1 /*
2 * libZRTP SDK library, implements the ZRTP secure VoIP protocol.
3 * Copyright (c) 2006-2009 Philip R. Zimmermann. All rights reserved.
4 * Contact: http://philzimmermann.com
5 * For licensing and other legal details, see the file zrtp_legal.c.
6 *
7 * Viktor Krykun <v.krikun at zfoneproject.com>
8 */
9
10 #include "zrtp.h"
11
12 #define _ZTU_ "zrtp responder"
13
14 extern zrtp_status_t _zrtp_machine_start_initiating_secure(zrtp_stream_t *stream);
15
16 /* These functions construct packets for further replies. */
17 static zrtp_status_t _prepare_dhpart1(zrtp_stream_t *stream);
18 static zrtp_status_t _prepare_confirm1(zrtp_stream_t *stream);
19
20 /* Functions which are used to answer the Initiator's requests */
21 static void _send_dhpart1(zrtp_stream_t *stream);
22 static void _send_confirm1(zrtp_stream_t *stream);
23
24 /*
25 * Parses crypto-components list chosen by the initiator. doesn't perform any
26 * tests. Commit was fully checked by previous call of _zrtp_machine_preparse_commit().
27 * \exception: Handles all exceptions -- informs user and switches to CLEAR.
28 * (zrtp_error_XXX_unsp and zrtp_error_software errors.)
29 */
30 static zrtp_status_t _zrtp_machine_process_commit( zrtp_stream_t* stream,
31 zrtp_rtp_info_t* packet);
32
33 /*
34 * Parses DH packet: check for MitM1, MitM2 attacks and makes a copy of it for further usage.
35 * \exception: (MITM attacks, SOFTWARE) Informs user and switches to CLEAR.
36 */
37 static zrtp_status_t _zrtp_machine_process_dhpart2( zrtp_stream_t *stream,
38 zrtp_rtp_info_t *packet);
39
40 /*
41 * Just a wrapper over the protocol::_zrtp_machine_process_confirm().
42 * \exception: (AUTH attacks, SOFTWARE) Informs user and switches to CLEAR.
43 */
44 static zrtp_status_t _zrtp_machine_process_confirm2( zrtp_stream_t *stream,
45 zrtp_rtp_info_t *packet);
46
47
48 /*===========================================================================*/
49 /* State handlers */
50 /*===========================================================================*/
51
52 /*---------------------------------------------------------------------------*/
_zrtp_machine_process_while_in_pendingsecure(zrtp_stream_t * stream,zrtp_rtp_info_t * packet)53 zrtp_status_t _zrtp_machine_process_while_in_pendingsecure( zrtp_stream_t* stream,
54 zrtp_rtp_info_t* packet)
55 {
56 zrtp_status_t s = zrtp_status_ok;
57
58 switch (packet->type)
59 {
60 case ZRTP_COMMIT:
61 _send_dhpart1(stream);
62 break;
63
64 case ZRTP_DHPART2:
65 s = _zrtp_machine_process_dhpart2(stream, packet);
66 if (zrtp_status_ok != s) {
67 break;
68 }
69
70 /* Perform Keys generation according to draft 5.6 */
71 s = _zrtp_set_public_value(stream, 0);
72 if (zrtp_status_ok != s) {
73 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_software, 1);
74 break;
75 }
76
77 s = _prepare_confirm1(stream);
78 if (zrtp_status_ok != s) {
79 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_software, 1);
80 break;
81 }
82
83 _zrtp_change_state(stream, ZRTP_STATE_WAIT_CONFIRM2);
84 _send_confirm1(stream);
85 break;
86
87 case ZRTP_NONE:
88 s = zrtp_status_drop;
89 break;
90
91 default:
92 break;
93 }
94
95 return s;
96 }
97
98
99 /*---------------------------------------------------------------------------*/
