Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1 | /* |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 2 | Copyright (C) 2006-2013 Werner Dittmann |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 3 | |
| 4 | This program is free software: you can redistribute it and/or modify |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 5 | it under the terms of the GNU Lesser General Public License as published by |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 6 | the Free Software Foundation, either version 3 of the License, or |
| 7 | (at your option) any later version. |
| 8 | |
| 9 | This program is distributed in the hope that it will be useful, |
| 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | GNU General Public License for more details. |
| 13 | |
| 14 | You should have received a copy of the GNU General Public License |
| 15 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
| 16 | */ |
| 17 | |
| 18 | #ifndef _ZRTP_H_ |
| 19 | #define _ZRTP_H_ |
| 20 | /** |
| 21 | * @file ZRtp.h |
| 22 | * @brief The ZRTP main engine |
| 23 | * @defgroup GNU_ZRTP The GNU ZRTP C++ implementation |
| 24 | * @{ |
| 25 | */ |
| 26 | |
| 27 | #include <cstdlib> |
| 28 | |
| 29 | #include <libzrtpcpp/ZrtpPacketHello.h> |
| 30 | #include <libzrtpcpp/ZrtpPacketHelloAck.h> |
| 31 | #include <libzrtpcpp/ZrtpPacketCommit.h> |
| 32 | #include <libzrtpcpp/ZrtpPacketDHPart.h> |
| 33 | #include <libzrtpcpp/ZrtpPacketConfirm.h> |
| 34 | #include <libzrtpcpp/ZrtpPacketConf2Ack.h> |
| 35 | #include <libzrtpcpp/ZrtpPacketGoClear.h> |
| 36 | #include <libzrtpcpp/ZrtpPacketClearAck.h> |
| 37 | #include <libzrtpcpp/ZrtpPacketError.h> |
| 38 | #include <libzrtpcpp/ZrtpPacketErrorAck.h> |
| 39 | #include <libzrtpcpp/ZrtpPacketPing.h> |
| 40 | #include <libzrtpcpp/ZrtpPacketPingAck.h> |
| 41 | #include <libzrtpcpp/ZrtpPacketSASrelay.h> |
| 42 | #include <libzrtpcpp/ZrtpPacketRelayAck.h> |
| 43 | #include <libzrtpcpp/ZrtpCallback.h> |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 44 | #include <libzrtpcpp/ZIDCache.h> |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 45 | |
| 46 | #ifndef SHA256_DIGEST_LENGTH |
| 47 | #define SHA256_DIGEST_LENGTH 32 |
| 48 | #endif |
| 49 | |
| 50 | // Prepare to support digest algorithms up to 512 bit (64 bytes) |
| 51 | #define MAX_DIGEST_LENGTH 64 |
| 52 | #define IMPL_MAX_DIGEST_LENGTH 64 |
| 53 | |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 54 | // max. number of parallel supported ZRTP protocol versions. |
| 55 | #define MAX_ZRTP_VERSIONS 2 |
| 56 | |
| 57 | // currently only 1.10 supported |
| 58 | #define SUPPORTED_ZRTP_VERSIONS 1 |
| 59 | |
| 60 | // Integer representation of highest supported ZRTP protocol version |
| 61 | #define HIGHEST_ZRTP_VERION 12 |
| 62 | |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 63 | class __EXPORT ZrtpStateClass; |
| 64 | class ZrtpDH; |
| 65 | |
| 66 | /** |
| 67 | * The main ZRTP class. |
| 68 | * |
| 69 | * This is the main class of the RTP/SRTP independent part of the GNU |
| 70 | * ZRTP. It handles the ZRTP HMAC, DH, and other data management. The |
| 71 | * user of this class needs to know only a few methods and needs to |
| 72 | * provide only a few external functions to connect to a Timer |
| 73 | * mechanism and to send data via RTP and SRTP. Refer to the |
| 74 | * ZrtpCallback class to get detailed information regading the |
| 75 | * callback methods required by GNU RTP. |
| 76 | * |
| 77 | * The class ZrtpQueue is the GNU ccRTP specific implementation that |
| 78 | * extends standard ccRTP RTP provide ZRTP support. Refer to the |
| 79 | * documentation of ZrtpQueue to get more information about the usage |
| 80 | * of ZRtp and associated classes. |
| 81 | * |
| 82 | * The main entry into the ZRTP class is the processExtensionHeader() |
| 83 | * method. |
| 84 | * |
| 85 | * This class does not directly handle the protocol states, timers, |
| 86 | * and packet resend. The protocol state engine is responsible for |
| 87 | * these actions. |
| 88 | * |
| 89 | * Example how to use ZRtp: |
| 90 | *<pre> |
| 91 | * zrtpEngine = new ZRtp((uint8_t*)ownZid, (ZrtpCallback*)this, idString); |
| 92 | * zrtpEngine->startZrtpEngine(); |
| 93 | *</pre> |
| 94 | * @see ZrtpCallback |
| 95 | * |
| 96 | * @author Werner Dittmann <Werner.Dittmann@t-online.de> |
| 97 | */ |
| 98 | class __EXPORT ZRtp { |
| 99 | |
| 100 | public: |
| 101 | |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 102 | typedef enum _secrets { |
| 103 | Rs1 = 1, |
| 104 | Rs2 = 2, |
| 105 | Pbx = 4, |
| 106 | Aux = 8 |
| 107 | } secrets; |
| 108 | |
| 109 | typedef struct _zrtpInfo { |
| 110 | int32_t secretsCached; |
| 111 | int32_t secretsMatched; |
| 112 | int32_t secretsMatchedDH; |
| 113 | const char *hash; |
| 114 | const char *cipher; |
| 115 | const char *pubKey; |
| 116 | const char *sasType; |
| 117 | const char *authLength; |
| 118 | } zrtpInfo; |
| 119 | |
| 120 | /** |
| 121 | * Faster access to Hello packets with different versions. |
| 122 | */ |
| 123 | typedef struct _HelloPacketVersion { |
| 124 | int32_t version; |
| 125 | ZrtpPacketHello* packet; |
| 126 | uint8_t helloHash[IMPL_MAX_DIGEST_LENGTH]; |
| 127 | } HelloPacketVersion; |
| 128 | |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 129 | /** |
| 130 | * Constructor intializes all relevant data but does not start the |
| 131 | * engine. |
| 132 | */ |
| 133 | ZRtp(uint8_t* myZid, ZrtpCallback* cb, std::string id, |
| 134 | ZrtpConfigure* config, bool mitmm= false, bool sasSignSupport= false); |
| 135 | |
| 136 | /** |
| 137 | * Destructor cleans up. |
| 138 | */ |
| 139 | ~ZRtp(); |
| 140 | |
| 141 | /** |
| 142 | * Kick off the ZRTP protocol engine. |
| 143 | * |
| 144 | * This method calls the ZrtpStateClass#evInitial() state of the state |
| 145 | * engine. After this call we are able to process ZRTP packets |
| 146 | * from our peer and to process them. |
| 147 | */ |
| 148 | void startZrtpEngine(); |
| 149 | |
| 150 | /** |
| 151 | * Stop ZRTP security. |
| 152 | * |
| 153 | */ |
| 154 | void stopZrtp(); |
| 155 | |
| 156 | /** |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 157 | * Process ZRTP message. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 158 | * |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 159 | * The method takes the data and forwards it to the ZRTP state engine for further |
| 160 | * processing. It's the caller's duty to check the ZRTP CRC and the ZRTP magic |
| 161 | * cookie before calling this function. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 162 | * |
| 163 | * @param extHeader |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 164 | * A pointer to the first byte of the ZRTP message. Refer to RFC6189. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 165 | * @param peerSSRC |
| 166 | * The peer's SSRC. |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 167 | * @param length |
| 168 | * of the received data packet, this includes the RTP like header |
| 169 | * and the ZRTP CRC field - used to do santity checks. |
| 170 | * |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 171 | * @return |
| 172 | * Code indicating further packet handling, see description above. |
| 173 | */ |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 174 | void processZrtpMessage(uint8_t *extHeader, uint32_t peerSSRC, size_t length); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 175 | |
| 176 | /** |
