Fix DHPart1/DHPart2 messages

Now kvzRTP creates a private/public key pair and sends the public
key in the DHPartN message to remote.

kvzRTP does not support Preshared mode so the retained secrets just
contain random values and are going to be ignore when the shared
secrets are established.

DHResult is already calculated successfully though the architecture
is really starting show its limitations because the sha256 values
of various messages are calculated everywhere in the code which is
pretty ugly. Maybe create getters for various messages and calculate
all hashes at once.

src/crypto/crypto.cc

@@ -93,10 +93,9 @@ void kvz_rtp::crypto::aes::decrypt(uint8_t *input, uint8_t *output, size_t len)
 
 kvz_rtp::crypto::dh::dh():
     prng_(),
-    dh_()
+    dh_(),
+    rpk_()
 {
-    fprintf(stderr, "HERERERERE TOO\n");
-
     CryptoPP::Integer p(
         "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
         "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
@@ -119,23 +118,57 @@ kvz_rtp::crypto::dh::dh():
     CryptoPP::Integer g("0x02");
 
     dh_.AccessGroupParameters().Initialize(p, g);
-
-    CryptoPP::SecByteBlock t1(dh_.PrivateKeyLength()), t2(dh_.PublicKeyLength());
-
-    dh_.GenerateKeyPair(prng_, t1, t2);
-
-    CryptoPP::Integer k1(t1, t1.size()), k2(t2, t2.size());
-
-    cout << "Private key:\n";
-    cout << hex << k1 << endl;
-    cout << "Public key:\n";
-    cout << hex << k2 << endl;
 }
 
 kvz_rtp::crypto::dh::~dh()
 {
 }
 
+void kvz_rtp::crypto::dh::generate_keys()
+{
+    CryptoPP::SecByteBlock t1(dh_.PrivateKeyLength()), t2(dh_.PublicKeyLength());
+    dh_.GenerateKeyPair(prng_, t1, t2);
+
+    sk_ = CryptoPP::Integer(t1, t1.size());
+    pk_ = CryptoPP::Integer(t2, t2.size());
+}
+
+void kvz_rtp::crypto::dh::get_pk(uint8_t *pk, size_t len)
+{
+    pk_.Encode(pk, len);
+}
+
+void kvz_rtp::crypto::dh::set_remote_pk(uint8_t *pk, size_t len)
+{
+    rpk_.Decode(pk, len);
+}
+
+void kvz_rtp::crypto::dh::get_shared_secret(uint8_t *ss, size_t len)
+{
+    CryptoPP::Integer p(
+        "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
+        "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
+    );
+
+    CryptoPP::ModularArithmetic ma(p);
+
+    std::cout << std::hex << ma.Exponentiate(rpk_, sk_) << std::endl;
+}
+
 /* ***************** base32 ***************** */
 kvz_rtp::crypto::b32::b32():
     enc_()

src/crypto/crypto.hh

@@ -65,17 +65,28 @@ namespace kvz_rtp {
                 CryptoPP::CTR_Mode<CryptoPP::AES>::Decryption dec_;
         };
 
-        /* diffie-hellman key derivation */
+        /* diffie-hellman key derivation, 3072-bits */
         class dh {
             public:
                 dh();
                 ~dh();
 
-                /* TODO: generate keys? */
+                /* TODO:  */
+                void generate_keys();
+
+                /* TODO:  */
+                void get_pk(uint8_t *pk, size_t len);
+
+                /* TODO:  */
+                void set_remote_pk(uint8_t *pk, size_t len);
+
+                /* TODO:  */
+                void get_shared_secret(uint8_t *ss, size_t len);
 
             private:
                 CryptoPP::AutoSeededRandomPool prng_;
                 CryptoPP::DH dh_;
+                CryptoPP::Integer sk_, pk_, rpk_;
         };
 
         /* base32 */

src/mzrtp/dh_kxchng.cc

@@ -8,13 +8,13 @@
 #define ZRTP_DH_PART1       "DHPart1 "
 #define ZRTP_DH_PART2       "DHPart2 "
 
