static int verify_sas(struct re_printf *pf, void *arg)
{
const struct cmd_arg *carg = arg;
(void)pf;
if (str_isset(carg->prm)) {
char rzid[ZRTP_STRING16] = "";
zrtp_status_t s;
zrtp_string16_t remote_zid = ZSTR_INIT_EMPTY(remote_zid);
if (str_len(carg->prm) != 24) {
warning("zrtp: invalid remote ZID (%s)\n", carg->prm);
return EINVAL;
}
(void) str2hex(carg->prm, (int) str_len(carg->prm),
rzid, sizeof(rzid));
zrtp_zstrncpyc(ZSTR_GV(remote_zid), (const char*)rzid,
sizeof(zrtp_zid_t));
s = zrtp_cache_set_verified(zrtp_global->cache,
ZSTR_GV(remote_zid),
true);
if (s == zrtp_status_ok)
info("zrtp: SAS for peer %s verified\n", carg->prm);
else {
warning("zrtp: zrtp_cache_set_verified"
" failed (status = %d)\n", s);
return EINVAL;
}
}
return 0;
}
/*---------------------------------------------------------------------------*/
static zrtp_status_t _derive_s0(zrtp_stream_t* stream, int is_initiator)
{
static const zrtp_string32_t zrtp_kdf_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_KDF_STR);
static const zrtp_string32_t zrtp_sess_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_SESS_STR);
static const zrtp_string32_t zrtp_multi_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_MULTI_STR);
static const zrtp_string32_t zrtp_presh_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_PRESH_STR);
zrtp_session_t *session = stream->session;
zrtp_secrets_t* secrets = &session->secrets;
zrtp_proto_crypto_t* cc = stream->protocol->cc;
void* hash_ctx = NULL;
char print_buff[256];
switch (stream->mode)
{
/*
* S0 computing for FULL DH exchange
* S0 computing. s0 is the master shared secret used for all
* cryptographic operations. In particular, note the inclusion
* of "total_hash", a hash of all packets exchanged up to this
* point. This belatedly detects any tampering with earlier
* packets, e.g. bid-down attacks.
*
* s0 = hash( 1 | DHResult | "ZRTP-HMAC-KDF" | ZIDi | ZIDr |
* total_hash | len(s1) | s1 | len(s2) | s2 | len(s3) | s3 )
* The constant 1 and all lengths are 32 bits big-endian values.
* The fields without length prefixes are fixed-witdh:
* - DHresult is fixed to the width of the DH prime.
* - The hash type string and ZIDs are fixed width.
* - total_hash is fixed by the hash negotiation.
* The constant 1 is per NIST SP 800-56A section 5.8.1, and is
* a counter which can be incremented to generate more than 256
* bits of key material.
* ========================================================================
*/
case ZRTP_STREAM_MODE_DH:
{
zrtp_proto_secret_t *C[3] = { 0, 0, 0};
int i = 0;
uint32_t comp_length = 0;
zrtp_stringn_t *zidi = NULL, *zidr = NULL;
struct BigNum dhresult;
#if (defined(ZRTP_USE_STACK_MINIM) && (ZRTP_USE_STACK_MINIM == 1))
zrtp_uchar1024_t* buffer = zrtp_sys_alloc( sizeof(zrtp_uchar1024_t) );
if (!buffer) {
return zrtp_status_alloc_fail;
}
#else
zrtp_uchar1024_t holder;
zrtp_uchar1024_t* buffer = &holder;
#endif
ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 from DH exchange and RS secrets...\n"));
ZRTP_LOG(3,(_ZTU_,"\t my rs1ID:%s\n", hex2str(cc->rs1.id.buffer, cc->rs1.id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his rs1ID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his rs1ID comp:%s\n", hex2str(cc->rs1.peer_id.buffer, cc->rs1.peer_id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t my rs2ID:%s\n", hex2str(cc->rs2.id.buffer, cc->rs2.id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his rs2ID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his rs2ID comp:%s\n", hex2str(cc->rs2.peer_id.buffer, cc->rs2.peer_id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t my pbxsID:%s\n", hex2str(cc->pbxs.id.buffer, cc->pbxs.id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his pbxsID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.pbxsID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\this pbxsID comp:%s\n", hex2str(cc->pbxs.peer_id.buffer, cc->pbxs.peer_id.length, print_buff, sizeof(print_buff))));
hash_ctx = session->hash->hash_begin(session->hash);
if (0 == hash_ctx) {
ZRTP_LOG(1,(_ZTU_, "\tERROR! can't start hash calculation for S0 computing. ID=%u.\n", stream->id));
return zrtp_status_fail;
}
/*
* NIST requires a 32-bit big-endian integer counter to be included
* in the hash each time the hash is computed, which we have set to
* the fixed value of 1, because we only compute the hash once.
