/*---------------------------------------------------------------------------*/
zrtp_status_t zrtp_signaling_hash_get( zrtp_stream_t* stream,
char *hash_buff,
uint32_t hash_buff_length)
{
zrtp_string32_t hash_str = ZSTR_INIT_EMPTY(hash_str);
zrtp_hash_t *hash = NULL;
if (!stream || !hash_buff) {
return zrtp_status_bad_param;
}
if (ZRTP_SIGN_ZRTP_HASH_LENGTH > hash_buff_length) {
return zrtp_status_buffer_size;
}
if (stream->state < ZRTP_STATE_ACTIVE) {
return zrtp_status_wrong_state;
}
hash = zrtp_comp_find(ZRTP_CC_HASH, ZRTP_HASH_SHA256, stream->zrtp);
hash->hash_c( hash,
(const char*)&stream->messages.hello.hdr,
zrtp_ntoh16(stream->messages.hello.hdr.length) * 4,
ZSTR_GV(hash_str) );
hex2str(hash_str.buffer, ZRTP_MESSAGE_HASH_SIZE, hash_buff, hash_buff_length);
return zrtp_status_ok;
}
static int verify_sas(struct re_printf *pf, void *arg)
{
const struct cmd_arg *carg = arg;
(void)pf;
if (str_isset(carg->prm)) {
char rzid[ZRTP_STRING16] = "";
zrtp_status_t s;
zrtp_string16_t remote_zid = ZSTR_INIT_EMPTY(remote_zid);
if (str_len(carg->prm) != 24) {
warning("zrtp: invalid remote ZID (%s)\n", carg->prm);
return EINVAL;
}
(void) str2hex(carg->prm, (int) str_len(carg->prm),
rzid, sizeof(rzid));
zrtp_zstrncpyc(ZSTR_GV(remote_zid), (const char*)rzid,
sizeof(zrtp_zid_t));
s = zrtp_cache_set_verified(zrtp_global->cache,
ZSTR_GV(remote_zid),
true);
if (s == zrtp_status_ok)
info("zrtp: SAS for peer %s verified\n", carg->prm);
else {
warning("zrtp: zrtp_cache_set_verified"
" failed (status = %d)\n", s);
return EINVAL;
}
}
return 0;
}
/*----------------------------------------------------------------------------*/
static zrtp_status_t _create_sasrelay( zrtp_stream_t *stream,
zrtp_sas_id_t transf_sas_scheme,
zrtp_string32_t* transf_sas_value,
uint8_t transf_ac_flag,
uint8_t transf_d_flag,
zrtp_packet_SASRelay_t* sasrelay )
{
zrtp_session_t *session = stream->session;
zrtp_status_t s = zrtp_status_fail;
void* cipher_ctx = NULL;
/* (padding + sig_len + flags) + SAS scheme and SASHash */
const uint8_t encrypted_body_size = (2 + 1 + 1) + 4 + 32;
zrtp_memset(sasrelay, 0, sizeof(zrtp_packet_SASRelay_t));
/* generate a random initialization vector for CFB cipher */
if (ZRTP_CFBIV_SIZE != zrtp_randstr(session->zrtp, sasrelay->iv, ZRTP_CFBIV_SIZE)) {
return zrtp_status_rp_fail;
}
sasrelay->flags |= (session->profile.disclose_bit || transf_d_flag) ? 0x01 : 0x00;
sasrelay->flags |= (session->profile.allowclear && transf_ac_flag) ? 0x02 : 0x00;
sasrelay->flags |= 0x04;
zrtp_memcpy( sasrelay->sas_scheme,
zrtp_comp_id2type(ZRTP_CC_SAS, transf_sas_scheme),
ZRTP_COMP_TYPE_SIZE );
if (transf_sas_value)
zrtp_memcpy(sasrelay->sashash, transf_sas_value->buffer, transf_sas_value->length);
/* Then we need to encrypt Confirm before computing Hmac. Use AES CFB */
do {
cipher_ctx = session->blockcipher->start( session->blockcipher,
(uint8_t*)stream->cc.zrtp_key.buffer,
NULL,
ZRTP_CIPHER_MODE_CFB );
if (!cipher_ctx) {
break;
}
s = session->blockcipher->set_iv( session->blockcipher,
cipher_ctx,
(zrtp_v128_t*)sasrelay->iv);
if (zrtp_status_ok != s) {
break;
}
s = session->blockcipher->encrypt( session->blockcipher,
cipher_ctx,
(uint8_t*)&sasrelay->pad,
encrypted_body_size );
} while(0);
if (cipher_ctx) {
session->blockcipher->stop(session->blockcipher, cipher_ctx);
}
if (zrtp_status_ok != s) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! Failed to encrypt SASRELAY Message status=%d. ID=%u\n", s, stream->id));
return s;
}
/* Compute Hmac over encrypted part of Confirm */
{
zrtp_string128_t hmac = ZSTR_INIT_EMPTY(hmac);
s = session->hash->hmac_c( session->hash,
stream->cc.hmackey.buffer,
stream->cc.hmackey.length,
(const char*)&sasrelay->pad,
encrypted_body_size,
ZSTR_GV(hmac) );
if (zrtp_status_ok != s) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! Failed to compute CONFIRM hmac status=%d. ID=%u\n", s, stream->id));
return s;
}
zrtp_memcpy(sasrelay->hmac, hmac.buffer, ZRTP_HMAC_SIZE);
}
return s;
}
/*---------------------------------------------------------------------------*/
zrtp_status_t zrtp_register_with_trusted_mitm(zrtp_stream_t* stream)
{
zrtp_session_t *session = stream->session;
zrtp_status_t s = zrtp_status_bad_param;
if (!stream) {
return zrtp_status_bad_param;
}
ZRTP_LOG(3,(_ZTU_,"MARKING this call as REGISTRATION ID=%u\n", stream->id));
if (NULL == stream->zrtp->cb.cache_cb.on_get_mitm) {
ZRTP_LOG(2,(_ZTU_,"WARNING: Can't use MiTM Functions with no ZRTP Cache.\n"));
return zrtp_status_notavailable;
}
if (!stream->protocol) {
return zrtp_status_bad_param;
}
