Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1 | /* |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 2 | Copyright (C) 2006-2010 Werner Dittmann |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 3 | |
| 4 | This program is free software: you can redistribute it and/or modify |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 5 | it under the terms of the GNU General Public License as published by |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 6 | the Free Software Foundation, either version 3 of the License, or |
| 7 | (at your option) any later version. |
| 8 | |
| 9 | This program is distributed in the hope that it will be useful, |
| 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | GNU General Public License for more details. |
| 13 | |
| 14 | You should have received a copy of the GNU General Public License |
| 15 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
| 16 | */ |
| 17 | |
| 18 | #ifndef _ZRTP_H_ |
| 19 | #define _ZRTP_H_ |
| 20 | /** |
| 21 | * @file ZRtp.h |
| 22 | * @brief The ZRTP main engine |
| 23 | * @defgroup GNU_ZRTP The GNU ZRTP C++ implementation |
| 24 | * @{ |
| 25 | */ |
| 26 | |
| 27 | #include <cstdlib> |
| 28 | |
| 29 | #include <libzrtpcpp/ZrtpPacketHello.h> |
| 30 | #include <libzrtpcpp/ZrtpPacketHelloAck.h> |
| 31 | #include <libzrtpcpp/ZrtpPacketCommit.h> |
| 32 | #include <libzrtpcpp/ZrtpPacketDHPart.h> |
| 33 | #include <libzrtpcpp/ZrtpPacketConfirm.h> |
| 34 | #include <libzrtpcpp/ZrtpPacketConf2Ack.h> |
| 35 | #include <libzrtpcpp/ZrtpPacketGoClear.h> |
| 36 | #include <libzrtpcpp/ZrtpPacketClearAck.h> |
| 37 | #include <libzrtpcpp/ZrtpPacketError.h> |
| 38 | #include <libzrtpcpp/ZrtpPacketErrorAck.h> |
| 39 | #include <libzrtpcpp/ZrtpPacketPing.h> |
| 40 | #include <libzrtpcpp/ZrtpPacketPingAck.h> |
| 41 | #include <libzrtpcpp/ZrtpPacketSASrelay.h> |
| 42 | #include <libzrtpcpp/ZrtpPacketRelayAck.h> |
| 43 | #include <libzrtpcpp/ZrtpCallback.h> |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 44 | #include <libzrtpcpp/ZIDRecord.h> |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 45 | |
| 46 | #ifndef SHA256_DIGEST_LENGTH |
| 47 | #define SHA256_DIGEST_LENGTH 32 |
| 48 | #endif |
| 49 | |
| 50 | // Prepare to support digest algorithms up to 512 bit (64 bytes) |
| 51 | #define MAX_DIGEST_LENGTH 64 |
| 52 | #define IMPL_MAX_DIGEST_LENGTH 64 |
| 53 | |
| 54 | class __EXPORT ZrtpStateClass; |
| 55 | class ZrtpDH; |
| 56 | |
| 57 | /** |
| 58 | * The main ZRTP class. |
| 59 | * |
| 60 | * This is the main class of the RTP/SRTP independent part of the GNU |
| 61 | * ZRTP. It handles the ZRTP HMAC, DH, and other data management. The |
| 62 | * user of this class needs to know only a few methods and needs to |
| 63 | * provide only a few external functions to connect to a Timer |
| 64 | * mechanism and to send data via RTP and SRTP. Refer to the |
| 65 | * ZrtpCallback class to get detailed information regading the |
| 66 | * callback methods required by GNU RTP. |
| 67 | * |
| 68 | * The class ZrtpQueue is the GNU ccRTP specific implementation that |
| 69 | * extends standard ccRTP RTP provide ZRTP support. Refer to the |
| 70 | * documentation of ZrtpQueue to get more information about the usage |
| 71 | * of ZRtp and associated classes. |
| 72 | * |
| 73 | * The main entry into the ZRTP class is the processExtensionHeader() |
| 74 | * method. |
| 75 | * |
| 76 | * This class does not directly handle the protocol states, timers, |
| 77 | * and packet resend. The protocol state engine is responsible for |
| 78 | * these actions. |
| 79 | * |
| 80 | * Example how to use ZRtp: |
| 81 | *<pre> |
| 82 | * zrtpEngine = new ZRtp((uint8_t*)ownZid, (ZrtpCallback*)this, idString); |
| 83 | * zrtpEngine->startZrtpEngine(); |
| 84 | *</pre> |
| 85 | * @see ZrtpCallback |
| 86 | * |
| 87 | * @author Werner Dittmann <Werner.Dittmann@t-online.de> |
| 88 | */ |
| 89 | class __EXPORT ZRtp { |
| 90 | |
| 91 | public: |
| 92 | |
| 93 | /** |
| 94 | * Constructor intializes all relevant data but does not start the |
| 95 | * engine. |
| 96 | */ |
| 97 | ZRtp(uint8_t* myZid, ZrtpCallback* cb, std::string id, |
| 98 | ZrtpConfigure* config, bool mitmm= false, bool sasSignSupport= false); |
| 99 | |
| 100 | /** |
| 101 | * Destructor cleans up. |
| 102 | */ |
| 103 | ~ZRtp(); |
| 104 | |
| 105 | /** |
| 106 | * Kick off the ZRTP protocol engine. |
| 107 | * |
| 108 | * This method calls the ZrtpStateClass#evInitial() state of the state |
| 109 | * engine. After this call we are able to process ZRTP packets |
| 110 | * from our peer and to process them. |
| 111 | */ |
| 112 | void startZrtpEngine(); |
| 113 | |
| 114 | /** |
| 115 | * Stop ZRTP security. |
| 116 | * |
| 117 | */ |
| 118 | void stopZrtp(); |
| 119 | |
| 120 | /** |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 121 | * Process RTP extension header. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 122 | * |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 123 | * This method expects to get a pointer to the extension header of |
| 124 | * a RTP packet. The method checks if this is really a ZRTP |
| 125 | * packet. If this check fails the method returns 0 (false) in |
| 126 | * case this is not a ZRTP packet. We return a 1 if we processed |
| 127 | * the ZRTP extension header and the caller may process RTP data |
| 128 | * after the extension header as usual. The method return -1 the |
| 129 | * call shall dismiss the packet and shall not forward it to |
| 130 | * further RTP processing. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 131 | * |
| 132 | * @param extHeader |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 133 | * A pointer to the first byte of the extension header. Refer to |
| 134 | * RFC3550. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 135 | * @param peerSSRC |
| 136 | * The peer's SSRC. |
| 137 | * @return |
| 138 | * Code indicating further packet handling, see description above. |
| 139 | */ |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 140 | void processZrtpMessage(uint8_t *extHeader, uint32_t peerSSRC); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 141 | |
| 142 | /** |
| 143 | * Process a timeout event. |
| 144 | * |
| 145 | * We got a timeout from the timeout provider. Forward it to the |
| 146 | * protocol state engine. |
| 147 | * |
| 148 | */ |
| 149 | void processTimeout(); |
| 150 | |
| 151 | /** |