_zrtp_machine_process_while_in_waitconfirm2(zrtp_stream_t * stream,zrtp_rtp_info_t * packet)100 zrtp_status_t _zrtp_machine_process_while_in_waitconfirm2( zrtp_stream_t* stream,
101 zrtp_rtp_info_t* packet)
102 {
103 zrtp_status_t status = zrtp_status_ok;
104
105 switch (packet->type)
106 {
107 case ZRTP_DHPART2:
108 if (ZRTP_IS_STREAM_DH(stream)) {
109 _send_confirm1(stream);
110 }
111 break;
112
113 case ZRTP_COMMIT:
114 if (ZRTP_IS_STREAM_FAST(stream)) {
115 _send_confirm1(stream);
116 }
117 break;
118
119 case ZRTP_CONFIRM2:
120 status = _zrtp_machine_process_confirm2(stream, packet);
121 if (zrtp_status_ok == status) {
122 _zrtp_packet_send_message(stream, ZRTP_CONFIRM2ACK, NULL);
123 status = _zrtp_machine_enter_secure(stream);
124 }
125 break;
126
127 case ZRTP_NONE:
128 status = zrtp_status_drop;
129 break;
130
131 default:
132 break;
133 }
134
135 return status;
136 }
137
138
139 /*===========================================================================*/
140 /* States switchers */
141 /*===========================================================================*/
142
143 /*---------------------------------------------------------------------------*/
_zrtp_machine_enter_pendingsecure(zrtp_stream_t * stream,zrtp_rtp_info_t * packet)144 zrtp_status_t _zrtp_machine_enter_pendingsecure( zrtp_stream_t* stream,
145 zrtp_rtp_info_t* packet)
146 {
147 zrtp_status_t s = zrtp_status_ok;
148
149 ZRTP_LOG(3,(_ZTU_,"\tENTER STATE PENDING SECURE for ID=%u mode=%s state=%s.\n",
150 stream->id, zrtp_log_mode2str(stream->mode), zrtp_log_state2str(stream->state)));
151
152 do
153 {
154 if (!ZRTP_IS_STREAM_MULT(stream)) {
155 zrtp_packet_Commit_t *commit = (zrtp_packet_Commit_t*) packet->message;
156
157 stream->session->hash = zrtp_comp_find( ZRTP_CC_HASH,
158 zrtp_comp_type2id(ZRTP_CC_HASH, (char*)commit->hash_type),
159 stream->zrtp);
160 stream->session->blockcipher = zrtp_comp_find( ZRTP_CC_CIPHER,
161 zrtp_comp_type2id(ZRTP_CC_CIPHER, (char*)commit->cipher_type),
162 stream->zrtp);
163 stream->session->authtaglength = zrtp_comp_find( ZRTP_CC_ATL,
164 zrtp_comp_type2id(ZRTP_CC_ATL, (char*)commit->auth_tag_length),
165 stream->zrtp);
166 stream->session->sasscheme = zrtp_comp_find( ZRTP_CC_SAS,
167 zrtp_comp_type2id(ZRTP_CC_SAS, (char*)commit->sas_type),
168 stream->zrtp);
169
170 ZRTP_LOG(3,(_ZTU_,"\tRemote COMMIT specified following options:\n"));
171 ZRTP_LOG(3,(_ZTU_,"\t Hash: %.4s\n", commit->hash_type));
172 ZRTP_LOG(3,(_ZTU_,"\t Cipher: %.4s\n", commit->cipher_type));
173 ZRTP_LOG(3,(_ZTU_,"\t ATL: %.4s\n", commit->auth_tag_length));
174 ZRTP_LOG(3,(_ZTU_,"\t PK scheme: %.4s\n", commit->public_key_type));
175 ZRTP_LOG(3,(_ZTU_,"\tVAD scheme: %.4s\n", commit->sas_type));
176 }
177
178 if (ZRTP_IS_STREAM_DH(stream)) {
179 _zrtp_change_state(stream, ZRTP_STATE_PENDINGSECURE);
180
181 /*
182 * If stream->concurrent is set this means that we stopped a concurrent
183 * DH stream to break a tie. This can happen when Commit messages are
184 * sent by both ZRTP endpoints at the same time, but are received in
185 * different media streams. Now current stream has finished DH setup and
186 * we can resume the other one.