/* Passive Client endpoint should NOT generate PBX Secret. */
if ((stream->mitm_mode == ZRTP_MITM_MODE_REG_CLIENT) &&
(ZRTP_LICENSE_MODE_PASSIVE == stream->zrtp->lic_mode)) {
ZRTP_LOG(2,(_ZTU_,"WARNING: Passive Client endpoint should NOT generate PBX Secret.\n"));
return zrtp_status_bad_param;
}
/*
* Generate new MitM cache:
* pbxsecret = KDF(ZRTPSess, "Trusted MiTM key", (ZIDi | ZIDr), negotiated hash length)
*/
if ( (stream->state == ZRTP_STATE_SECURE) &&
((stream->mitm_mode == ZRTP_MITM_MODE_REG_CLIENT) || (stream->mitm_mode == ZRTP_MITM_MODE_REG_SERVER)) )
{
zrtp_string32_t kdf_context = ZSTR_INIT_EMPTY(kdf_context);
static const zrtp_string32_t trusted_mitm_key_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_TRUSTMITMKEY_STR);
zrtp_string16_t *zidi, *zidr;
if (stream->protocol->type == ZRTP_STATEMACHINE_INITIATOR) {
zidi = &session->zid;
zidr = &session->peer_zid;
} else {
zidi = &session->peer_zid;
zidr = &session->zid;
}
zrtp_zstrcat(ZSTR_GV(kdf_context), ZSTR_GVP(zidi));
zrtp_zstrcat(ZSTR_GV(kdf_context), ZSTR_GVP(zidr));
_zrtp_kdf( stream,
ZSTR_GV(session->zrtpsess),
ZSTR_GV(trusted_mitm_key_label),
ZSTR_GV(kdf_context),
ZRTP_HASH_SIZE,
ZSTR_GV(session->secrets.pbxs->value));
session->secrets.pbxs->_cachedflag = 1;
session->secrets.pbxs->lastused_at = (uint32_t)(zrtp_time_now()/1000);
session->secrets.cached |= ZRTP_BIT_PBX;
session->secrets.matches |= ZRTP_BIT_PBX;
s = zrtp_status_ok;
if (session->zrtp->cb.cache_cb.on_put_mitm) {
s = session->zrtp->cb.cache_cb.on_put_mitm( ZSTR_GV(session->zid),
ZSTR_GV(session->peer_zid),
session->secrets.pbxs);
}
ZRTP_LOG(3,(_ZTU_,"Makring this call as REGISTRATION - DONE\n"));
}
return s;
}
/*----------------------------------------------------------------------------*/
zrtp_status_t _zrtp_machine_process_sasrelay(zrtp_stream_t *stream, zrtp_rtp_info_t *packet)
{
zrtp_session_t *session = stream->session;
zrtp_packet_SASRelay_t *sasrelay = (zrtp_packet_SASRelay_t*) packet->message;
void* cipher_ctx = NULL;
zrtp_sas_id_t rendering_id = ZRTP_COMP_UNKN;
zrtp_status_t s = zrtp_status_fail;
zrtp_string128_t hmac = ZSTR_INIT_EMPTY(hmac);
char zerosashash[32];
unsigned sas_scheme_did_change = 0;
unsigned sas_hash_did_change = 0;
/* (padding + sig_len + flags) + SAS scheme and SAS hash */
const uint8_t encrypted_body_size = (2 + 1 + 1) + 4 + 32;
zrtp_memset(zerosashash, 0, sizeof(zerosashash));
/* Check if the remote endpoint is assigned to relay the SAS values */
if (!stream->peer_mitm_flag) {
ZRTP_LOG(2,(_ZTU_, ZRTP_RELAYED_SAS_FROM_NONMITM_STR));
return zrtp_status_fail;
}
/* Check the HMAC */
s = session->hash->hmac_c( session->hash,
stream->cc.peer_hmackey.buffer,
stream->cc.peer_hmackey.length,
(const char*)&sasrelay->pad,
encrypted_body_size,
ZSTR_GV(hmac) );
if (zrtp_status_ok != s ) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! Failed to compute CONFIRM hmac. status=%d ID=%u\n", s, stream->id));
return zrtp_status_fail;
}
if (0 != zrtp_memcmp(sasrelay->hmac, hmac.buffer, ZRTP_HMAC_SIZE)) {
ZRTP_LOG(2,(_ZTU_, ZRTP_VERIFIED_RESP_WARNING_STR));
return zrtp_status_fail;
}
ZRTP_LOG(3,(_ZTU_, "\tHMAC value for the SASRELAY is correct - decrypting...\n"));
/* Then we need to decrypt Confirm body */
do
{
cipher_ctx = session->blockcipher->start( session->blockcipher,
(uint8_t*)stream->cc.peer_zrtp_key.buffer,
NULL,
ZRTP_CIPHER_MODE_CFB );
if (!cipher_ctx) {
break;
}
s = session->blockcipher->set_iv(session->blockcipher, cipher_ctx, (zrtp_v128_t*)sasrelay->iv);
if (zrtp_status_ok != s) {
break;
}
s = session->blockcipher->encrypt( session->blockcipher,
cipher_ctx,
(uint8_t*)&sasrelay->pad,
encrypted_body_size);
} while(0);
if (cipher_ctx) {
session->blockcipher->stop(session->blockcipher, cipher_ctx);
}
if (zrtp_status_ok != s) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! Failed to decrypt Confirm. status=%d ID=%u\n", s, stream->id));
return s;
}
ZRTP_LOG(2,(_ZTU_,"\tSasRelay FLAGS old/new A=%d/%d, D=%d/%d.\n",
stream->allowclear, (uint8_t)(sasrelay->flags & 0x02),
stream->peer_disclose_bit, (uint8_t)(sasrelay->flags & 0x01)));
/* Set evil bit if other-side disclosed session key */
stream->peer_disclose_bit = (sasrelay->flags & 0x01);
/* Enable ALLOWCLEAR option only if both sides support it */
stream->allowclear = (sasrelay->flags & 0x02) && session->profile.allowclear;
/*
* We don't handle verified flag in SASRelaying because it makes no
* sense in implementation of the ZRTP Internet Draft.
*/
/*
* Only enrolled users can do SAS transferring. (Non-enrolled users can
* only change the SAS rendering scheme).