| 152 | * Check for and handle GoClear ZRTP packet header. |
| 153 | * |
| 154 | * This method checks if this is a GoClear packet. If not, just return |
| 155 | * false. Otherwise handle it according to the specification. |
| 156 | * |
| 157 | * @param extHeader |
| 158 | * A pointer to the first byte of the extension header. Refer to |
| 159 | * RFC3550. |
| 160 | * @return |
| 161 | * False if not a GoClear, true otherwise. |
| 162 | */ |
| 163 | bool handleGoClear(uint8_t *extHeader); |
| 164 | |
| 165 | /** |
| 166 | * Set the auxilliary secret. |
| 167 | * |
| 168 | * Use this method to set the auxilliary secret data. Refer to ZRTP |
| 169 | * specification, chapter 4.3 ff |
| 170 | * |
| 171 | * @param data |
| 172 | * Points to the secret data. |
| 173 | * @param length |
| 174 | * Length of the auxilliary secrect in bytes |
| 175 | */ |
| 176 | void setAuxSecret(uint8_t* data, int32_t length); |
| 177 | |
| 178 | /** |
| 179 | * Check current state of the ZRTP state engine |
| 180 | * |
| 181 | * @param state |
| 182 | * The state to check. |
| 183 | * @return |
| 184 | * Returns true id ZRTP engine is in the given state, false otherwise. |
| 185 | */ |
| 186 | bool inState(int32_t state); |
| 187 | |
| 188 | /** |
| 189 | * Set SAS as verified. |
| 190 | * |
| 191 | * Call this method if the user confirmed (verfied) the SAS. ZRTP |
| 192 | * remembers this together with the retained secrets data. |
| 193 | */ |
| 194 | void SASVerified(); |
| 195 | |
| 196 | /** |
| 197 | * Reset the SAS verfied flag for the current active user's retained secrets. |
| 198 | * |
| 199 | */ |
| 200 | void resetSASVerified(); |
| 201 | |
| 202 | /** |
| 203 | * Get the ZRTP Hello Hash data. |
| 204 | * |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 205 | * Use this method to get the ZRTP Hello Hash data. The method |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 206 | * returns the data as a string containing the ZRTP protocol version and |
| 207 | * hex-digits. |
| 208 | * |
| 209 | * Refer to ZRTP specification, chapter 8. |
| 210 | * |
| 211 | * @return |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 212 | * a std:string containing the Hello hash value as hex-digits. The |
| 213 | * hello hash is available immediately after class instantiation. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 214 | */ |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 215 | std::string getHelloHash(); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 216 | |
| 217 | /** |
| 218 | * Get the peer's ZRTP Hello Hash data. |
| 219 | * |
| 220 | * Use this method to get the peer's ZRTP Hello Hash data. The method |
| 221 | * returns the data as a string containing the ZRTP protocol version and |
| 222 | * hex-digits. |
| 223 | * |
| 224 | * The peer's hello hash is available only after ZRTP received a hello. If |
| 225 | * no data is available the function returns an empty string. |
| 226 | * |
| 227 | * Refer to ZRTP specification, chapter 8. |
| 228 | * |
| 229 | * @return |
| 230 | * a std:string containing the Hello version and the hello hash as hex digits. |
| 231 | */ |
| 232 | std::string getPeerHelloHash(); |
| 233 | |
| 234 | /** |
| 235 | * Get Multi-stream parameters. |
| 236 | * |
| 237 | * Use this method to get the Multi-stream that were computed during |
| 238 | * the ZRTP handshake. An application may use these parameters to |
| 239 | * enable multi-stream processing for an associated SRTP session. |
| 240 | * |
| 241 | * Refer to chapter 4.4.2 in the ZRTP specification for further details |
| 242 | * and restriction how and when to use multi-stream mode. |
| 243 | * |
| 244 | * @return |
| 245 | * a string that contains the multi-stream parameters. The application |
| 246 | * must not modify the contents of this string, it is opaque data. The |
| 247 | * application may hand over this string to a new ZrtpQueue instance |
| 248 | * to enable multi-stream processing for this ZrtpQueue. |
| 249 | * If ZRTP was not started or ZRTP is not yet in secure state the method |
| 250 | * returns an empty string. |
| 251 | */ |
| 252 | std::string getMultiStrParams(); |
| 253 | |
| 254 | /** |
| 255 | * Set Multi-stream parameters. |
| 256 | * |
| 257 | * Use this method to set the parameters required to enable Multi-stream |
| 258 | * processing of ZRTP. The multi-stream parameters must be set before the |
| 259 | * application starts the ZRTP protocol engine. |
| 260 | * |
| 261 | * Refer to chapter 4.4.2 in the ZRTP specification for further details |
| 262 | * of multi-stream mode. |
| 263 | * |
| 264 | * @param parameters |
| 265 | * A string that contains the multi-stream parameters that this |
| 266 | * new ZrtpQueue instanace shall use. See also |
| 267 | * <code>getMultiStrParams()</code> |
| 268 | */ |
| 269 | void setMultiStrParams(std::string parameters); |
| 270 | |
| 271 | /** |
| 272 | * Check if this ZRTP session is a Multi-stream session. |
| 273 | * |
| 274 | * Use this method to check if this ZRTP instance uses multi-stream. |
| 275 | * Refer to chapters 4.2 and 4.4.2 in the ZRTP. |
| 276 | * |
| 277 | * @return |
| 278 | * True if multi-stream is used, false otherwise. |
| 279 | */ |
| 280 | bool isMultiStream(); |
| 281 | |
| 282 | /** |
| 283 | * Check if the other ZRTP client supports Multi-stream. |
| 284 | * |
| 285 | * Use this method to check if the other ZRTP client supports |
| 286 | * Multi-stream mode. |
| 287 | * |
| 288 | * @return |
| 289 | * True if multi-stream is available, false otherwise. |
| 290 | */ |
| 291 | bool isMultiStreamAvailable(); |
| 292 | |
| 293 | /** |
| 294 | * Accept a PBX enrollment request. |
| 295 | * |
| 296 | * If a PBX service asks to enroll the PBX trusted MitM key and the user |
| 297 | * accepts this request, for example by pressing an OK button, the client |
| 298 | * application shall call this method and set the parameter |
| 299 | * <code>accepted</code> to true. If the user does not accept the request |
| 300 | * set the parameter to false. |
| 301 | * |
| 302 | * @param accepted |
| 303 | * True if the enrollment request is accepted, false otherwise. |
| 304 | */ |
| 305 | void acceptEnrollment(bool accepted); |
| 306 | |
| 307 | /** |
| 308 | * Check the state of the enrollment mode. |
| 309 | * |
| 310 | * If true then we will set the enrollment flag (E) in the confirm |
| 311 | * packets and perform the enrollment actions. A MitM (PBX) enrollment service |