| 177 | * Process a timeout event. |
| 178 | * |
| 179 | * We got a timeout from the timeout provider. Forward it to the |
| 180 | * protocol state engine. |
| 181 | * |
| 182 | */ |
| 183 | void processTimeout(); |
| 184 | |
| 185 | /** |
| 186 | * Check for and handle GoClear ZRTP packet header. |
| 187 | * |
| 188 | * This method checks if this is a GoClear packet. If not, just return |
| 189 | * false. Otherwise handle it according to the specification. |
| 190 | * |
| 191 | * @param extHeader |
| 192 | * A pointer to the first byte of the extension header. Refer to |
| 193 | * RFC3550. |
| 194 | * @return |
| 195 | * False if not a GoClear, true otherwise. |
| 196 | */ |
| 197 | bool handleGoClear(uint8_t *extHeader); |
| 198 | |
| 199 | /** |
| 200 | * Set the auxilliary secret. |
| 201 | * |
| 202 | * Use this method to set the auxilliary secret data. Refer to ZRTP |
| 203 | * specification, chapter 4.3 ff |
| 204 | * |
| 205 | * @param data |
| 206 | * Points to the secret data. |
| 207 | * @param length |
| 208 | * Length of the auxilliary secrect in bytes |
| 209 | */ |
| 210 | void setAuxSecret(uint8_t* data, int32_t length); |
| 211 | |
| 212 | /** |
| 213 | * Check current state of the ZRTP state engine |
| 214 | * |
| 215 | * @param state |
| 216 | * The state to check. |
| 217 | * @return |
| 218 | * Returns true id ZRTP engine is in the given state, false otherwise. |
| 219 | */ |
| 220 | bool inState(int32_t state); |
| 221 | |
| 222 | /** |
| 223 | * Set SAS as verified. |
| 224 | * |
| 225 | * Call this method if the user confirmed (verfied) the SAS. ZRTP |
| 226 | * remembers this together with the retained secrets data. |
| 227 | */ |
| 228 | void SASVerified(); |
| 229 | |
| 230 | /** |
| 231 | * Reset the SAS verfied flag for the current active user's retained secrets. |
| 232 | * |
| 233 | */ |
| 234 | void resetSASVerified(); |
| 235 | |
| 236 | /** |
| 237 | * Get the ZRTP Hello Hash data. |
| 238 | * |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 239 | * Use this method to get the ZRTP Hello hash data. The method |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 240 | * returns the data as a string containing the ZRTP protocol version and |
| 241 | * hex-digits. |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 242 | * |
| 243 | * The index defines which Hello packet to use. Each supported ZRTP procol version |
| 244 | * uses a different Hello packet and thus computes different hashes. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 245 | * |
| 246 | * Refer to ZRTP specification, chapter 8. |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 247 | * |
| 248 | * @param index |
| 249 | * Hello hash of the Hello packet identfied by index. Index must be 0 <= index < MAX_ZRTP_VERSIONS. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 250 | * |
| 251 | * @return |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 252 | * a std::string formatted according to RFC6189 section 8 without the leading 'a=zrtp-hash:' |
| 253 | * SDP attribute identifier. The hello hash is available immediately after class instantiation. |
| 254 | * |
| 255 | * @see getNumberSupportedVersions() |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 256 | */ |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 257 | std::string getHelloHash(int index); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 258 | |
| 259 | /** |
| 260 | * Get the peer's ZRTP Hello Hash data. |
| 261 | * |
| 262 | * Use this method to get the peer's ZRTP Hello Hash data. The method |
| 263 | * returns the data as a string containing the ZRTP protocol version and |
| 264 | * hex-digits. |
| 265 | * |
| 266 | * The peer's hello hash is available only after ZRTP received a hello. If |
| 267 | * no data is available the function returns an empty string. |
| 268 | * |
| 269 | * Refer to ZRTP specification, chapter 8. |
| 270 | * |
| 271 | * @return |
| 272 | * a std:string containing the Hello version and the hello hash as hex digits. |
| 273 | */ |
| 274 | std::string getPeerHelloHash(); |
| 275 | |
| 276 | /** |
| 277 | * Get Multi-stream parameters. |
| 278 | * |
| 279 | * Use this method to get the Multi-stream that were computed during |
| 280 | * the ZRTP handshake. An application may use these parameters to |
| 281 | * enable multi-stream processing for an associated SRTP session. |
| 282 | * |
| 283 | * Refer to chapter 4.4.2 in the ZRTP specification for further details |
| 284 | * and restriction how and when to use multi-stream mode. |
| 285 | * |
| 286 | * @return |
| 287 | * a string that contains the multi-stream parameters. The application |
| 288 | * must not modify the contents of this string, it is opaque data. The |
| 289 | * application may hand over this string to a new ZrtpQueue instance |
| 290 | * to enable multi-stream processing for this ZrtpQueue. |
| 291 | * If ZRTP was not started or ZRTP is not yet in secure state the method |
| 292 | * returns an empty string. |
| 293 | */ |
| 294 | std::string getMultiStrParams(); |
| 295 | |
| 296 | /** |
| 297 | * Set Multi-stream parameters. |
| 298 | * |
| 299 | * Use this method to set the parameters required to enable Multi-stream |
| 300 | * processing of ZRTP. The multi-stream parameters must be set before the |
| 301 | * application starts the ZRTP protocol engine. |
| 302 | * |
| 303 | * Refer to chapter 4.4.2 in the ZRTP specification for further details |
| 304 | * of multi-stream mode. |
| 305 | * |
| 306 | * @param parameters |
| 307 | * A string that contains the multi-stream parameters that this |
| 308 | * new ZrtpQueue instanace shall use. See also |
| 309 | * <code>getMultiStrParams()</code> |
| 310 | */ |
| 311 | void setMultiStrParams(std::string parameters); |
| 312 | |
| 313 | /** |
| 314 | * Check if this ZRTP session is a Multi-stream session. |
| 315 | * |
| 316 | * Use this method to check if this ZRTP instance uses multi-stream. |
| 317 | * Refer to chapters 4.2 and 4.4.2 in the ZRTP. |
| 318 | * |
| 319 | * @return |
| 320 | * True if multi-stream is used, false otherwise. |
| 321 | */ |
| 322 | bool isMultiStream(); |
| 323 | |
| 324 | /** |
| 325 | * Check if the other ZRTP client supports Multi-stream. |
| 326 | * |
| 327 | * Use this method to check if the other ZRTP client supports |
| 328 | * Multi-stream mode. |
| 329 | * |
| 330 | * @return |
| 331 | * True if multi-stream is available, false otherwise. |
| 332 | */ |
| 333 | bool isMultiStreamAvailable(); |
| 334 | |
| 335 | /** |
| 336 | * Accept a PBX enrollment request. |
| 337 | * |
| 338 | * If a PBX service asks to enroll the PBX trusted MitM key and the user |
| 339 | * accepts this request, for example by pressing an OK button, the client |
| 340 | * application shall call this method and set the parameter |
| 341 | * <code>accepted</code> to true. If the user does not accept the request |
| 342 | * set the parameter to false. |
| 343 | * |
| 344 | * @param accepted |
| 345 | * True if the enrollment request is accepted, false otherwise. |
| 346 | */ |
| 347 | void acceptEnrollment(bool accepted); |
| 348 | |
| 349 | /** |
| 350 | * Check the state of the enrollment mode. |
| 351 | * |
| 352 | * If true then we will set the enrollment flag (E) in the confirm |
| 353 | * packets and perform the enrollment actions. A MitM (PBX) enrollment service |
| 354 | * started this ZRTP session. Can be set to true only if mitmMode is also true. |