187 */
188 if (stream->concurrent) {
189 zrtp_stream_t* tctx = stream->concurrent;
190 stream->concurrent = NULL;
191 ZRTP_LOG(3,(_ZTU_,"\tRelease2 Concurrent stream=%u ID=%u\n", tctx->id, stream->id));
192 _zrtp_machine_start_initiating_secure(tctx);
193 }
194
195 s = _zrtp_protocol_init(stream, 0, &stream->protocol);
196 if (zrtp_status_ok != s) {
197 break;
198 }
199
200 s = _zrtp_machine_process_commit(stream, packet); /* doesn't throw exception */
201 if (zrtp_status_ok != s) {
202 break; /* Software error */
203 }
204
205 s = _prepare_dhpart1(stream);
206 if (zrtp_status_ok != s) {
207 break; /* EH: Always successful */
208 }
209
210 _zrtp_machine_process_while_in_pendingsecure(stream, packet);
211
212 if (stream->zrtp->cb.event_cb.on_zrtp_protocol_event) {
213 stream->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_IS_PENDINGSECURE);
214 }
215 }
216 else
217 {
218 _zrtp_change_state(stream, ZRTP_STATE_WAIT_CONFIRM2);
219
220 s = _zrtp_protocol_init(stream, 0, &stream->protocol);
221 if (zrtp_status_ok != s) {
222 break;
223 }
224
225 s = _zrtp_machine_process_commit(stream, packet); /* doesn't throw exception */
226 if (zrtp_status_ok != s) {
227 break; /* Software error */
228 }
229
230 s = _zrtp_set_public_value(stream, 0);
231 if (zrtp_status_ok != s) {
232 break; /* Software error */
233 }
234
235 s = _prepare_confirm1(stream);
236 if (zrtp_status_ok != s) {
237 break; /* Software error */
238 }
239
240 _send_confirm1(stream);
241 }
242 } while (0);
243
244 if (zrtp_status_ok != s) {
245 if (stream->protocol) {
246 _zrtp_protocol_destroy(stream->protocol);
247 stream->protocol = NULL;
248 }
249 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_software, 1);
250 }
251
252 return s;
253 }
254
255
256 /*===========================================================================*/
257 /* Packets handlers */
258 /*===========================================================================*/
259
260 /*---------------------------------------------------------------------------*/
_check_commit(zrtp_stream_t * stream,zrtp_packet_Commit_t * commit)261 static zrtp_status_t _check_commit(zrtp_stream_t *stream, zrtp_packet_Commit_t *commit)
262 {
263 do {
264 /* check PUBLIC KEY TYPE */
265 if (0 > zrtp_profile_find( &stream->session->profile,
266 ZRTP_CC_PKT,
267 zrtp_comp_type2id(ZRTP_CC_PKT, (char*)commit->public_key_type)))
268 {
269 /* Can't talk to them. ZRTP public key type not supported by current profile */
270 ZRTP_LOG(2,(_ZTU_,"\tINFO: PKExch %.4s isn't supported by profile. ID=%u\n",
271 commit->public_key_type, stream->id));
272 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_pktype_unsp, 1);
273 break;
274 }
275
276 /* check HASH scheme */
277 if ( 0 > zrtp_profile_find( &stream->session->profile,
278 ZRTP_CC_HASH,
279 zrtp_comp_type2id(ZRTP_CC_HASH, (char*)commit->hash_type)) )
280 {
281 /* Can't talk to them. ZRTP hash type not supported by current profile */
282 ZRTP_LOG(2,(_ZTU_,"\tINFO: Hash %.4s isn't supported by profile. ID=%u\n",
283 commit->hash_type, stream->id));
284 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_hash_unsp, 1);
285 break;
286 }
287
288 /* check CIPHER type */
289 if ( 0 > zrtp_profile_find( &stream->session->profile,
290 ZRTP_CC_CIPHER,
291 zrtp_comp_type2id(ZRTP_CC_CIPHER, (char*)commit->cipher_type)) )
292 {