| 312 | * started this ZRTP session. Can be set to true only if mitmMode is also true. |
| 313 | * |
| 314 | * @return status of the enrollmentMode flag. |
| 315 | */ |
| 316 | bool isEnrollmentMode(); |
| 317 | |
| 318 | /** |
| 319 | * Set the state of the enrollment mode. |
| 320 | * |
| 321 | * If true then we will set the enrollment flag (E) in the confirm |
| 322 | * packets and perform the enrollment actions. A MitM (PBX) enrollment |
| 323 | * service must sets this mode to true. |
| 324 | * |
| 325 | * Can be set to true only if mitmMode is also true. |
| 326 | * |
| 327 | * @param enrollmentMode defines the new state of the enrollmentMode flag |
| 328 | */ |
| 329 | void setEnrollmentMode(bool enrollmentMode); |
| 330 | |
| 331 | /** |
| 332 | * Check if a peer's cache entry has a vaild MitM key. |
| 333 | * |
| 334 | * If true then the other peer ha a valid MtiM key, i.e. the peer has performed |
| 335 | * the enrollment procedure. A PBX ZRTP Back-2-Back application can use this function |
| 336 | * to check which of the peers is enrolled. |
| 337 | * |
| 338 | * @return True if the other peer has a valid Mitm key (is enrolled). |
| 339 | */ |
| 340 | bool isPeerEnrolled(); |
| 341 | |
| 342 | /** |
| 343 | * Send the SAS relay packet. |
| 344 | * |
| 345 | * The method creates and sends a SAS relay packet according to the ZRTP |
| 346 | * specifications. Usually only a MitM capable user agent (PBX) uses this |
| 347 | * function. |
| 348 | * |
| 349 | * @param sh the full SAS hash value, 32 bytes |
| 350 | * @param render the SAS rendering algorithm |
| 351 | */ |
| 352 | bool sendSASRelayPacket(uint8_t* sh, std::string render); |
| 353 | |
| 354 | /** |
| 355 | * Get the commited SAS rendering algorithm for this ZRTP session. |
| 356 | * |
| 357 | * @return the commited SAS rendering algorithm |
| 358 | */ |
| 359 | std::string getSasType(); |
| 360 | |
| 361 | /** |
| 362 | * Get the computed SAS hash for this ZRTP session. |
| 363 | * |
| 364 | * A PBX ZRTP back-to-Back function uses this function to get the SAS |
| 365 | * hash of an enrolled client to construct the SAS relay packet for |
| 366 | * the other client. |
| 367 | * |
| 368 | * @return a pointer to the byte array that contains the full |
| 369 | * SAS hash. |
| 370 | */ |
| 371 | uint8_t* getSasHash(); |
| 372 | |
| 373 | /** |
| 374 | * Set signature data. |
| 375 | * |
| 376 | * This functions stores signature data and transmitts it during ZRTP |
| 377 | * processing to the other party as part of the Confirm packets. Refer to |
| 378 | * chapters 5.7 and 7.2. |
| 379 | * |
| 380 | * The signature data must be set before ZRTP the application calls |
| 381 | * <code>start()</code>. |
| 382 | * |
| 383 | * @param data |
| 384 | * The signature data including the signature type block. The method |
| 385 | * copies this data into the Confirm packet at signature type block. |
| 386 | * @param length |
| 387 | * The length of the signature data in bytes. This length must be |
| 388 | * multiple of 4. |
| 389 | * @return |
| 390 | * True if the method stored the data, false otherwise. |
| 391 | */ |
| 392 | bool setSignatureData(uint8_t* data, int32_t length); |
| 393 | |
| 394 | /** |
| 395 | * Get signature data. |
| 396 | * |
| 397 | * This functions returns a pointer to the signature data that was receivied |
| 398 | * during ZRTP processing. Refer to chapters 5.7 and 7.2. |
| 399 | * |
| 400 | * The returned pointer points to volatile data that is valid only during the |
| 401 | * <code>checkSASSignature()</code> callback funtion. The application must copy |
| 402 | * the signature data if it will be used after the callback function returns. |
| 403 | * |
| 404 | * The signature data can be retrieved after ZRTP enters secure state. |
| 405 | * <code>start()</code>. |
| 406 | * |
| 407 | * @return |
| 408 | * Pointer to signature data. |
| 409 | */ |
| 410 | const uint8_t* getSignatureData(); |
| 411 | |
| 412 | /** |
| 413 | * Get length of signature data in number of bytes. |
| 414 | * |
| 415 | * This functions returns the length of signature data that was receivied |
| 416 | * during ZRTP processing. Refer to chapters 5.7 and 7.2. |
| 417 | * |
| 418 | * @return |
| 419 | * Length in bytes of the received signature data. The method returns |
| 420 | * zero if no signature data is avilable. |
| 421 | */ |
| 422 | int32_t getSignatureLength(); |
| 423 | |
| 424 | /** |
| 425 | * Emulate a Conf2Ack packet. |
| 426 | * |
| 427 | * This method emulates a Conf2Ack packet. According to ZRTP specification |
| 428 | * the first valid SRTP packet that the Initiator receives must switch |
| 429 | * on secure mode. Refer to chapter 4 in the specificaton |
| 430 | * |
| 431 | */ |
| 432 | void conf2AckSecure(); |
| 433 | |
| 434 | /** |
| 435 | * Get other party's ZID (ZRTP Identifier) data |
| 436 | * |
| 437 | * This functions returns the other party's ZID that was receivied |
| 438 | * during ZRTP processing. |
| 439 | * |
| 440 | * The ZID data can be retrieved after ZRTP receive the first Hello |
| 441 | * packet from the other party. The application may call this method |
| 442 | * for example during SAS processing in showSAS(...) user callback |
| 443 | * method. |
| 444 | * |
| 445 | * @param data |
| 446 | * Pointer to a data buffer. This buffer must have a size of |
| 447 | * at least 12 bytes (96 bit) (ZRTP Identifier, see chap. 4.9) |
| 448 | * @return |
| 449 | * Number of bytes copied into the data buffer - must be equivalent |
| 450 | * to 96 bit, usually 12 bytes. |
| 451 | */ |
| 452 | int32_t getPeerZid(uint8_t* data); |
| 453 | |
| 454 | private: |
| 455 | friend class ZrtpStateClass; |
| 456 | |
| 457 | /** |
| 458 | * The state engine takes care of protocol processing. |
| 459 | */ |
| 460 | ZrtpStateClass* stateEngine; |
| 461 | |
| 462 | /** |
| 463 | * This is my ZID that I send to the peer. |
| 464 | */ |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 465 | uint8_t zid[IDENTIFIER_LEN]; |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 466 | |
| 467 | /** |
| 468 | * The peer's ZID |
| 469 | */ |
| 470 | uint8_t peerZid[IDENTIFIER_LEN]; |
| 471 | |
| 472 | /** |
| 473 | * The callback class provides me with the interface to send |
| 474 | * data and to deal with timer management of the hosting system. |
| 475 | */ |
| 476 | ZrtpCallback* callback; |
| 477 | |