*/
rendering_id = zrtp_comp_type2id(ZRTP_CC_SAS, (char*)sasrelay->sas_scheme);
if (-1 == zrtp_profile_find(&session->profile, ZRTP_CC_SAS, rendering_id)) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! PBX Confirm packet with transferred SAS have unknown or"
" unsupported rendering scheme %.4s.ID=%u\n", sasrelay->sas_scheme, stream->id));
_zrtp_machine_enter_initiatingerror(stream, zrtp_error_invalid_packet, 1);
return zrtp_status_fail;
}
/* Check is SAS rendering did change */
if (rendering_id != session->sasscheme->base.id) {
session->sasscheme = zrtp_comp_find(ZRTP_CC_SAS, rendering_id, session->zrtp );
sas_scheme_did_change = 1;
ZRTP_LOG(3,(_ZTU_,"\tSasrelay: Rendering scheme was updated to %.4s.\n", session->sasscheme->base.type));
}
if (session->secrets.matches & ZRTP_BIT_PBX) {
if ( ( ((uint32_t) *sasrelay->sas_scheme) != (uint32_t)0x0L ) &&
(0 != zrtp_memcmp(sasrelay->sashash, zerosashash, sizeof(sasrelay->sashash))) )
{
char buff[256];
session->sasbin.length = ZRTP_MITM_SAS_SIZE;
/* First 32 bits if sashash includes sasvalue */
zrtp_memcpy(session->sasbin.buffer, sasrelay->sashash, session->sasbin.length);
stream->mitm_mode = ZRTP_MITM_MODE_RECONFIRM_CLIENT;
sas_hash_did_change = 1;
ZRTP_LOG(3,(_ZTU_,"\tSasRelay: SAS value was updated to bin=%s.\n",
hex2str(buff, sizeof(buff), session->sasbin.buffer, session->sasbin.length)));
}
} else if (0 != zrtp_memcmp(sasrelay->sashash, zerosashash, sizeof(sasrelay->sashash))) {
ZRTP_LOG(1,(_ZTU_,"\tWARNING! SAS Value was received from NOT Trusted MiTM. ID=%u\n", stream->id));
_zrtp_machine_enter_initiatingerror(stream, zrtp_error_possible_mitm3, 1);
return zrtp_status_fail;
} else {
ZRTP_LOG(1,(_ZTU_, "\rERROR! For SasRelay Other secret doesn't match. ID=%u\n", stream->id));
}
/* Generate new SAS if hash or rendering scheme did change.
* Note: latest libzrtp may send "empty" SasRelay with the same SAS rendering
* scheme and empty Hello hash for consistency reasons, we should ignore
* such packets.
*/
if (sas_scheme_did_change || sas_hash_did_change) {
s = session->sasscheme->compute(session->sasscheme, stream, session->hash, 1);
if (zrtp_status_ok != s) {
_zrtp_machine_enter_initiatingerror(stream, zrtp_error_software, 1);
return s;
}
ZRTP_LOG(3,(_ZTU_,"\tSasRelay: Updated SAS is <%s> <%s>.\n", session->sas1.buffer, session->sas2.buffer));
if (session->zrtp->cb.event_cb.on_zrtp_protocol_event) {
session->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_LOCAL_SAS_UPDATED);
}
}
return zrtp_status_ok;
}
/*----------------------------------------------------------------------------*/
zrtp_status_t zrtp_stream_attach(zrtp_session_t *session, zrtp_stream_t** stream)
{
uint32_t i = 0;
zrtp_status_t s = zrtp_status_fail;
zrtp_stream_t* new_stream = NULL;
ZRTP_LOG(3, (_ZTU_,"ATTACH NEW STREAM to sID=%d:\n", session->id));
/*
* Initialize first unused stream. If there are no available streams return error.
*/
zrtp_mutex_lock(session->streams_protector);
for (i=0; i<ZRTP_MAX_STREAMS_PER_SESSION; i++) {
if (ZRTP_STATE_NONE == session->streams[i].state) {
new_stream = &session->streams[i];
zrtp_memset(new_stream, 0, sizeof(zrtp_stream_t));
break;
}
}
zrtp_mutex_unlock(session->streams_protector);
if (!new_stream) {
ZRTP_LOG(1, (_ZTU_,"\tWARNING! Can't attach one more stream. Limit is reached."
" Use #ZRTP_MAX_STREAMS_PER_SESSION. sID=%u\n", session->id));
return zrtp_status_alloc_fail;
}
/*
* Initialize the private data stream with default initial values
*/
zrtp_mutex_init(&new_stream->stream_protector);
_zrtp_change_state(new_stream, ZRTP_STATE_ACTIVE);
new_stream->mode = ZRTP_STREAM_MODE_CLEAR;
new_stream->id = session->zrtp->streams_count++;
new_stream->session = session;
new_stream->zrtp = session->zrtp;
new_stream->mitm_mode = ZRTP_MITM_MODE_UNKN;
new_stream->is_hello_received = 0;
ZSTR_SET_EMPTY(new_stream->cc.hmackey);
ZSTR_SET_EMPTY(new_stream->cc.peer_hmackey);
ZSTR_SET_EMPTY(new_stream->cc.zrtp_key);
ZSTR_SET_EMPTY(new_stream->cc.peer_zrtp_key);
new_stream->dh_cc.initialized_with = ZRTP_COMP_UNKN;
bnBegin(&new_stream->dh_cc.peer_pv);
ZSTR_SET_EMPTY(new_stream->dh_cc.dhss);
ZRTP_LOG(3, (_ZTU_,"\tEmpty slot was found - initializing new stream with ID=%u.\n", new_stream->id));
do {
zrtp_string32_t hash_buff = ZSTR_INIT_EMPTY(hash_buff);
zrtp_hash_t *hash = zrtp_comp_find(ZRTP_CC_HASH, ZRTP_HASH_SHA256, new_stream->zrtp);
s = zrtp_status_algo_fail;
if (sizeof(uint16_t) != zrtp_randstr( new_stream->zrtp,
(uint8_t*)&new_stream->media_ctx.high_out_zrtp_seq,
sizeof(uint16_t))) {
break;
}
/*
* Compute and store message hashes to prevent DoS attacks.
* Generate H0 as a random nonce and compute H1, H2 and H3
* using the leftmost 128 bits from every hash.
* Then insert these directly into the message structures.
