void zrtp_zstrcpyc(zrtp_stringn_t *dst, const char *src) { dst->length = ZRTP_MIN(dst->max_length, strlen(src)); zrtp_memcpy(dst->buffer, src, dst->length); if (dst->length < dst->max_length) { dst->buffer[dst->length] = 0; } }
void zrtp_zstrncpyc(zrtp_stringn_t *dst, const char *src, uint16_t size) { dst->length = ZRTP_MIN(dst->max_length, size); zrtp_memcpy(dst->buffer, src, dst->length); if (dst->length < dst->max_length) { dst->buffer[dst->length] = 0; } }
void zrtp_zstrcat(zrtp_stringn_t *dst, const zrtp_stringn_t *src) { uint16_t count = ZRTP_MIN((dst->max_length - dst->length), src->length); zrtp_memcpy(dst->buffer + dst->length, src->buffer, count); dst->length += count; if (dst->length < dst->max_length) { dst->buffer[dst->length] = 0; } }
/*----------------------------------------------------------------------------*/ zrtp_status_t _zrtp_machine_process_confirm( zrtp_stream_t *stream, zrtp_packet_Confirm_t *confirm) { /* Compute Hmac over encrypted part of Confirm and reject malformed packets */ void* cipher_ctx = NULL; zrtp_status_t s = zrtp_status_fail; zrtp_session_t *session = stream->session; zrtp_string128_t hmac = ZSTR_INIT_EMPTY(hmac); /* hash + (padding + sig_len + flags) + ttl */ const uint8_t encrypted_body_size = ZRTP_MESSAGE_HASH_SIZE + (2 + 1 + 1) + 4; s = session->hash->hmac_c( session->hash, stream->cc.peer_hmackey.buffer, stream->cc.peer_hmackey.length, (const char*)&confirm->hash, encrypted_body_size, ZSTR_GV(hmac) ); if (zrtp_status_ok != s) { ZRTP_LOG(1,(_ZTU_,"\tERROR! failed to compute Incoming Confirm hmac. s=%d ID=%u\n", s, stream->id)); return zrtp_status_fail; } // MARK: TRACE CONFIRM HMAC ERROR #if 0 { char buff[512]; ZRTP_LOG(3,(_ZTU_,"HMAC TRACE. VERIFY\n")); ZRTP_LOG(3,(_ZTU_,"\tcipher text:%s. size=%u\n", hex2str((const char*)&confirm->hash, encrypted_body_size, buff, sizeof(buff)), encrypted_body_size)); ZRTP_LOG(3,(_ZTU_,"\t key:%s.\n", hex2str(stream->cc.peer_hmackey.buffer, stream->cc.peer_hmackey.length, buff, sizeof(buff)))); ZRTP_LOG(3,(_ZTU_,"\t comp hmac:%s.\n", hex2str(hmac.buffer, hmac.length, buff, sizeof(buff)))); ZRTP_LOG(3,(_ZTU_,"\t hmac:%s.\n", hex2str((const char*)confirm->hmac, ZRTP_HMAC_SIZE, buff, sizeof(buff)))); } #endif if (0 != zrtp_memcmp(confirm->hmac, hmac.buffer, ZRTP_HMAC_SIZE)) { /* * Weird. Perhaps a bug in our code or our peer's code. Or it could be an attacker * who doesn't realize that Man-In-The-Middling the Diffie-Hellman key generation * but allowing the correct rsIds to pass through accomplishes nothing more than * forcing us to fallback to cleartext mode. If this attacker had gone ahead and deleted * or replaced the rsIds, then he would have been able to stay in the middle (although * he would of course still face the threat of a Voice Authentication Check). On the * other hand if this attacker wanted to force us to fallback to cleartext mode, he could * have done that more simply, for example by intercepting our ZRTP HELLO packet and * replacing it with a normal non-ZRTP comfort noise packet. In any case, we'll do our * "switch to cleartext fallback" behavior. */ ZRTP_LOG(2,(_ZTU_,"\tWARNING!" ZRTP_VERIFIED_RESP_WARNING_STR "ID=%u\n", stream->id)); _zrtp_machine_enter_initiatingerror(stream, zrtp_error_auth_decrypt, 1); return zrtp_status_fail; } /* Then we need to decrypt Confirm body */ do { cipher_ctx = session->blockcipher->start( session->blockcipher, (uint8_t*)stream->cc.peer_zrtp_key.buffer, NULL, ZRTP_CIPHER_MODE_CFB); if (!cipher_ctx) { break; } s = session->blockcipher->set_iv( session->blockcipher, cipher_ctx, (zrtp_v128_t*)confirm->iv); if (zrtp_status_ok != s) { break; } s = session->blockcipher->decrypt( session->blockcipher, cipher_ctx, (uint8_t*)&confirm->hash, encrypted_body_size); } while(0); if (cipher_ctx) { session->blockcipher->stop(session->blockcipher, cipher_ctx); } if (zrtp_status_ok != s) { ZRTP_LOG(3,(_ZTU_,"\tERROR! failed to decrypt incoming Confirm. s=%d ID=%u\n", s, stream->id)); return s; } /* We have access to hash field and can check hmac of the previous message */ { zrtp_msg_hdr_t *hdr = NULL; char *key=NULL; zrtp_string32_t tmphash_str = ZSTR_INIT_EMPTY(tmphash_str); zrtp_hash_t *hash = zrtp_comp_find( ZRTP_CC_HASH, ZRTP_HASH_SHA256, stream->zrtp); if (ZRTP_IS_STREAM_DH(stream)) { hdr = &stream->messages.peer_dhpart.hdr; key = (char*)confirm->hash; } else { hash->hash_c(hash, (char*)confirm->hash, ZRTP_MESSAGE_HASH_SIZE, ZSTR_GV(tmphash_str)); if (ZRTP_STATEMACHINE_INITIATOR == stream->protocol->type) { hdr = &stream->messages.peer_hello.hdr; hash->hash_c( hash, tmphash_str.buffer, ZRTP_MESSAGE_HASH_SIZE, ZSTR_GV(tmphash_str) ); } else { hdr = &stream->messages.peer_commit.hdr; } key = tmphash_str.buffer; } if (0 != _zrtp_validate_message_hmac(stream, hdr, key)) { return zrtp_status_fail; } } /* Set evil bit if other-side shared session key */ stream->peer_disclose_bit = (confirm->flags & 0x01); /* Enable ALLOWCLEAR option if only both sides support it */ stream->allowclear = (confirm->flags & 0x02) && session->profile.allowclear; /* Drop RS1 VERIFIED flag if other side didn't verified key exchange */ if (0 == (confirm->flags & 0x04)) { ZRTP_LOG(2,(_ZTU_,"\tINFO: Other side Confirm V=0 - set verified to 0! ID=%u\n", stream->id)); zrtp_verified_set(session->zrtp, &session->zrtp->zid, &session->peer_zid, 0); } /* Look for Enrollment replay flag */ if (confirm->flags & 0x08) { ZRTP_LOG(2,(_ZTU_,"\tINFO: Confirm PBX Enrolled flag is set - it is a Registration call! ID=%u\n", stream->id)); if (stream->mitm_mode != ZRTP_MITM_MODE_CLIENT) { ZRTP_LOG(2,(_ZTU_,"\tERROR: PBX enrollment flag was received in wrong MiTM mode %s." " ID=%u\n", zrtp_log_mode2str(stream->mode), stream->id)); _zrtp_machine_enter_initiatingerror(stream, zrtp_error_invalid_packet, 1); return zrtp_status_fail; } /* Passive endpoint should ignore PBX Enrollment. */ if (ZRTP_LICENSE_MODE_PASSIVE != stream->zrtp->lic_mode) { stream->mitm_mode = ZRTP_MITM_MODE_REG_CLIENT; } else { ZRTP_LOG(2,(_ZTU_,"\tINFO: Ignore PBX Enrollment flag as we are Passive ID=%u\n", stream->id)); } } stream->cache_ttl = ZRTP_MIN(session->profile.cache_ttl, zrtp_ntoh32(confirm->expired_interval)); /* Copy packet for future hashing */ zrtp_memcpy(&stream->messages.peer_confirm, confirm, zrtp_ntoh16(confirm->hdr.length)*4); return zrtp_status_ok; }