| 355 | * |
| 356 | * @return status of the enrollmentMode flag. |
| 357 | */ |
| 358 | bool isEnrollmentMode(); |
| 359 | |
| 360 | /** |
| 361 | * Set the state of the enrollment mode. |
| 362 | * |
| 363 | * If true then we will set the enrollment flag (E) in the confirm |
| 364 | * packets and perform the enrollment actions. A MitM (PBX) enrollment |
| 365 | * service must sets this mode to true. |
| 366 | * |
| 367 | * Can be set to true only if mitmMode is also true. |
| 368 | * |
| 369 | * @param enrollmentMode defines the new state of the enrollmentMode flag |
| 370 | */ |
| 371 | void setEnrollmentMode(bool enrollmentMode); |
| 372 | |
| 373 | /** |
| 374 | * Check if a peer's cache entry has a vaild MitM key. |
| 375 | * |
| 376 | * If true then the other peer ha a valid MtiM key, i.e. the peer has performed |
| 377 | * the enrollment procedure. A PBX ZRTP Back-2-Back application can use this function |
| 378 | * to check which of the peers is enrolled. |
| 379 | * |
| 380 | * @return True if the other peer has a valid Mitm key (is enrolled). |
| 381 | */ |
| 382 | bool isPeerEnrolled(); |
| 383 | |
| 384 | /** |
| 385 | * Send the SAS relay packet. |
| 386 | * |
| 387 | * The method creates and sends a SAS relay packet according to the ZRTP |
| 388 | * specifications. Usually only a MitM capable user agent (PBX) uses this |
| 389 | * function. |
| 390 | * |
| 391 | * @param sh the full SAS hash value, 32 bytes |
| 392 | * @param render the SAS rendering algorithm |
| 393 | */ |
| 394 | bool sendSASRelayPacket(uint8_t* sh, std::string render); |
| 395 | |
| 396 | /** |
| 397 | * Get the commited SAS rendering algorithm for this ZRTP session. |
| 398 | * |
| 399 | * @return the commited SAS rendering algorithm |
| 400 | */ |
| 401 | std::string getSasType(); |
| 402 | |
| 403 | /** |
| 404 | * Get the computed SAS hash for this ZRTP session. |
| 405 | * |
| 406 | * A PBX ZRTP back-to-Back function uses this function to get the SAS |
| 407 | * hash of an enrolled client to construct the SAS relay packet for |
| 408 | * the other client. |
| 409 | * |
| 410 | * @return a pointer to the byte array that contains the full |
| 411 | * SAS hash. |
| 412 | */ |
| 413 | uint8_t* getSasHash(); |
| 414 | |
| 415 | /** |
| 416 | * Set signature data. |
| 417 | * |
| 418 | * This functions stores signature data and transmitts it during ZRTP |
| 419 | * processing to the other party as part of the Confirm packets. Refer to |
| 420 | * chapters 5.7 and 7.2. |
| 421 | * |
| 422 | * The signature data must be set before ZRTP the application calls |
| 423 | * <code>start()</code>. |
| 424 | * |
| 425 | * @param data |
| 426 | * The signature data including the signature type block. The method |
| 427 | * copies this data into the Confirm packet at signature type block. |
| 428 | * @param length |
| 429 | * The length of the signature data in bytes. This length must be |
| 430 | * multiple of 4. |
| 431 | * @return |
| 432 | * True if the method stored the data, false otherwise. |
| 433 | */ |
| 434 | bool setSignatureData(uint8_t* data, int32_t length); |
| 435 | |
| 436 | /** |
| 437 | * Get signature data. |
| 438 | * |
| 439 | * This functions returns a pointer to the signature data that was receivied |
| 440 | * during ZRTP processing. Refer to chapters 5.7 and 7.2. |
| 441 | * |
| 442 | * The returned pointer points to volatile data that is valid only during the |
| 443 | * <code>checkSASSignature()</code> callback funtion. The application must copy |
| 444 | * the signature data if it will be used after the callback function returns. |
| 445 | * |
| 446 | * The signature data can be retrieved after ZRTP enters secure state. |
| 447 | * <code>start()</code>. |
| 448 | * |
| 449 | * @return |
| 450 | * Pointer to signature data. |
| 451 | */ |
| 452 | const uint8_t* getSignatureData(); |
| 453 | |
| 454 | /** |
| 455 | * Get length of signature data in number of bytes. |
| 456 | * |
| 457 | * This functions returns the length of signature data that was receivied |
| 458 | * during ZRTP processing. Refer to chapters 5.7 and 7.2. |
| 459 | * |
| 460 | * @return |
| 461 | * Length in bytes of the received signature data. The method returns |
| 462 | * zero if no signature data is avilable. |
| 463 | */ |
| 464 | int32_t getSignatureLength(); |
| 465 | |
| 466 | /** |
| 467 | * Emulate a Conf2Ack packet. |
| 468 | * |
| 469 | * This method emulates a Conf2Ack packet. According to ZRTP specification |
| 470 | * the first valid SRTP packet that the Initiator receives must switch |
| 471 | * on secure mode. Refer to chapter 4 in the specificaton |
| 472 | * |
| 473 | */ |
| 474 | void conf2AckSecure(); |
| 475 | |
| 476 | /** |
| 477 | * Get other party's ZID (ZRTP Identifier) data |
| 478 | * |
| 479 | * This functions returns the other party's ZID that was receivied |
| 480 | * during ZRTP processing. |
| 481 | * |
| 482 | * The ZID data can be retrieved after ZRTP receive the first Hello |
| 483 | * packet from the other party. The application may call this method |
| 484 | * for example during SAS processing in showSAS(...) user callback |
| 485 | * method. |
| 486 | * |
| 487 | * @param data |
| 488 | * Pointer to a data buffer. This buffer must have a size of |
| 489 | * at least 12 bytes (96 bit) (ZRTP Identifier, see chap. 4.9) |
| 490 | * @return |
| 491 | * Number of bytes copied into the data buffer - must be equivalent |
| 492 | * to 96 bit, usually 12 bytes. |
| 493 | */ |
| 494 | int32_t getPeerZid(uint8_t* data); |
| 495 | |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 496 | /** |
| 497 | * Returns a pointer to the gather detailed information structure. |
| 498 | * |
| 499 | * This structure contains some detailed information about the negotiated |
| 500 | * algorithms, the chached and matched shared secrets. |
| 501 | */ |
| 502 | const zrtpInfo *getDetailInfo(); |
| 503 | |
| 504 | /** |
| 505 | * Get peer's client id. |
| 506 | * |
| 507 | * @return the peer's client id or an empty @c string if not set. |
| 508 | */ |
| 509 | std::string getPeerClientId(); |
| 510 | |
| 511 | /** |
| 512 | * Get peer's protocl version string. |
| 513 | * |
| 514 | * @return the peer's protocol version or an empty @c string if not set. |
| 515 | */ |
| 516 | std::string getPeerProtcolVersion(); |
| 517 | |
| 518 | /** |
| 519 | * Get number of supported ZRTP protocol versions. |
| 520 | * |
| 521 | * @return the number of supported ZRTP protocol versions. |
| 522 | */ |
| 523 | int32_t getNumberSupportedVersions() {return SUPPORTED_ZRTP_VERSIONS;} |
| 524 | |
| 525 | /** |
| 526 | * Get negotiated ZRTP protocol version. |
| 527 | * |
| 528 | * @return the integer representation of the negotiated ZRTP protocol version. |
| 529 | */ |
| 530 | int32_t getCurrentProtocolVersion() {return currentHelloPacket->getVersionInt();} |
| 531 | |
| 532 | /** |
| 533 | * Validate the RS2 data if necessary. |
| 534 | * |
| 535 | * The cache functions stores the RS2 data but does not set its valid flag. The |
| 536 | * application may decide to set this flag. |
| 537 | */ |
| 538 | void setRs2Valid(); |
| 539 | |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 540 | private: |
| 541 | friend class ZrtpStateClass; |
| 542 | |
| 543 | /** |
| 544 | * The state engine takes care of protocol processing. |
| 545 | */ |
| 546 | ZrtpStateClass* stateEngine; |
| 547 | |
| 548 | /** |
| 549 | * This is my ZID that I send to the peer. |