-kvz_rtp::zrtp_msg::dh_key_exchange::dh_key_exchange(int part)
+kvz_rtp::zrtp_msg::dh_key_exchange::dh_key_exchange(zrtp_session_t& session)
 {
     LOG_DEBUG("Create ZRTP Commit message!");
 
     frame_  = kvz_rtp::frame::alloc_zrtp_frame(sizeof(zrtp_dh));
-    len_    = sizeof(zrtp_dh);
     rframe_ = kvz_rtp::frame::alloc_zrtp_frame(sizeof(zrtp_dh));
+    len_    = sizeof(zrtp_dh);
     rlen_   = sizeof(zrtp_dh);
 
     memset(frame_,  0, sizeof(zrtp_dh));
@@ -23,14 +23,16 @@ kvz_rtp::zrtp_msg::dh_key_exchange::dh_key_exchange(int part)
     zrtp_dh *msg = (zrtp_dh *)frame_;
 
     msg->msg_start.header.version = 0;
+    msg->msg_start.header.unused  = 0;
     msg->msg_start.header.magic   = ZRTP_HEADER_MAGIC;
-
-    /* TODO: convert to network byte order */
+    msg->msg_start.header.ssrc    = session.ssrc;
+    msg->msg_start.header.seq     = session.seq++;
 
     msg->msg_start.magic  = ZRTP_MSG_MAGIC;
     msg->msg_start.length = len_ - sizeof(zrtp_header);
+    msg->crc = 0;
 
-    memcpy(&msg->msg_start.msgblock, (part == 1) ? ZRTP_DH_PART1 : ZRTP_DH_PART2, 8);
+    session.cctx.sha256->update((uint8_t *)msg, msg->msg_start.length);
 }
 
 kvz_rtp::zrtp_msg::dh_key_exchange::~dh_key_exchange()
@@ -41,6 +43,66 @@ kvz_rtp::zrtp_msg::dh_key_exchange::~dh_key_exchange()
     (void)kvz_rtp::frame::dealloc_frame(rframe_);
 }
 
+rtp_error_t kvz_rtp::zrtp_msg::dh_key_exchange::set_role(zrtp_session_t& session, int part)
+{
+    zrtp_dh *msg = (zrtp_dh *)frame_;
+
+    const char *strs[2][2] = {
+        {
+            ZRTP_DH_PART1, "Responder"
+        },
+        {
+            ZRTP_DH_PART2, "Initiator"
+        }
+    };
+
+    memcpy(&msg->msg_start.msgblock, strs[part - 1][0],  8);
+    memcpy(msg->hash,                session.hashes[1], 32);
+
+    /* Calculate hashes for the secrets (as defined in Section 4.3.1)
+     *
+     * These hashes are truncated to 64 bits so we use one temporary
+     * buffer to store the full digest from which we copy the truncated
+     * hash directly to the DHPartN message */
+    uint8_t mac_full[32];
+
+    /* rs1IDr */
+    auto hmac_sha256 = kvz_rtp::crypto::hmac::sha256(session.us.rs1, 32);
+    hmac_sha256.update((uint8_t *)strs[part - 1][1], 9);
+    hmac_sha256.final(mac_full);
+    memcpy(msg->rs1_id, mac_full, 8);
+
+    /* rs2IDr */
+    hmac_sha256 = kvz_rtp::crypto::hmac::sha256(session.us.rs2, 32);
+    hmac_sha256.update((uint8_t *)strs[part - 1][1], 9);
+    hmac_sha256.final(mac_full);
+    memcpy(msg->rs2_id, mac_full, 8);
+
+    /* auxsecretIDr */
+    hmac_sha256 = kvz_rtp::crypto::hmac::sha256(session.us.raux, 32);
+    hmac_sha256.update(session.hashes[3], 32);
+    hmac_sha256.final(mac_full);
+    memcpy(msg->aux_secret, mac_full, 8);
+
+    /* pbxsecretIDr */
+    hmac_sha256 = kvz_rtp::crypto::hmac::sha256(session.us.rpbx, 32);
+    hmac_sha256.update((uint8_t *)strs[part - 1][1], 9);
+    hmac_sha256.final(mac_full);
+    memcpy(msg->pbx_secret, mac_full, 8);
+
+    /* public key */
+    memcpy(msg->pk, session.public_key, sizeof(session.public_key));
+
+    /* Finally calculate MAC code for the message */
+    hmac_sha256 = kvz_rtp::crypto::hmac::sha256(session.hashes[0], 32);
+    hmac_sha256.update((uint8_t *)frame_, len_ - 8);
+    hmac_sha256.final(mac_full);
+
+    memcpy(msg->mac, mac_full, 8);
+
+    return RTP_OK;
+}
+
 rtp_error_t kvz_rtp::zrtp_msg::dh_key_exchange::send_msg(socket_t& socket, sockaddr_in& addr)
 {
 #ifdef __linux
@@ -49,13 +111,23 @@ rtp_error_t kvz_rtp::zrtp_msg::dh_key_exchange::send_msg(socket_t& socket, socka
         return RTP_SEND_ERROR;
     }
 #else
-    /* TODO:  */
+    DWORD sent_bytes;
+    WSABUF data_buf;
+
+    data_buf.buf = (char *)frame_;
+    data_buf.len = len_;
+
+    if (WSASendTo(socket, &data_buf, 1, nullptr, 0, (const struct sockaddr *)&addr, sizeof(addr), nullptr, nullptr) == -1) {
+        win_get_last_error();
+
+        return RTP_SEND_ERROR;
+    }
 #endif
 
