/*---------------------------------------------------------------------------*/ zrtp_status_t zrtp_register_with_trusted_mitm(zrtp_stream_t* stream) { zrtp_session_t *session = stream->session; zrtp_status_t s = zrtp_status_bad_param; if (!stream) { return zrtp_status_bad_param; } ZRTP_LOG(3,(_ZTU_,"MARKING this call as REGISTRATION ID=%u\n", stream->id)); if (NULL == stream->zrtp->cb.cache_cb.on_get_mitm) { ZRTP_LOG(2,(_ZTU_,"WARNING: Can't use MiTM Functions with no ZRTP Cache.\n")); return zrtp_status_notavailable; } if (!stream->protocol) { return zrtp_status_bad_param; } /* Passive Client endpoint should NOT generate PBX Secret. */ if ((stream->mitm_mode == ZRTP_MITM_MODE_REG_CLIENT) && (ZRTP_LICENSE_MODE_PASSIVE == stream->zrtp->lic_mode)) { ZRTP_LOG(2,(_ZTU_,"WARNING: Passive Client endpoint should NOT generate PBX Secret.\n")); return zrtp_status_bad_param; } /* * Generate new MitM cache: * pbxsecret = KDF(ZRTPSess, "Trusted MiTM key", (ZIDi | ZIDr), negotiated hash length) */ if ( (stream->state == ZRTP_STATE_SECURE) && ((stream->mitm_mode == ZRTP_MITM_MODE_REG_CLIENT) || (stream->mitm_mode == ZRTP_MITM_MODE_REG_SERVER)) ) { zrtp_string32_t kdf_context = ZSTR_INIT_EMPTY(kdf_context); static const zrtp_string32_t trusted_mitm_key_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_TRUSTMITMKEY_STR); zrtp_string16_t *zidi, *zidr; if (stream->protocol->type == ZRTP_STATEMACHINE_INITIATOR) { zidi = &session->zid; zidr = &session->peer_zid; } else { zidi = &session->peer_zid; zidr = &session->zid; } zrtp_zstrcat(ZSTR_GV(kdf_context), ZSTR_GVP(zidi)); zrtp_zstrcat(ZSTR_GV(kdf_context), ZSTR_GVP(zidr)); _zrtp_kdf( stream, ZSTR_GV(session->zrtpsess), ZSTR_GV(trusted_mitm_key_label), ZSTR_GV(kdf_context), ZRTP_HASH_SIZE, ZSTR_GV(session->secrets.pbxs->value)); session->secrets.pbxs->_cachedflag = 1; session->secrets.pbxs->lastused_at = (uint32_t)(zrtp_time_now()/1000); session->secrets.cached |= ZRTP_BIT_PBX; session->secrets.matches |= ZRTP_BIT_PBX; s = zrtp_status_ok; if (session->zrtp->cb.cache_cb.on_put_mitm) { s = session->zrtp->cb.cache_cb.on_put_mitm( ZSTR_GV(session->zid), ZSTR_GV(session->peer_zid), session->secrets.pbxs); } ZRTP_LOG(3,(_ZTU_,"Makring this call as REGISTRATION - DONE\n")); } return s; }
/*----------------------------------------------------------------------------*/ zrtp_status_t _zrtp_set_public_value( zrtp_stream_t *stream, int is_initiator) { /* * This function performs the following actions according to ZRTP draft 5.6 * a) Computes total hash; * b) Calculates DHResult; * c) Computes final stream key S0, based on DHSS and retained secrets; * d) Computes HMAC Key and ZRTP key; * e) Computes srtp keys and salts and creates srtp session. */ zrtp_session_t *session = stream->session; zrtp_proto_crypto_t* cc = stream->protocol->cc; void* hash_ctx = NULL; static const zrtp_string32_t hmac_keyi_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_INITIATOR_HMAKKEY_STR); static const zrtp_string32_t hmac_keyr_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_RESPONDER_HMAKKEY_STR); static const zrtp_string32_t srtp_mki_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_INITIATOR_KEY_STR); static const zrtp_string32_t srtp_msi_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_INITIATOR_SALT_STR); static const zrtp_string32_t srtp_mkr_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_RESPONDER_KEY_STR); static const zrtp_string32_t srtp_msr_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_RESPONDER_SALT_STR); static const zrtp_string32_t zrtp_keyi_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_INITIATOR_ZRTPKEY_STR); static const zrtp_string32_t zrtp_keyr_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_RESPONDER_ZRTPKEY_STR); uint32_t cipher_key_length = (ZRTP_CIPHER_AES128 == session->blockcipher->base.id) ? 