntList = Type” or “List X:Type = Type”. This way, the List constructor’s “name” is the sum of the CRC32s of the three strings "List X:Type = Type", "cons X:Type hd:X tl:List X = List X", and "nil X:Type = List X". -For “bare” types (which, formally speaking, are subtypes of the corresponding “boxed” type), the situation is somewhat more complicated; the logical negation of the corresponding constructor’s name is used. For built-in bareand boxed types (for example, int and Int), a pseudo-declaration is used (for example, int ? = Int").
+It is proposed to use the sum of the names of all of its constructors, plus the CRC32 of the string with the designation of the type's name and all of its parameters such as “IntList = Type” or “List X:Type = Type”. This way, the List constructor's “name” is the sum of the CRC32s of the three strings "List X:Type = Type", "cons X:Type hd:X tl:List X = List X", and "nil X:Type = List X". +For “bare” types (which, formally speaking, are subtypes of the corresponding “boxed” type), the situation is somewhat more complicated; the logical negation of the corresponding constructor's name is used. For built-in bareand boxed types (for example, int and Int), a pseudo-declaration is used (for example, int ? = Int").
- This description is somewhat outdated and may be updated in the future. Specifically, how to treat the
!modifier has not been explained.*+The query format is described using Binary Data Serialization and the TL Language. All large numbers are transmitted as strings containing the required sequence of bytes in big endian order. Hash functions, such as SHA1, return strings (of 20 bytes) which can also be interpreted as big endian numbers. Small numbers (
int,long,int128,int256) are normally little endian; however, if they are part of SHA1, the bytes are not rearranged. This way, iflongxis the 64 lower-order bits of SHA1 of strings, then the final 8 bytes of 20-byte stringSHA1(s)are taken and interpreted as a 64-bit integer.Prior to sending off unencrypted messages (required in this instance to generate an authorization key), the client must undergo (p,q) authorization as follows.
-DH exchange initiation
-1) Client sends query to server
-+req_pq_multi#be7e8ef1 nonce:int128 = ResPQ;DH exchange initiation
++
- +
+Client sends query to server
+req_pq_multi#be7e8ef1 nonce:int128 = ResPQ;
+The value of nonce is selected randomly by the client (random number) and identifies the client within this communication. Following this step, it is known to all.
-2) Server sends response of the form
-+resPQ#05162463 nonce:int128 server_nonce:int128 pq:string server_public_key_fingerprints:Vector long = ResPQ;+
- +
+Server sends response of the form
+resPQ#05162463 nonce:int128 server_nonce:int128 pq:string server_public_key_fingerprints:Vector long = ResPQ;
+Here, string pq is a representation of a natural number (in binary big endian format). This number is the product of two different odd prime numbers. Normally, pq is less than or equal to 2^63-1. The value of server_nonce is selected randomly by the server; following this step, it is known to all.
server_public_key_fingerprintsis a list of public RSA key fingerprints (64 lower-order bits of SHA1 (server_public_key); the public key is represented as a bare typersa_public_key n:string e:string = RSAPublicKey, where, as usual, n and е are numbers in big endian format serialized as strings of bytes, following which SHA1 is computed) received by the server.All subsequent messages contain the pair (nonce, server_nonce) both in the plain-text, and the encrypted portions which makes it possible to identify a “temporary session” — one run of the key generation protocol described on this page that uses the same (nonce, server_nonce) pair. An intruder could not create a parallel session with the server with the same parameters and reuse parts of server- or client-encrypted messages for its own purposes in such a parallel session, because a different server_nonce would be selected by the server for any new “temporary session”.
-Proof of work
-3) Client decomposes pq into prime factors such that p < q.
+Proof of work
++
- Client decomposes pq into prime factors such that p < q.
+This starts a round of Diffie-Hellman key exchanges.
-Presenting proof of work; Server authentication
-4) Client sends query to server
-+req_DH_params#d712e4be nonce:int128 server_nonce:int128 p:string q:string public_key_fingerprint:long encrypted_data:string = Server_DH_ParamsPresenting proof of work; Server authentication
++
- +
+Client sends query to server
+req_DH_params#d712e4be nonce:int128 server_nonce:int128 p:string q:string public_key_fingerprint:long encrypted_data:string = Server_DH_Params
+Here, encrypted_data is obtained as follows:
-
-- new_nonce := another (good) random number generated by the client; after this query, it is known to both client and server;
-data := a serialization of
+- +
+new_nonce := another (good) random number generated by the client; after this query, it is known to both client and server;
+- +
-data := a serialization of
p_q_inner_data_dc#a9f55f95 pq:string p:string q:string nonce:int128 server_nonce:int128 new_nonce:int256 dc:int = P_Q_inner_data;or of
p_q_inner_data_temp_dc#56fddf88 pq:string p:string q:string nonce:int128 server_nonce:int128 new_nonce:int256 dc:int expires_in:int = P_Q_inner_data;encrypted_data := RSA_PAD (data, server_public_key), where RSA_PAD is a version of RSA with a variant of OAEP+ padding explained below in 4.1).
+- +
encrypted_data := RSA_PAD (data, server_public_key), where RSA_PAD is a version of RSA with a variant of OAEP+ padding explained below in 4.1).