     return RTP_OK;
 }
 
-rtp_error_t kvz_rtp::zrtp_msg::dh_key_exchange::parse_msg(kvz_rtp::zrtp_msg::receiver& receiver, kvz_rtp::zrtp_dh_t& dh)
+rtp_error_t kvz_rtp::zrtp_msg::dh_key_exchange::parse_msg(kvz_rtp::zrtp_msg::receiver& receiver, zrtp_session_t& session)
 {
     LOG_DEBUG("Parsing DHPart1/DHPart2 message...");
 
@@ -68,10 +140,15 @@ rtp_error_t kvz_rtp::zrtp_msg::dh_key_exchange::parse_msg(kvz_rtp::zrtp_msg::rec
 
     zrtp_dh *msg = (zrtp_dh *)rframe_;
 
-    memcpy(dh.retained1,  msg->rs1_id,     sizeof(uint32_t) * 2);
-    memcpy(dh.retained2,  msg->rs2_id,     sizeof(uint32_t) * 2);
-    memcpy(dh.aux_secret, msg->aux_secret, sizeof(uint32_t) * 2);
-    memcpy(dh.pbx_secret, msg->pbx_secret, sizeof(uint32_t) * 2);
+    memcpy(session.remote_public, msg->pk, 384);
+
+    /* Because kvzRTP only supports DH mode, the retained secrets sent in this
+     * DHPartN message are not going to match our own so there not point in parsing them.
+     *
+     * TODO support maybe preshared at some point? */
+    session.s1 = nullptr;
+    session.s2 = nullptr;
+    session.s3 = nullptr;
 
     return RTP_OK;
 }

src/mzrtp/dh_kxchng.hh

@@ -12,25 +12,29 @@ namespace kvz_rtp {
 
         struct zrtp_dh {
             zrtp_msg msg_start;
-            uint32_t hash_image[8];
-            uint32_t rs1_id[2];
-            uint32_t rs2_id[2];
-            uint32_t aux_secret[2];
-            uint32_t pbx_secret[2];
-            uint32_t pvr[8];
-            uint32_t mac[2];
+            uint32_t hash[8];
+            uint8_t rs1_id[8];
+            uint8_t rs2_id[8];
+            uint8_t aux_secret[8];
+            uint8_t pbx_secret[8];
+            uint8_t pk[384];
+            uint8_t mac[8];
+            uint32_t crc;
         };
 
         class dh_key_exchange {
             public:
-                dh_key_exchange(int part);
+                dh_key_exchange(zrtp_session_t& session);
                 ~dh_key_exchange();
 