*/
zrtp_memset(&new_stream->messages, 0, sizeof(new_stream->messages));
ZSTR_SET_EMPTY(new_stream->messages.h0);
ZSTR_SET_EMPTY(new_stream->messages.signaling_hash);
/* Generate Random nonce, compute H1 and store in the DH packet */
new_stream->messages.h0.length = (uint16_t)zrtp_randstr( new_stream->zrtp,
(unsigned char*)new_stream->messages.h0.buffer,
ZRTP_MESSAGE_HASH_SIZE);
if (ZRTP_MESSAGE_HASH_SIZE != new_stream->messages.h0.length) {
break;
}
s = hash->hash(hash, ZSTR_GV(new_stream->messages.h0), ZSTR_GV(hash_buff));
if (zrtp_status_ok != s) {
break;
}
zrtp_memcpy(new_stream->messages.dhpart.hash, hash_buff.buffer, ZRTP_MESSAGE_HASH_SIZE);
/* Compute H2 for the Commit */
s = hash->hash_c(hash, (char*)new_stream->messages.dhpart.hash, ZRTP_MESSAGE_HASH_SIZE, ZSTR_GV(hash_buff));
if (zrtp_status_ok != s) {
break;
}
zrtp_memcpy(new_stream->messages.commit.hash, hash_buff.buffer, ZRTP_MESSAGE_HASH_SIZE);
/* Compute H3 for the Hello message */
s = hash->hash_c(hash, (char*)new_stream->messages.commit.hash, ZRTP_MESSAGE_HASH_SIZE, ZSTR_GV(hash_buff));
if (zrtp_status_ok != s) {
break;
}
zrtp_memcpy(new_stream->messages.hello.hash, hash_buff.buffer, ZRTP_MESSAGE_HASH_SIZE);
s = zrtp_status_ok;
} while (0);
if (zrtp_status_ok != s) {
ZRTP_LOG(1, (_ZTU_,"\tERROR! Fail to compute messages hashes <%s>.\n", zrtp_log_status2str(s)));
return s;
}
/*
* Preparing HELLO based on user's profile
*/
ZRTP_LOG(3, (_ZTU_,"\tPreparing ZRTP Hello according to the Session profile.\n"));
{
zrtp_packet_Hello_t* hello = &new_stream->messages.hello;
uint8_t i = 0;
int8_t* comp_ptr = NULL;
/* Set Protocol Version and ClientID */
zrtp_memcpy(hello->version, ZRTP_PROTOCOL_VERSION, ZRTP_VERSION_SIZE);
zrtp_memcpy(hello->cliend_id, session->zrtp->client_id.buffer, session->zrtp->client_id.length);
/* Set flags. */
hello->pasive = (ZRTP_LICENSE_MODE_PASSIVE == session->zrtp->lic_mode) ? 1 : 0;
hello->uflag = (ZRTP_LICENSE_MODE_UNLIMITED == session->zrtp->lic_mode) ? 1 : 0;
hello->mitmflag = session->zrtp->is_mitm;
hello->sigflag = 0;
zrtp_memcpy(hello->zid, session->zid.buffer, session->zid.length);
comp_ptr = (int8_t*)hello->comp;
i = 0;
while ( session->profile.hash_schemes[i]) {
zrtp_memcpy( comp_ptr,
zrtp_comp_id2type(ZRTP_CC_HASH, session->profile.hash_schemes[i++]),
ZRTP_COMP_TYPE_SIZE );
comp_ptr += ZRTP_COMP_TYPE_SIZE;
}
hello->hc = i;
i = 0;
while (session->profile.cipher_types[i]) {
zrtp_memcpy( comp_ptr,
zrtp_comp_id2type(ZRTP_CC_CIPHER, session->profile.cipher_types[i++]),
ZRTP_COMP_TYPE_SIZE );
comp_ptr += ZRTP_COMP_TYPE_SIZE;
}
hello->cc = i;
i = 0;
while (session->profile.auth_tag_lens[i] ) {
zrtp_memcpy( comp_ptr,
zrtp_comp_id2type(ZRTP_CC_ATL, session->profile.auth_tag_lens[i++]),
ZRTP_COMP_TYPE_SIZE );
comp_ptr += ZRTP_COMP_TYPE_SIZE;
}
hello->ac = i;
i = 0;
while (session->profile.pk_schemes[i] ) {
zrtp_memcpy( comp_ptr,
zrtp_comp_id2type(ZRTP_CC_PKT, session->profile.pk_schemes[i++]),
ZRTP_COMP_TYPE_SIZE );
comp_ptr += ZRTP_COMP_TYPE_SIZE;
}
hello->kc = i;
i = 0;
while (session->profile.sas_schemes[i]) {
zrtp_memcpy( comp_ptr,
zrtp_comp_id2type(ZRTP_CC_SAS, session->profile.sas_schemes[i++]),
ZRTP_COMP_TYPE_SIZE );
comp_ptr += ZRTP_COMP_TYPE_SIZE;
}
hello->sc = i;
/*
* Hmac will appear at the end of the message, after the dynamic portion.
* i is the length of the dynamic part.
*/
i = (hello->hc + hello->cc + hello->ac + hello->kc + hello->sc) * ZRTP_COMP_TYPE_SIZE;
_zrtp_packet_fill_msg_hdr( new_stream,
ZRTP_HELLO,
ZRTP_HELLO_STATIC_SIZE + i + ZRTP_HMAC_SIZE,
&hello->hdr);
}
*stream = new_stream;
ZRTP_LOG(3, (_ZTU_,"ATTACH NEW STREAM - DONE.\n"));
return zrtp_status_ok;
}
/*---------------------------------------------------------------------------*/
static zrtp_status_t _derive_s0(zrtp_stream_t* stream, int is_initiator)
{
static const zrtp_string32_t zrtp_kdf_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_KDF_STR);
static const zrtp_string32_t zrtp_sess_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_SESS_STR);
static const zrtp_string32_t zrtp_multi_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_MULTI_STR);
static const zrtp_string32_t zrtp_presh_label = ZSTR_INIT_WITH_CONST_CSTRING(ZRTP_PRESH_STR);
zrtp_session_t *session = stream->session;
zrtp_secrets_t* secrets = &session->secrets;
zrtp_proto_crypto_t* cc = stream->protocol->cc;
void* hash_ctx = NULL;
char print_buff[256];
switch (stream->mode)
{
/*
* S0 computing for FULL DH exchange
* S0 computing. s0 is the master shared secret used for all
* cryptographic operations. In particular, note the inclusion
* of "total_hash", a hash of all packets exchanged up to this
* point. This belatedly detects any tampering with earlier
* packets, e.g. bid-down attacks.
*
* s0 = hash( 1 | DHResult | "ZRTP-HMAC-KDF" | ZIDi | ZIDr |
* total_hash | len(s1) | s1 | len(s2) | s2 | len(s3) | s3 )
* The constant 1 and all lengths are 32 bits big-endian values.
* The fields without length prefixes are fixed-witdh:
* - DHresult is fixed to the width of the DH prime.
* - The hash type string and ZIDs are fixed width.
* - total_hash is fixed by the hash negotiation.