Someone might intercept the query and replace it with their own, independently decomposing pq into factors instead of the client. The only field that it makes sense to modify is new_nonce which would be the one an intruder would have to re-generate (because an intruder cannot decrypt the encrypted data sent by the client). Since all subsequent messages are encrypted using new_nonce or contain new_nonce_hash, they will not be processed by the client (an intruder would not be able to make it look as though they had been generated by the server because they would not contain new_nonce). Therefore, this intercept will only result in the intruder’s completing the authorization key generation protocol in place of the client and creating a new key (that has nothing to do with the client); however, the same effect could be achieved simply by creating a new key in one's own name.
+Someone might intercept the query and replace it with their own, independently decomposing pq into factors instead of the client. The only field that it makes sense to modify is new_nonce which would be the one an intruder would have to re-generate (because an intruder cannot decrypt the encrypted data sent by the client). Since all subsequent messages are encrypted using new_nonce or contain new_nonce_hash, they will not be processed by the client (an intruder would not be able to make it look as though they had been generated by the server because they would not contain new_nonce). Therefore, this intercept will only result in the intruder's completing the authorization key generation protocol in place of the client and creating a new key (that has nothing to do with the client); however, the same effect could be achieved simply by creating a new key in one's own name.
An alternative form of inner data (
p_q_inner_data_temp_dc) is used to create temporary keys, that are only stored in the server RAM and are discarded after at mostexpires_inseconds. The server is free to discard its copy earlier. In all other respects the temporary key generation protocol is the same. After a temporary key is created, the client usually binds it to its principal authorisation key by means of the auth.bindTempAuthKey method, and uses it for all client-server communication until it expires; then a new temporary key is generated. Thus Perfect Forward Secrecy (PFS) in client-server communication is achieved. Read more about PFS »4.1) RSA_PAD(data, server_public_key) mentioned above is implemented as follows:
-
-- data_with_padding := data + random_padding_bytes; — where random_padding_bytes are chosen so that the resulting length of data_with_padding is precisely 192 bytes, and data is the TL-serialized data to be encrypted as before. One has to check that data is not longer than 144 bytes.
-- data_pad_reversed := BYTE_REVERSE(data_with_padding); — is obtained from data_with_padding by reversing the byte order.
+- data_with_padding := data + random_padding_bytes; -- where random_padding_bytes are chosen so that the resulting length of data_with_padding is precisely 192 bytes, and data is the TL-serialized data to be encrypted as before. One has to check that data is not longer than 144 bytes.
+- data_pad_reversed := BYTE_REVERSE(data_with_padding); -- is obtained from data_with_padding by reversing the byte order.
- a random 32-byte temp_key is generated.
-- data_with_hash := data_pad_reversed + SHA256(temp_key + data_with_padding); — after this assignment, data_with_hash is exactly 224 bytes long.
-- aes_encrypted := AES256_IGE(data_with_hash, temp_key, 0); — AES256-IGE encryption with zero IV.
-- temp_key_xor := temp_key XOR SHA256(aes_encrypted); — adjusted key, 32 bytes
-- key_aes_encrypted := temp_key_xor + aes_encrypted; — exactly 256 bytes (2048 bits) long
+- data_with_hash := data_pad_reversed + SHA256(temp_key + data_with_padding); -- after this assignment, data_with_hash is exactly 224 bytes long.
+- aes_encrypted := AES256_IGE(data_with_hash, temp_key, 0); -- AES256-IGE encryption with zero IV.
+- temp_key_xor := temp_key XOR SHA256(aes_encrypted); -- adjusted key, 32 bytes
+- key_aes_encrypted := temp_key_xor + aes_encrypted; -- exactly 256 bytes (2048 bits) long
- The value of key_aes_encrypted is compared with the RSA-modulus of server_pubkey as a big-endian 2048-bit (256-byte) unsigned integer. If key_aes_encrypted turns out to be greater than or equal to the RSA modulus, the previous steps starting from the generation of new random temp_key are repeated. Otherwise the final step is performed:
-- encrypted_data := RSA(key_aes_encrypted, server_pubkey); — 256-byte big-endian integer is elevated to the requisite power from the RSA public key modulo the RSA modulus, and the result is stored as a big-endian integer consisting of exactly 256 bytes (with leading zero bytes if required).
+- encrypted_data := RSA(key_aes_encrypted, server_pubkey); -- 256-byte big-endian integer is elevated to the requisite power from the RSA public key modulo the RSA modulus, and the result is stored as a big-endian integer consisting of exactly 256 bytes (with leading zero bytes if required).