| 478 | /** |
| 479 | * My active Diffie-Helman context |
| 480 | */ |
| 481 | ZrtpDH* dhContext; |
| 482 | |
| 483 | /** |
| 484 | * The computed DH shared secret |
| 485 | */ |
| 486 | uint8_t* DHss; |
| 487 | |
| 488 | /** |
| 489 | * My computed public key |
| 490 | */ |
| 491 | uint8_t pubKeyBytes[400]; |
| 492 | /** |
| 493 | * Length off public key |
| 494 | */ |
| 495 | // int32_t pubKeyLen; |
| 496 | /** |
| 497 | * My Role in the game |
| 498 | */ |
| 499 | Role myRole; |
| 500 | |
| 501 | /** |
| 502 | * The human readable SAS value |
| 503 | */ |
| 504 | std::string SAS; |
| 505 | |
| 506 | /** |
| 507 | * The SAS hash for signaling and alike. Refer to chapters |
| 508 | * 4.5 and 7 how sasHash, sasValue and the SAS string are derived. |
| 509 | */ |
| 510 | uint8_t sasHash[MAX_DIGEST_LENGTH]; |
| 511 | /** |
| 512 | * The ids for the retained and other shared secrets |
| 513 | */ |
| 514 | uint8_t rs1IDr[MAX_DIGEST_LENGTH]; |
| 515 | uint8_t rs2IDr[MAX_DIGEST_LENGTH]; |
| 516 | uint8_t auxSecretIDr[MAX_DIGEST_LENGTH]; |
| 517 | uint8_t pbxSecretIDr[MAX_DIGEST_LENGTH]; |
| 518 | |
| 519 | uint8_t rs1IDi[MAX_DIGEST_LENGTH]; |
| 520 | uint8_t rs2IDi[MAX_DIGEST_LENGTH]; |
| 521 | uint8_t auxSecretIDi[MAX_DIGEST_LENGTH]; |
| 522 | uint8_t pbxSecretIDi[MAX_DIGEST_LENGTH]; |
| 523 | |
| 524 | /** |
| 525 | * pointers to aux secret storage and length of aux secret |
| 526 | */ |
| 527 | uint8_t* auxSecret; |
| 528 | int32_t auxSecretLength; |
| 529 | |
| 530 | /** |
| 531 | * Record if valid rs1 and/or rs1 were found in the |
| 532 | * retaind secret cache. |
| 533 | */ |
| 534 | bool rs1Valid; |
| 535 | bool rs2Valid; |
| 536 | /** |
| 537 | * My hvi |
| 538 | */ |
| 539 | uint8_t hvi[MAX_DIGEST_LENGTH]; |
| 540 | |
| 541 | /** |
| 542 | * The peer's hvi |
| 543 | */ |
| 544 | uint8_t peerHvi[8*ZRTP_WORD_SIZE]; |
| 545 | |
| 546 | /** |
| 547 | * Context to compute the SHA256 hash of selected messages. |
| 548 | * Used to compute the s0, refer to chapter 4.4.1.4 |
| 549 | */ |
| 550 | void* msgShaContext; |
| 551 | /** |
| 552 | * Commited Hash, Cipher, and public key algorithms |
| 553 | */ |
| 554 | AlgorithmEnum* hash; |
| 555 | AlgorithmEnum* cipher; |
| 556 | AlgorithmEnum* pubKey; |
| 557 | /** |
| 558 | * The selected SAS type. |
| 559 | */ |
| 560 | AlgorithmEnum* sasType; |
| 561 | |
| 562 | /** |
| 563 | * The selected SAS type. |
| 564 | */ |
| 565 | AlgorithmEnum* authLength; |
| 566 | |
| 567 | /** |
| 568 | * The Hash images as defined in chapter 5.1.1 (H0 is a random value, |
| 569 | * not stored here). Need full SHA 256 lenght to store hash value but |
| 570 | * only the leftmost 128 bits are used in computations and comparisons. |
| 571 | */ |
| 572 | uint8_t H0[IMPL_MAX_DIGEST_LENGTH]; |
| 573 | uint8_t H1[IMPL_MAX_DIGEST_LENGTH]; |
| 574 | uint8_t H2[IMPL_MAX_DIGEST_LENGTH]; |
| 575 | uint8_t H3[IMPL_MAX_DIGEST_LENGTH]; |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 576 | uint8_t helloHash[IMPL_MAX_DIGEST_LENGTH]; |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 577 | |
| 578 | uint8_t peerHelloHash[IMPL_MAX_DIGEST_LENGTH]; |
| 579 | uint8_t peerHelloVersion[ZRTP_WORD_SIZE + 1]; // +1 for nul byte |
| 580 | |
| 581 | // We get the peer's H? from the message where length is defined as 8 words |
| 582 | uint8_t peerH0[8*ZRTP_WORD_SIZE]; |
| 583 | uint8_t peerH1[8*ZRTP_WORD_SIZE]; |
| 584 | uint8_t peerH2[8*ZRTP_WORD_SIZE]; |
| 585 | uint8_t peerH3[8*ZRTP_WORD_SIZE]; |
| 586 | |
| 587 | /** |
| 588 | * The SHA256 hash over selected messages |
| 589 | */ |
| 590 | uint8_t messageHash[MAX_DIGEST_LENGTH]; |
| 591 | |
| 592 | /** |
| 593 | * The s0 |
| 594 | */ |
| 595 | uint8_t s0[MAX_DIGEST_LENGTH]; |
| 596 | |
| 597 | /** |
| 598 | * The new Retained Secret |
| 599 | */ |
| 600 | uint8_t newRs1[MAX_DIGEST_LENGTH]; |
| 601 | |
| 602 | /** |
| 603 | * The GoClear HMAC keys and confirm HMAC key |
| 604 | */ |
| 605 | uint8_t hmacKeyI[MAX_DIGEST_LENGTH]; |
| 606 | uint8_t hmacKeyR[MAX_DIGEST_LENGTH]; |
| 607 | |
| 608 | /** |
| 609 | * The Initiator's srtp key and salt |
| 610 | */ |
| 611 | uint8_t srtpKeyI[MAX_DIGEST_LENGTH]; |
| 612 | uint8_t srtpSaltI[MAX_DIGEST_LENGTH]; |
| 613 | |
| 614 | /** |
| 615 | * The Responder's srtp key and salt |
| 616 | */ |
| 617 | uint8_t srtpKeyR[MAX_DIGEST_LENGTH]; |
| 618 | uint8_t srtpSaltR[MAX_DIGEST_LENGTH]; |
| 619 | |
| 620 | /** |
| 621 | * The keys used to encrypt/decrypt the confirm message |
| 622 | */ |
| 623 | uint8_t zrtpKeyI[MAX_DIGEST_LENGTH]; |
| 624 | uint8_t zrtpKeyR[MAX_DIGEST_LENGTH]; |
| 625 | |
| 626 | /** |
| 627 | * Pointers to negotiated hash and HMAC functions |
| 628 | */ |
| 629 | void (*hashFunction)(unsigned char *data, |
| 630 | unsigned int data_length, |
| 631 | unsigned char *digest); |
| 632 | |
| 633 | void (*hashListFunction)(unsigned char *data[], |
| 634 | unsigned int data_length[], |
| 635 | unsigned char *digest); |
| 636 | |
| 637 | void (*hmacFunction)(uint8_t* key, uint32_t key_length, |
| 638 | uint8_t* data, int32_t data_length, |
| 639 | uint8_t* mac, uint32_t* mac_length); |
| 640 | |
| 641 | void (*hmacListFunction)( uint8_t* key, uint32_t key_length, |
| 642 | uint8_t* data[], uint32_t data_length[], |
| 643 | uint8_t* mac, uint32_t* mac_length ); |
| 644 | |
| 645 | void* (*createHashCtx)(); |
| 646 | |
| 647 | void (*closeHashCtx)(void* ctx, unsigned char* digest); |
| 648 | |
| 649 | void (*hashCtxFunction)(void* ctx, unsigned char* data, |
| 650 | unsigned int dataLength); |
| 651 | |
| 652 | void (*hashCtxListFunction)(void* ctx, unsigned char* dataChunks[], |
| 653 | unsigned int dataChunkLength[]); |
| 654 | |
| 655 | int32_t hashLength; |
| 656 | |
| 657 | // Funtion pointers to implicit hash and hmac functions |
| 658 | void (*hashFunctionImpl)(unsigned char *data, |
| 659 | unsigned int data_length, |
| 660 | unsigned char *digest); |
| 661 | |
| 662 | void (*hashListFunctionImpl)(unsigned char *data[], |
| 663 | unsigned int data_length[], |
| 664 | unsigned char *digest); |
| 665 | |
| 666 | void (*hmacFunctionImpl)(uint8_t* key, uint32_t key_length, |
| 667 | uint8_t* data, int32_t data_length, |
| 668 | uint8_t* mac, uint32_t* mac_length); |
| 669 | |
| 670 | void (*hmacListFunctionImpl)( uint8_t* key, uint32_t key_length, |
| 671 | uint8_t* data[], uint32_t data_length[], |
| 672 | uint8_t* mac, uint32_t* mac_length ); |
| 673 | |
| 674 | int32_t hashLengthImpl; |