*/
comp_length = zrtp_hton32(1L);
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&comp_length, 4);
switch (stream->pubkeyscheme->base.id) {
case ZRTP_PKTYPE_DH2048:
case ZRTP_PKTYPE_DH3072:
case ZRTP_PKTYPE_DH4096:
comp_length = stream->pubkeyscheme->pv_length;
ZRTP_LOG(3,(_ZTU_,"DH comp_length=%u\n", comp_length));
break;
case ZRTP_PKTYPE_EC256P:
case ZRTP_PKTYPE_EC384P:
case ZRTP_PKTYPE_EC521P:
comp_length = stream->pubkeyscheme->pv_length/2;
ZRTP_LOG(3,(_ZTU_,"ECDH comp_length=%u\n", comp_length));
break;
default:
break;
}
bnBegin(&dhresult);
stream->pubkeyscheme->compute(stream->pubkeyscheme,
&stream->dh_cc,
&dhresult,
&stream->dh_cc.peer_pv);
bnExtractBigBytes(&dhresult, (uint8_t *)buffer, 0, comp_length);
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)buffer, comp_length);
bnEnd(&dhresult);
#if (defined(ZRTP_USE_STACK_MINIM) && (ZRTP_USE_STACK_MINIM == 1))
zrtp_sys_free(buffer);
#endif
/* Add "ZRTP-HMAC-KDF" to the S0 hash */
session->hash->hash_update( session->hash, hash_ctx,
(const int8_t*)&zrtp_kdf_label.buffer,
zrtp_kdf_label.length);
/* Then Initiator's and Responder's ZIDs */
if (stream->protocol->type == ZRTP_STATEMACHINE_INITIATOR) {
zidi = ZSTR_GV(stream->session->zrtp->zid);
zidr = ZSTR_GV(stream->session->peer_zid);
} else {
zidr = ZSTR_GV(stream->session->zrtp->zid);
zidi = ZSTR_GV(stream->session->peer_zid);
}
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&zidi->buffer, zidi->length);
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&zidr->buffer, zidr->length);
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&cc->mes_hash.buffer, cc->mes_hash.length);
/* If everything is OK - RS1 should much */
if (!zrtp_memcmp(cc->rs1.peer_id.buffer, stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE))
{
C[0] = &cc->rs1;
secrets->matches |= ZRTP_BIT_RS1;
}
/* If we have lost our RS1 - remote party should use backup (RS2) instead */
else if (!zrtp_memcmp(cc->rs1.peer_id.buffer, stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE))
{
C[0] = &cc->rs1;
secrets->matches |= ZRTP_BIT_RS1;
ZRTP_LOG(2,(_ZTU_,"\tINFO! We have lost our RS1 from previous broken exchange"
" - remote party will use RS2 backup. ID=%u\n", stream->id));
}
/* If remote party lost it's secret - we will use backup */
else if (!zrtp_memcmp(cc->rs2.peer_id.buffer, stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE))
{
C[0] = &cc->rs2;
cc->rs1 = cc->rs2;
secrets->matches |= ZRTP_BIT_RS1;
secrets->cached |= ZRTP_BIT_RS1;
ZRTP_LOG(2,(_ZTU_,"\tINFO! Remote party has lost it's RS1 - use RS2 backup. ID=%u\n", stream->id));
}
else
{
secrets->matches &= ~ZRTP_BIT_RS1;
zrtp_cache_set_verified(session->zrtp->cache, ZSTR_GV(session->peer_zid), 0);
zrtp_cache_reset_secure_since(session->zrtp->cache, ZSTR_GV(session->peer_zid));
ZRTP_LOG(2,(_ZTU_,"\tINFO! Our RS1 doesn't equal to other-side's one %s. ID=%u\n",