5) Server responds with:
-+server_DH_params_ok#d0e8075c nonce:int128 server_nonce:int128 encrypted_answer:string = Server_DH_Params;+
- +
+Server responds with:
+server_DH_params_ok#d0e8075c nonce:int128 server_nonce:int128 encrypted_answer:string = Server_DH_Params;
+If the query is incorrect, the server returns a
-404error and the handshake must be restarted (any subsequent request also returns-404, even if it is correct).Here, encrypted_answer is obtained as follows:
-
- new_nonce_hash := 128 lower-order bits of SHA1 (new_nonce);
-answer := serialization
+- +
+new_nonce_hash := 128 lower-order bits of SHA1 (new_nonce);
+- +
-answer := serialization
server_DH_inner_data#b5890dba nonce:int128 server_nonce:int128 g:int dh_prime:string g_a:string server_time:int = Server_DH_inner_data;answer_with_hash := SHA1(answer) + answer + (0-15 random bytes); such that the length be divisible by 16;
+- +
+answer_with_hash := SHA1(answer) + answer + (0-15 random bytes); such that the length be divisible by 16;
+- +
+tmp_aes_key := SHA1(new_nonce + server_nonce) + substr (SHA1(server_nonce + new_nonce), 0, 12);
+- +
+tmp_aes_iv := substr (SHA1(server_nonce + new_nonce), 12, 8) + SHA1(new_nonce + new_nonce) + substr (new_nonce, 0, 4);
+- +
-encrypted_answer := AES256_ige_encrypt (answer_with_hash, tmp_aes_key, tmp_aes_iv); here, tmp_aes_key is a 256-bit key, and tmp_aes_iv is a 256-bit initialization vector. The same as in all the other instances that use AES encryption, the encrypted data is padded with random bytes to a length divisible by 16 immediately prior to encryption.
- tmp_aes_key := SHA1(new_nonce + server_nonce) + substr (SHA1(server_nonce + new_nonce), 0, 12);
-- tmp_aes_iv := substr (SHA1(server_nonce + new_nonce), 12, 8) + SHA1(new_nonce + new_nonce) + substr (new_nonce, 0, 4);
-- encrypted_answer := AES256_ige_encrypt (answer_with_hash, tmp_aes_key, tmp_aes_iv); here, tmp_aes_key is a 256-bit key, and tmp_aes_iv is a 256-bit initialization vector. The same as in all the other instances that use AES encryption, the encrypted data is padded with random bytes to a length divisible by 16 immediately prior to encryption.
Following this step, new_nonce is still known to client and server only. The client is certain that it is the server that responded and that the response was generated specifically in response to client query req_DH_params, since the response data are encrypted using new_nonce.
-Client is expected to check whether p = dh_prime is a safe 2048-bit prime (meaning that both p and (p-1)/2 are prime, and that 22047 < p < 22048), and that g generates a cyclic subgroup of prime order (p-1)/2, i.e. is a quadratic residue mod p. Since g is always equal to 2, 3, 4, 5, 6 or 7, this is easily done using quadratic reciprocity law, yielding a simple condition on p mod 4g — namely, p mod 8 = 7 for g = 2; p mod 3 = 2 for g = 3; no extra condition for g = 4; p mod 5 = 1 or 4 for g = 5; p mod 24 = 19 or 23 for g = 6; and p mod 7 = 3, 5 or 6 for g = 7. After g and p have been checked by the client, it makes sense to cache the result, so as not to repeat lengthy computations in future.
-If the verification takes too long time (which is the case for older mobile devices), one might initially run only 15 Miller—Rabin iterations for verifying primeness of p and (p - 1)/2 with error probability not exceeding one billionth, and do more iterations later in the background.
-Another optimization is to embed into the client application code a small table with some known “good” couples (g,p) (or just known safe primes p, since the condition on g is easily verified during execution), checked during code generation phase, so as to avoid doing such verification during runtime altogether. Server changes these values rarely, thus one usually has to put the current value of server's dh_prime into such a table. For example, current value of dh_prime equals (in big-endian byte order)
+Client is expected to check whether p = dh_prime is a safe 2048-bit prime (meaning that both p and (p-1)/2 are prime, and that 2^2047 < p < 2^2048), and that g generates a cyclic subgroup of prime order (p-1)/2, i.e. is a quadratic residue mod p. Since g is always equal to 2, 3, 4, 5, 6 or 7, this is easily done using quadratic reciprocity law, yielding a simple condition on p mod 4g -- namely, p mod 8 = 7 for g = 2; p mod 3 = 2 for g = 3; no extra condition for g = 4; p mod 5 = 1 or 4 for g = 5; p mod 24 = 19 or 23 for g = 6; and p mod 7 = 3, 5 or 6 for g = 7. After g and p have been checked by the client, it makes sense to cache the result, so as not to repeat lengthy computations in future.
+If the verification takes too long time (which is the case for older mobile devices), one might initially run only 15 Miller--Rabin iterations for verifying primeness of p and (p - 1)/2 with error probability not exceeding one billionth, and do more iterations later in the background.