| 675 | |
| 676 | /** |
| 677 | * The ZRTP Session Key |
| 678 | * Refer to chapter 5.4.1.4 |
| 679 | */ |
| 680 | uint8_t zrtpSession[MAX_DIGEST_LENGTH]; |
| 681 | |
| 682 | /** |
| 683 | * True if this ZRTP instance uses multi-stream mode. |
| 684 | */ |
| 685 | bool multiStream; |
| 686 | |
| 687 | /** |
| 688 | * True if the other ZRTP client supports multi-stream mode. |
| 689 | */ |
| 690 | bool multiStreamAvailable; |
| 691 | |
| 692 | /** |
| 693 | * Enable MitM (PBX) enrollment |
| 694 | * |
| 695 | * If set to true then ZRTP honors the PBX enrollment flag in |
| 696 | * Commit packets and calls the appropriate user callback |
| 697 | * methods. If the parameter is set to false ZRTP ignores the PBX |
| 698 | * enrollment flags. |
| 699 | */ |
| 700 | bool enableMitmEnrollment; |
| 701 | |
| 702 | /** |
| 703 | * True if a valid trusted MitM key of the other peer is available, i.e. enrolled. |
| 704 | */ |
| 705 | bool peerIsEnrolled; |
| 706 | |
| 707 | /** |
| 708 | * Set to true if the Hello packet contained the M-flag (MitM flag). |
| 709 | * We use this later to check some stuff for SAS Relay processing |
| 710 | */ |
| 711 | bool mitmSeen; |
| 712 | |
| 713 | /** |
| 714 | * Temporarily store computed pbxSecret, if user accepts enrollment then |
| 715 | * it will copied to our ZID record of the PBX (MitM) |
| 716 | */ |
| 717 | uint8_t* pbxSecretTmp; |
| 718 | uint8_t pbxSecretTmpBuffer[MAX_DIGEST_LENGTH]; |
| 719 | |
| 720 | /** |
| 721 | * If true then we will set the enrollment flag (E) in the confirm |
| 722 | * packets. Set to true if the PBX enrollment service started this ZRTP |
| 723 | * session. Can be set to true only if mitmMode is also true. |
| 724 | */ |
| 725 | bool enrollmentMode; |
| 726 | |
| 727 | /** |
| 728 | * Configuration data which algorithms to use. |
| 729 | */ |
| 730 | ZrtpConfigure configureAlgos; |
| 731 | /** |
| 732 | * Pre-initialized packets. |
| 733 | */ |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 734 | ZrtpPacketHello zrtpHello; |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 735 | ZrtpPacketHelloAck zrtpHelloAck; |
| 736 | ZrtpPacketConf2Ack zrtpConf2Ack; |
| 737 | ZrtpPacketClearAck zrtpClearAck; |
| 738 | ZrtpPacketGoClear zrtpGoClear; |
| 739 | ZrtpPacketError zrtpError; |
| 740 | ZrtpPacketErrorAck zrtpErrorAck; |
| 741 | ZrtpPacketDHPart zrtpDH1; |
| 742 | ZrtpPacketDHPart zrtpDH2; |
| 743 | ZrtpPacketCommit zrtpCommit; |
| 744 | ZrtpPacketConfirm zrtpConfirm1; |
| 745 | ZrtpPacketConfirm zrtpConfirm2; |
| 746 | ZrtpPacketPingAck zrtpPingAck; |
| 747 | ZrtpPacketSASrelay zrtpSasRelay; |
| 748 | ZrtpPacketRelayAck zrtpRelayAck; |
| 749 | |
Alexandre Lision | 907ed2e | 2014-02-04 10:33:09 -0500 | [diff] [blame] | 750 | /** |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 751 | * Random IV data to encrypt the confirm data, 128 bit for AES |
| 752 | */ |
| 753 | uint8_t randomIV[16]; |
| 754 | |
| 755 | uint8_t tempMsgBuffer[1024]; |
| 756 | int32_t lengthOfMsgData; |
| 757 | |
| 758 | /** |
| 759 | * Variables to store signature data. Includes the signature type block |
| 760 | */ |
| 761 | const uint8_t* signatureData; // will be set when needed |
| 762 | int32_t signatureLength; // overall length in bytes |
| 763 | |
| 764 | /** |
| 765 | * Is true if the other peer signaled SAS signature support in its Hello packet. |
| 766 | */ |
| 767 | bool signSasSeen; |
| 768 | |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 769 | uint32_t peerSSRC; // peer's SSRC, required to setup PingAck packet |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 770 | |
| 771 | /** |
| 772 | * Enable or disable paranoid mode. |
| 773 | * |
| 774 | * The Paranoid mode controls the behaviour and handling of the SAS verify flag. If |
| 775 | * Panaoid mode is set to flase then ZRtp applies the normal handling. If Paranoid |
| 776 | * mode is set to true then the handling is: |
| 777 | * |
| 778 | * <ul> |
| 779 | * <li> Force the SAS verify flag to be false at srtpSecretsOn() callback. This gives |
| 780 | * the user interface (UI) the indication to handle the SAS as <b>not verified</b>. |
| 781 | * See implementation note below.</li> |
| 782 | * <li> Don't set the SAS verify flag in the <code>Confirm</code> packets, thus the other |
| 783 | * also must report the SAS as <b>not verified</b>.</li> |
| 784 | * <li> ignore the <code>SASVerified()</code> function, thus do not set the SAS to verified |
| 785 | * in the ZRTP cache. </li> |
| 786 | * <li> Disable the <b>Trusted PBX MitM</b> feature. Just send the <code>SASRelay</code> packet |
| 787 | * but do not process the relayed data. This protects the user from a malicious |
| 788 | * "trusted PBX".</li> |
| 789 | * </ul> |
| 790 | * ZRtp performs alls other steps during the ZRTP negotiations as usual, in particular it |
| 791 | * computes, compares, uses, and stores the retained secrets. This avoids unnecessary warning |
| 792 | * messages. The user may enable or disable the Paranoid mode on a call-by-call basis without |
| 793 | * breaking the key continuity data. |
| 794 | * |
| 795 | * <b>Implementation note:</b></br> |
| 796 | * An application shall always display the SAS code if the SAS verify flag is <code>false</code>. |
| 797 | * The application shall also use mechanisms to remind the user to compare the SAS code, for |
| 798 | * example useing larger fonts, different colours and other display features. |
| 799 | */ |
| 800 | bool paranoidMode; |
| 801 | |
| 802 | /** |
| 803 | * Find the best Hash algorithm that is offered in Hello. |
| 804 | * |
| 805 | * Find the best, that is the strongest, Hash algorithm that our peer |
| 806 | * offers in its Hello packet. |
| 807 | * |
| 808 | * @param hello |
| 809 | * The Hello packet. |
| 810 | * @return |
| 811 | * The Enum that identifies the best offered Hash algortihm. Return |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 812 | * <code>NumSupportedHashes</code> to signal that no matching Hash algorithm |
| 813 | * was found at all. |
| 814 | */ |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 815 | AlgorithmEnum* findBestHash(ZrtpPacketHello *hello); |
| 816 | |
| 817 | /** |
| 818 | * Find the best symmetric cipher algorithm that is offered in Hello. |
| 819 | * |
| 820 | * Find the best, that is the strongest, cipher algorithm that our peer |
| 821 | * offers in its Hello packet. |
| 822 | * |
| 823 | * @param hello |
