# Client-to-Client Protocol Wormhole clients do not talk directly to each other (at least at first): they only connect directly to the Mailbox Server. They ask this server to convey messages to the other client (via the `add` command and the `message` response). This document explains the format of these client-to-client messages. Each such message contains a "phase" string, and a hex-encoded binary "body". Any phase which is purely numeric (`^\d+$`) is reserved for encrypted application data. The Mailbox server may deliver these messages multiple times, or out-of-order, but the wormhole client will deliver the corresponding decrypted data to the application in strict numeric order. All other (non-numeric) phases are reserved for the Wormhole client itself. Clients will ignore any phase they do not recognize. Immediately upon opening the mailbox, clients send the `pake` phase, which contains the binary SPAKE2 message (the one computed as `X+M*pw` or `Y+N*pw`). Upon receiving their peer's `pake` phase, clients compute and remember the shared key. They derive the "verifier" (a hash of the shared key) and deliver it to the application by calling `got_verifier`: applications can display this to users who want additional assurance (by manually comparing the values from both sides: they ought to be identical). At this point clients also send the encrypted `version` phase, whose plaintext payload is a UTF-8-encoded JSON-encoded dictionary of metadata. This allows the two Wormhole instances to signal their ability to do other things (like "dilate" the wormhole). The version data will also include an `app_versions` key which contains a dictionary of metadata provided by the application, allowing apps to perform similar negotiation. At this stage, the client knows the supposed shared key, but has not yet seen evidence that the peer knows it too. When the first peer message arrives (i.e. the first message with a `.side` that does not equal our own), it will be decrypted: we use authenticated encryption (`nacl.SecretBox`), so if this decryption succeeds, then we're confident that *somebody* used the same wormhole code as us. This event pushes the client mood from "lonely" to "happy". This might be triggered by the peer's `version` message, but if we had to re-establish the Mailbox Server connection, we might get peer messages out of order and see some application-level message first. When a `version` message is successfully decrypted, the application is signaled with `got_version`. When any application message is successfully decrypted, `received` is signaled. Application messages are delivered strictly in-order: if we see phases 3 then 2 then 1, all three will be delivered in sequence after phase 1 is received. If any message cannot be successfully decrypted, the mood is set to "scary", and the wormhole is closed. All pending Deferreds will be errbacked with a `WrongPasswordError` (a subclass of `WormholeError`), the nameplate/mailbox will be released, and the WebSocket connection will be dropped. If the application calls `close()`, the resulting Deferred will not fire until deallocation has finished and the WebSocket is closed, and then it will fire with an errback. Both `version` and all numeric (app-specific) phases are encrypted. The message body will be the hex-encoded output of a NaCl `SecretBox`, keyed by a phase+side -specific key (computed with HKDF-SHA256, using the shared PAKE key as the secret input, and `wormhole:phase:%s%s % (SHA256(side), SHA256(phase))` as the CTXinfo), with a random nonce.