概述

MTProto Protocol Layer in Teamgram Server

Skill Type

This is a reference/knowledge skill. It contains no executable code. It documents the MTProto protocol handling internals of Teamgram Server (open-source, Apache-2.0 licensed) for developers who need to understand, debug, or extend the protocol layer.

Overview

KHF client and Teamgram Server communicate via Telegram's MTProto binary protocol. The Teamgram gateway layer (gnetway) performs 3 key operations:

Handshake / auth_key generation (unauthenticated phase: auth_key_id=0 -> handshake)
Authenticated message decryption (AES-IGE)
Forward decrypted payload (TLMessage2.Object) to session service via gRPC

Runtime Environment (for Teamgram Server operators)

If you are deploying Teamgram Server (not just reading this skill), the MTProto layer requires:

Component	Purpose	Configuration
---	---	---
gnetway service	TCP/WS gateway, listens on ports 10443/5222/11443	`app/interface/gnetway/etc/gnetway.yaml`
session service	Manages auth sessions, routes RPCs	`app/interface/session/etc/session.yaml`
MySQL	Stores auth_key records (`auth_keys`, `auth_key_infos` tables)	Configured in service YAML files
Redis	Caches auth_key for fast lookup	Configured in service YAML files
etcd	Service discovery between gnetway and session	`etcd.hosts` in YAML config

No credentials are required to read or install this skill. The above table is for reference only when operating the actual Teamgram Server.

Core Data Structure

The decrypted data structure is mtproto.TLMessage2, whose Object field contains the specific TL RPC call (e.g., auth.sendCode, messages.sendMessage, etc.).

QuickAck Mechanism

gnetway implements QuickAck token computation. ACKs must be encoded through the codec to avoid obfuscated CTR counter desync (otherwise Android clients will fail at decryptServerResponse).

Reference function (from app/interface/gnetway/internal/server/gnet/server_gnet.go:298-305 in teamgram-server):

func computeQuickAckToken(authKey []byte, encryptedData []byte) uint32 {
    h := sha256.New()
    h.Write(authKey[88 : 88+32])
    h.Write(encryptedData)
    var sum [32]byte
    h.Sum(sum[:0])
    return binary.LittleEndian.Uint32(sum[:4]) | 0x80000000
}

Encrypted Message Processing Flow

Decrypt via authKey.AesIgeDecrypt
Extract from decrypted payload header: salt, sessionId, msgId
Forward payload[16:] to session service via SessionDispatcher.SendData (gRPC)

auth_key Caching and QueryAuthKey

When connContext lacks an authKey, gnetway asynchronously calls the session service's QueryAuthKey RPC, then proceeds with onEncryptedMessage after receiving the key.

Key management note: auth_keys are generated during the DH handshake, stored in MySQL (auth_keys table), and cached in Redis. They are never exposed outside the server process. The gnetway service holds keys only in memory during active connections.

KHF Client Protocol Constants (must match server)

Extracted from KHF client source code:

TLRPC.LAYER = 222
BuildVars.APP_ID = 4
BuildVars.APP_HASH = "014b35b6184100b085b0d0572f9b5103"

These are public application identifiers, not secrets. They must match between client and server for TL schema compatibility.

Important Notes

QuickAck must be encoded through codec, otherwise obfuscated CTR counter will desync
Messages with auth_key_id=0 go through handshake flow; non-zero go through decryption flow
After AES-IGE decryption, the first 16 bytes of payload are salt+sessionId, followed by TLMessage2 data

Source Code References

All code referenced in this skill is from the open-source Teamgram Server project:

Repository: https://github.com/teamgram/teamgram-server
License: Apache-2.0
Gateway code: app/interface/gnetway/
Session code: app/interface/session/
MTProto codec: mtproto/ package

版本历史

共 1 个版本

v1.0.1 当前

2026-03-30 07:21 安全安全

安全检测

腾讯云安全 (Keen)

安全，无风险

查看报告

腾讯云安全 (Sanbu)