+Another optimization is to embed into the client application code a small table with some known "good" couples (g,p) (or just known safe primes p, since the condition on g is easily verified during execution), checked during code generation phase, so as to avoid doing such verification during runtime altogether. Server changes these values rarely, thus one usually has to put the current value of server's dh_prime into such a table. For example, current value of dh_prime equals (in big-endian byte order)
-C7 1C AE B9 C6 B1 C9 04 8E 6C 52 2F 70 F1 3F 73 98 0D 40 23 8E 3E 21 C1 49 34 D0 37 56 3D 93 0F 48 19 8A 0A A7 C1 40 58 22 94 93 D2 25 30 F4 DB FA 33 6F 6E 0A C9 25 13 95 43 AE D4 4C CE 7C 37 20 FD 51 F6 94 58 70 5A C6 8C D4 FE 6B 6B 13 AB DC 97 46 51 29 69 32 84 54 F1 8F AF 8C 59 5F 64 24 77 FE 96 BB 2A 94 1D 5B CD 1D 4A C8 CC 49 88 07 08 FA 9B 37 8E 3C 4F 3A 90 60 BE E6 7C F9 A4 A4 A6 95 81 10 51 90 7E 16 27 53 B5 6B 0F 6B 41 0D BA 74 D8 A8 4B 2A 14 B3 14 4E 0E F1 28 47 54 FD 17 ED 95 0D 59 65 B4 B9 DD 46 58 2D B1 17 8D 16 9C 6B C4 65 B0 D6 FF 9C A3 92 8F EF 5B 9A E4 E4 18 FC 15 E8 3E BE A0 F8 7F A9 FF 5E ED 70 05 0D ED 28 49 F4 7B F9 59 D9 56 85 0C E9 29 85 1F 0D 81 15 F6 35 B1 05 EE 2E 4E 15 D0 4B 24 54 BF 6F 4F AD F0 34 B1 04 03 11 9C D8 E3 B9 2F CC 5B6) Client computes random 2048-bit number b (using a sufficient amount of entropy) and sends the server a message
-+set_client_DH_params#f5045f1f nonce:int128 server_nonce:int128 encrypted_data:string = Set_client_DH_params_answer;+
- +
+Client computes random 2048-bit number b (using a sufficient amount of entropy) and sends the server a message
+set_client_DH_params#f5045f1f nonce:int128 server_nonce:int128 encrypted_data:string = Set_client_DH_params_answer;
+Here, encrypted_data is obtained thus:
-
- g_b := pow(g, b) mod dh_prime;
-data := serialization
+- +
+g_b := pow(g, b) mod dh_prime;
+- +
-data := serialization
client_DH_inner_data#6643b654 nonce:int128 server_nonce:int128 retry_id:long g_b:string = Client_DH_Inner_Datadata_with_hash := SHA1(data) + data + (0-15 random bytes); such that length be divisible by 16;
+- +
+data_with_hash := SHA1(data) + data + (0-15 random bytes); such that length be divisible by 16;
+- +
-encrypted_data := AES256_ige_encrypt (data_with_hash, tmp_aes_key, tmp_aes_iv);
- encrypted_data := AES256_ige_encrypt (data_with_hash, tmp_aes_key, tmp_aes_iv);
The retry_id field is equal to zero at the time of the first attempt; otherwise, it is equal to auth_key_aux_hash from the previous failed attempt (see Item 9).
-7) Thereafter, auth_key equals
-pow(g, {ab}) mod dh_prime; on the server, it is computed aspow(g_b, a) mod dh_prime, and on the client as(g_a)^b mod dh_prime.8) auth_key_hash is computed := 64 lower-order bits of SHA1 (auth_key). The server checks whether there already is another key with the same auth_key_hash and responds in one of the following ways.
-DH key exchange complete
-9) Server responds in one of three ways:
-+dh_gen_fail#a69dae02 nonce:int128 server_nonce:int128 new_nonce_hash3:int128 = Set_client_DH_params_answer; + +dh_gen_ok#3bcbf734 nonce:int128 server_nonce:int128 new_nonce_hash1:int128 = Set_client_DH_params_answer; ++
+- +
+Thereafter, auth_key equals
+pow(g, {ab}) mod dh_prime; on the server, it is computed aspow(g_b, a) mod dh_prime, and on the client as(g_a)^b mod dh_prime.- +
+auth_key_hash is computed := 64 lower-order bits of SHA1 (auth_key). The server checks whether there already is another key with the same auth_key_hash and responds in one of the following ways.
+DH key exchange complete
++
- +
Server responds in one of three ways:
+dh_gen_ok#3bcbf734 nonce:int128 server_nonce:int128 new_nonce_hash1:int128 = Set_client_DH_params_answer; dh_gen_retry#46dc1fb9 nonce:int128 server_nonce:int128 new_nonce_hash2:int128 = Set_client_DH_params_answer; -dh_gen_fail#a69dae02 nonce:int128 server_nonce:int128 new_nonce_hash3:int128 = Set_client_DH_params_answer;
-
- new_nonce_hash1, new_nonce_hash2, and new_nonce_hash3 are obtained as the 128 lower-order bits of SHA1 of the byte string derived from the new_nonce string by adding a single byte with the value of 1, 2, or 3, and followed by another 8 bytes with auth_key_aux_hash. Different values are required to prevent an intruder from changing server response dh_gen_ok into dh_gen_retry.
- auth_key_aux_hash is the 64 higher-order bits of SHA1(auth_key). It must not be confused with auth_key_hash.
In the other case, the client goes to Item 6) generating a new b.
+
In the first case, the client and the server have negotiated auth_key, following which they forget all other temporary data, and the client creates another encrypted session using auth_key. At the same time, server_salt is initially set tosubstr(new_nonce, 0, 8) XOR substr(server_nonce, 0, 8). If required, the client stores the difference between server_time received in 5) and its local time, to be able always to have a good approximation of server time which is required to generate correct message identifiers.In the other case, the client goes to Item 6) generating a new b. +In the first case, the client and the server have negotiated auth_key, following which they forget all other temporary data, and the client creates another encrypted session using auth_key. At the same time, server_salt is initially set to
substr(new_nonce, 0, 8) XOR substr(server_nonce, 0, 8). If required, the client stores the difference between server_time received in 5) and its local time, to be able always to have a good approximation of server time which is required to generate correct message identifiers.IMPORTANT: Apart from the conditions on the Diffie-Hellman prime dh_prime and generator g, both sides are to check that g, g_a and g_b are greater than 1 and less than dh_prime - 1. We recommend checking that g_a and g_b are between 2^{2048-64} and dh_prime - 2^{2048-64} as well.