| 550 | */ |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 551 | uint8_t ownZid[IDENTIFIER_LEN]; |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 552 | |
| 553 | /** |
| 554 | * The peer's ZID |
| 555 | */ |
| 556 | uint8_t peerZid[IDENTIFIER_LEN]; |
| 557 | |
| 558 | /** |
| 559 | * The callback class provides me with the interface to send |
| 560 | * data and to deal with timer management of the hosting system. |
| 561 | */ |
| 562 | ZrtpCallback* callback; |
| 563 | |
| 564 | /** |
| 565 | * My active Diffie-Helman context |
| 566 | */ |
| 567 | ZrtpDH* dhContext; |
| 568 | |
| 569 | /** |
| 570 | * The computed DH shared secret |
| 571 | */ |
| 572 | uint8_t* DHss; |
| 573 | |
| 574 | /** |
| 575 | * My computed public key |
| 576 | */ |
| 577 | uint8_t pubKeyBytes[400]; |
| 578 | /** |
| 579 | * Length off public key |
| 580 | */ |
| 581 | // int32_t pubKeyLen; |
| 582 | /** |
| 583 | * My Role in the game |
| 584 | */ |
| 585 | Role myRole; |
| 586 | |
| 587 | /** |
| 588 | * The human readable SAS value |
| 589 | */ |
| 590 | std::string SAS; |
| 591 | |
| 592 | /** |
| 593 | * The SAS hash for signaling and alike. Refer to chapters |
| 594 | * 4.5 and 7 how sasHash, sasValue and the SAS string are derived. |
| 595 | */ |
| 596 | uint8_t sasHash[MAX_DIGEST_LENGTH]; |
| 597 | /** |
| 598 | * The ids for the retained and other shared secrets |
| 599 | */ |
| 600 | uint8_t rs1IDr[MAX_DIGEST_LENGTH]; |
| 601 | uint8_t rs2IDr[MAX_DIGEST_LENGTH]; |
| 602 | uint8_t auxSecretIDr[MAX_DIGEST_LENGTH]; |
| 603 | uint8_t pbxSecretIDr[MAX_DIGEST_LENGTH]; |
| 604 | |
| 605 | uint8_t rs1IDi[MAX_DIGEST_LENGTH]; |
| 606 | uint8_t rs2IDi[MAX_DIGEST_LENGTH]; |
| 607 | uint8_t auxSecretIDi[MAX_DIGEST_LENGTH]; |
| 608 | uint8_t pbxSecretIDi[MAX_DIGEST_LENGTH]; |
| 609 | |
| 610 | /** |
| 611 | * pointers to aux secret storage and length of aux secret |
| 612 | */ |
| 613 | uint8_t* auxSecret; |
| 614 | int32_t auxSecretLength; |
| 615 | |
| 616 | /** |
| 617 | * Record if valid rs1 and/or rs1 were found in the |
| 618 | * retaind secret cache. |
| 619 | */ |
| 620 | bool rs1Valid; |
| 621 | bool rs2Valid; |
| 622 | /** |
| 623 | * My hvi |
| 624 | */ |
| 625 | uint8_t hvi[MAX_DIGEST_LENGTH]; |
| 626 | |
| 627 | /** |
| 628 | * The peer's hvi |
| 629 | */ |
| 630 | uint8_t peerHvi[8*ZRTP_WORD_SIZE]; |
| 631 | |
| 632 | /** |
| 633 | * Context to compute the SHA256 hash of selected messages. |
| 634 | * Used to compute the s0, refer to chapter 4.4.1.4 |
| 635 | */ |
| 636 | void* msgShaContext; |
| 637 | /** |
| 638 | * Commited Hash, Cipher, and public key algorithms |
| 639 | */ |
| 640 | AlgorithmEnum* hash; |
| 641 | AlgorithmEnum* cipher; |
| 642 | AlgorithmEnum* pubKey; |
| 643 | /** |
| 644 | * The selected SAS type. |
| 645 | */ |
| 646 | AlgorithmEnum* sasType; |
| 647 | |
| 648 | /** |
| 649 | * The selected SAS type. |
| 650 | */ |
| 651 | AlgorithmEnum* authLength; |
| 652 | |
| 653 | /** |
| 654 | * The Hash images as defined in chapter 5.1.1 (H0 is a random value, |
| 655 | * not stored here). Need full SHA 256 lenght to store hash value but |
| 656 | * only the leftmost 128 bits are used in computations and comparisons. |
| 657 | */ |
| 658 | uint8_t H0[IMPL_MAX_DIGEST_LENGTH]; |
| 659 | uint8_t H1[IMPL_MAX_DIGEST_LENGTH]; |
| 660 | uint8_t H2[IMPL_MAX_DIGEST_LENGTH]; |
| 661 | uint8_t H3[IMPL_MAX_DIGEST_LENGTH]; |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 662 | |
| 663 | uint8_t peerHelloHash[IMPL_MAX_DIGEST_LENGTH]; |
| 664 | uint8_t peerHelloVersion[ZRTP_WORD_SIZE + 1]; // +1 for nul byte |
| 665 | |
| 666 | // We get the peer's H? from the message where length is defined as 8 words |
| 667 | uint8_t peerH0[8*ZRTP_WORD_SIZE]; |
| 668 | uint8_t peerH1[8*ZRTP_WORD_SIZE]; |
| 669 | uint8_t peerH2[8*ZRTP_WORD_SIZE]; |
| 670 | uint8_t peerH3[8*ZRTP_WORD_SIZE]; |
| 671 | |
| 672 | /** |
| 673 | * The SHA256 hash over selected messages |
| 674 | */ |
| 675 | uint8_t messageHash[MAX_DIGEST_LENGTH]; |
| 676 | |
| 677 | /** |
| 678 | * The s0 |
| 679 | */ |
| 680 | uint8_t s0[MAX_DIGEST_LENGTH]; |
| 681 | |
| 682 | /** |
| 683 | * The new Retained Secret |
| 684 | */ |
| 685 | uint8_t newRs1[MAX_DIGEST_LENGTH]; |
| 686 | |
| 687 | /** |
| 688 | * The GoClear HMAC keys and confirm HMAC key |
| 689 | */ |
| 690 | uint8_t hmacKeyI[MAX_DIGEST_LENGTH]; |
| 691 | uint8_t hmacKeyR[MAX_DIGEST_LENGTH]; |
| 692 | |
| 693 | /** |
| 694 | * The Initiator's srtp key and salt |
| 695 | */ |
| 696 | uint8_t srtpKeyI[MAX_DIGEST_LENGTH]; |
| 697 | uint8_t srtpSaltI[MAX_DIGEST_LENGTH]; |
| 698 | |
| 699 | /** |
| 700 | * The Responder's srtp key and salt |
| 701 | */ |
| 702 | uint8_t srtpKeyR[MAX_DIGEST_LENGTH]; |
| 703 | uint8_t srtpSaltR[MAX_DIGEST_LENGTH]; |
| 704 | |
| 705 | /** |
| 706 | * The keys used to encrypt/decrypt the confirm message |
| 707 | */ |
| 708 | uint8_t zrtpKeyI[MAX_DIGEST_LENGTH]; |
| 709 | uint8_t zrtpKeyR[MAX_DIGEST_LENGTH]; |
| 710 | |
| 711 | /** |
| 712 | * Pointers to negotiated hash and HMAC functions |
| 713 | */ |
| 714 | void (*hashFunction)(unsigned char *data, |
| 715 | unsigned int data_length, |
| 716 | unsigned char *digest); |
| 717 | |
| 718 | void (*hashListFunction)(unsigned char *data[], |
| 719 | unsigned int data_length[], |
| 720 | unsigned char *digest); |
| 721 | |
| 722 | void (*hmacFunction)(uint8_t* key, uint32_t key_length, |
| 723 | uint8_t* data, int32_t data_length, |
| 724 | uint8_t* mac, uint32_t* mac_length); |
| 725 | |
| 726 | void (*hmacListFunction)( uint8_t* key, uint32_t key_length, |
| 727 | uint8_t* data[], uint32_t data_length[], |
| 728 | uint8_t* mac, uint32_t* mac_length ); |
| 729 | |
| 730 | void* (*createHashCtx)(); |
| 731 | |
| 732 | void (*closeHashCtx)(void* ctx, unsigned char* digest); |
| 733 | |
| 734 | void (*hashCtxFunction)(void* ctx, unsigned char* data, |
| 735 | unsigned int dataLength); |
| 736 | |
| 737 | void (*hashCtxListFunction)(void* ctx, unsigned char* dataChunks[], |
| 738 | unsigned int dataChunkLength[]); |
| 739 | |
| 740 | int32_t hashLength; |
| 741 | |
| 742 | // Funtion pointers to implicit hash and hmac functions |
| 743 | void (*hashFunctionImpl)(unsigned char *data, |
| 744 | unsigned int data_length, |
| 745 | unsigned char *digest); |
| 746 | |
| 747 | void (*hashListFunctionImpl)(unsigned char *data[], |
| 748 | unsigned int data_length[], |
| 749 | unsigned char *digest); |
| 750 | |
| 751 | void (*hmacFunctionImpl)(uint8_t* key, uint32_t key_length, |
| 752 | uint8_t* data, int32_t data_length, |
| 753 | uint8_t* mac, uint32_t* mac_length); |
| 754 | |
| 755 | void (*hmacListFunctionImpl)( uint8_t* key, uint32_t key_length, |
| 756 | uint8_t* data[], uint32_t data_length[], |
| 757 | uint8_t* mac, uint32_t* mac_length ); |
| 758 | |
| 759 | int32_t hashLengthImpl; |
| 760 | |
| 761 | /** |
| 762 | * The ZRTP Session Key |
| 763 | * Refer to chapter 5.4.1.4 |
| 764 | */ |
| 765 | uint8_t zrtpSession[MAX_DIGEST_LENGTH]; |
| 766 | |
| 767 | /** |
| 768 | * True if this ZRTP instance uses multi-stream mode. |
| 769 | */ |
| 770 | bool multiStream; |
| 771 | |
| 772 | /** |
| 773 | * True if the other ZRTP client supports multi-stream mode. |
| 774 | */ |
| 775 | bool multiStreamAvailable; |
| 776 | |
| 777 | /** |
| 778 | * Enable MitM (PBX) enrollment |
| 779 | * |
| 780 | * If set to true then ZRTP honors the PBX enrollment flag in |
| 781 | * Commit packets and calls the appropriate user callback |