* The constant 1 is per NIST SP 800-56A section 5.8.1, and is
* a counter which can be incremented to generate more than 256
* bits of key material.
* ========================================================================
*/
case ZRTP_STREAM_MODE_DH:
{
zrtp_proto_secret_t *C[3] = { 0, 0, 0};
int i = 0;
uint32_t comp_length = 0;
zrtp_stringn_t *zidi = NULL, *zidr = NULL;
struct BigNum dhresult;
#if (defined(ZRTP_USE_STACK_MINIM) && (ZRTP_USE_STACK_MINIM == 1))
zrtp_uchar1024_t* buffer = zrtp_sys_alloc( sizeof(zrtp_uchar1024_t) );
if (!buffer) {
return zrtp_status_alloc_fail;
}
#else
zrtp_uchar1024_t holder;
zrtp_uchar1024_t* buffer = &holder;
#endif
ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 from DH exchange and RS secrets...\n"));
ZRTP_LOG(3,(_ZTU_,"\t my rs1ID:%s\n", hex2str(cc->rs1.id.buffer, cc->rs1.id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his rs1ID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his rs1ID comp:%s\n", hex2str(cc->rs1.peer_id.buffer, cc->rs1.peer_id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t my rs2ID:%s\n", hex2str(cc->rs2.id.buffer, cc->rs2.id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his rs2ID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his rs2ID comp:%s\n", hex2str(cc->rs2.peer_id.buffer, cc->rs2.peer_id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t my pbxsID:%s\n", hex2str(cc->pbxs.id.buffer, cc->pbxs.id.length, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\t his pbxsID:%s\n", hex2str((const char*)stream->messages.peer_dhpart.pbxsID, ZRTP_RSID_SIZE, print_buff, sizeof(print_buff))));
ZRTP_LOG(3,(_ZTU_,"\this pbxsID comp:%s\n", hex2str(cc->pbxs.peer_id.buffer, cc->pbxs.peer_id.length, print_buff, sizeof(print_buff))));
hash_ctx = session->hash->hash_begin(session->hash);
if (0 == hash_ctx) {
ZRTP_LOG(1,(_ZTU_, "\tERROR! can't start hash calculation for S0 computing. ID=%u.\n", stream->id));
return zrtp_status_fail;
}
/*
* NIST requires a 32-bit big-endian integer counter to be included
* in the hash each time the hash is computed, which we have set to
* the fixed value of 1, because we only compute the hash once.
*/
comp_length = zrtp_hton32(1L);
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&comp_length, 4);
switch (stream->pubkeyscheme->base.id) {
case ZRTP_PKTYPE_DH2048:
case ZRTP_PKTYPE_DH3072:
case ZRTP_PKTYPE_DH4096:
comp_length = stream->pubkeyscheme->pv_length;
ZRTP_LOG(3,(_ZTU_,"DH comp_length=%u\n", comp_length));
break;
case ZRTP_PKTYPE_EC256P:
case ZRTP_PKTYPE_EC384P:
case ZRTP_PKTYPE_EC521P:
comp_length = stream->pubkeyscheme->pv_length/2;
ZRTP_LOG(3,(_ZTU_,"ECDH comp_length=%u\n", comp_length));
break;
default:
break;
}
bnBegin(&dhresult);
stream->pubkeyscheme->compute(stream->pubkeyscheme,
&stream->dh_cc,
&dhresult,
&stream->dh_cc.peer_pv);
bnExtractBigBytes(&dhresult, (uint8_t *)buffer, 0, comp_length);
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)buffer, comp_length);
bnEnd(&dhresult);
#if (defined(ZRTP_USE_STACK_MINIM) && (ZRTP_USE_STACK_MINIM == 1))
zrtp_sys_free(buffer);
#endif
/* Add "ZRTP-HMAC-KDF" to the S0 hash */
session->hash->hash_update( session->hash, hash_ctx,
(const int8_t*)&zrtp_kdf_label.buffer,
zrtp_kdf_label.length);
/* Then Initiator's and Responder's ZIDs */
if (stream->protocol->type == ZRTP_STATEMACHINE_INITIATOR) {
zidi = ZSTR_GV(stream->session->zrtp->zid);
zidr = ZSTR_GV(stream->session->peer_zid);
} else {
zidr = ZSTR_GV(stream->session->zrtp->zid);
zidi = ZSTR_GV(stream->session->peer_zid);
}
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&zidi->buffer, zidi->length);
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&zidr->buffer, zidr->length);
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&cc->mes_hash.buffer, cc->mes_hash.length);
/* If everything is OK - RS1 should much */
if (!zrtp_memcmp(cc->rs1.peer_id.buffer, stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE))
{
C[0] = &cc->rs1;
secrets->matches |= ZRTP_BIT_RS1;
}
/* If we have lost our RS1 - remote party should use backup (RS2) instead */
else if (!zrtp_memcmp(cc->rs1.peer_id.buffer, stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE))
{
C[0] = &cc->rs1;
secrets->matches |= ZRTP_BIT_RS1;
ZRTP_LOG(2,(_ZTU_,"\tINFO! We have lost our RS1 from previous broken exchange"
" - remote party will use RS2 backup. ID=%u\n", stream->id));
}
/* If remote party lost it's secret - we will use backup */
else if (!zrtp_memcmp(cc->rs2.peer_id.buffer, stream->messages.peer_dhpart.rs1ID, ZRTP_RSID_SIZE))
{
C[0] = &cc->rs2;
cc->rs1 = cc->rs2;
secrets->matches |= ZRTP_BIT_RS1;
secrets->cached |= ZRTP_BIT_RS1;
ZRTP_LOG(2,(_ZTU_,"\tINFO! Remote party has lost it's RS1 - use RS2 backup. ID=%u\n", stream->id));
}
else
{
secrets->matches &= ~ZRTP_BIT_RS1;
zrtp_cache_set_verified(session->zrtp->cache, ZSTR_GV(session->peer_zid), 0);
zrtp_cache_reset_secure_since(session->zrtp->cache, ZSTR_GV(session->peer_zid));
ZRTP_LOG(2,(_ZTU_,"\tINFO! Our RS1 doesn't equal to other-side's one %s. ID=%u\n",
cc->rs1.secret->_cachedflag ? " - drop verified!" : "", stream->id));
}
if (!zrtp_memcmp(cc->rs2.peer_id.buffer, stream->messages.peer_dhpart.rs2ID, ZRTP_RSID_SIZE)) {
secrets->matches |= ZRTP_BIT_RS2;
if (0 == C[0]) {
C[0] = &cc->rs2;
}
}
if (secrets->auxs &&
(!zrtp_memcmp(stream->messages.peer_dhpart.auxsID, cc->auxs.peer_id.buffer, ZRTP_RSID_SIZE)) ) {
C[1] =&cc->auxs;
secrets->matches |= ZRTP_BIT_AUX;
}
if ( secrets->pbxs &&
(!zrtp_memcmp(stream->messages.peer_dhpart.pbxsID, cc->pbxs.peer_id.buffer, ZRTP_RSID_SIZE)) ) {
C[2] = &cc->pbxs;
secrets->matches |= ZRTP_BIT_PBX;
}
/* Finally hashing matched shared secrets */
for (i=0; i<3; i++) {
/*
* Some of the shared secrets s1 through s5 may have lengths of zero
* if they are null (not shared), and are each preceded by a 4-octet
* length field. For example, if s4 is null, len(s4) is 00 00 00 00,
* and s4 itself would be absent from the hash calculation, which
* means len(s5) would immediately follow len(s4).