| 824 | * The Hello packet. |
| 825 | * @param pk |
| 826 | * The id of the selected public key algorithm |
| 827 | * @return |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 828 | * The Enum that identifies the best offered Cipher algortihm. Return |
| 829 | * <code>NumSupportedSymCiphers</code> to signal that no matching Cipher algorithm |
| 830 | * was found at all. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 831 | */ |
| 832 | AlgorithmEnum* findBestCipher(ZrtpPacketHello *hello, AlgorithmEnum* pk); |
| 833 | |
| 834 | /** |
| 835 | * Find the best Public Key algorithm that is offered in Hello. |
| 836 | * |
| 837 | * Find the best, that is the strongest, public key algorithm that our peer |
| 838 | * offers in its Hello packet. |
| 839 | * |
| 840 | * @param hello |
| 841 | * The Hello packet. |
| 842 | * @return |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 843 | * The Enum that identifies the best offered Public Key algortihm. Return |
| 844 | * <code>NumSupportedPubKeys</code> to signal that no matching Public Key algorithm |
| 845 | * was found at all. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 846 | */ |
| 847 | AlgorithmEnum* findBestPubkey(ZrtpPacketHello *hello); |
| 848 | |
| 849 | /** |
| 850 | * Find the best SAS algorithm that is offered in Hello. |
| 851 | * |
| 852 | * Find the best, that is the strongest, SAS algorithm that our peer |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 853 | * offers in its Hello packet. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 854 | * |
| 855 | * @param hello |
| 856 | * The Hello packet. |
| 857 | * @return |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 858 | * The Enum that identifies the best offered SAS algortihm. Return |
| 859 | * <code>NumSupportedSASTypes</code> to signal that no matching SAS algorithm |
| 860 | * was found at all. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 861 | */ |
| 862 | AlgorithmEnum* findBestSASType(ZrtpPacketHello* hello); |
| 863 | |
| 864 | /** |
| 865 | * Find the best authentication length that is offered in Hello. |
| 866 | * |
| 867 | * Find the best, that is the strongest, authentication length that our peer |
| 868 | * offers in its Hello packet. |
| 869 | * |
| 870 | * @param hello |
| 871 | * The Hello packet. |
| 872 | * @return |
| 873 | * The Enum that identifies the best offered authentication length. Return |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 874 | * <code>NumSupportedAuthLenghts</code> to signal that no matching length |
| 875 | * was found at all. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 876 | */ |
| 877 | AlgorithmEnum* findBestAuthLen(ZrtpPacketHello* hello); |
| 878 | |
| 879 | /** |
| 880 | * Check if MultiStream mode is offered in Hello. |
| 881 | * |
| 882 | * Find the best, that is the strongest, authentication length that our peer |
| 883 | * offers in its Hello packet. |
| 884 | * |
| 885 | * @param hello |
| 886 | * The Hello packet. |
| 887 | * @return |
| 888 | * True if multi stream mode is available, false otherwise. |
| 889 | */ |
| 890 | bool checkMultiStream(ZrtpPacketHello* hello); |
| 891 | |
| 892 | /** |
| 893 | * Save the computed MitM secret to the ZID record of the peer |
| 894 | */ |
| 895 | void writeEnrollmentPBX(); |
| 896 | |
| 897 | /** |
| 898 | * Compute my hvi value according to ZRTP specification. |
| 899 | */ |
| 900 | void computeHvi(ZrtpPacketDHPart* dh, ZrtpPacketHello *hello); |
| 901 | |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 902 | void computeSharedSecretSet(ZIDRecord& zidRec); |
Alexandre Lision | 907ed2e | 2014-02-04 10:33:09 -0500 | [diff] [blame] | 903 | |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 904 | void computeSRTPKeys(); |
| 905 | |
| 906 | void KDF(uint8_t* key, uint32_t keyLength, uint8_t* label, int32_t labelLength, |
| 907 | uint8_t* context, int32_t contextLength, int32_t L, uint8_t* output); |
| 908 | |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 909 | void generateKeysInitiator(ZrtpPacketDHPart *dhPart, ZIDRecord& zidRec); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 910 | |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 911 | void generateKeysResponder(ZrtpPacketDHPart *dhPart, ZIDRecord& zidRec); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 912 | |
| 913 | void generateKeysMultiStream(); |
| 914 | |
| 915 | void computePBXSecret(); |
| 916 | |
| 917 | void setNegotiatedHash(AlgorithmEnum* hash); |
| 918 | |
| 919 | /* |
| 920 | * The following methods are helper functions for ZrtpStateClass. |
| 921 | * ZrtpStateClass calls them to prepare packets, send data, report |
| 922 | * problems, etc. |
| 923 | */ |
| 924 | /** |
| 925 | * Send a ZRTP packet. |
| 926 | * |
| 927 | * The state engines calls this method to send a packet via the RTP |
| 928 | * stack. |
| 929 | * |
| 930 | * @param packet |
| 931 | * Points to the ZRTP packet. |
| 932 | * @return |
| 933 | * zero if sending failed, one if packet was send |
| 934 | */ |
| 935 | int32_t sendPacketZRTP(ZrtpPacketBase *packet); |
| 936 | |
| 937 | /** |
| 938 | * Activate a Timer using the host callback. |
| 939 | * |
| 940 | * @param tm |
| 941 | * The time in milliseconds. |
| 942 | * @return |
| 943 | * zero if activation failed, one if timer was activated |
| 944 | */ |
| 945 | int32_t activateTimer(int32_t tm); |
| 946 | |
| 947 | /** |
| 948 | * Cancel the active Timer using the host callback. |
| 949 | * |
| 950 | * @return |
| 951 | * zero if activation failed, one if timer was activated |
| 952 | */ |
| 953 | int32_t cancelTimer(); |
| 954 | |
| 955 | /** |
| 956 | * Prepare a Hello packet. |
| 957 | * |
| 958 | * Just take the preinitialized Hello packet and return it. No |
| 959 | * further processing required. |
| 960 | * |
| 961 | * @return |
| 962 | * A pointer to the initialized Hello packet. |
| 963 | */ |
| 964 | ZrtpPacketHello* prepareHello(); |
| 965 | |
| 966 | /** |
| 967 | * Prepare a HelloAck packet. |
| 968 | * |
| 969 | * Just take the preinitialized HelloAck packet and return it. No |
| 970 | * further processing required. |
| 971 | * |
| 972 | * @return |
| 973 | * A pointer to the initialized HelloAck packet. |
| 974 | */ |
| 975 | ZrtpPacketHelloAck* prepareHelloAck(); |
| 976 | |
| 977 | /** |
| 978 | * Prepare a Commit packet. |
| 979 | * |
| 980 | * We have received a Hello packet from our peer. Check the offers |