-Error Handling (Lost Queries and Responses)
+Error Handling (Lost Queries and Responses)
If the client fails to receive any response to its query from the server within a certain time interval, it may simply re-send the query. If the server has already sent a response to this query (exactly the same request and not just similar: all the parameters during the repeat request must take on the same values) but it did not get to the client, the server will simply re-send the same response. The server remembers the response for up to 10 minutes after having received the query in 1). If the server has already forgotten the response or the requisite temporary data, the client will have to start from the beginning.
The server may consider that if the client has already sent in the next query using the data from the previous server response to the specific client, the response is known to have been received by the client and may be forgotten by the server.
-Usage Example
-An example of a complete list of queries required to generate an authorization key is shown on a separate page.
-Usage Example
+An example of a complete list of queries required to generate an authorization key is shown on a separate page.
On top of this, msg_id values that belong over 30 seconds in the future or over 300 seconds in the past are to be ignored. This is especially important for the server. The client would also find this useful (to protect from a replay attack), but only if it is certain of its time (for example, if its time has been synchronized with that of the server).
Certain client-to-server service messages containing data sent by the client to the server (for example, msg_id of a recent client query) may, nonetheless, be processed on the client even if the time appears to be “incorrect”. This is especially true of messages to change server_salt and notifications of invalid client time. See Mobile Protocol: Service Messages.
Storing an Authorization Key on a Client Device
-It may be suggested to users concerned with security that they password protect the authorization key in approximately the same way as in ssh. This can be accomplished by prepending the value of cryptographic hash function, such as SHA-256, of the key to the front of the key, following which the entire string is encrypted using AES in CBC mode and a key equal to the user’s (text) password. When the user inputs the password, the stored protected password is decrypted and verified by checking the SHA-256 value. From the user’s standpoint, this is practically the same as using an application or a website password.
+It may be suggested to users concerned with security that they password protect the authorization key in approximately the same way as in ssh. This can be accomplished by prepending the value of cryptographic hash function, such as SHA-256, of the key to the front of the key, following which the entire string is encrypted using AES in CBC mode and a key equal to the user's (text) password. When the user inputs the password, the stored protected password is decrypted and verified by checking the SHA-256 value. From the user's standpoint, this is practically the same as using an application or a website password.
Unencrypted Messages
Special plain-text messages may be used to create an authorization key as well as to perform a time synchronization. They begin with auth_key_id = 0 (64 bits) which means that there is no auth_key. This is followed directly by the message body in serialized format without internal or external headers. A message identifier (64 bits) and body length in bytes (32 bytes) are added before the message body.
Only a very limited number of messages of special types can be transmitted as plain text.
diff --git a/data/corefork.telegram.org/mtproto/description_v1.html b/data/corefork.telegram.org/mtproto/description_v1.html index be348fa35a..6584530424 100644 --- a/data/corefork.telegram.org/mtproto/description_v1.html +++ b/data/corefork.telegram.org/mtproto/description_v1.html @@ -97,7 +97,7 @@ For information on encryption used in up-to-date Telegram clients, kindly see In addition, msg_id values that belong over 30 seconds in the future or over 300 seconds in the past are to be ignored. This is especially important for the server. The client would also find this useful (to protect from a replay attack), but only if it is certain of its time (for example, if its time has been synchronized with that of the server).Certain client-to-server service messages containing data sent by the client to the server (for example, msg_id of a recent client query) may, nonetheless, be processed on the client even if the time appears to be “incorrect”. This is especially true of messages to change server_salt and notifications of invalid client time. See Mobile Protocol: Service Messages.
Storing an Authorization Key on a Client Device
-It may be suggested to users concerned with security that they password protect the authorization key in approximately the same way as in ssh. This is accomplished by adding the SHA1 of the key to the front of the key, following which the entire string is encrypted using AES in CBC mode and a key equal to the user’s (text) password. When the user inputs the password, the stored protected password is decrypted and verified by being compared with SHA1. From the user’s standpoint, this is practically the same as using an application or a website password.
+It may be suggested to users concerned with security that they password protect the authorization key in approximately the same way as in ssh. This is accomplished by adding the SHA1 of the key to the front of the key, following which the entire string is encrypted using AES in CBC mode and a key equal to the user's (text) password. When the user inputs the password, the stored protected password is decrypted and verified by being compared with SHA1. From the user's standpoint, this is practically the same as using an application or a website password.
Unencrypted Messages
Special plain-text messages may be used to create an authorization key as well as to perform a time synchronization. They begin with auth_key_id = 0 (64 bits) which means that there is no auth_key. This is followed directly by the message body in serialized format without internal or external headers. A message identifier (64 bits) and body length in bytes (32 bytes) are added before the message body.
Only a very limited number of messages of special types can be transmitted as plain text.
diff --git a/data/corefork.telegram.org/mtproto/serialize.html b/data/corefork.telegram.org/mtproto/serialize.html index e2028a2386..5a3241c06b 100644 --- a/data/corefork.telegram.org/mtproto/serialize.html +++ b/data/corefork.telegram.org/mtproto/serialize.html @@ -49,7 +49,7 @@ The TL language is used to describe the data types to- Value, in this case, is the same as a string in Alphabet A, i. e. a finite (possibly, empty) sequence of 32-bit numbers. The set of all such sequences is designated as A*.