cc->rs1.secret->_cachedflag ? " - drop verified!" : "", stream->id));
}
if (!zrtp_memcmp(cc->rs2.peer_id.buffer, stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE)) {
secrets->matches |= ZRTP_BIT_RS2;
if (0 == C[0]) {
C[0] = &cc->rs2;
}
}
if (secrets->auxs &&
(!zrtp_memcmp(stream->messages.peer_dhpart.auxsID, cc->auxs.peer_id.buffer, ZRTP_RSID_SIZE)) ) {
C[1] =&cc->auxs;
secrets->matches |= ZRTP_BIT_AUX;
}
if ( secrets->pbxs &&
(!zrtp_memcmp(stream->messages.peer_dhpart.pbxsID, cc->pbxs.peer_id.buffer, ZRTP_RSID_SIZE)) ) {
C[2] = &cc->pbxs;
secrets->matches |= ZRTP_BIT_PBX;
}
/* Finally hashing matched shared secrets */
for (i=0; i<3; i++) {
/*
* Some of the shared secrets s1 through s5 may have lengths of zero
* if they are null (not shared), and are each preceded by a 4-octet
* length field. For example, if s4 is null, len(s4) is 00 00 00 00,
* and s4 itself would be absent from the hash calculation, which
* means len(s5) would immediately follow len(s4).
*/
comp_length = C[i] ? zrtp_hton32(ZRTP_RS_SIZE) : 0;
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&comp_length, 4);
if (C[i]) {
session->hash->hash_update( session->hash,
hash_ctx,
(const int8_t*)C[i]->secret->value.buffer,
C[i]->secret->value.length );
ZRTP_LOG(3,(_ZTU_,"\tUse S%d in calculations.\n", i+1));
}
}
session->hash->hash_end(session->hash, hash_ctx, ZSTR_GV(cc->s0));
} break; /* S0 for for DH and Preshared streams */
/*
* Compute all possible combinations of preshared_key:
* hash(len(rs1) | rs1 | len(auxsecret) | auxsecret | len(pbxsecret) | pbxsecret)
* Find matched preshared_key and derive S0 from it:
* s0 = KDF(preshared_key, "ZRTP Stream Key", KDF_Context, negotiated hash length)
*
* INFO: Take into account that RS1 and RS2 may be swapped.
* If no matched were found - generate DH commit.
* ========================================================================
*/
case ZRTP_STREAM_MODE_PRESHARED:
{
zrtp_status_t s = zrtp_status_ok;
zrtp_string32_t presh_key = ZSTR_INIT_EMPTY(presh_key);
ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 for PRESHARED from cached secret. ID=%u\n", stream->id));
/* Use the same hash as we used for Commitment */
if (is_initiator)
{
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(session->secrets.rs1->value),
(session->secrets.auxs->_cachedflag) ? ZSTR_GV(session->secrets.auxs->value) : NULL,
(session->secrets.pbxs->_cachedflag) ? ZSTR_GV(session->secrets.pbxs->value) : NULL,
ZSTR_GV(presh_key),
NULL);
if (zrtp_status_ok != s) {
return s;
}
secrets->matches |= ZRTP_BIT_RS1;
if (session->secrets.auxs->_cachedflag) {
secrets->matches |= ZRTP_BIT_AUX;
}
if (session->secrets.pbxs->_cachedflag) {
secrets->matches |= ZRTP_BIT_PBX;
}
}
/*
* Let's find appropriate hv key for Responder:
* <RS1, 0, 0>, <RS1, AUX, 0>, <RS1, 0, PBX>, <RS1, AUX, PBX>.