16 : 32; const zrtp_string32_t *output_mk_label; const zrtp_string32_t *output_ms_label; const zrtp_string32_t *input_mk_label; const zrtp_string32_t *input_ms_label; const zrtp_string32_t *hmac_key_label; const zrtp_string32_t *peer_hmac_key_label; const zrtp_string32_t *zrtp_key_label; const zrtp_string32_t *peer_zrtp_key_label; /* Define roles and prepare structures */ if (is_initiator) { output_mk_label = &srtp_mki_label; output_ms_label = &srtp_msi_label; input_mk_label = &srtp_mkr_label; input_ms_label = &srtp_msr_label; hmac_key_label = &hmac_keyi_label; peer_hmac_key_label = &hmac_keyr_label; zrtp_key_label = &zrtp_keyi_label; peer_zrtp_key_label = &zrtp_keyr_label; } else { output_mk_label = &srtp_mkr_label; output_ms_label = &srtp_msr_label; input_mk_label = &srtp_mki_label; input_ms_label = &srtp_msi_label; hmac_key_label = &hmac_keyr_label; peer_hmac_key_label = &hmac_keyi_label; zrtp_key_label = &zrtp_keyr_label; peer_zrtp_key_label = &zrtp_keyi_label; } ZRTP_LOG(3, (_ZTU_,"---------------------------------------------------\n")); ZRTP_LOG(3,(_ZTU_,"\tSWITCHING TO SRTP. ID=%u\n", zrtp_log_mode2str(stream->mode), stream->id)); ZRTP_LOG(3,(_ZTU_,"\tI %s\n", is_initiator ? "Initiator" : "Responder")); /* * Compute total messages hash: * total_hash = hash(Hello of responder | Commit | DHPart1 | DHPart2) for DH streams * total_hash = hash(Hello of responder | Commit ) for Fast modes. */ { uint8_t* tok = NULL; uint16_t tok_len = 0; hash_ctx = session->hash->hash_begin(session->hash); if (0 == hash_ctx) { return zrtp_status_fail; } tok = is_initiator ? (uint8_t*)&stream->messages.peer_hello : (uint8_t*) &stream->messages.hello; tok_len = is_initiator ? stream->messages.peer_hello.hdr.length : stream->messages.hello.hdr.length; tok_len = zrtp_ntoh16(tok_len)*4; session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)tok, tok_len); tok = is_initiator ? (uint8_t*)&stream->messages.commit : (uint8_t*)&stream->messages.peer_commit; tok_len = is_initiator ? stream->messages.commit.hdr.length : stream->messages.peer_commit.hdr.length; tok_len = zrtp_ntoh16(tok_len)*4; session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)tok, tok_len); if (ZRTP_IS_STREAM_DH(stream)) { tok = (uint8_t*) (is_initiator ? &stream->messages.peer_dhpart : &stream->messages.dhpart); tok_len = is_initiator ? stream->messages.peer_dhpart.hdr.length : stream->messages.dhpart.hdr.length; tok_len = zrtp_ntoh16(tok_len)*4; session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)tok, tok_len); tok = (uint8_t*)(is_initiator ? &stream->messages.dhpart : &stream->messages.peer_dhpart); tok_len = is_initiator ? stream->messages.dhpart.hdr.length : stream->messages.peer_dhpart.hdr.length; tok_len = zrtp_ntoh16(tok_len)*4; session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)tok, tok_len); } session->hash->hash_end(session->hash, hash_ctx, ZSTR_GV(cc->mes_hash)); hash_ctx = NULL; } /* total hash computing */ /* Total Hash is ready and we can create KDF_Context */ zrtp_zstrcat(ZSTR_GV(cc->kdf_context), is_initiator ? ZSTR_GV(session->zrtp->zid) : ZSTR_GV(session->peer_zid)); zrtp_zstrcat(ZSTR_GV(cc->kdf_context), is_initiator ? ZSTR_GV(session->peer_zid) : ZSTR_GV(session->zrtp->zid)); zrtp_zstrcat(ZSTR_GV(cc->kdf_context), ZSTR_GV(cc->mes_hash)); /* Derive stream key S0 according to key exchange scheme */ if (zrtp_status_ok != _derive_s0(stream, is_initiator)) { return zrtp_status_fail; } /* * Compute HMAC keys. These values will be used after confirmation: * hmackeyi = KDF(s0, "Initiator HMAC key", KDF_Context, negotiated hash length) * hmackeyr = KDF(s0, "Responder HMAC key", KDF_Context, negotiated hash length) */ _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GVP(hmac_key_label), ZSTR_GV(stream->protocol->cc->kdf_context), session->hash->digest_length, ZSTR_GV(stream->cc.hmackey)); _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GVP(peer_hmac_key_label), ZSTR_GV(stream->protocol->cc->kdf_context), session->hash->digest_length, ZSTR_GV(stream->cc.peer_hmackey)); /* * Computing ZRTP keys for protection of the Confirm packet: * zrtpkeyi = KDF(s0, "Initiator ZRTP key", KDF_Context, negotiated AES key length) * zrtpkeyr = KDF(s0, "Responder ZRTP key", KDF_Context, negotiated AES key length) */ _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GVP(zrtp_key_label), ZSTR_GV(stream->protocol->cc->kdf_context), cipher_key_length, ZSTR_GV(stream->cc.zrtp_key)); _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GVP(peer_zrtp_key_label), ZSTR_GV(stream->protocol->cc->kdf_context), cipher_key_length, ZSTR_GV(stream->cc.peer_zrtp_key)); #if (defined(ZRTP_DEBUG_ZRTP_KEYS) && ZRTP_DEBUG_ZRTP_KEYS == 1) { char print_buff[256]; ZRTP_LOG(3,(_ZTU_,"\t Messages hash:%s\n", hex2str(cc->mes_hash.buffer, cc->mes_hash.