- Type, for our purposes, is the same as the set of legal values of a type, i. e. some set T which is a subset of A* and is a prefix code (i. e. no element of T may be a prefix for any other element). Therefore, any sequence from A* can contain no more than one prefix that is a member of T.
- Value of Type T is any sequence (value) which is a member of T as a subset of A*.
-- Compatible Types are the types T and T’ not intersecting as subsets of A*, such that the union of T and T' is a prefix code.
+- Compatible Types are the types T and T' not intersecting as subsets of A*, such that the union of T and T' is a prefix code.
- Coordinated System of Types is a finite or infinite set of types T_1, ..., T_n, ..., such that any two types from this set are compatible.
- Data Type is the same as type in the sense of the definition above.
- Functional Type is a type describing a function; it is not a type in the sense of the definition above. Initially, we ignore the existence of functional types and describe only the data types; however, in reality, functional types will later be implemented in some extension of this system using the so-called temporary combinators.
@@ -66,13 +66,13 @@ The TL language is used to describe the data types toCombinator identifier is an identifier beginning with a lowercase Roman letter that uniquely identifies a combinator.
- -
Combinator number or combinator name is a 32-bit number (i.e., an element of A) that uniquely identifies a combinator. Most often, it is CRC32 of the string containing the combinator description without the final semicolon, and with one space between contiguous lexemes. This always falls in the range from 0x01000000 to 0xffffff00. The highest 256 values are reserved for the so-called temporal-logic combinators used to transmit functions. We frequently denote as combinator the combinator name with single quotes: ‘combinator’.
+Combinator number or combinator name is a 32-bit number (i.e., an element of A) that uniquely identifies a combinator. Most often, it is CRC32 of the string containing the combinator description without the final semicolon, and with one space between contiguous lexemes. This always falls in the range from 0x01000000 to 0xffffff00. The highest 256 values are reserved for the so-called temporal-logic combinators used to transmit functions. We frequently denote as combinator the combinator name with single quotes: ‘combinator'.
Combinator description is a string of format
combinator_name type_arg_1 ... type_arg_N = type_res;whereNstands for the arity of the combinator,type_arg_iis the type of the i-th argument (or rather, a string with the combinator name), andtype_resis the combinator value type.- -
Constructor is a combinator that cannot be computed (reduced). This is used to represent composite data types. For example, combinator ‘int_tree’ with description
+int_tree IntTree int IntTree = IntTree, alongside combinatorempty_tree = IntTree, may be used to define a composite data type called “IntTree” that takes on values in the form of binary trees with integers as nodes.Constructor is a combinator that cannot be computed (reduced). This is used to represent composite data types. For example, combinator ‘int_tree' with description
int_tree IntTree int IntTree = IntTree, alongside combinatorempty_tree = IntTree, may be used to define a composite data type called “IntTree” that takes on values in the form of binary trees with integers as nodes.Function (functional combinator) is a combinator which may be computed (reduced) on condition that the requisite number of arguments of requisite types are provided. The result of the computation is an expression consisting of constructors and base type values only.
@@ -87,17 +87,17 @@ The TL language is used to describe the data types toType number or type name is a 32-bit number that uniquely identifies a type; it normally is the sum of the CRC32 values of the descriptions of the type constructors.
- -
Description of (composite) Type T is a collection of the descriptions of all constructors that take on Type T values. This is normally written as text with each string containing the description of a single constructor. Here is a description of Type ‘IntTree’, for example:
+Description of (composite) Type T is a collection of the descriptions of all constructors that take on Type T values. This is normally written as text with each string containing the description of a single constructor. Here is a description of Type ‘IntTree', for example:
int_tree IntTree int IntTree = IntTree; empty_tree = IntTree;
- -
Polymorphic type is a type whose description contains parameters (type variables) in lieu of actual types; approximately, what would be a template in C++. Here is a description of Type
+List alphawhereListis a polymorphic type of arity 1 (i. e., dependent on a single argument), andalphais a type variable which appears as the constructor’s optional parameter (in curly braces):Polymorphic type is a type whose description contains parameters (type variables) in lieu of actual types; approximately, what would be a template in C++. Here is a description of Type
List alphawhereListis a polymorphic type of arity 1 (i. e., dependent on a single argument), andalphais a type variable which appears as the constructor's optional parameter (in curly braces):cons {alpha:Type} alpha (List alpha) = List alpha; nil {alpha:Type} = List alpha;
- -
Value of (composite) Type T is any sequence from A* in the format
+constr_num arg1 ... argN, where constr_num is the index number of some Constructor C which takes on values of Type T, and arg_i is a value of Type T_i which is the type of the i-th argument to Constructor C. For example, let Combinator int_tree have the index number 17, whereas Combinator empty_tree has the index number 239. Then, the value of TypeIntTreeis, for example,17 17 239 1 239 2 239which is more conveniently written as'int_tree' 'int_tree' 'empty_tree' 1 'empty_tree' 2 ‘empty_tree’. From the standpoint of a high-level language, this isint_tree (int_tree (empty_tree) 1 (empty_tree)) 2 (empty_tree): IntTree.Value of (composite) Type T is any sequence from A* in the format
constr_num arg1 ... argN, where constr_num is the index number of some Constructor C which takes on values of Type T, and arg_i is a value of Type T_i which is the type of the i-th argument to Constructor C. For example, let Combinator int_tree have the index number 17, whereas Combinator empty_tree has the index number 239. Then, the value of TypeIntTreeis, for example,17 17 239 1 239 2 239which is more conveniently written as'int_tree' 'int_tree' 'empty_tree' 1 'empty_tree' 2 ‘empty_tree'. From the standpoint of a high-level language, this isint_tree (int_tree (empty_tree) 1 (empty_tree)) 2 (empty_tree): IntTree.Schema is a collection of all the (composite) data type descriptions. This is used to define some agreed-to system of types.