*/
comp_length = C[i] ? zrtp_hton32(ZRTP_RS_SIZE) : 0;
session->hash->hash_update(session->hash, hash_ctx, (const int8_t*)&comp_length, 4);
if (C[i]) {
session->hash->hash_update( session->hash,
hash_ctx,
(const int8_t*)C[i]->secret->value.buffer,
C[i]->secret->value.length );
ZRTP_LOG(3,(_ZTU_,"\tUse S%d in calculations.\n", i+1));
}
}
session->hash->hash_end(session->hash, hash_ctx, ZSTR_GV(cc->s0));
} break; /* S0 for for DH and Preshared streams */
/*
* Compute all possible combinations of preshared_key:
* hash(len(rs1) | rs1 | len(auxsecret) | auxsecret | len(pbxsecret) | pbxsecret)
* Find matched preshared_key and derive S0 from it:
* s0 = KDF(preshared_key, "ZRTP Stream Key", KDF_Context, negotiated hash length)
*
* INFO: Take into account that RS1 and RS2 may be swapped.
* If no matched were found - generate DH commit.
* ========================================================================
*/
case ZRTP_STREAM_MODE_PRESHARED:
{
zrtp_status_t s = zrtp_status_ok;
zrtp_string32_t presh_key = ZSTR_INIT_EMPTY(presh_key);
ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 for PRESHARED from cached secret. ID=%u\n", stream->id));
/* Use the same hash as we used for Commitment */
if (is_initiator)
{
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(session->secrets.rs1->value),
(session->secrets.auxs->_cachedflag) ? ZSTR_GV(session->secrets.auxs->value) : NULL,
(session->secrets.pbxs->_cachedflag) ? ZSTR_GV(session->secrets.pbxs->value) : NULL,
ZSTR_GV(presh_key),
NULL);
if (zrtp_status_ok != s) {
return s;
}
secrets->matches |= ZRTP_BIT_RS1;
if (session->secrets.auxs->_cachedflag) {
secrets->matches |= ZRTP_BIT_AUX;
}
if (session->secrets.pbxs->_cachedflag) {
secrets->matches |= ZRTP_BIT_PBX;
}
}
/*
* Let's find appropriate hv key for Responder:
* <RS1, 0, 0>, <RS1, AUX, 0>, <RS1, 0, PBX>, <RS1, AUX, PBX>.
*/
else
{
int res=-1;
char* peer_key_id = (char*)stream->messages.peer_commit.hv+ZRTP_HV_NONCE_SIZE;
zrtp_string8_t key_id = ZSTR_INIT_EMPTY(key_id);
do {
/* RS1 MUST be available at this stage.*/
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(secrets->rs1->value),
NULL,
NULL,
ZSTR_GV(presh_key),
ZSTR_GV(key_id));
if (zrtp_status_ok == s) {
res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE);
if (0 == res) {
secrets->matches |= ZRTP_BIT_RS1;
break;
}
}
if (session->secrets.pbxs->_cachedflag)
{
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(secrets->rs1->value),
NULL,
ZSTR_GV(secrets->pbxs->value),
ZSTR_GV(presh_key),
ZSTR_GV(key_id));
if (zrtp_status_ok == s) {
res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE);
if (0 == res) {
secrets->matches |= ZRTP_BIT_PBX;
break;
}
}
}
if (session->secrets.auxs->_cachedflag)
{
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(secrets->rs1->value),
ZSTR_GV(secrets->auxs->value),
NULL,
ZSTR_GV(presh_key),
ZSTR_GV(key_id));
if (zrtp_status_ok == s) {
res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE);
if (0 == res) {
secrets->matches |= ZRTP_BIT_AUX;
break;
}
}
}
if ((session->secrets.pbxs->_cachedflag) && (session->secrets.auxs->_cachedflag))
{
s = _zrtp_compute_preshared_key( session,
ZSTR_GV(secrets->rs1->value),
ZSTR_GV(secrets->auxs->value),
ZSTR_GV(secrets->pbxs->value),
ZSTR_GV(presh_key),
ZSTR_GV(key_id));
if (zrtp_status_ok == s) {
res = zrtp_memcmp(peer_key_id, key_id.buffer, ZRTP_HV_KEY_SIZE);
if (0 == res) {
secrets->matches |= ZRTP_BIT_AUX;
secrets->matches |= ZRTP_BIT_PBX;
break;
}
}
}
} while (0);
if (0 != res) {
ZRTP_LOG(3,(_ZTU_,"\tINFO! Matched Key wasn't found - initate DH exchange.\n"));
secrets->cached = 0;
secrets->rs1->_cachedflag = 0;
_zrtp_machine_start_initiating_secure(stream);
return zrtp_status_ok;
}
}
ZRTP_LOG(3,(_ZTU_,"\tUse RS1, %s, %s in calculations.\n",
(session->secrets.matches & ZRTP_BIT_AUX) ? "AUX" : "NULL",
(session->secrets.matches & ZRTP_BIT_PBX) ? "PBX" : "NULL"));
_zrtp_kdf( stream,
ZSTR_GV(presh_key),
ZSTR_GV(zrtp_presh_label),
ZSTR_GV(stream->protocol->cc->kdf_context),
session->hash->digest_length,
ZSTR_GV(cc->s0));
} break;
/*
* For FAST Multistream:
* s0n = KDF(ZRTPSess, "ZRTP Multistream Key", KDF_Context, negotiated hash length)
* ========================================================================
*/
case ZRTP_STREAM_MODE_MULT:
{
ZRTP_LOG(3,(_ZTU_,"\tDERIVE S0 for MULTISTREAM from ZRTP Session key... ID=%u\n", stream->id));
_zrtp_kdf( stream,
ZSTR_GV(session->zrtpsess),
ZSTR_GV(zrtp_multi_label),
ZSTR_GV(stream->protocol->cc->kdf_context),
session->hash->digest_length,
ZSTR_GV(cc->s0));
} break;
default: break;
}
/*
* Compute ZRTP session key for FULL streams only:
* ZRTPSess = KDF(s0, "ZRTP Session Key", KDF_Context, negotiated hash length)
*/
if (!ZRTP_IS_STREAM_MULT(stream)) {
if (session->zrtpsess.length == 0) {
_zrtp_kdf( stream,
ZSTR_GV(cc->s0),
ZSTR_GV(zrtp_sess_label),
ZSTR_GV(stream->protocol->cc->kdf_context),
session->hash->digest_length,
ZSTR_GV(session->zrtpsess));