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t S0:%s\n", hex2str(cc->s0.buffer, cc->s0.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t ZRTP Sess:%s\n", hex2str(session->zrtpsess.buffer, session->zrtpsess.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t hmackey:%s\n", hex2str(stream->cc.hmackey.buffer, stream->cc.hmackey.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t peer_hmackeyr:%s\n", hex2str(stream->cc.peer_hmackey.buffer, stream->cc.peer_hmackey.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t ZRTP key:%s\n", hex2str(stream->cc.zrtp_key.buffer, stream->cc.zrtp_key.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t Peer ZRTP key:%s\n", hex2str(stream->cc.peer_zrtp_key.buffer, stream->cc.peer_zrtp_key.length, print_buff, sizeof(print_buff)))); } #endif /* * Preparing SRTP crypto engine: * srtpkeyi = KDF(s0, "Initiator SRTP master key", KDF_Context, negotiated AES key length) * srtpsalti = KDF(s0, "Initiator SRTP master salt", KDF_Context, 112) * srtpkeyr = KDF(s0, "Responder SRTP master key", KDF_Context, negotiated AES key length) * srtpsaltr = KDF(s0, "Responder SRTP master salt", KDF_Context, 112) */ { zrtp_srtp_profile_t iprof; zrtp_srtp_profile_t oprof; ZSTR_SET_EMPTY(iprof.salt); ZSTR_SET_EMPTY(iprof.key); iprof.rtp_policy.cipher = session->blockcipher; iprof.rtp_policy.auth_tag_len = session->authtaglength; iprof.rtp_policy.hash = zrtp_comp_find(ZRTP_CC_HASH, ZRTP_SRTP_HASH_HMAC_SHA1, session->zrtp); iprof.rtp_policy.auth_key_len = 20; iprof.rtp_policy.cipher_key_len = cipher_key_length; zrtp_memcpy(&iprof.rtcp_policy, &iprof.rtp_policy, sizeof(iprof.rtcp_policy)); iprof.dk_cipher = session->blockcipher; zrtp_memcpy(&oprof, &iprof, sizeof(iprof)); _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GVP(input_mk_label), ZSTR_GV(stream->protocol->cc->kdf_context), cipher_key_length, ZSTR_GV(iprof.key)); _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GVP(input_ms_label), ZSTR_GV(stream->protocol->cc->kdf_context), 14, ZSTR_GV(iprof.salt)); _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GVP(output_mk_label), ZSTR_GV(stream->protocol->cc->kdf_context), cipher_key_length, ZSTR_GV(oprof.key)); _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GVP(output_ms_label), ZSTR_GV(stream->protocol->cc->kdf_context), 14, ZSTR_GV(oprof.salt)); stream->protocol->_srtp = zrtp_srtp_create(session->zrtp->srtp_global, &iprof, &oprof); /* Profiles and keys in them are not needed anymore - clear them */ zrtp_memset(&iprof, 0, sizeof(iprof)); zrtp_memset(&oprof, 0, sizeof(oprof)); if (!stream->protocol->_srtp) { ZRTP_LOG(1,(_ZTU_,"\tERROR! Can't initialize SRTP engine. ID=%u\n", stream->id)); return zrtp_status_fail; } } /* SRTP initialization */ return zrtp_status_ok; }
/*---------------------------------------------------------------------------*/ zrtp_status_t _zrtp_machine_enter_secure(zrtp_stream_t* stream) { /* * When switching to SECURE all ZRTP crypto values were already computed by * state-machine. Then we need to have logic to manage SAS value and shared * secrets only. So: we compute SAS, refresh secrets flags and save the * secrets to the cache after RS2 and RS1 swapping. We don't need any * crypto sources any longer - destroy them. */ zrtp_status_t s = zrtp_status_ok; zrtp_proto_crypto_t* cc = stream->protocol->cc; zrtp_session_t *session = stream->session; zrtp_secrets_t *secrets = &stream->session->secrets; uint8_t was_exp = 0; uint64_t exp_date = 0; ZRTP_LOG(3,(_ZTU_,"\tEnter state SECURE (%s).