293 /* Can't talk to them. ZRTP cipher type not supported by current profile */
294 ZRTP_LOG(2,(_ZTU_,"\tINFO: Cipher %.4s isn't supported by profile. ID=%u\n",
295 commit->cipher_type, stream->id));
296 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_cipher_unsp, 1);
297 break;
298 }
299
300 /* check AUTH TAG LENGTH */
301 if ( 0 > zrtp_profile_find( &stream->session->profile,
302 ZRTP_CC_ATL,
303 zrtp_comp_type2id(ZRTP_CC_ATL, (char*)commit->auth_tag_length)) )
304 {
305 /* Can't talk to them. ZRTP auth tag length not supported by current profile */
306 ZRTP_LOG(2,(_ZTU_,"\tINFO: Authtag %.4s isn't supported by profile. ID=%u\n",
307 commit->auth_tag_length, stream->id));
308 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_auth_unsp, 1);
309 break;
310 }
311
312 /* check SAS scheme */
313 if ( 0 > zrtp_profile_find( &stream->session->profile,
314 ZRTP_CC_SAS,
315 zrtp_comp_type2id(ZRTP_CC_SAS, (char*)commit->sas_type)) )
316 {
317 /* Can't talk to them. ZRTP SAS scheme not supported by current profile */
318 ZRTP_LOG(2,(_ZTU_,"\tINFO: SAS %.4s isn't supported by profile. ID=%u\n",
319 commit->sas_type, stream->id));
320 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_sas_unsp, 1);
321 break;
322 }
323
324 return zrtp_status_ok;
325 } while (0);
326
327 return zrtp_status_fail;
328 }
329
330 /*---------------------------------------------------------------------------*/
_zrtp_machine_preparse_commit(zrtp_stream_t * stream,zrtp_rtp_info_t * packet)331 zrtp_statemachine_type_t _zrtp_machine_preparse_commit( zrtp_stream_t *stream,
332 zrtp_rtp_info_t* packet)
333 {
334 zrtp_packet_Commit_t *commit = (zrtp_packet_Commit_t*) packet->message;
335 zrtp_statemachine_type_t res = ZRTP_STATEMACHINE_RESPONDER;
336
337 zrtp_pktype_id_t his_pkt = zrtp_comp_type2id(ZRTP_CC_PKT, (char*)commit->public_key_type);
338 zrtp_stream_mode_t his_mode = (his_pkt == ZRTP_PKTYPE_PRESH) ? ZRTP_STREAM_MODE_PRESHARED : (his_pkt == ZRTP_PKTYPE_MULT) ? ZRTP_STREAM_MODE_MULT : ZRTP_STREAM_MODE_DH;
339
340 ZRTP_LOG(3,(_ZTU_,"\tPreparse incoming COMMIT. Remote peer wants %.4s:%d mode lic=%d peer M=%d.\n",
341 commit->public_key_type, his_mode, stream->zrtp->lic_mode, stream->peer_mitm_flag));
342
343 /*
344 * Checking crypto components chosen by other peer for stream establishment
345 */
346 if (zrtp_status_ok != _check_commit(stream, commit)) {
347 return ZRTP_STATEMACHINE_NONE;
348 }
349
350 /*
351 * Passive ZRTP endpoint can't talk to ZRTP MiTM endpoints.
352 */
353 if (!ZRTP_PASSIVE3_TEST(stream)) {
354 ZRTP_LOG(2,(_ZTU_,"\tERROR: The endpoint is in passive mode and can't handle"
355 " connections with MiTM endpoints. ID=%u\n", stream->id));
356 if (stream->zrtp->cb.event_cb.on_zrtp_protocol_event ) {
357 stream->zrtp->cb.event_cb.on_zrtp_protocol_event(stream, ZRTP_EVENT_IS_PASSIVE_RESTRICTION);
358 }
359 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_service_unavail, 1);
360 return ZRTP_STATEMACHINE_NONE;
361 }
362
363 /*
364 * Both sides are in "Initiating" state we need to break the tie:
365 * - if both sides wants to use the same scheme - side with lower vh switches to
366 * "Responder" state.
367 * - if both sides wants to use Preshared scheme and one of the sides are in MiTM mode it
368 * should switch to Responder state
369 * - if one side wants Preshared and onother one DH - DH should win.