| 782 | * methods. If the parameter is set to false ZRTP ignores the PBX |
| 783 | * enrollment flags. |
| 784 | */ |
| 785 | bool enableMitmEnrollment; |
| 786 | |
| 787 | /** |
| 788 | * True if a valid trusted MitM key of the other peer is available, i.e. enrolled. |
| 789 | */ |
| 790 | bool peerIsEnrolled; |
| 791 | |
| 792 | /** |
| 793 | * Set to true if the Hello packet contained the M-flag (MitM flag). |
| 794 | * We use this later to check some stuff for SAS Relay processing |
| 795 | */ |
| 796 | bool mitmSeen; |
| 797 | |
| 798 | /** |
| 799 | * Temporarily store computed pbxSecret, if user accepts enrollment then |
| 800 | * it will copied to our ZID record of the PBX (MitM) |
| 801 | */ |
| 802 | uint8_t* pbxSecretTmp; |
| 803 | uint8_t pbxSecretTmpBuffer[MAX_DIGEST_LENGTH]; |
| 804 | |
| 805 | /** |
| 806 | * If true then we will set the enrollment flag (E) in the confirm |
| 807 | * packets. Set to true if the PBX enrollment service started this ZRTP |
| 808 | * session. Can be set to true only if mitmMode is also true. |
| 809 | */ |
| 810 | bool enrollmentMode; |
| 811 | |
| 812 | /** |
| 813 | * Configuration data which algorithms to use. |
| 814 | */ |
| 815 | ZrtpConfigure configureAlgos; |
| 816 | /** |
| 817 | * Pre-initialized packets. |
| 818 | */ |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 819 | ZrtpPacketHello zrtpHello_11; |
| 820 | ZrtpPacketHello zrtpHello_12; // Prepare for ZRTP protocol version 1.2 |
| 821 | |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 822 | ZrtpPacketHelloAck zrtpHelloAck; |
| 823 | ZrtpPacketConf2Ack zrtpConf2Ack; |
| 824 | ZrtpPacketClearAck zrtpClearAck; |
| 825 | ZrtpPacketGoClear zrtpGoClear; |
| 826 | ZrtpPacketError zrtpError; |
| 827 | ZrtpPacketErrorAck zrtpErrorAck; |
| 828 | ZrtpPacketDHPart zrtpDH1; |
| 829 | ZrtpPacketDHPart zrtpDH2; |
| 830 | ZrtpPacketCommit zrtpCommit; |
| 831 | ZrtpPacketConfirm zrtpConfirm1; |
| 832 | ZrtpPacketConfirm zrtpConfirm2; |
| 833 | ZrtpPacketPingAck zrtpPingAck; |
| 834 | ZrtpPacketSASrelay zrtpSasRelay; |
| 835 | ZrtpPacketRelayAck zrtpRelayAck; |
| 836 | |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 837 | HelloPacketVersion helloPackets[MAX_ZRTP_VERSIONS + 1]; |
| 838 | int32_t highestZrtpVersion; |
| 839 | |
| 840 | /// Pointer to Hello packet sent to partner, initialized in ZRtp, modified by ZrtpStateClass |
| 841 | ZrtpPacketHello* currentHelloPacket; |
| 842 | |
| 843 | /** |
| 844 | * ZID cache record |
| 845 | */ |
| 846 | ZIDRecord *zidRec; |
| 847 | |
| 848 | /** |
| 849 | * Save record |
| 850 | * |
| 851 | * If false don't save record until user vrified and confirmed the SAS. |
| 852 | */ |
| 853 | bool saveZidRecord; |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 854 | /** |
| 855 | * Random IV data to encrypt the confirm data, 128 bit for AES |
| 856 | */ |
| 857 | uint8_t randomIV[16]; |
| 858 | |
| 859 | uint8_t tempMsgBuffer[1024]; |
| 860 | int32_t lengthOfMsgData; |
| 861 | |
| 862 | /** |
| 863 | * Variables to store signature data. Includes the signature type block |
| 864 | */ |
| 865 | const uint8_t* signatureData; // will be set when needed |
| 866 | int32_t signatureLength; // overall length in bytes |
| 867 | |
| 868 | /** |
| 869 | * Is true if the other peer signaled SAS signature support in its Hello packet. |
| 870 | */ |
| 871 | bool signSasSeen; |
| 872 | |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 873 | uint32_t peerSSRC; // peer's SSRC, required to setup PingAck packet |
| 874 | |
| 875 | zrtpInfo detailInfo; // filled with some more detailded information if application would like to know |
| 876 | |
| 877 | std::string peerClientId; // store the peer's client Id |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 878 | |
| 879 | /** |
| 880 | * Enable or disable paranoid mode. |
| 881 | * |
| 882 | * The Paranoid mode controls the behaviour and handling of the SAS verify flag. If |
| 883 | * Panaoid mode is set to flase then ZRtp applies the normal handling. If Paranoid |
| 884 | * mode is set to true then the handling is: |
| 885 | * |
| 886 | * <ul> |
| 887 | * <li> Force the SAS verify flag to be false at srtpSecretsOn() callback. This gives |
| 888 | * the user interface (UI) the indication to handle the SAS as <b>not verified</b>. |
| 889 | * See implementation note below.</li> |
| 890 | * <li> Don't set the SAS verify flag in the <code>Confirm</code> packets, thus the other |
| 891 | * also must report the SAS as <b>not verified</b>.</li> |
| 892 | * <li> ignore the <code>SASVerified()</code> function, thus do not set the SAS to verified |
| 893 | * in the ZRTP cache. </li> |
| 894 | * <li> Disable the <b>Trusted PBX MitM</b> feature. Just send the <code>SASRelay</code> packet |
| 895 | * but do not process the relayed data. This protects the user from a malicious |
| 896 | * "trusted PBX".</li> |
| 897 | * </ul> |
| 898 | * ZRtp performs alls other steps during the ZRTP negotiations as usual, in particular it |
| 899 | * computes, compares, uses, and stores the retained secrets. This avoids unnecessary warning |
| 900 | * messages. The user may enable or disable the Paranoid mode on a call-by-call basis without |
| 901 | * breaking the key continuity data. |
| 902 | * |
| 903 | * <b>Implementation note:</b></br> |
| 904 | * An application shall always display the SAS code if the SAS verify flag is <code>false</code>. |
| 905 | * The application shall also use mechanisms to remind the user to compare the SAS code, for |
| 906 | * example useing larger fonts, different colours and other display features. |
| 907 | */ |
| 908 | bool paranoidMode; |
| 909 | |
| 910 | /** |
| 911 | * Find the best Hash algorithm that is offered in Hello. |
| 912 | * |
| 913 | * Find the best, that is the strongest, Hash algorithm that our peer |
| 914 | * offers in its Hello packet. |
| 915 | * |
| 916 | * @param hello |
| 917 | * The Hello packet. |
| 918 | * @return |
| 919 | * The Enum that identifies the best offered Hash algortihm. Return |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 920 | * mandatory algorithm if no match was found. |
| 921 | */ |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 922 | AlgorithmEnum* findBestHash(ZrtpPacketHello *hello); |
| 923 | |
| 924 | /** |
| 925 | * Find the best symmetric cipher algorithm that is offered in Hello. |
| 926 | * |
| 927 | * Find the best, that is the strongest, cipher algorithm that our peer |
| 928 | * offers in its Hello packet. |
| 929 | * |
| 930 | * @param hello |
| 931 | * The Hello packet. |
| 932 | * @param pk |
| 933 | * The id of the selected public key algorithm |
| 934 | * @return |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 935 | * The Enum that identifies the best offered Cipher algorithm. Return |
| 936 | * mandatory algorithm if no match was found. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 937 | */ |
| 938 | AlgorithmEnum* findBestCipher(ZrtpPacketHello *hello, AlgorithmEnum* pk); |
| 939 | |
| 940 | /** |
| 941 | * Find the best Public Key algorithm that is offered in Hello. |
| 942 | * |
| 943 | * Find the best, that is the strongest, public key algorithm that our peer |
| 944 | * offers in its Hello packet. |
| 945 | * |
| 946 | * @param hello |
| 947 | * The Hello packet. |
| 948 | * @return |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 949 | * The Enum that identifies the best offered Public Key algorithm. Return |