\n", zrtp_log_mode2str(stream->mode))); _zrtp_cancel_send_packet_later(stream, ZRTP_NONE); /* * Compute the SAS value if it isn't computed yet. If there are several * streams running in parallel - stream with the biggest hvi should * generate the SAS. */ if (!session->sas1.length) { s = session->sasscheme->compute(session->sasscheme, stream, session->hash, 0); if (zrtp_status_ok != s) { _zrtp_machine_enter_initiatingerror(stream, zrtp_error_software, 1); return s; } ZRTP_LOG(3,(_ZTU_,"\tThis is the very first stream in sID GENERATING SAS value.\n", session->id)); ZRTP_LOG(3,(_ZTU_,"\tSAS computed: <%.16s> <%.16s>.\n", session->sas1.buffer, session->sas2.buffer)); } /* * Compute a new value for RS1 and store the prevoious one. * Compute result secrets' flags. */ if (ZRTP_IS_STREAM_DH(stream)) { ZRTP_LOG(3,(_ZTU_,"\tCheck expiration interval: last_use=%u ttl=%u new_ttl=%u exp=%u now=%u\n", secrets->rs1->lastused_at, secrets->rs1->ttl, stream->cache_ttl, (secrets->rs1->lastused_at + secrets->rs1->ttl), zrtp_time_now()/1000)); if (secrets->rs1->ttl != 0xFFFFFFFF) { exp_date = secrets->rs1->lastused_at; exp_date += secrets->rs1->ttl; if (ZRTP_IS_STREAM_DH(stream) && (exp_date < zrtp_time_now()/1000)) { ZRTP_LOG(3,(_ZTU_,"\tUsing EXPIRED secrets: last_use=%u ttl=%u exp=%u now=%u\n", secrets->rs1->lastused_at, secrets->rs1->ttl, (secrets->rs1->lastused_at + secrets->rs1->ttl), zrtp_time_now()/1000)); was_exp = 1; } } if (!was_exp) { secrets->wrongs = secrets->matches ^ secrets->cached; secrets->wrongs &= ~ZRTP_BIT_RS2; secrets->wrongs &= ~ZRTP_BIT_PBX; } } /* * We going to update RS1 and change appropriate secrets flags. Let's back-up current values. * Back-upped values could be used in debug purposes and in the GUI to reflect current state of the call */ if (!ZRTP_IS_STREAM_MULT(stream)) { secrets->cached_curr = secrets->cached; secrets->matches_curr = secrets->matches; secrets->wrongs_curr = secrets->wrongs; } ZRTP_LOG(3,(_ZTU_,"\tFlags C=%x M=%x W=%x ID=%u\n", secrets->cached, secrets->matches, secrets->wrongs, stream->id)); _zrtp_change_state(stream, ZRTP_STATE_SECURE); /* * Alarm user if the following condition is TRUE for both RS1 and RS2: * "secret is wrong if it has been restored from the cache but hasn't matched * with the remote one". */ if (session->zrtp->cb.event_cb.on_zrtp_protocol_event) { session->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_IS_SECURE); } if (session->zrtp->cb.event_cb.on_zrtp_secure) { session->zrtp->cb.event_cb.on_zrtp_secure(stream); } /* Alarm user if possible MiTM attack detected */ if (secrets->wrongs) { session->mitm_alert_detected = 1; if (session->zrtp->cb.event_cb.on_zrtp_security_event) { session->zrtp->cb.event_cb.on_zrtp_security_event(stream, ZRTP_EVENT_MITM_WARNING); } } /* Check for unenrollemnt first */ if ((secrets->cached & ZRTP_BIT_PBX) && !(secrets->matches & ZRTP_BIT_PBX)) { ZRTP_LOG(2,(_ZTU_,"\tINFO! The user requires new un-enrolment - the nedpint may clear" " the cache or perform other action. ID=%u\n", stream->id)); if (session->zrtp->cb.event_cb.on_zrtp_protocol_event) { session->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_USER_UNENROLLED); } } /* * Handle PBX registration, if required: If PBX already had a shared secret * for the ZID it leaves the cache entry unmodified. Else, it computes a new * one. If the PBX detects cache entry for the static shared secret, but the * phone does not have a matching cache entry - the PBX generates a new one. */ if (ZRTP_MITM_MODE_REG_SERVER == stream->mitm_mode) { if (secrets->matches & ZRTP_BIT_PBX) { ZRTP_LOG(2,(_ZTU_,"\tINFO! User have been already registered - skip enrollment ritual. ID=%u\n", stream->id)); if (session->zrtp->cb.event_cb.on_zrtp_protocol_event) { session->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_USER_ALREADY_ENROLLED); } } else { ZRTP_LOG(2,(_ZTU_,"\tINFO! The user requires new enrolment - generate new MiTM secret. ID=%u\n", stream->id)); zrtp_register_with_trusted_mitm(stream); if (session->zrtp->cb.event_cb.on_zrtp_protocol_event) { stream->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_NEW_USER_ENROLLED); } } } else if (ZRTP_MITM_MODE_REG_CLIENT == stream->mitm_mode) { if (session->zrtp->cb.event_cb.on_zrtp_protocol_event) { session->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_IS_CLIENT_ENROLLMENT); } } /* * Compute new RS for FULL DH streams only. Don't update RS1 if cache TTL is 0 */ if (ZRTP_IS_STREAM_DH(stream)) { static const zrtp_string32_t rss_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_RS_STR); if (stream->cache_ttl > 0) { /* Replace RS2 with RS1 */ zrtp_sys_free(secrets->rs2); secrets->rs2 = secrets->rs1; secrets->rs1 = _zrtp_alloc_shared_secret(session); if (!secrets->rs1) { _zrtp_machine_enter_initiatingerror(stream, zrtp_error_software, 1); return zrtp_status_fail; } /* * Compute new RS1 based on previous one and S0: * rs1 = KDF(s0, "retained secret", KDF_Context, negotiated hash length) */ _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GV(rss_label), ZSTR_GV(cc->kdf_context), ZRTP_HASH_SIZE, ZSTR_GV(secrets->rs1->value)); /* * Mark secrets as cached: RS1 have been just generated and cached; * RS2 is cached if previous secret was cached as well. */ secrets->rs1->_cachedflag = 1; secrets->cached |= ZRTP_BIT_RS1; secrets->matches |= ZRTP_BIT_RS1; if (secrets->rs2->_cachedflag) { secrets->cached |= ZRTP_BIT_RS2; } /* Let's update the TTL interval for the new secret */ secrets->rs1->ttl = stream->cache_ttl; secrets->rs1->lastused_at = (uint32_t)(zrtp_time_now()/1000); /* If possible MiTM attach detected - postpone storing the cache until after the user verify the SAS */ if (!session->mitm_alert_detected) { zrtp_cache_put(session->zrtp->cache, ZSTR_GV(session->peer_zid), secrets->rs1); } { uint32_t verifiedflag = 0; char buff[128]; zrtp_cache_get_verified(session->zrtp->cache, ZSTR_GV(session->peer_zid), &verifiedflag); ZRTP_LOG(3,(_ZTU_,"\tNew secret was generated:\n")); ZRTP_LOG(3,(_ZTU_,"\t\tRS1 value:<%s>\n", hex2str(secrets->rs1->value.buffer, secrets->rs1->value.length, buff, sizeof(buff)))); ZRTP_LOG(3,(_ZTU_,"\t\tTTL=%u, flags C=%x M=%x W=%x V=%d\n", secrets->rs1->ttl, secrets->cached, secrets->matches, secrets->wrongs, verifiedflag)); } } /* for TTL > 0 only */ else { secrets->rs1->ttl = 0; zrtp_cache_put(session->zrtp->cache, ZSTR_GV(session->peer_zid), secrets->rs1); } } /* For DH mode only */ if (session->zrtp->cb.event_cb.on_zrtp_protocol_event) { session->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_IS_SECURE_DONE); } /* We have computed all subkeys from S0 and don't need it any longer. */ zrtp_wipe_zstring(ZSTR_GV(cc->s0)); /* Clear DH crypto context */ if (ZRTP_IS_STREAM_DH(stream)) { bnEnd(&stream->dh_cc.peer_pv); bnEnd(&stream->dh_cc.pv); bnEnd(&stream->dh_cc.sv); zrtp_wipe_zstring(ZSTR_GV(stream->dh_cc.dhss)); } /* * Now, let's check if the transition to CLEAR was caused by Active/Passive rules. * If local endpoint is a MitM and peer MiTM linked stream is Unlimited, we * could break the rules and send commit to Passive endpoint. */ if (stream->zrtp->is_mitm && stream->peer_super_flag) { if (stream->linked_mitm && stream->linked_mitm->peer_passive) { if (stream->linked_mitm->state == ZRTP_STATE_CLEAR) { ZRTP_LOG(2,(_ZTU_,"INFO: Linked Peer stream id=%u suspended in CLEAR-state due to" " Active/Passive restrictions, but we are running in MiTM mode and " "current peer endpoint is Super-Active. Let's Go Secure for the linked stream.\n", stream->id)); /* @note: don't use zrtp_secure_stream() wrapper as it checks for Active/Passive stuff. */ _zrtp_machine_start_initiating_secure(stream->linked_mitm); } } } /* * Increase calls counter for Preshared mode and reset it on DH */ uint32_t calls_counter = 0; zrtp_cache_get_presh_counter(session->zrtp->cache, ZSTR_GV(session->peer_zid), &calls_counter); if (ZRTP_IS_STREAM_DH(stream)) { zrtp_cache_set_presh_counter(session->zrtp->cache, ZSTR_GV(session->peer_zid), 0); } else if ZRTP_IS_STREAM_PRESH(stream) { zrtp_cache_set_presh_counter(session->zrtp->cache, ZSTR_GV(session->peer_zid), ++calls_counter); } clear_crypto_sources(stream); return zrtp_status_ok; }