diff --git a/data/corefork.telegram.org/mtproto/service_messages.html b/data/corefork.telegram.org/mtproto/service_messages.html index 7ef9827419..652f38acef 100644 --- a/data/corefork.telegram.org/mtproto/service_messages.html +++ b/data/corefork.telegram.org/mtproto/service_messages.html @@ -47,20 +47,20 @@ rpc_result#f35c6d01 req_msg_id:long…">A response to an RPC query is normally wrapped as follows:
rpc_result#f35c6d01 req_msg_id:long result:Object = RpcResult;Here req_msg_id is the identifier of the message sent by the other party and containing an RPC query. This way, the recipient knows that the result is a response to the specific RPC query in question. -At the same time, this response serves as acknowledgment of the other party’s receipt of the req_msg_id message.
+At the same time, this response serves as acknowledgment of the other party's receipt of the req_msg_id message.Note that the response to an RPC query must also be acknowledged. Most frequently, this coincides with the transmission of the next message (which may have a container attached to it carrying a service message with the acknowledgment).
RPC Error
The result field returned in response to any RPC query may also contain an error message in the following format:
rpc_error#2144ca19 error_code:int error_message:string = RpcError;Cancellation of an RPC Query
-In certain situations, the client does not want to receive a response to an already transmitted RPC query, for example because the response turns out to be long and the client has decided to do without it because of insufficient link capacity. Simply interrupting the TCP connection will not have any effect because the server would re-send the missing response at the first opportunity. Therefore, the client needs a way to cancel receipt of the RPC response message, actually acknowledging its receipt prior to it being in fact received, which will settle the server down and prevent it from re-sending the response. However, the client does not know the RPC response’s msg_id prior to receiving the response; the only thing it knows is the req_msg_id. i. e. the msg_id of the relevant RPC query. Therefore, a special query is used:
+In certain situations, the client does not want to receive a response to an already transmitted RPC query, for example because the response turns out to be long and the client has decided to do without it because of insufficient link capacity. Simply interrupting the TCP connection will not have any effect because the server would re-send the missing response at the first opportunity. Therefore, the client needs a way to cancel receipt of the RPC response message, actually acknowledging its receipt prior to it being in fact received, which will settle the server down and prevent it from re-sending the response. However, the client does not know the RPC response's msg_id prior to receiving the response; the only thing it knows is the req_msg_id. i. e. the msg_id of the relevant RPC query. Therefore, a special query is used:
rpc_drop_answer#58e4a740 req_msg_id:long = RpcDropAnswer;The response to this query returns as one of the following messages wrapped in rpc_result and requiring an acknowledgment:
-rpc_answer_unknown#5e2ad36e = RpcDropAnswer; rpc_answer_dropped_running#cd78e586 = RpcDropAnswer; rpc_answer_dropped#a43ad8b7 msg_id:long seq_no:int bytes:int = RpcDropAnswer;The first version of the response is used if the server remembers nothing of the incoming req_msg_id (if it has already been responded to, for example). The second version is used if the response was canceled while the RPC query was being processed (where the RPC query itself was still fully processed); in this case, the same rpc_answer_dropped_running is also returned in response to the original query, and both of these responses require an acknowledgment from the client. The final version means that the RPC response was removed from the server’s outgoing queue, and its msg_id, seq_no, and length in bytes are transmitted to the client.
-Note that rpc_answer_dropped_running and rpc_answer_dropped serve as acknowledgments of the server’s receipt of the original query (the same one, the response to which we wish to forget). In addition, same as for any RPC queries, any response to rpc_drop_answer is an acknowledgment for rpc_drop_answer itself.
+The first version of the response is used if the server remembers nothing of the incoming req_msg_id (if it has already been responded to, for example). The second version is used if the response was canceled while the RPC query was being processed (where the RPC query itself was still fully processed); in this case, the same rpc_answer_dropped_running is also returned in response to the original query, and both of these responses require an acknowledgment from the client. The final version means that the RPC response was removed from the server's outgoing queue, and its msg_id, seq_no, and length in bytes are transmitted to the client.
+Note that rpc_answer_dropped_running and rpc_answer_dropped serve as acknowledgments of the server's receipt of the original query (the same one, the response to which we wish to forget). In addition, same as for any RPC queries, any response to rpc_drop_answer is an acknowledgment for rpc_drop_answer itself.
As an alternative to using rpc_drop_answer, a new session may be created after the connection is reset and the old session is removed through destroy_session.