370 * - rest of the combinations (DH - Multistream, Preshared - Multistream) are deperecated by the RFC
371 */
372 if (ZRTP_STATE_INITIATINGSECURE == stream->state)
373 {
374 zrtp_pktype_id_t my_pkt = stream->pubkeyscheme->base.id;
375 zrtp_stream_mode_t my_mode = (my_pkt == ZRTP_PKTYPE_PRESH) ? ZRTP_STREAM_MODE_PRESHARED : (my_pkt == ZRTP_PKTYPE_MULT) ? ZRTP_STREAM_MODE_MULT : ZRTP_STREAM_MODE_DH;
376
377 ZRTP_LOG(2,(_ZTU_,"\tBoth sides are in INITIATINGSECURE State - BREACK the TIE. ID=%u\n", stream->id));
378
379 if (his_mode == my_mode) {
380 if ( (his_mode == ZRTP_STREAM_MODE_PRESHARED) && (stream->peer_mitm_flag || stream->zrtp->is_mitm)) {
381 if (stream->peer_mitm_flag) {
382 ZRTP_LOG(3,(_ZTU_,"\tWe running in Gneral ZRTP Endpoint mode, but the"
383 " remote side is in MiTM - stay Initiating state.\n"));
384 res = ZRTP_STATEMACHINE_INITIATOR;
385 }
386 } else {
387 if (zrtp_memcmp( stream->protocol->cc->hv.buffer,
388 commit->hv,
389 (his_mode == ZRTP_STREAM_MODE_DH) ? ZRTP_HV_SIZE : ZRTP_HV_NONCE_SIZE) > 0) {
390 ZRTP_LOG(3,(_ZTU_,"\tWe have Commit with greater HV so stay Initiating state.\n"));
391 res = ZRTP_STATEMACHINE_INITIATOR;
392 }
393 }
394 } else {
395 if (my_mode == ZRTP_STREAM_MODE_DH) {
396 ZRTP_LOG(3,(_ZTU_,"\tOther peer sent Non DH Commit but we want DH - stay Initiating state.\n"));
397 res = ZRTP_STATEMACHINE_INITIATOR;
398 }
399 }
400 }
401
402 if (res == ZRTP_STATEMACHINE_RESPONDER)
403 {
404 /*
405 * If other peer wants to switch "Preshared" we must be ready for this. Check
406 * for secrets availability and if we can't use "Preshared" we should force other
407 * peer to switch to "DH" mode. For this purpose we use our own Commit with DHxK
408 * in it. Such Commit should win competition in any case.
409 */
410 if ((his_mode == ZRTP_STREAM_MODE_PRESHARED) && !stream->session->secrets.rs1->_cachedflag) {
411 ZRTP_LOG(3,(_ZTU_, "\tOther peer wants Preshared mode but we have no secrets.\n"));
412 res = ZRTP_STATEMACHINE_INITIATOR;
413 }
414
415 /*
416 * If other peer wants to switch "Multistream" we must be ready for this. Check
417 * for ZRTPSess key availability. If we can't use "Multistream" we should force other
418 * peer to switch to "DH" mode. For this purpose we use our own Commit with DHxK
419 * in it. Such Commit should win competition in any case.
420 */
421 if ((his_mode == ZRTP_STREAM_MODE_MULT) && !stream->session->zrtpsess.length) {
422 ZRTP_LOG(3,(_ZTU_,"\tOther peer wants Preshared mode but we have no secrets.\n"));
423 res = ZRTP_STATEMACHINE_INITIATOR;
424 }
425
426 /*
427 * If other peer wants "Full DH" exchange but ZRTP Session key have been already
428 * computed - there is no sense in doing this. What is more, ZRTP Specification
429 * doesn't allow doing this.
430 */
431 if ((his_mode == ZRTP_STREAM_MODE_DH) && (stream->session->zrtpsess.length > 0)) {
432 ZRTP_LOG(3,(_ZTU_,"\tOther peer wants DH mode but we have ZRTP session and ready for Multistream.\n"));
433 res = ZRTP_STATEMACHINE_NONE;
434 }
435 }
436
437 /*
438 * If we decided to use Responder's state-machine - only one DH or Preshared stream
439 * can be run at the moment so check states.