| 981 | * it makes to us and select the most appropriate. Using the |
| 982 | * selected values prepare a Commit packet and return it to protocol |
| 983 | * state engine. |
| 984 | * |
| 985 | * @param hello |
| 986 | * Points to the received Hello packet |
| 987 | * @param errMsg |
| 988 | * Points to an integer that can hold a ZRTP error code. |
| 989 | * @return |
| 990 | * A pointer to the prepared Commit packet |
| 991 | */ |
| 992 | ZrtpPacketCommit* prepareCommit(ZrtpPacketHello *hello, uint32_t* errMsg); |
| 993 | |
| 994 | /** |
| 995 | * Prepare a Commit packet for Multi Stream mode. |
| 996 | * |
| 997 | * Using the selected values prepare a Commit packet and return it to protocol |
| 998 | * state engine. |
| 999 | * |
| 1000 | * @param hello |
| 1001 | * Points to the received Hello packet |
| 1002 | * @return |
| 1003 | * A pointer to the prepared Commit packet for multi stream mode |
| 1004 | */ |
| 1005 | ZrtpPacketCommit* prepareCommitMultiStream(ZrtpPacketHello *hello); |
| 1006 | |
| 1007 | /** |
| 1008 | * Prepare the DHPart1 packet. |
| 1009 | * |
| 1010 | * This method prepares a DHPart1 packet. The input to the method is always |
| 1011 | * a Commit packet received from the peer. Also we a in the role of the |
| 1012 | * Responder. |
| 1013 | * |
| 1014 | * When we receive a Commit packet we get the selected ciphers, hashes, etc |
| 1015 | * and cross-check if this is ok. Then we need to initialize a set of DH |
| 1016 | * keys according to the selected cipher. Using this data we prepare our DHPart1 |
| 1017 | * packet. |
| 1018 | */ |
| 1019 | ZrtpPacketDHPart* prepareDHPart1(ZrtpPacketCommit *commit, uint32_t* errMsg); |
| 1020 | |
| 1021 | /** |
| 1022 | * Prepare the DHPart2 packet. |
| 1023 | * |
| 1024 | * This method prepares a DHPart2 packet. The input to the method is always |
| 1025 | * a DHPart1 packet received from the peer. Our peer sends the DH1Part as |
| 1026 | * response to our Commit packet. Thus we are in the role of the |
| 1027 | * Initiator. |
| 1028 | * |
| 1029 | */ |
| 1030 | ZrtpPacketDHPart* prepareDHPart2(ZrtpPacketDHPart* dhPart1, uint32_t* errMsg); |
| 1031 | |
| 1032 | /** |
| 1033 | * Prepare the Confirm1 packet. |
| 1034 | * |
| 1035 | * This method prepare the Confirm1 packet. The input to this method is the |
| 1036 | * DHPart2 packect received from our peer. The peer sends the DHPart2 packet |
| 1037 | * as response of our DHPart1. Here we are in the role of the Responder |
| 1038 | * |
| 1039 | */ |
| 1040 | ZrtpPacketConfirm* prepareConfirm1(ZrtpPacketDHPart* dhPart2, uint32_t* errMsg); |
| 1041 | |
| 1042 | /** |
| 1043 | * Prepare the Confirm1 packet in multi stream mode. |
| 1044 | * |
| 1045 | * This method prepares the Confirm1 packet. The state engine call this method |
| 1046 | * if multi stream mode is selected and a Commit packet was received. The input to |
| 1047 | * this method is the Commit. |
| 1048 | * Here we are in the role of the Responder |
| 1049 | * |
| 1050 | */ |
| 1051 | ZrtpPacketConfirm* prepareConfirm1MultiStream(ZrtpPacketCommit* commit, uint32_t* errMsg); |
| 1052 | |
| 1053 | /** |
| 1054 | * Prepare the Confirm2 packet. |
| 1055 | * |
| 1056 | * This method prepare the Confirm2 packet. The input to this method is the |
| 1057 | * Confirm1 packet received from our peer. The peer sends the Confirm1 packet |
| 1058 | * as response of our DHPart2. Here we are in the role of the Initiator |
| 1059 | */ |
| 1060 | ZrtpPacketConfirm* prepareConfirm2(ZrtpPacketConfirm* confirm1, uint32_t* errMsg); |
| 1061 | |
| 1062 | /** |
| 1063 | * Prepare the Confirm2 packet in multi stream mode. |
| 1064 | * |
| 1065 | * This method prepares the Confirm2 packet. The state engine call this method if |
| 1066 | * multi stream mode is active and in state CommitSent. The input to this method is |
| 1067 | * the Confirm1 packet received from our peer. The peer sends the Confirm1 packet |
| 1068 | * as response of our Commit packet in multi stream mode. |
| 1069 | * Here we are in the role of the Initiator |
| 1070 | */ |
| 1071 | ZrtpPacketConfirm* prepareConfirm2MultiStream(ZrtpPacketConfirm* confirm1, uint32_t* errMsg); |
| 1072 | |
| 1073 | /** |
| 1074 | * Prepare the Conf2Ack packet. |
| 1075 | * |
| 1076 | * This method prepare the Conf2Ack packet. The input to this method is the |
| 1077 | * Confirm2 packet received from our peer. The peer sends the Confirm2 packet |
| 1078 | * as response of our Confirm1. Here we are in the role of the Initiator |
| 1079 | */ |
| 1080 | ZrtpPacketConf2Ack* prepareConf2Ack(ZrtpPacketConfirm* confirm2, uint32_t* errMsg); |
| 1081 | |
| 1082 | /** |
| 1083 | * Prepare the ErrorAck packet. |
| 1084 | * |
| 1085 | * This method prepares the ErrorAck packet. The input to this method is the |
| 1086 | * Error packet received from the peer. |
| 1087 | */ |
| 1088 | ZrtpPacketErrorAck* prepareErrorAck(ZrtpPacketError* epkt); |
| 1089 | |
| 1090 | /** |
| 1091 | * Prepare the Error packet. |
| 1092 | * |
| 1093 | * This method prepares the Error packet. The input to this method is the |
| 1094 | * error code to be included into the message. |
| 1095 | */ |
| 1096 | ZrtpPacketError* prepareError(uint32_t errMsg); |
| 1097 | |
| 1098 | /** |
| 1099 | * Prepare a ClearAck packet. |
| 1100 | * |
| 1101 | * This method checks if the GoClear message is valid. If yes then switch |
| 1102 | * off SRTP processing, stop sending of RTP packets (pause transmit) and |
| 1103 | * inform the user about the fact. Only if user confirms the GoClear message |
| 1104 | * normal RTP processing is resumed. |
| 1105 | * |
| 1106 | * @return |
| 1107 | * NULL if GoClear could not be authenticated, a ClearAck packet |
| 1108 | * otherwise. |
| 1109 | */ |
| 1110 | ZrtpPacketClearAck* prepareClearAck(ZrtpPacketGoClear* gpkt); |
| 1111 | |
| 1112 | /** |
| 1113 | * Prepare the ErrorAck packet. |
| 1114 | * |
| 1115 | * This method prepares the ErrorAck packet. The input to this method is the |
| 1116 | * Error packet received from the peer. |
| 1117 | */ |
| 1118 | ZrtpPacketPingAck* preparePingAck(ZrtpPacketPing* ppkt); |
| 1119 | |
| 1120 | /** |
| 1121 | * Prepare the RelayAck packet. |
| 1122 | * |
| 1123 | * This method prepares the RelayAck packet. The input to this method is the |
| 1124 | * SASrelay packet received from the peer. |
| 1125 | */ |
| 1126 | ZrtpPacketRelayAck* prepareRelayAck(ZrtpPacketSASrelay* srly, uint32_t* errMsg); |