| 950 | * mandatory algorithm if no match was found. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 951 | */ |
| 952 | AlgorithmEnum* findBestPubkey(ZrtpPacketHello *hello); |
| 953 | |
| 954 | /** |
| 955 | * Find the best SAS algorithm that is offered in Hello. |
| 956 | * |
| 957 | * Find the best, that is the strongest, SAS algorithm that our peer |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 958 | * offers in its Hello packet. The method works as definied in RFC 6189, |
| 959 | * chapter 4.1.2. |
| 960 | * |
| 961 | * The list of own supported public key algorithms must follow the rules |
| 962 | * defined in RFC 6189, chapter 4.1.2, thus the order in the list must go |
| 963 | * from fastest to slowest. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 964 | * |
| 965 | * @param hello |
| 966 | * The Hello packet. |
| 967 | * @return |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 968 | * The Enum that identifies the best offered SAS algorithm. Return |
| 969 | * mandatory algorithm if no match was found. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 970 | */ |
| 971 | AlgorithmEnum* findBestSASType(ZrtpPacketHello* hello); |
| 972 | |
| 973 | /** |
| 974 | * Find the best authentication length that is offered in Hello. |
| 975 | * |
| 976 | * Find the best, that is the strongest, authentication length that our peer |
| 977 | * offers in its Hello packet. |
| 978 | * |
| 979 | * @param hello |
| 980 | * The Hello packet. |
| 981 | * @return |
| 982 | * The Enum that identifies the best offered authentication length. Return |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 983 | * mandatory algorithm if no match was found. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 984 | */ |
| 985 | AlgorithmEnum* findBestAuthLen(ZrtpPacketHello* hello); |
| 986 | |
| 987 | /** |
| 988 | * Check if MultiStream mode is offered in Hello. |
| 989 | * |
| 990 | * Find the best, that is the strongest, authentication length that our peer |
| 991 | * offers in its Hello packet. |
| 992 | * |
| 993 | * @param hello |
| 994 | * The Hello packet. |
| 995 | * @return |
| 996 | * True if multi stream mode is available, false otherwise. |
| 997 | */ |
| 998 | bool checkMultiStream(ZrtpPacketHello* hello); |
| 999 | |
| 1000 | /** |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 1001 | * Checks if Hello packet contains a strong (384bit) hash based on selection policy. |
| 1002 | * |
| 1003 | * The function currently implements the nonNist policy only: |
| 1004 | * If the public key algorithm is a non-NIST ECC algorithm this function prefers |
| 1005 | * non-NIST HASH algorithms (Skein etc). |
| 1006 | * |
| 1007 | * If Hello packet does not contain a strong hash then this functions returns @c NULL. |
| 1008 | * |
| 1009 | * @param hello The Hello packet. |
| 1010 | * @param algoName name of selected PK algorithm |
| 1011 | * @return @c hash algorithm if found in Hello packet, @c NULL otherwise. |
| 1012 | */ |
| 1013 | AlgorithmEnum* getStrongHashOffered(ZrtpPacketHello *hello, int32_t algoName); |
| 1014 | |
| 1015 | /** |
| 1016 | * Checks if Hello packet offers a strong (256bit) symmetric cipher based on selection policy. |
| 1017 | * |
| 1018 | * The function currently implements the nonNist policy only: |
| 1019 | * If the public key algorithm is a non-NIST ECC algorithm this function prefers |
| 1020 | * non-NIST symmetric cipher algorithms (Twofish etc). |
| 1021 | * |
| 1022 | * If Hello packet does not contain a symmetric cipher then this functions returns @c NULL. |
| 1023 | |
| 1024 | * @param hello The Hello packet. |
| 1025 | * @param algoName name of selected PK algorithm |
| 1026 | * @return @c hash algorithm if found in Hello packet, @c NULL otherwise. |
| 1027 | * |
| 1028 | * @return @c cipher algorithm if found in Hello packet, @c NULL otherwise. |
| 1029 | */ |
| 1030 | AlgorithmEnum* getStrongCipherOffered(ZrtpPacketHello *hello, int32_t algoName); |
| 1031 | |
| 1032 | /** |
| 1033 | * Checks if Hello packet contains a hash based on selection policy. |
| 1034 | * |
| 1035 | * The function currently implements the nonNist policy only: |
| 1036 | * If the public key algorithm is a non-NIST ECC algorithm this function prefers |
| 1037 | * non-NIST HASH algorithms (Skein etc). |
| 1038 | * |
| 1039 | * @param hello The Hello packet. |
| 1040 | * @param algoName name of selected PK algorithm |
| 1041 | * @return @c hash algorithm found in Hello packet. |
| 1042 | */ |
| 1043 | AlgorithmEnum* getHashOffered(ZrtpPacketHello *hello, int32_t algoName); |
| 1044 | |
| 1045 | /** |
| 1046 | * Checks if Hello packet offers a symmetric cipher based on selection policy. |
| 1047 | * |
| 1048 | * The function currently implements the nonNist policy only: |
| 1049 | * If the public key algorithm is a non-NIST ECC algorithm this function prefers |
| 1050 | * non-NIST symmetric cipher algorithms (Twofish etc). |
| 1051 | * |
| 1052 | * @param hello The Hello packet. |
| 1053 | * @param algoName name of selected PK algorithm |
| 1054 | * @return non-NIST @c cipher algorithm if found in Hello packet, @c NULL otherwise |
| 1055 | */ |
| 1056 | AlgorithmEnum* getCipherOffered(ZrtpPacketHello *hello, int32_t algoName); |
| 1057 | |
| 1058 | /** |
| 1059 | * Checks if Hello packet offers a SRTP authentication length based on selection policy. |
| 1060 | * |
| 1061 | * The function currently implements the nonNist policy only: |
| 1062 | * If the public key algorithm is a non-NIST ECC algorithm this function prefers |
| 1063 | * non-NIST algorithms (Skein etc). |
| 1064 | * |
| 1065 | * @param hello The Hello packet. |
| 1066 | * @param algoName algoName name of selected PK algorithm |
| 1067 | * @return @c authLen algorithm found in Hello packet |
| 1068 | */ |
| 1069 | AlgorithmEnum* getAuthLenOffered(ZrtpPacketHello *hello, int32_t algoName); |
| 1070 | |
| 1071 | /** |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1072 | * Save the computed MitM secret to the ZID record of the peer |
| 1073 | */ |
| 1074 | void writeEnrollmentPBX(); |
| 1075 | |
| 1076 | /** |
| 1077 | * Compute my hvi value according to ZRTP specification. |
| 1078 | */ |
| 1079 | void computeHvi(ZrtpPacketDHPart* dh, ZrtpPacketHello *hello); |
| 1080 | |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 1081 | void computeSharedSecretSet(ZIDRecord *zidRec); |
| 1082 | |
| 1083 | void computeAuxSecretIds(); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1084 | |
| 1085 | void computeSRTPKeys(); |
| 1086 | |
| 1087 | void KDF(uint8_t* key, uint32_t keyLength, uint8_t* label, int32_t labelLength, |
| 1088 | uint8_t* context, int32_t contextLength, int32_t L, uint8_t* output); |
| 1089 | |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 1090 | void generateKeysInitiator(ZrtpPacketDHPart *dhPart, ZIDRecord *zidRec); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1091 | |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 1092 | void generateKeysResponder(ZrtpPacketDHPart *dhPart, ZIDRecord *zidRec); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1093 | |
| 1094 | void generateKeysMultiStream(); |
| 1095 | |
| 1096 | void computePBXSecret(); |
| 1097 | |
| 1098 | void setNegotiatedHash(AlgorithmEnum* hash); |
| 1099 | |
| 1100 | /* |
| 1101 | * The following methods are helper functions for ZrtpStateClass. |
| 1102 | * ZrtpStateClass calls them to prepare packets, send data, report |