*/
else
{
int res=-1;
char* peer_key_id = (char*)stream->messages.peer_commit.hv+ZRTP_HV_NONCE_SIZE;
zrtp_string8_t key_id = ZSTR_INIT_EMPTY(key_id);
do {
/* RS1 MUST be available at this stage.*/
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(secrets->rs1->value),
NULL,
NULL,
ZSTR_GV(presh_key),
ZSTR_GV(key_id));
if (zrtp_status_ok == s) {
res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE);
if (0 == res) {
secrets->matches |= ZRTP_BIT_RS1;
break;
}
}
if (session->secrets.pbxs->_cachedflag)
{
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(secrets->rs1->value),
NULL,
ZSTR_GV(secrets->pbxs->value),
ZSTR_GV(presh_key),
ZSTR_GV(key_id));
if (zrtp_status_ok == s) {
res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE);
if (0 == res) {
secrets->matches |= ZRTP_BIT_PBX;
break;
}
}
}
if (session->secrets.auxs->_cachedflag)
{
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(secrets->rs1->value),
ZSTR_GV(secrets->auxs->value),
NULL,
ZSTR_GV(presh_key),
ZSTR_GV(key_id));
if (zrtp_status_ok == s) {
res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE);
if (0 == res) {
secrets->matches |= ZRTP_BIT_AUX;
break;
}
}
}
if ((session->secrets.pbxs->_cachedflag) && (session->secrets.auxs->_cachedflag))
{
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(secrets->rs1->value),
ZSTR_GV(secrets->auxs->value),
ZSTR_GV(secrets->pbxs->value),
ZSTR_GV(presh_key),
ZSTR_GV(key_id));
if (zrtp_status_ok == s) {
res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE);
if (0 == res) {
secrets->matches |= ZRTP_BIT_AUX;
secrets->matches |= ZRTP_BIT_PBX;
break;
}
}
}
} while (0);
if (0 != res) {
ZRTP_LOG(3,(_ZTU_,"\tINFO! Matched Key wasn't found - initate DH exchange.\n"));
secrets->cached = 0;
secrets->rs1->_cachedflag = 0;
_zrtp_machine_start_initiating_secure(stream);
return zrtp_status_ok;
}
}
ZRTP_LOG(3,(_ZTU_,"\tUse RS1, %s, %s in calculations.\n",
(session->secrets.matches & ZRTP_BIT_AUX) ? "AUX" : "NULL",
(session->secrets.matches & ZRTP_BIT_PBX) ? "PBX" : "NULL"));
_zrtp_kdf( stream,
ZSTR_GV(presh_key),
ZSTR_GV(zrtp_presh_label),
ZSTR_GV(stream->protocol->cc->kdf_context),
session->hash->digest_length,
ZSTR_GV(cc->s0));
} break;
/*
* For FAST Multistream:
* s0n = KDF(ZRTPSess, "ZRTP Multistream Key", KDF_Context, negotiated hash length)
* ========================================================================
*/
case ZRTP_STREAM_MODE_MULT:
{
ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 for MULTISTREAM from ZRTP Session key... ID=%u\n", stream->id));
_zrtp_kdf( stream,
ZSTR_GV(session->zrtpsess),
ZSTR_GV(zrtp_multi_label),
ZSTR_GV(stream->protocol->cc->kdf_context),
session->hash->digest_length,
ZSTR_GV(cc->s0));
} break;
default: break;
}
/*
* Compute ZRTP session key for FULL streams only:
* ZRTPSess = KDF(s0, "ZRTP Session Key", KDF_Context, negotiated hash length)
*/
if (!ZRTP_IS_STREAM_MULT(stream)) {
if (session->zrtpsess.length == 0) {
_zrtp_kdf( stream,
ZSTR_GV(cc->s0),
ZSTR_GV(zrtp_sess_label),
ZSTR_GV(stream->protocol->cc->kdf_context),
session->hash->digest_length,
ZSTR_GV(session->zrtpsess));
}
}
return zrtp_status_ok;
}