                 /* TODO:  */
                 rtp_error_t send_msg(socket_t& socket, sockaddr_in& addr);
 
                 /* TODO:  */
-                rtp_error_t parse_msg(kvz_rtp::zrtp_msg::receiver& receiver, kvz_rtp::zrtp_dh_t& dh);
+                rtp_error_t parse_msg(kvz_rtp::zrtp_msg::receiver& receiver, zrtp_session_t& session);
+
+                /* TODO:  */
+                rtp_error_t set_role(zrtp_session_t& session, int part);
 
             private:
                 kvz_rtp::frame::zrtp_frame *frame_;

src/mzrtp/hello.cc

@@ -142,5 +142,7 @@ rtp_error_t kvz_rtp::zrtp_msg::hello::parse_msg(kvz_rtp::zrtp_msg::receiver& rec
     memcpy(&session.remote_macs[0],   &msg->mac,  8);
     memcpy(&session.remote_hashes[3], msg->hash, 32);
 
+    session.cctx.sha256->update((uint8_t *)msg, msg->msg_start.length);
+
     return RTP_OK;
 }

src/zrtp.cc

@@ -1,4 +1,5 @@
 #include <cstring>
+#include <thread>
 
 #include "debug.hh"
 #include "crypto/crypto.hh"
@@ -19,6 +20,7 @@ kvz_rtp::zrtp::zrtp():
     receiver_()
 {
     cctx_.sha256 = new kvz_rtp::crypto::sha256();
+    cctx_.dh     = new kvz_rtp::crypto::dh;
 }
 
 kvz_rtp::zrtp::~zrtp()
@@ -58,6 +60,22 @@ void kvz_rtp::zrtp::generate_zid()
     kvz_rtp::crypto::random::generate_random(zid_, 12);
 }
 
+void kvz_rtp::zrtp::generate_secrets()
+{
+    cctx_.dh->generate_keys();
+    cctx_.dh->get_pk(session_.public_key, 384);
+
+    /* kvzRTP does not support Preshared mode (for now at least) so
+     * there will be no shared secrets between the endpoints.
+     *
+     * Generate random data for the retained secret values that are sent
+     * in the DHPart1/DHPart2 message and, due to mismatch, ignored by remote */
+    kvz_rtp::crypto::random::generate_random(session_.us.rs1,  32);
+    kvz_rtp::crypto::random::generate_random(session_.us.s2,   32);
+    kvz_rtp::crypto::random::generate_random(session_.us.raux, 32);
+    kvz_rtp::crypto::random::generate_random(session_.us.rpbx, 32);
+}
+
 void kvz_rtp::zrtp::init_session_hashes()
 {
     kvz_rtp::crypto::random::generate_random(session_.hashes[0], 32);
@@ -209,10 +227,12 @@ rtp_error_t kvz_rtp::zrtp::init_session(bool& initiator)
 rtp_error_t kvz_rtp::zrtp::dh_part1()
 {
     rtp_error_t ret = RTP_OK;
-    auto dhpart     = kvz_rtp::zrtp_msg::dh_key_exchange(1);
+    auto dhpart     = kvz_rtp::zrtp_msg::dh_key_exchange(session_);
     size_t rto      = 150;
     int type        = 0;
 
+    dhpart.set_role(session_, 1);
+
     for (int i = 0; i < 10; ++i) {
         set_timeout(rto);
 
@@ -222,11 +242,14 @@ rtp_error_t kvz_rtp::zrtp::dh_part1()
 
         if ((type = receiver_.recv_msg(socket_, 0)) > 0) {
             if (type == ZRTP_FT_DH_PART2) {
-                if ((ret = dhpart.parse_msg(receiver_, session_.them)) != RTP_OK) {
+                if ((ret = dhpart.parse_msg(receiver_, session_)) != RTP_OK) {
                     LOG_ERROR("Failed to parse DHPart2 Message!");
                     continue;
                 }
 