| 1103 | * problems, etc. |
| 1104 | */ |
| 1105 | /** |
| 1106 | * Send a ZRTP packet. |
| 1107 | * |
| 1108 | * The state engines calls this method to send a packet via the RTP |
| 1109 | * stack. |
| 1110 | * |
| 1111 | * @param packet |
| 1112 | * Points to the ZRTP packet. |
| 1113 | * @return |
| 1114 | * zero if sending failed, one if packet was send |
| 1115 | */ |
| 1116 | int32_t sendPacketZRTP(ZrtpPacketBase *packet); |
| 1117 | |
| 1118 | /** |
| 1119 | * Activate a Timer using the host callback. |
| 1120 | * |
| 1121 | * @param tm |
| 1122 | * The time in milliseconds. |
| 1123 | * @return |
| 1124 | * zero if activation failed, one if timer was activated |
| 1125 | */ |
| 1126 | int32_t activateTimer(int32_t tm); |
| 1127 | |
| 1128 | /** |
| 1129 | * Cancel the active Timer using the host callback. |
| 1130 | * |
| 1131 | * @return |
| 1132 | * zero if activation failed, one if timer was activated |
| 1133 | */ |
| 1134 | int32_t cancelTimer(); |
| 1135 | |
| 1136 | /** |
| 1137 | * Prepare a Hello packet. |
| 1138 | * |
| 1139 | * Just take the preinitialized Hello packet and return it. No |
| 1140 | * further processing required. |
| 1141 | * |
| 1142 | * @return |
| 1143 | * A pointer to the initialized Hello packet. |
| 1144 | */ |
| 1145 | ZrtpPacketHello* prepareHello(); |
| 1146 | |
| 1147 | /** |
| 1148 | * Prepare a HelloAck packet. |
| 1149 | * |
| 1150 | * Just take the preinitialized HelloAck packet and return it. No |
| 1151 | * further processing required. |
| 1152 | * |
| 1153 | * @return |
| 1154 | * A pointer to the initialized HelloAck packet. |
| 1155 | */ |
| 1156 | ZrtpPacketHelloAck* prepareHelloAck(); |
| 1157 | |
| 1158 | /** |
| 1159 | * Prepare a Commit packet. |
| 1160 | * |
| 1161 | * We have received a Hello packet from our peer. Check the offers |
| 1162 | * it makes to us and select the most appropriate. Using the |
| 1163 | * selected values prepare a Commit packet and return it to protocol |
| 1164 | * state engine. |
| 1165 | * |
| 1166 | * @param hello |
| 1167 | * Points to the received Hello packet |
| 1168 | * @param errMsg |
| 1169 | * Points to an integer that can hold a ZRTP error code. |
| 1170 | * @return |
| 1171 | * A pointer to the prepared Commit packet |
| 1172 | */ |
| 1173 | ZrtpPacketCommit* prepareCommit(ZrtpPacketHello *hello, uint32_t* errMsg); |
| 1174 | |
| 1175 | /** |
| 1176 | * Prepare a Commit packet for Multi Stream mode. |
| 1177 | * |
| 1178 | * Using the selected values prepare a Commit packet and return it to protocol |
| 1179 | * state engine. |
| 1180 | * |
| 1181 | * @param hello |
| 1182 | * Points to the received Hello packet |
| 1183 | * @return |
| 1184 | * A pointer to the prepared Commit packet for multi stream mode |
| 1185 | */ |
| 1186 | ZrtpPacketCommit* prepareCommitMultiStream(ZrtpPacketHello *hello); |
| 1187 | |
| 1188 | /** |
| 1189 | * Prepare the DHPart1 packet. |
| 1190 | * |
| 1191 | * This method prepares a DHPart1 packet. The input to the method is always |
| 1192 | * a Commit packet received from the peer. Also we a in the role of the |
| 1193 | * Responder. |
| 1194 | * |
| 1195 | * When we receive a Commit packet we get the selected ciphers, hashes, etc |
| 1196 | * and cross-check if this is ok. Then we need to initialize a set of DH |
| 1197 | * keys according to the selected cipher. Using this data we prepare our DHPart1 |
| 1198 | * packet. |
| 1199 | */ |
| 1200 | ZrtpPacketDHPart* prepareDHPart1(ZrtpPacketCommit *commit, uint32_t* errMsg); |
| 1201 | |
| 1202 | /** |
| 1203 | * Prepare the DHPart2 packet. |
| 1204 | * |
| 1205 | * This method prepares a DHPart2 packet. The input to the method is always |
| 1206 | * a DHPart1 packet received from the peer. Our peer sends the DH1Part as |
| 1207 | * response to our Commit packet. Thus we are in the role of the |
| 1208 | * Initiator. |
| 1209 | * |
| 1210 | */ |
| 1211 | ZrtpPacketDHPart* prepareDHPart2(ZrtpPacketDHPart* dhPart1, uint32_t* errMsg); |
| 1212 | |
| 1213 | /** |
| 1214 | * Prepare the Confirm1 packet. |
| 1215 | * |
| 1216 | * This method prepare the Confirm1 packet. The input to this method is the |
| 1217 | * DHPart2 packect received from our peer. The peer sends the DHPart2 packet |
| 1218 | * as response of our DHPart1. Here we are in the role of the Responder |
| 1219 | * |
| 1220 | */ |
| 1221 | ZrtpPacketConfirm* prepareConfirm1(ZrtpPacketDHPart* dhPart2, uint32_t* errMsg); |
| 1222 | |
| 1223 | /** |
| 1224 | * Prepare the Confirm1 packet in multi stream mode. |
| 1225 | * |
| 1226 | * This method prepares the Confirm1 packet. The state engine call this method |
| 1227 | * if multi stream mode is selected and a Commit packet was received. The input to |
| 1228 | * this method is the Commit. |
| 1229 | * Here we are in the role of the Responder |
| 1230 | * |
| 1231 | */ |
| 1232 | ZrtpPacketConfirm* prepareConfirm1MultiStream(ZrtpPacketCommit* commit, uint32_t* errMsg); |
| 1233 | |
| 1234 | /** |
| 1235 | * Prepare the Confirm2 packet. |
| 1236 | * |
| 1237 | * This method prepare the Confirm2 packet. The input to this method is the |
| 1238 | * Confirm1 packet received from our peer. The peer sends the Confirm1 packet |
| 1239 | * as response of our DHPart2. Here we are in the role of the Initiator |
| 1240 | */ |
| 1241 | ZrtpPacketConfirm* prepareConfirm2(ZrtpPacketConfirm* confirm1, uint32_t* errMsg); |
| 1242 | |
| 1243 | /** |
| 1244 | * Prepare the Confirm2 packet in multi stream mode. |
| 1245 | * |
| 1246 | * This method prepares the Confirm2 packet. The state engine call this method if |
| 1247 | * multi stream mode is active and in state CommitSent. The input to this method is |
| 1248 | * the Confirm1 packet received from our peer. The peer sends the Confirm1 packet |
| 1249 | * as response of our Commit packet in multi stream mode. |
| 1250 | * Here we are in the role of the Initiator |
| 1251 | */ |
| 1252 | ZrtpPacketConfirm* prepareConfirm2MultiStream(ZrtpPacketConfirm* confirm1, uint32_t* errMsg); |
| 1253 | |
| 1254 | /** |
| 1255 | * Prepare the Conf2Ack packet. |
| 1256 | * |
| 1257 | * This method prepare the Conf2Ack packet. The input to this method is the |
| 1258 | * Confirm2 packet received from our peer. The peer sends the Confirm2 packet |
| 1259 | * as response of our Confirm1. Here we are in the role of the Initiator |
| 1260 | */ |
| 1261 | ZrtpPacketConf2Ack* prepareConf2Ack(ZrtpPacketConfirm* confirm2, uint32_t* errMsg); |
| 1262 | |
| 1263 | /** |
| 1264 | * Prepare the ErrorAck packet. |
| 1265 | * |
| 1266 | * This method prepares the ErrorAck packet. The input to this method is the |
| 1267 | * Error packet received from the peer. |
| 1268 | */ |
| 1269 | ZrtpPacketErrorAck* prepareErrorAck(ZrtpPacketError* epkt); |
| 1270 | |
| 1271 | /** |
| 1272 | * Prepare the Error packet. |
| 1273 | * |
| 1274 | * This method prepares the Error packet. The input to this method is the |
| 1275 | * error code to be included into the message. |
| 1276 | */ |
| 1277 | ZrtpPacketError* prepareError(uint32_t errMsg); |
| 1278 | |
| 1279 | /** |
| 1280 | * Prepare a ClearAck packet. |
| 1281 | * |
| 1282 | * This method checks if the GoClear message is valid. If yes then switch |
| 1283 | * off SRTP processing, stop sending of RTP packets (pause transmit) and |
| 1284 | * inform the user about the fact. Only if user confirms the GoClear message |
| 1285 | * normal RTP processing is resumed. |
| 1286 | * |
| 1287 | * @return |