440 */
441 if ((res == ZRTP_STATEMACHINE_RESPONDER) && !_zrtp_can_start_stream(stream, &stream->concurrent, his_mode))
442 {
443 ZRTP_LOG(3,(_ZTU_,"\tCan't handle COMMIT another DH with ID=%u is in progress.\n", stream->concurrent->id));
444
445 if ( (stream->concurrent->state <= ZRTP_STATE_INITIATINGSECURE) &&
446 (zrtp_memcmp(stream->concurrent->protocol->cc->hv.buffer, commit->hv, ZRTP_HV_SIZE) < 0) )
447 {
448 ZRTP_LOG(3,(_ZTU_,"\tPossible DEADLOCK Resolving. STOP CONCURRENT"
449 " Stream with ID=%u\n",stream->concurrent->id));
450 _zrtp_cancel_send_packet_later(stream->concurrent, ZRTP_NONE);
451 } else {
452 res = ZRTP_STATEMACHINE_NONE;
453 }
454 }
455
456 if (res == ZRTP_STATEMACHINE_RESPONDER) {
457 ZRTP_LOG(3,(_ZTU_,"\tChosen Responder State-Machine. Change Mode to %s,"
458 " pkt to %.4s\n", zrtp_log_mode2str(his_mode), commit->public_key_type));
459 stream->mode = his_mode;
460 stream->pubkeyscheme = zrtp_comp_find(ZRTP_CC_PKT, his_pkt, stream->zrtp);
461 } else {
462 ZRTP_LOG(3,(_ZTU_,"\tChosen Initiator State-Machine. Stay in current Mode\n"));
463 }
464
465 return res;
466 }
467
468 /*---------------------------------------------------------------------------*/
_zrtp_machine_process_commit(zrtp_stream_t * stream,zrtp_rtp_info_t * packet)469 zrtp_status_t _zrtp_machine_process_commit(zrtp_stream_t* stream, zrtp_rtp_info_t* packet)
470 {
471 zrtp_packet_Commit_t *commit = (zrtp_packet_Commit_t*) packet->message;
472
473 switch (stream->mode)
474 {
475 case ZRTP_STREAM_MODE_DH:
476 zrtp_zstrncpyc( ZSTR_GV(stream->protocol->cc->peer_hv),
477 (const char*)commit->hv,
478 ZRTP_HV_SIZE);
479 break;
480 case ZRTP_STREAM_MODE_PRESHARED:
481 zrtp_zstrncpyc( ZSTR_GV(stream->protocol->cc->peer_hv),
482 (const char*)commit->hv + ZRTP_HV_NONCE_SIZE,
483 ZRTP_HV_NONCE_SIZE);
484 case ZRTP_STREAM_MODE_MULT:
485 zrtp_zstrncpyc( ZSTR_GV(stream->protocol->cc->peer_hv),
486 (const char*)commit->hv,
487 ZRTP_HV_NONCE_SIZE);
488 break;
489 default: break;
490 }
491
492 /* Copy Commit packet for further hashing */
493 zrtp_memcpy(&stream->messages.peer_commit, commit, zrtp_ntoh16(commit->hdr.length)*4);
494
495 return zrtp_status_ok;
496 }
497
498
499 /*----------------------------------------------------------------------------*/
_zrtp_machine_process_dhpart2(zrtp_stream_t * stream,zrtp_rtp_info_t * packet)500 static zrtp_status_t _zrtp_machine_process_dhpart2( zrtp_stream_t *stream,
501 zrtp_rtp_info_t *packet)
502 {
503 zrtp_status_t s = zrtp_status_ok;
504 zrtp_proto_crypto_t* cc = stream->protocol->cc;
505 zrtp_packet_DHPart_t *dhpart2 = (zrtp_packet_DHPart_t*) packet->message;
506 void *hash_ctx = NULL;
507
508 /*
509 * Verify hash commitment. (Compare hvi calculated from DH with peer hvi from COMMIT)
510 * According to the last version of the internet draft 04a. Hvi should be
511 * computed as: hvi=hash(initiator's DHPart2 message | responder's Hello message)
512 */
513 hash_ctx = stream->session->hash->hash_begin(stream->session->hash);
514 if (!hash_ctx) {
515 return zrtp_status_fail;
516 }
517
518 stream->session->hash->hash_update( stream->session->hash,
519 hash_ctx,
520 (const int8_t*)dhpart2,
521 zrtp_ntoh16(dhpart2->hdr.length)*4);
522 stream->session->hash->hash_update( stream->session->hash,
523 hash_ctx,
524 (const int8_t*)&stream->messages.hello,
525 zrtp_ntoh16(stream->messages.hello.hdr.length)*4);
526 stream->session->hash->hash_end( stream->session->hash,
527 hash_ctx,