+                cctx_.dh->set_remote_pk(session_.remote_public, 384);
+                cctx_.dh->get_shared_secret(session_.dh_result, 384);
+
                 LOG_DEBUG("DHPart2 received and parse successfully!");
                 return RTP_OK;
             }
@@ -244,13 +267,19 @@ rtp_error_t kvz_rtp::zrtp::dh_part2()
     int type        = 0;
     size_t rto      = 0;
     rtp_error_t ret = RTP_OK;
-    auto dhpart     = kvz_rtp::zrtp_msg::dh_key_exchange(2);
+    auto dhpart     = kvz_rtp::zrtp_msg::dh_key_exchange(session_);
 
-    if ((ret = dhpart.parse_msg(receiver_, session_.them)) != RTP_OK) {
+    dhpart.set_role(session_, 2);
+
+    if ((ret = dhpart.parse_msg(receiver_, session_)) != RTP_OK) {
         LOG_ERROR("Failed to parse DHPart1 Message!");
         return RTP_INVALID_VALUE;
     }
 
+    std::this_thread::sleep_for(std::chrono::milliseconds(1000));
+    cctx_.dh->set_remote_pk(session_.remote_public, 384);
+    cctx_.dh->get_shared_secret(session_.dh_result, 384);
+
     for (int i = 0; i < 10; ++i) {
         set_timeout(rto);
 
@@ -342,7 +371,12 @@ rtp_error_t kvz_rtp::zrtp::init(uint32_t ssrc, socket_t& socket, sockaddr_in& ad
     bool initiator  = false;
     rtp_error_t ret = RTP_OK;
 
+    /* TODO: set all fields initially to zero */
+
     generate_zid();
+    generate_secrets();
+
+    /* Initialize the session hashes H0 - H3 defined in Section 9 of RFC 6189 */
     init_session_hashes();
 
     socket_    = socket;
@@ -350,34 +384,42 @@ rtp_error_t kvz_rtp::zrtp::init(uint32_t ssrc, socket_t& socket, sockaddr_in& ad
     capab_     = get_capabilities();
     capab_.zid = zid_;
 
-    session_.ssrc = ssrc;
     session_.seq  = 0;
-
-    /* TODO: initialize properly  */
-    session_.us.retained1[0]  = 1337;
-    session_.us.retained2[0]  = 1337;
-    session_.us.aux_secret[0] = 1337;
-    session_.us.pbx_secret[0] = 1337;
-
-    session_.capabilities     = capab_;
-    session_.capabilities.zid = zid_;
-
+    session_.ssrc = ssrc;
     session_.cctx = cctx_;
 
-    /* TODO: what is this doing here? */
-    /* kvz_rtp::crypto::dh dh__; */
+    session_.capabilities     = get_capabilities();
+    session_.capabilities.zid = zid_;
+
+    /* Now that our session parameters have been created, we can create
+     * DHPart2 message which is used, in conjunction with Hello message,
+     * to create the hash value of initiator (hvi) for Commit message
+     *
+     * dh_key_exchange() creates a DHPart2 message but this messages
+     * is used by both parties so responder will update the Message
+     * Block type in dh_part1() function once the execution gets
+     * there
+     *
+     * dh_key_exchange() will update crypto context's sha256 object */
+    auto dh_msg = kvz_rtp::zrtp_msg::dh_key_exchange(session_);
+    dh_msg.set_role(session_, 2);
 
     /* Begin session by exchanging Hello and HelloACK messages.
      *
      * After begin_session() we know what remote is capable of
      * and whether we are compatible implementations
      *
-     * Remote participant's capabilities are stored to rcapab_ */
+     * begin_session() will update crypto context's sha256 object */
     if ((ret = begin_session()) != RTP_OK) {
         LOG_ERROR("Session initialization failed, ZRTP cannot be used!");
         return ret;
     }
 