| 1127 | |
| 1128 | /** |
| 1129 | * Prepare a GoClearAck packet w/o HMAC |
| 1130 | * |
| 1131 | * Prepare a GoCLear packet without a HMAC but with a short error message. |
| 1132 | * This type of GoClear is used if something went wrong during the ZRTP |
| 1133 | * negotiation phase. |
| 1134 | * |
| 1135 | * @return |
| 1136 | * A goClear packet without HMAC |
| 1137 | */ |
| 1138 | ZrtpPacketGoClear* prepareGoClear(uint32_t errMsg = 0); |
| 1139 | |
| 1140 | /** |
| 1141 | * Compare the hvi values. |
| 1142 | * |
| 1143 | * Compare a received Commit packet with our Commit packet and returns |
| 1144 | * which Commit packt is "more important". See chapter 5.2 to get further |
| 1145 | * information how to compare Commit packets. |
| 1146 | * |
| 1147 | * @param commit |
| 1148 | * Pointer to the peer's commit packet we just received. |
| 1149 | * @return |
| 1150 | * <0 if our Commit packet is "less important" |
| 1151 | * >0 if our Commit is "more important" |
| 1152 | * 0 shouldn't happen because we compare crypto hashes |
| 1153 | */ |
| 1154 | int32_t compareCommit(ZrtpPacketCommit *commit); |
| 1155 | |
| 1156 | /** |
| 1157 | * Verify the H2 hash image. |
| 1158 | * |
| 1159 | * Verifies the H2 hash contained in a received commit message. |
| 1160 | * This functions just verifies H2 but does not store it. |
| 1161 | * |
| 1162 | * @param commit |
| 1163 | * Pointer to the peer's commit packet we just received. |
| 1164 | * @return |
| 1165 | * true if H2 is ok and verified |
| 1166 | * false if H2 could not be verified |
| 1167 | */ |
| 1168 | bool verifyH2(ZrtpPacketCommit *commit); |
| 1169 | |
| 1170 | /** |
| 1171 | * Send information messages to the hosting environment. |
| 1172 | * |
| 1173 | * The ZRTP implementation uses this method to send information messages |
| 1174 | * to the host. Along with the message ZRTP provides a severity indicator |
| 1175 | * that defines: Info, Warning, Error, Alert. Refer to the MessageSeverity |
| 1176 | * enum in the ZrtpCallback class. |
| 1177 | * |
| 1178 | * @param severity |
| 1179 | * This defines the message's severity |
| 1180 | * @param subCode |
| 1181 | * The subcode identifying the reason. |
| 1182 | * @see ZrtpCodes#MessageSeverity |
| 1183 | */ |
| 1184 | void sendInfo(GnuZrtpCodes::MessageSeverity severity, int32_t subCode); |
| 1185 | |
| 1186 | /** |
| 1187 | * ZRTP state engine calls this if the negotiation failed. |
| 1188 | * |
| 1189 | * ZRTP calls this method in case ZRTP negotiation failed. The parameters |
| 1190 | * show the severity as well as some explanatory text. |
| 1191 | * |
| 1192 | * @param severity |
| 1193 | * This defines the message's severity |
| 1194 | * @param subCode |
| 1195 | * The subcode identifying the reason. |
| 1196 | * @see ZrtpCodes#MessageSeverity |
| 1197 | */ |
| 1198 | void zrtpNegotiationFailed(GnuZrtpCodes::MessageSeverity severity, int32_t subCode); |
| 1199 | |
| 1200 | /** |
| 1201 | * ZRTP state engine calls this method if the other side does not support ZRTP. |
| 1202 | * |
| 1203 | * If the other side does not answer the ZRTP <em>Hello</em> packets then |
| 1204 | * ZRTP calls this method, |
| 1205 | * |
| 1206 | */ |
| 1207 | void zrtpNotSuppOther(); |
| 1208 | |
| 1209 | /** |
| 1210 | * Signal SRTP secrets are ready. |
| 1211 | * |
| 1212 | * This method calls a callback method to inform the host that the SRTP |
| 1213 | * secrets are ready. |
| 1214 | * |
| 1215 | * @param part |
| 1216 | * Defines for which part (sender or receiver) to switch on security |
| 1217 | * @return |
| 1218 | * Returns false if something went wrong during initialization of SRTP |
| 1219 | * context. Propagate error back to state engine. |
| 1220 | */ |
| 1221 | bool srtpSecretsReady(EnableSecurity part); |
| 1222 | |
| 1223 | /** |
| 1224 | * Switch off SRTP secrets. |
| 1225 | * |
| 1226 | * This method calls a callback method to inform the host that the SRTP |
| 1227 | * secrets shall be cleared. |
| 1228 | * |
| 1229 | * @param part |
| 1230 | * Defines for which part (sender or receiver) to clear |
| 1231 | */ |
| 1232 | void srtpSecretsOff(EnableSecurity part); |
| 1233 | |
| 1234 | /** |
| 1235 | * ZRTP state engine calls these methods to enter or leave its |
| 1236 | * synchronization mutex. |
| 1237 | */ |
| 1238 | void synchEnter(); |
| 1239 | |
| 1240 | void synchLeave(); |
| 1241 | |
| 1242 | /** |
| 1243 | * Helper function to store ZRTP message data in a temporary buffer |
| 1244 | * |
| 1245 | * This functions first clears the temporary buffer, then stores |
| 1246 | * the packet's data to it. We use this to check the packet's HMAC |
| 1247 | * after we received the HMAC key in to following packet. |
| 1248 | * |
| 1249 | * @param data |
| 1250 | * Pointer to the packet's ZRTP message |
| 1251 | */ |
| 1252 | void storeMsgTemp(ZrtpPacketBase* pkt); |
| 1253 | |
| 1254 | /** |
| 1255 | * Helper function to check a ZRTP message HMAC |
| 1256 | * |
| 1257 | * This function gets a HMAC key and uses it to compute a HMAC |
| 1258 | * with this key and the stored data of a previous received ZRTP |
| 1259 | * message. It compares the computed HMAC and the HMAC stored in |
| 1260 | * the received message and returns the result. |
| 1261 | * |
| 1262 | * @param key |
| 1263 | * Pointer to the HMAC key. |
| 1264 | * @return |
| 1265 | * Returns true if the computed HMAC and the stored HMAC match, |
| 1266 | * false otherwise. |
| 1267 | */ |
| 1268 | bool checkMsgHmac(uint8_t* key); |
| 1269 | |
| 1270 | /** |
| 1271 | * Set the client ID for ZRTP Hello message. |
| 1272 | * |
| 1273 | * The user of ZRTP must set its id to identify itself in the |
| 1274 | * ZRTP HELLO message. The maximum length is 16 characters. Shorter |
| 1275 | * id string are allowed, they will be filled with blanks. A longer id |
| 1276 | * is truncated to 16 characters. |
| 1277 | * |
| 1278 | * The identifier is set in the Hello packet of ZRTP. Thus only after |
| 1279 | * setting the identifier ZRTP can compute the HMAC and the final |
| 1280 | * helloHash. |
| 1281 | * |
| 1282 | * @param id |
| 1283 | * The client's id |
| 1284 | */ |
Alexandre Lision | e24852d | 2014-02-04 13:13:02 -0500 | [diff] [blame^] | 1285 | void setClientId(std::string id); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1286 | }; |
| 1287 | |
| 1288 | /** |
| 1289 | * @} |
| 1290 | */ |
| 1291 | #endif // ZRTP |
| 1292 | |