}
}
return zrtp_status_ok;
}
/*----------------------------------------------------------------------------*/
zrtp_status_t _zrtp_machine_process_confirm( zrtp_stream_t *stream,
zrtp_packet_Confirm_t *confirm)
{
/* Compute Hmac over encrypted part of Confirm and reject malformed packets */
void* cipher_ctx = NULL;
zrtp_status_t s = zrtp_status_fail;
zrtp_session_t *session = stream->session;
zrtp_string128_t hmac = ZSTR_INIT_EMPTY(hmac);
/* hash + (padding + sig_len + flags) + ttl */
const uint8_t encrypted_body_size = ZRTP_MESSAGE_HASH_SIZE + (2 + 1 + 1) + 4;
s = session->hash->hmac_c( session->hash,
stream->cc.peer_hmackey.buffer,
stream->cc.peer_hmackey.length,
(const char*)&confirm->hash,
encrypted_body_size,
ZSTR_GV(hmac) );
if (zrtp_status_ok != s) {
ZRTP_LOG(1,(_ZTU_,"\tERROR! failed to compute Incoming Confirm hmac. s=%d ID=%u\n", s, stream->id));
return zrtp_status_fail;
}
// MARK: TRACE CONFIRM HMAC ERROR
#if 0
{
char buff[512];
ZRTP_LOG(3,(_ZTU_,"HMAC TRACE. VERIFY\n"));
ZRTP_LOG(3,(_ZTU_,"\tcipher text:%s. size=%u\n",
hex2str((const char*)&confirm->hash, encrypted_body_size, buff, sizeof(buff)), encrypted_body_size));
ZRTP_LOG(3,(_ZTU_,"\t key:%s.\n",
hex2str(stream->cc.peer_hmackey.buffer, stream->cc.peer_hmackey.length, buff, sizeof(buff))));
ZRTP_LOG(3,(_ZTU_,"\t comp hmac:%s.\n",
hex2str(hmac.buffer, hmac.length, buff, sizeof(buff))));
ZRTP_LOG(3,(_ZTU_,"\t hmac:%s.\n",
hex2str((const char*)confirm->hmac, ZRTP_HMAC_SIZE, buff, sizeof(buff))));
}
#endif
if (0 != zrtp_memcmp(confirm->hmac, hmac.buffer, ZRTP_HMAC_SIZE)) {
/*
* Weird. Perhaps a bug in our code or our peer's code. Or it could be an attacker
* who doesn't realize that Man-In-The-Middling the Diffie-Hellman key generation
* but allowing the correct rsIds to pass through accomplishes nothing more than
* forcing us to fallback to cleartext mode. If this attacker had gone ahead and deleted
* or replaced the rsIds, then he would have been able to stay in the middle (although
* he would of course still face the threat of a Voice Authentication Check). On the
* other hand if this attacker wanted to force us to fallback to cleartext mode, he could
* have done that more simply, for example by intercepting our ZRTP HELLO packet and
* replacing it with a normal non-ZRTP comfort noise packet. In any case, we'll do our
* "switch to cleartext fallback" behavior.
*/
ZRTP_LOG(2,(_ZTU_,"\tWARNING!" ZRTP_VERIFIED_RESP_WARNING_STR "ID=%u\n", stream->id));
_zrtp_machine_enter_initiatingerror(stream, zrtp_error_auth_decrypt, 1);
return zrtp_status_fail;
}
/* Then we need to decrypt Confirm body */
do {
cipher_ctx = session->blockcipher->start( session->blockcipher,
(uint8_t*)stream->cc.peer_zrtp_key.buffer,
NULL,
ZRTP_CIPHER_MODE_CFB);
if (!cipher_ctx) {
break;
}
s = session->blockcipher->set_iv( session->blockcipher,
cipher_ctx,
(zrtp_v128_t*)confirm->iv);
if (zrtp_status_ok != s) {
break;
}
s = session->blockcipher->decrypt( session->blockcipher,
cipher_ctx,
(uint8_t*)&confirm->hash,
encrypted_body_size);
} while(0);
if (cipher_ctx) {
session->blockcipher->stop(session->blockcipher, cipher_ctx);
}
if (zrtp_status_ok != s) {
ZRTP_LOG(3,(_ZTU_,"\tERROR! failed to decrypt incoming Confirm. s=%d ID=%u\n", s, stream->id));
return s;
}
/* We have access to hash field and can check hmac of the previous message */
{
zrtp_msg_hdr_t *hdr = NULL;
char *key=NULL;
zrtp_string32_t tmphash_str = ZSTR_INIT_EMPTY(tmphash_str);
zrtp_hash_t *hash = zrtp_comp_find( ZRTP_CC_HASH, ZRTP_HASH_SHA256, stream->zrtp);
if (ZRTP_IS_STREAM_DH(stream)) {
hdr = &stream->messages.peer_dhpart.hdr;
key = (char*)confirm->hash;
} else {
hash->hash_c(hash, (char*)confirm->hash, ZRTP_MESSAGE_HASH_SIZE, ZSTR_GV(tmphash_str));
if (ZRTP_STATEMACHINE_INITIATOR == stream->protocol->type) {
hdr = &stream->messages.peer_hello.hdr;
hash->hash_c( hash,
tmphash_str.buffer,
ZRTP_MESSAGE_HASH_SIZE,
ZSTR_GV(tmphash_str) );
} else {
hdr = &stream->messages.peer_commit.hdr;
}
key = tmphash_str.buffer;
}
if (0 != _zrtp_validate_message_hmac(stream, hdr, key)) {
return zrtp_status_fail;
}
}
/* Set evil bit if other-side shared session key */
stream->peer_disclose_bit = (confirm->flags & 0x01);
/* Enable ALLOWCLEAR option if only both sides support it */
stream->allowclear = (confirm->flags & 0x02) && session->profile.allowclear;
/* Drop RS1 VERIFIED flag if other side didn't verified key exchange */
if (0 == (confirm->flags & 0x04)) {
ZRTP_LOG(2,(_ZTU_,"\tINFO: Other side Confirm V=0 - set verified to 0! ID=%u\n", stream->id));
zrtp_verified_set(session->zrtp, &session->zrtp->zid, &session->peer_zid, 0);
}
/* Look for Enrollment replay flag */
if (confirm->flags & 0x08)
{
ZRTP_LOG(2,(_ZTU_,"\tINFO: Confirm PBX Enrolled flag is set - it is a Registration call! ID=%u\n", stream->id));
if (stream->mitm_mode != ZRTP_MITM_MODE_CLIENT) {
ZRTP_LOG(2,(_ZTU_,"\tERROR: PBX enrollment flag was received in wrong MiTM mode %s."