528 ZSTR_GV(cc->hv));
529
530 /* Truncate comuted hvi to 256 bit. The same length as transferred in Commit message.*/
531 cc->hv.length = ZRTP_HASH_SIZE;
532
533 if (0 != zrtp_zstrcmp(ZSTR_GV(cc->hv), ZSTR_GV(cc->peer_hv))) {
534 ZRTP_LOG(1,(_ZTU_,"\tERROR!" ZRTP_MIM2_WARNING_STR " ID=%u\n", stream->id));
535 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_possible_mitm2, 1);
536 return zrtp_status_fail;
537 }
538
539 /* Validate DH exchange (pvi is 1 or p-1). For DH streams only */
540 bnInsertBigBytes(&stream->dh_cc.peer_pv, dhpart2->pv, 0, stream->pubkeyscheme->pv_length);
541
542 s = stream->pubkeyscheme->validate(stream->pubkeyscheme, &stream->dh_cc.peer_pv);
543 if (zrtp_status_ok != s) {
544 ZRTP_LOG(1,(_ZTU_,"\tERROR!" ZRTP_MITM1_WARNING_STR " ID=%u\n", stream->id));
545 _zrtp_machine_enter_initiatingerror(stream, zrtp_error_possible_mitm1, 1);
546 return s;
547 }
548
549 /* Copy DH Part2 packet for future hashing */
550 zrtp_memcpy(&stream->messages.peer_dhpart, dhpart2, zrtp_ntoh16(dhpart2->hdr.length)*4);
551
552 return s;
553 }
554
555 /*----------------------------------------------------------------------------*/
_zrtp_machine_process_confirm2(zrtp_stream_t * stream,zrtp_rtp_info_t * packet)556 zrtp_status_t _zrtp_machine_process_confirm2( zrtp_stream_t *stream,
557 zrtp_rtp_info_t *packet)
558 {
559 zrtp_packet_Confirm_t *confirm2 = (zrtp_packet_Confirm_t*) packet->message;
560 return _zrtp_machine_process_confirm(stream, confirm2);
561 }
562
563
564 /*===========================================================================*/
565 /* Packets senders */
566 /*===========================================================================*/
567
568 /*----------------------------------------------------------------------------*/
_send_dhpart1(zrtp_stream_t * stream)569 static void _send_dhpart1(zrtp_stream_t *stream)
570 {
571 _zrtp_packet_send_message(stream, ZRTP_DHPART1, &stream->messages.dhpart);
572 }
573
_prepare_dhpart1(zrtp_stream_t * stream)574 static zrtp_status_t _prepare_dhpart1(zrtp_stream_t *stream)
575 {
576 zrtp_proto_crypto_t* cc = stream->protocol->cc;
577 zrtp_packet_DHPart_t *dh1 = &stream->messages.dhpart;
578 uint16_t dh_length = (uint16_t)stream->pubkeyscheme->pv_length;
579
580 zrtp_memcpy(dh1->rs1ID, cc->rs1.id.buffer, ZRTP_RSID_SIZE);
581 zrtp_memcpy(dh1->rs2ID, cc->rs2.id.buffer, ZRTP_RSID_SIZE);
582 zrtp_memcpy(dh1->auxsID, cc->auxs.id.buffer, ZRTP_RSID_SIZE);
583 zrtp_memcpy(dh1->pbxsID, cc->pbxs.id.buffer, ZRTP_RSID_SIZE);
584
585 bnExtractBigBytes(&stream->dh_cc.pv, dh1->pv, 0, dh_length);
586
587 _zrtp_packet_fill_msg_hdr( stream,
588 ZRTP_DHPART1,
589 dh_length + ZRTP_DH_STATIC_SIZE + ZRTP_HMAC_SIZE,
590 &dh1->hdr);
591
592 return zrtp_status_ok;
593 }
594
595 /*----------------------------------------------------------------------------*/
_send_confirm1(zrtp_stream_t * stream)596 static void _send_confirm1(zrtp_stream_t *stream)
597 {
598 _zrtp_packet_send_message(stream, ZRTP_CONFIRM1, &stream->messages.confirm);
599 }
600
_prepare_confirm1(zrtp_stream_t * stream)601 static zrtp_status_t _prepare_confirm1(zrtp_stream_t *stream)
602 {
603 zrtp_status_t s = _zrtp_machine_create_confirm(stream, &stream->messages.confirm);
604 if (zrtp_status_ok == s) {
605 s = _zrtp_packet_fill_msg_hdr( stream,
606 ZRTP_CONFIRM1,
607 sizeof(zrtp_packet_Confirm_t) - sizeof(zrtp_msg_hdr_t),
608 &stream->messages.confirm.hdr);
609 }
610
611 return s;
612 }
613