/*---------------------------------------------------------------------------*/ static zrtp_status_t _derive_s0(zrtp_stream_t* stream, int is_initiator) { static const zrtp_string32_t zrtp_kdf_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_KDF_STR); static const zrtp_string32_t zrtp_sess_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_SESS_STR); static const zrtp_string32_t zrtp_multi_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_MULTI_STR); static const zrtp_string32_t zrtp_presh_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_PRESH_STR); zrtp_session_t *session = stream->session; zrtp_secrets_t* secrets = &session->secrets; zrtp_proto_crypto_t* cc = stream->protocol->cc; void* hash_ctx = NULL; char print_buff[256]; switch (stream->mode) { /* * S0 computing for FULL DH exchange * S0 computing. s0 is the master shared secret used for all * cryptographic operations. In particular, note the inclusion * of "total_hash", a hash of all packets exchanged up to this * point. This belatedly detects any tampering with earlier * packets, e.g. bid-down attacks. * * s0 = hash( 1 | DHResult | "ZRTP-HMAC-KDF" | ZIDi | ZIDr | * total_hash | len(s1) | s1 | len(s2) | s2 | len(s3) | s3 ) * The constant 1 and all lengths are 32 bits big-endian values. * The fields without length prefixes are fixed-witdh: * - DHresult is fixed to the width of the DH prime. * - The hash type string and ZIDs are fixed width. * - total_hash is fixed by the hash negotiation. * The constant 1 is per NIST SP 800-56A section 5.8.1, and is * a counter which can be incremented to generate more than 256 * bits of key material. * ======================================================================== */ case ZRTP_STREAM_MODE_DH: { zrtp_proto_secret_t *C[3] = { 0, 0, 0}; int i = 0; uint32_t comp_length = 0; zrtp_stringn_t *zidi = NULL, *zidr = NULL; struct BigNum dhresult; #if (defined(ZRTP_USE_STACK_MINIM) && (ZRTP_USE_STACK_MINIM == 1)) zrtp_uchar1024_t* buffer = zrtp_sys_alloc( sizeof(zrtp_uchar1024_t) ); if (!buffer) { return zrtp_status_alloc_fail; } #else zrtp_uchar1024_t holder; zrtp_uchar1024_t* buffer = &holder; #endif ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 from DH exchange and RS secrets...\n")); ZRTP_LOG(3,(_ZTU_,"\t my rs1ID:%s\n", hex2str(cc->rs1.id.buffer, cc->rs1.id.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t his rs1ID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t his rs1ID comp:%s\n", hex2str(cc->rs1.peer_id.buffer, cc->rs1.peer_id.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t my rs2ID:%s\n", hex2str(cc->rs2.id.buffer, cc->rs2.id.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t his rs2ID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t his rs2ID comp:%s\n", hex2str(cc->rs2.peer_id.buffer, cc->rs2.peer_id.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t my pbxsID:%s\n", hex2str(cc->pbxs.id.buffer, cc->pbxs.id.length, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\t his pbxsID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.pbxsID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff)))); ZRTP_LOG(3,(_ZTU_,"\this pbxsID comp:%s\n", hex2str(cc->pbxs.peer_id.buffer, cc->pbxs.peer_id.length, print_buff, sizeof(print_buff)))); hash_ctx = session->hash->hash_begin(session->hash); if (0 == hash_ctx) { ZRTP_LOG(1,(_ZTU_, "\tERROR! can't start hash calculation for S0 computing. ID=%u.\n", stream->id)); return zrtp_status_fail; } /* * NIST requires a 32-bit big-endian integer counter to be included * in the hash each time the hash is computed, which we have set to * the fixed value of 1, because we only compute the hash once. */ comp_length = zrtp_hton32(1L); session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&comp_length, 4); switch (stream->pubkeyscheme->base.id) { case ZRTP_PKTYPE_DH2048: case ZRTP_PKTYPE_DH3072: case ZRTP_PKTYPE_DH4096: comp_length = stream->pubkeyscheme->pv_length; ZRTP_LOG(3,(_ZTU_,"DH comp_length=%u\n", comp_length)); break; case ZRTP_PKTYPE_EC256P: case ZRTP_PKTYPE_EC384P: case ZRTP_PKTYPE_EC521P: comp_length = stream->pubkeyscheme->pv_length/2; ZRTP_LOG(3,(_ZTU_,"ECDH comp_length=%u\n", comp_length)); break; default: break; } bnBegin(&dhresult); stream->pubkeyscheme->compute(stream->pubkeyscheme, &stream->dh_cc, &dhresult, &stream->dh_cc.peer_pv); bnExtractBigBytes(&dhresult, (uint8_t *)buffer, 0, comp_length); session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)buffer, comp_length); bnEnd(&dhresult); #if (defined(ZRTP_USE_STACK_MINIM) && (ZRTP_USE_STACK_MINIM == 1)) zrtp_sys_free(buffer); #endif /* Add "ZRTP-HMAC-KDF" to the S0 hash */ session->hash->hash_update( session->hash, hash_ctx, (const int8_t*)&zrtp_kdf_label.buffer, zrtp_kdf_label.length); /* Then Initiator's and Responder's ZIDs */ if (stream->protocol->type == ZRTP_STATEMACHINE_INITIATOR) { zidi = ZSTR_GV(stream->session->zrtp->zid); zidr = ZSTR_GV(stream->session->peer_zid); } else { zidr = ZSTR_GV(stream->session->zrtp->zid); zidi = ZSTR_GV(stream->session->peer_zid); } session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&zidi->buffer, zidi->length); session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&zidr->buffer, zidr->length); session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&cc->mes_hash.buffer, cc->mes_hash.length); /* If everything is OK - RS1 should much */ if (!zrtp_memcmp(cc->rs1.peer_id.buffer, stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE)) { C[0] = &cc->rs1; secrets->matches |= ZRTP_BIT_RS1; } /* If we have lost our RS1 - remote party should use backup (RS2) instead */ else if (!zrtp_memcmp(cc->rs1.peer_id.buffer, stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE)) { C[0] = &cc->rs1; secrets->matches |= ZRTP_BIT_RS1; ZRTP_LOG(2,(_ZTU_,"\tINFO! We have lost our RS1 from previous broken exchange" " - remote party will use RS2 backup. ID=%u\n", stream->id)); } /* If remote party lost it's secret - we will use backup */ else if (!zrtp_memcmp(cc->rs2.peer_id.buffer, stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE)) { C[0] = &cc->rs2; cc->rs1 = cc->rs2; secrets->matches |= ZRTP_BIT_RS1; secrets->cached |= ZRTP_BIT_RS1; ZRTP_LOG(2,(_ZTU_,"\tINFO! Remote party has lost it's RS1 - use RS2 backup. ID=%u\n", stream->id)); } else { secrets->matches &= ~ZRTP_BIT_RS1; zrtp_cache_set_verified(session->zrtp->cache, ZSTR_GV(session->peer_zid), 0); zrtp_cache_reset_secure_since(session->zrtp->cache, ZSTR_GV(session->peer_zid)); ZRTP_LOG(2,(_ZTU_,"\tINFO! Our RS1 doesn't equal to other-side's one %s. ID=%u\n", cc->rs1.secret->_cachedflag ? " - drop verified!" : "", stream->id)); } if (!zrtp_memcmp(cc->rs2.peer_id.buffer, stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE)) { secrets->matches |= ZRTP_BIT_RS2; if (0 == C[0]) { C[0] = &cc->rs2; } } if (secrets->auxs && (!zrtp_memcmp(stream->messages.peer_dhpart.auxsID, cc->auxs.peer_id.buffer, ZRTP_RSID_SIZE)) ) { C[1] =&cc->auxs; secrets->matches |= ZRTP_BIT_AUX; } if ( secrets->pbxs && (!zrtp_memcmp(stream->messages.peer_dhpart.pbxsID, cc->pbxs.peer_id.buffer, ZRTP_RSID_SIZE)) ) { C[2] = &cc->pbxs; secrets->matches |= ZRTP_BIT_PBX; } /* Finally hashing matched shared secrets */ for (i=0; i<3; i++) { /* * Some of the shared secrets s1 through s5 may have lengths of zero * if they are null (not shared), and are each preceded by a 4-octet * length field. For example, if s4 is null, len(s4) is 00 00 00 00, * and s4 itself would be absent from the hash calculation, which * means len(s5) would immediately follow len(s4). */ comp_length = C[i] ? zrtp_hton32(ZRTP_RS_SIZE) : 0; session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&comp_length, 4); if (C[i]) { session->hash->hash_update( session->hash, hash_ctx, (const int8_t*)C[i]->secret->value.buffer, C[i]->secret->value.length ); ZRTP_LOG(3,(_ZTU_,"\tUse S%d in calculations.