| 1288 | * NULL if GoClear could not be authenticated, a ClearAck packet |
| 1289 | * otherwise. |
| 1290 | */ |
| 1291 | ZrtpPacketClearAck* prepareClearAck(ZrtpPacketGoClear* gpkt); |
| 1292 | |
| 1293 | /** |
| 1294 | * Prepare the ErrorAck packet. |
| 1295 | * |
| 1296 | * This method prepares the ErrorAck packet. The input to this method is the |
| 1297 | * Error packet received from the peer. |
| 1298 | */ |
| 1299 | ZrtpPacketPingAck* preparePingAck(ZrtpPacketPing* ppkt); |
| 1300 | |
| 1301 | /** |
| 1302 | * Prepare the RelayAck packet. |
| 1303 | * |
| 1304 | * This method prepares the RelayAck packet. The input to this method is the |
| 1305 | * SASrelay packet received from the peer. |
| 1306 | */ |
| 1307 | ZrtpPacketRelayAck* prepareRelayAck(ZrtpPacketSASrelay* srly, uint32_t* errMsg); |
| 1308 | |
| 1309 | /** |
| 1310 | * Prepare a GoClearAck packet w/o HMAC |
| 1311 | * |
| 1312 | * Prepare a GoCLear packet without a HMAC but with a short error message. |
| 1313 | * This type of GoClear is used if something went wrong during the ZRTP |
| 1314 | * negotiation phase. |
| 1315 | * |
| 1316 | * @return |
| 1317 | * A goClear packet without HMAC |
| 1318 | */ |
| 1319 | ZrtpPacketGoClear* prepareGoClear(uint32_t errMsg = 0); |
| 1320 | |
| 1321 | /** |
| 1322 | * Compare the hvi values. |
| 1323 | * |
| 1324 | * Compare a received Commit packet with our Commit packet and returns |
| 1325 | * which Commit packt is "more important". See chapter 5.2 to get further |
| 1326 | * information how to compare Commit packets. |
| 1327 | * |
| 1328 | * @param commit |
| 1329 | * Pointer to the peer's commit packet we just received. |
| 1330 | * @return |
| 1331 | * <0 if our Commit packet is "less important" |
| 1332 | * >0 if our Commit is "more important" |
| 1333 | * 0 shouldn't happen because we compare crypto hashes |
| 1334 | */ |
| 1335 | int32_t compareCommit(ZrtpPacketCommit *commit); |
| 1336 | |
| 1337 | /** |
| 1338 | * Verify the H2 hash image. |
| 1339 | * |
| 1340 | * Verifies the H2 hash contained in a received commit message. |
| 1341 | * This functions just verifies H2 but does not store it. |
| 1342 | * |
| 1343 | * @param commit |
| 1344 | * Pointer to the peer's commit packet we just received. |
| 1345 | * @return |
| 1346 | * true if H2 is ok and verified |
| 1347 | * false if H2 could not be verified |
| 1348 | */ |
| 1349 | bool verifyH2(ZrtpPacketCommit *commit); |
| 1350 | |
| 1351 | /** |
| 1352 | * Send information messages to the hosting environment. |
| 1353 | * |
| 1354 | * The ZRTP implementation uses this method to send information messages |
| 1355 | * to the host. Along with the message ZRTP provides a severity indicator |
| 1356 | * that defines: Info, Warning, Error, Alert. Refer to the MessageSeverity |
| 1357 | * enum in the ZrtpCallback class. |
| 1358 | * |
| 1359 | * @param severity |
| 1360 | * This defines the message's severity |
| 1361 | * @param subCode |
| 1362 | * The subcode identifying the reason. |
| 1363 | * @see ZrtpCodes#MessageSeverity |
| 1364 | */ |
| 1365 | void sendInfo(GnuZrtpCodes::MessageSeverity severity, int32_t subCode); |
| 1366 | |
| 1367 | /** |
| 1368 | * ZRTP state engine calls this if the negotiation failed. |
| 1369 | * |
| 1370 | * ZRTP calls this method in case ZRTP negotiation failed. The parameters |
| 1371 | * show the severity as well as some explanatory text. |
| 1372 | * |
| 1373 | * @param severity |
| 1374 | * This defines the message's severity |
| 1375 | * @param subCode |
| 1376 | * The subcode identifying the reason. |
| 1377 | * @see ZrtpCodes#MessageSeverity |
| 1378 | */ |
| 1379 | void zrtpNegotiationFailed(GnuZrtpCodes::MessageSeverity severity, int32_t subCode); |
| 1380 | |
| 1381 | /** |
| 1382 | * ZRTP state engine calls this method if the other side does not support ZRTP. |
| 1383 | * |
| 1384 | * If the other side does not answer the ZRTP <em>Hello</em> packets then |
| 1385 | * ZRTP calls this method, |
| 1386 | * |
| 1387 | */ |
| 1388 | void zrtpNotSuppOther(); |
| 1389 | |
| 1390 | /** |
| 1391 | * Signal SRTP secrets are ready. |
| 1392 | * |
| 1393 | * This method calls a callback method to inform the host that the SRTP |
| 1394 | * secrets are ready. |
| 1395 | * |
| 1396 | * @param part |
| 1397 | * Defines for which part (sender or receiver) to switch on security |
| 1398 | * @return |
| 1399 | * Returns false if something went wrong during initialization of SRTP |
| 1400 | * context. Propagate error back to state engine. |
| 1401 | */ |
| 1402 | bool srtpSecretsReady(EnableSecurity part); |
| 1403 | |
| 1404 | /** |
| 1405 | * Switch off SRTP secrets. |
| 1406 | * |
| 1407 | * This method calls a callback method to inform the host that the SRTP |
| 1408 | * secrets shall be cleared. |
| 1409 | * |
| 1410 | * @param part |
| 1411 | * Defines for which part (sender or receiver) to clear |
| 1412 | */ |
| 1413 | void srtpSecretsOff(EnableSecurity part); |
| 1414 | |
| 1415 | /** |
| 1416 | * ZRTP state engine calls these methods to enter or leave its |
| 1417 | * synchronization mutex. |
| 1418 | */ |
| 1419 | void synchEnter(); |
| 1420 | |
| 1421 | void synchLeave(); |
| 1422 | |
| 1423 | /** |
| 1424 | * Helper function to store ZRTP message data in a temporary buffer |
| 1425 | * |
| 1426 | * This functions first clears the temporary buffer, then stores |
| 1427 | * the packet's data to it. We use this to check the packet's HMAC |
| 1428 | * after we received the HMAC key in to following packet. |
| 1429 | * |
| 1430 | * @param data |
| 1431 | * Pointer to the packet's ZRTP message |
| 1432 | */ |
| 1433 | void storeMsgTemp(ZrtpPacketBase* pkt); |
| 1434 | |
| 1435 | /** |
| 1436 | * Helper function to check a ZRTP message HMAC |
| 1437 | * |
| 1438 | * This function gets a HMAC key and uses it to compute a HMAC |
| 1439 | * with this key and the stored data of a previous received ZRTP |
| 1440 | * message. It compares the computed HMAC and the HMAC stored in |
| 1441 | * the received message and returns the result. |
| 1442 | * |
| 1443 | * @param key |
| 1444 | * Pointer to the HMAC key. |
| 1445 | * @return |
| 1446 | * Returns true if the computed HMAC and the stored HMAC match, |
| 1447 | * false otherwise. |
| 1448 | */ |
| 1449 | bool checkMsgHmac(uint8_t* key); |
| 1450 | |
| 1451 | /** |
| 1452 | * Set the client ID for ZRTP Hello message. |
| 1453 | * |
| 1454 | * The user of ZRTP must set its id to identify itself in the |
| 1455 | * ZRTP HELLO message. The maximum length is 16 characters. Shorter |
| 1456 | * id string are allowed, they will be filled with blanks. A longer id |
| 1457 | * is truncated to 16 characters. |
| 1458 | * |
| 1459 | * The identifier is set in the Hello packet of ZRTP. Thus only after |
| 1460 | * setting the identifier ZRTP can compute the HMAC and the final |
| 1461 | * helloHash. |
| 1462 | * |
| 1463 | * @param id |
| 1464 | * The client's id |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 1465 | * @param hpv |
| 1466 | * Pointer to hello packet version structure. |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1467 | */ |
Alexandre Lision | 7fd5d3d | 2013-12-04 13:06:40 -0500 | [diff] [blame] | 1468 | void setClientId(std::string id, HelloPacketVersion* hpv); |
Alexandre Lision | 51140e1 | 2013-12-02 10:54:09 -0500 | [diff] [blame] | 1469 | }; |
| 1470 | |
| 1471 | /** |
| 1472 | * @} |
| 1473 | */ |
| 1474 | #endif // ZRTP |
| 1475 | |