" ID=%u\n", zrtp_log_mode2str(stream->mode), stream->id));
_zrtp_machine_enter_initiatingerror(stream, zrtp_error_invalid_packet, 1);
return zrtp_status_fail;
}
/* Passive endpoint should ignore PBX Enrollment. */
if (ZRTP_LICENSE_MODE_PASSIVE != stream->zrtp->lic_mode) {
stream->mitm_mode = ZRTP_MITM_MODE_REG_CLIENT;
} else {
ZRTP_LOG(2,(_ZTU_,"\tINFO: Ignore PBX Enrollment flag as we are Passive ID=%u\n", stream->id));
}
}
stream->cache_ttl = ZRTP_MIN(session->profile.cache_ttl, zrtp_ntoh32(confirm->expired_interval));
/* Copy packet for future hashing */
zrtp_memcpy(&stream->messages.peer_confirm, confirm, zrtp_ntoh16(confirm->hdr.length)*4);
return zrtp_status_ok;
}
/*----------------------------------------------------------------------------*/
zrtp_status_t _zrtp_machine_create_confirm( zrtp_stream_t *stream,
zrtp_packet_Confirm_t* confirm)
{
void* cipher_ctx = NULL;
zrtp_status_t s = zrtp_status_fail;
zrtp_session_t *session = stream->session;
uint32_t verifiedflag = 0;
/* hash + (padding + sig_len + flags) + ttl */
const uint8_t encrypted_body_size = ZRTP_MESSAGE_HASH_SIZE + (2 + 1 + 1) + 4;
/*
* Create the Confirm packet according to draft 6.7
* AES CFB vector at first, SIG length and flags octet and cache TTL at the end
* This version doesn't support signatures so sig_length=0
*/
if (ZRTP_CFBIV_SIZE != zrtp_randstr(session->zrtp, confirm->iv, ZRTP_CFBIV_SIZE)) {
return zrtp_status_fail;
}
zrtp_memcpy(confirm->hash, stream->messages.h0.buffer, ZRTP_MESSAGE_HASH_SIZE);
zrtp_cache_get_verified(session->zrtp->cache, ZSTR_GV(session->peer_zid), &verifiedflag);
confirm->expired_interval = zrtp_hton32(session->profile.cache_ttl);
confirm->flags = 0;
confirm->flags |= session->profile.disclose_bit ? 0x01 : 0x00;
confirm->flags |= session->profile.allowclear ? 0x02 : 0x00;
confirm->flags |= verifiedflag ? 0x04 : 0x00;
confirm->flags |= (ZRTP_MITM_MODE_REG_SERVER == stream->mitm_mode) ? 0x08 : 0x00;
/* Then we need to encrypt Confirm before Hmac computing. Use AES CFB */
do
{
cipher_ctx = session->blockcipher->start( session->blockcipher,
(uint8_t*)stream->cc.zrtp_key.buffer,
NULL,
ZRTP_CIPHER_MODE_CFB);
if (!cipher_ctx) {
break;
}
s = session->blockcipher->set_iv(session->blockcipher, cipher_ctx, (zrtp_v128_t*)confirm->iv);
if (zrtp_status_ok != s) {
break;
}
s = session->blockcipher->encrypt( session->blockcipher,
cipher_ctx,
(uint8_t*)&confirm->hash,
encrypted_body_size );
} while(0);
if (cipher_ctx) {
session->blockcipher->stop(session->blockcipher, cipher_ctx);
}
if (zrtp_status_ok != s) {
ZRTP_LOG(1,(_ZTU_,"ERROR! failed to encrypt Confirm. s=%d ID=%u\n", s, stream->id));
return s;
}
/* Compute Hmac over encrypted part of Confirm */
{
zrtp_string128_t hmac = ZSTR_INIT_EMPTY(hmac);
s = session->hash->hmac_c( session->hash,
stream->cc.hmackey.buffer,
stream->cc.hmackey.length,
(const char*)&confirm->hash,
encrypted_body_size,
ZSTR_GV(hmac) );
if (zrtp_status_ok != s) {
ZRTP_LOG(1,(_ZTU_,"ERROR! failed to compute Confirm hmac. s=%d ID=%u\n", s, stream->id));
return s;
}
zrtp_memcpy(confirm->hmac, hmac.buffer, ZRTP_HMAC_SIZE);
{
char buff[512];
ZRTP_LOG(3,(_ZTU_,"HMAC TRACE. COMPUTE.\n"));
ZRTP_LOG(3,(_ZTU_,"\tcipher text:%s. size=%u\n",
hex2str((const char*)&confirm->hash, encrypted_body_size, buff, sizeof(buff)), encrypted_body_size));
ZRTP_LOG(3,(_ZTU_,"\t key:%s.\n",
hex2str(stream->cc.hmackey.buffer, stream->cc.hmackey.length, buff, sizeof(buff))));
ZRTP_LOG(3,(_ZTU_,"\t comp hmac:%s.\n",
hex2str(hmac.buffer, hmac.length, buff, sizeof(buff))));
ZRTP_LOG(3,(_ZTU_,"\t hmac:%s.\n",
hex2str((const char*)confirm->hmac, ZRTP_HMAC_SIZE, buff, sizeof(buff))));
}
}
return zrtp_status_ok;
}