\n", i+1)); } } session->hash->hash_end(session->hash, hash_ctx, ZSTR_GV(cc->s0)); } break; /* S0 for for DH and Preshared streams */ /* * Compute all possible combinations of preshared_key: * hash(len(rs1) | rs1 | len(auxsecret) | auxsecret | len(pbxsecret) | pbxsecret) * Find matched preshared_key and derive S0 from it: * s0 = KDF(preshared_key, "ZRTP Stream Key", KDF_Context, negotiated hash length) * * INFO: Take into account that RS1 and RS2 may be swapped. * If no matched were found - generate DH commit. * ======================================================================== */ case ZRTP_STREAM_MODE_PRESHARED: { zrtp_status_t s = zrtp_status_ok; zrtp_string32_t presh_key = ZSTR_INIT_EMPTY(presh_key); ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 for PRESHARED from cached secret. ID=%u\n", stream->id)); /* Use the same hash as we used for Commitment */ if (is_initiator) { s = _zrtp_compute_preshared_key( session, ZSTR_GV(session->secrets.rs1->value), (session->secrets.auxs->_cachedflag) ? ZSTR_GV(session->secrets.auxs->value) : NULL, (session->secrets.pbxs->_cachedflag) ? ZSTR_GV(session->secrets.pbxs->value) : NULL, ZSTR_GV(presh_key), NULL); if (zrtp_status_ok != s) { return s; } secrets->matches |= ZRTP_BIT_RS1; if (session->secrets.auxs->_cachedflag) { secrets->matches |= ZRTP_BIT_AUX; } if (session->secrets.pbxs->_cachedflag) { secrets->matches |= ZRTP_BIT_PBX; } } /* * Let's find appropriate hv key for Responder: * <RS1, 0, 0>, <RS1, AUX, 0>, <RS1, 0, PBX>, <RS1, AUX, PBX>. */ else { int res=-1; char* peer_key_id = (char*)stream->messages.peer_commit.hv+ZRTP_HV_NONCE_SIZE; zrtp_string8_t key_id = ZSTR_INIT_EMPTY(key_id); do { /* RS1 MUST be available at this stage.*/ s = _zrtp_compute_preshared_key( session, ZSTR_GV(secrets->rs1->value), NULL, NULL, ZSTR_GV(presh_key), ZSTR_GV(key_id)); if (zrtp_status_ok == s) { res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE); if (0 == res) { secrets->matches |= ZRTP_BIT_RS1; break; } } if (session->secrets.pbxs->_cachedflag) { s = _zrtp_compute_preshared_key( session, ZSTR_GV(secrets->rs1->value), NULL, ZSTR_GV(secrets->pbxs->value), ZSTR_GV(presh_key), ZSTR_GV(key_id)); if (zrtp_status_ok == s) { res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE); if (0 == res) { secrets->matches |= ZRTP_BIT_PBX; break; } } } if (session->secrets.auxs->_cachedflag) { s = _zrtp_compute_preshared_key( session, ZSTR_GV(secrets->rs1->value), ZSTR_GV(secrets->auxs->value), NULL, ZSTR_GV(presh_key), ZSTR_GV(key_id)); if (zrtp_status_ok == s) { res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE); if (0 == res) { secrets->matches |= ZRTP_BIT_AUX; break; } } } if ((session->secrets.pbxs->_cachedflag) && (session->secrets.auxs->_cachedflag)) { s = _zrtp_compute_preshared_key( session, ZSTR_GV(secrets->rs1->value), ZSTR_GV(secrets->auxs->value), ZSTR_GV(secrets->pbxs->value), ZSTR_GV(presh_key), ZSTR_GV(key_id)); if (zrtp_status_ok == s) { res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE); if (0 == res) { secrets->matches |= ZRTP_BIT_AUX; secrets->matches |= ZRTP_BIT_PBX; break; } } } } while (0); if (0 != res) { ZRTP_LOG(3,(_ZTU_,"\tINFO! Matched Key wasn't found - initate DH exchange.\n")); secrets->cached = 0; secrets->rs1->_cachedflag = 0; _zrtp_machine_start_initiating_secure(stream); return zrtp_status_ok; } } ZRTP_LOG(3,(_ZTU_,"\tUse RS1, %s, %s in calculations.\n", (session->secrets.matches & ZRTP_BIT_AUX) ? "AUX" : "NULL", (session->secrets.matches & ZRTP_BIT_PBX) ? "PBX" : "NULL")); _zrtp_kdf( stream, ZSTR_GV(presh_key), ZSTR_GV(zrtp_presh_label), ZSTR_GV(stream->protocol->cc->kdf_context), session->hash->digest_length, ZSTR_GV(cc->s0)); } break; /* * For FAST Multistream: * s0n = KDF(ZRTPSess, "ZRTP Multistream Key", KDF_Context, negotiated hash length) * ======================================================================== */ case ZRTP_STREAM_MODE_MULT: { ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 for MULTISTREAM from ZRTP Session key... ID=%u\n", stream->id)); _zrtp_kdf( stream, ZSTR_GV(session->zrtpsess), ZSTR_GV(zrtp_multi_label), ZSTR_GV(stream->protocol->cc->kdf_context), session->hash->digest_length, ZSTR_GV(cc->s0)); } break; default: break; } /* * Compute ZRTP session key for FULL streams only: * ZRTPSess = KDF(s0, "ZRTP Session Key", KDF_Context, negotiated hash length) */ if (!ZRTP_IS_STREAM_MULT(stream)) { if (session->zrtpsess.length == 0) { _zrtp_kdf( stream, ZSTR_GV(cc->s0), ZSTR_GV(zrtp_sess_label), ZSTR_GV(stream->protocol->cc->kdf_context), session->hash->digest_length, ZSTR_GV(session->zrtpsess)); } } return zrtp_status_ok; }