+    /* begin_session() has updated current sha256 value with Hello message.
+     * We can now obtain the digest of DHPart2 and Hello to get our hvi
+     * which is used in the next step when creating Commit message */
+    cctx_.sha256->final(session_.hvi);
+
     /* We're here which means that remote respond to us and sent a Hello message
      * with same version number as ours. This means that the implementations are
      * compatible with each other and we can start the actual negotiation

src/zrtp.hh

@@ -47,17 +47,31 @@ namespace kvz_rtp {
 
     /* DH exchange related information */
     typedef struct zrtp_dh {
-        uint32_t retained1[2]; /* hash of retained shared secret 1 */
-        uint32_t retained2[2]; /* hash of retained shared secret 2 */
+        /* uint32_t retained1[2]; /1* hash of retained shared secret 1 *1/ */
+        /* uint32_t retained2[2]; /1* hash of retained shared secret 2 *1/ */
+        /* uint32_t aux_secret[2]; /1* hash of auxiliary secret *1/ */
+        /* uint32_t pbx_secret[2]; /1* hash of MiTM PBX secret *1/ */
+
+        /* Retained (for kvzRTP, preshared mode is not supported so we're
+         * going to generate just some random values for these) */
+        uint8_t rs1[32];
+        uint8_t rs2[32];
+        uint8_t raux[32];
+        uint8_t rpbx[32];
+
+        /* Shared between  parties */
+        uint8_t s1[8];
+        uint8_t s2[8];
+        uint8_t aux[8];
+        uint8_t pbx[8];
 
-        uint32_t aux_secret[2]; /* hash of auxiliary secret */
-        uint32_t pbx_secret[2]; /* hash of MiTM PBX secret */
     } zrtp_dh_t;
 
     /* One common crypto contex for all ZRTP functions */
     typedef struct zrtp_crypto_ctx {
         kvz_rtp::crypto::hmac::sha256 *hmac_sha256;
         kvz_rtp::crypto::sha256 *sha256;
+        kvz_rtp::crypto::dh *dh;
     } zrtp_crypto_ctx_t;
 
     /* TODO: voisiko näitä structeja järjestellä jotenkin järkevämmin? */
@@ -78,16 +92,34 @@ namespace kvz_rtp {
         zrtp_capab_t capabilities; /* TODO: rename to ocapab */
         zrtp_capab_t rcapab;
 
+        uint8_t private_key[22];
+        uint8_t public_key[384];
+
+        uint8_t remote_public[384];
+
+        uint8_t dh_result[384];
+
         /* Hash value of initiator */
         uint8_t hvi[32];
         uint8_t remote_hvi[32];
 
         /* Section 9 of RFC 6189 */
         uint8_t hashes[4][32];
-        uint32_t remote_hashes[4][32];
+        uint8_t remote_hashes[4][32];
 
         uint64_t remote_macs[4];
 
+        kvz_rtp::crypto::sha256 *aux_total_hash;
+
+        /* Shared secrets
+         *
+         * Because kvzRTP supports only DH mode,
+         * other shared secrets (s1 - s3) are null */
+        uint8_t s0[1];
+        uint8_t *s1;
+        uint8_t *s2;
+        uint8_t *s3;
+
         zrtp_dh_t us;
         zrtp_dh_t them;
 
@@ -121,6 +153,9 @@ namespace kvz_rtp {
             /* Generate zid for this ZRTP instance. ZID is a unique, 96-bit long ID */
             void generate_zid();
 
+            /* TODO:  */
+            void generate_secrets();
+
             /* Compare our and remote's hvi values to determine who is the initiator */
             bool are_we_initiator(uint8_t *our_hvi, uint8_t *their_hvi);
 
@@ -172,7 +207,6 @@ namespace kvz_rtp {
             kvz_rtp::zrtp_msg::receiver receiver_;
 
             zrtp_crypto_ctx_t cctx_;
-
             /* Initialized after Hello messages have been exchanged */
             zrtp_session_t session_;