Messages associated with querying, changing, and receiving the status of other messages
See Mobile Protocol: Service Messages about Messages
@@ -69,7 +69,7 @@ rpc_answer_dropped#a43ad8b7 msg_id:long seq_no:int bytes:int = RpcDropAnswer;get_future_salts#b921bd04 num:int = FutureSalts; future_salt#0949d9dc valid_since:int valid_until:int salt:long = FutureSalt; future_salts#ae500895 req_msg_id:long now:int salts:vector<future_salt> = FutureSalts;-The client must check to see that the response’s req_msg_id in fact coincides with msg_id of the query for get_future_salts. The server returns a maximum of num future server salts (may return fewer). The response serves as the acknowledgment of the query and does not require an acknowledgment itself.
+The client must check to see that the response's req_msg_id in fact coincides with msg_id of the query for get_future_salts. The server returns a maximum of num future server salts (may return fewer). The response serves as the acknowledgment of the query and does not require an acknowledgment itself.
Ping Messages (PING/PONG)
ping#7abe77ec ping_id:long = Pong;A response is usually returned to the same connection:
@@ -84,7 +84,7 @@ future_salts#ae500895 req_msg_id:long now:int salts:vector<future_salt> = destroy_session_ok#e22045fc session_id:long = DestroySessionRes; destroy_session_none#62d350c9 session_id:long = DestroySessionRes;New Session Creation Notification
-The server notifies the client that a new session (from the server’s standpoint) had to be created to handle a client message. If, after this, the server receives a message with an even smaller msg_id within the same session, a similar notification will be generated for this msg_id as well. No such notifications are generated for high msg_id values.
+The server notifies the client that a new session (from the server's standpoint) had to be created to handle a client message. If, after this, the server receives a message with an even smaller msg_id within the same session, a similar notification will be generated for this msg_id as well. No such notifications are generated for high msg_id values.
new_session_created#9ec20908 first_msg_id:long unique_id:long server_salt:long = NewSessionThe unique_id parameter is generated by the server every time a session is (re-)created.
This notification must be acknowledged by the client. It is necessary, for instance, for the client to understand that there is, in fact, a “gap” in the stream of long poll notifications received from the server (the user may have failed to receive notifications during some period of time).
@@ -105,7 +105,7 @@ Clients should group acknowledgments, state requests and message resend requestsMessage Copies
In some situations, an old message with a msg_id that is no longer valid needs to be re-sent. Then, it is wrapped in a copy container:
-msg_copy#e06046b2 orig_message:Message = MessageCopy;Once received, the message is processed as if the wrapper were not there. However, if it is known for certain that the message orig_message.msg_id was received, then the new message is not processed (while at the same time, it and orig_message.msg_id are acknowledged). The value of orig_message.msg_id must be lower than the container’s msg_id.
+Once received, the message is processed as if the wrapper were not there. However, if it is known for certain that the message orig_message.msg_id was received, then the new message is not processed (while at the same time, it and orig_message.msg_id are acknowledged). The value of orig_message.msg_id must be lower than the container's msg_id.
This is not used at this time, because an old message can be wrapped in a simple container with the same result.
Packed Object
Used to replace any other object (or rather, a serialization thereof) with its archived (gzipped) representation:
@@ -119,7 +119,7 @@ Clients should group acknowledgments, state requests and message resend requestsAt the same time, the
max_delayparameter has higher priority thanwait_after, andmax_waithas higher priority thanmax_delay.This message does not require a response or an acknowledgement. If the container transmitted over HTTP carries several such messages, the behavior is undefined (in fact, the latest parameter will be used).
If no
-http_waitis present in container, default valuesmax_delay=0(milliseconds),wait_after=0(milliseconds), andmax_wait=25000(milliseconds) are used.If the client’s ping of the server takes a long time, it may make sense to set
max_delayto a value that is comparable in magnitude to ping time.If the client's ping of the server takes a long time, it may make sense to set
max_delayto a value that is comparable in magnitude to ping time.The intention is that error_code values are grouped (error_code >> 4): for example, the codes 0x40 - 0x4f correspond to errors in container decomposition.
Notifications of an ignored message do not require acknowledgment (i.e., are irrelevant).
-Important: if server_salt has changed on the server or if client time is incorrect, any query will result in a notification in the above format. The client must check that it has, in fact, recently sent a message with the specified msg_id, and if that is the case, update its time correction value (the difference between the client’s and the server’s clocks) and the server salt based on msg_id and the server_salt notification, so as to use these to (re)send future messages. In the meantime, the original message (the one that caused the error message to be returned) must also be re-sent with a better msg_id and/or server_salt.
+Important: if server_salt has changed on the server or if client time is incorrect, any query will result in a notification in the above format. The client must check that it has, in fact, recently sent a message with the specified msg_id, and if that is the case, update its time correction value (the difference between the client's and the server's clocks) and the server salt based on msg_id and the server_salt notification, so as to use these to (re)send future messages. In the meantime, the original message (the one that caused the error message to be returned) must also be re-sent with a better msg_id and/or server_salt.
In addition, the client can update the server_salt value used to send messages to the server, based on the values of RPC responses or containers carrying an RPC response, provided that this RPC response is actually a match for the query sent recently. (If there is doubt, it is best not to update since there is risk of a replay attack).
Request for Message Status Information
If either party has not received information on the status of its outgoing messages for a while, it may explicitly request it from the other party: