2
0

zrtp_protocol.h 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495
  1. /*
  2. * libZRTP SDK library, implements the ZRTP secure VoIP protocol.
  3. * Copyright (c) 2006-2009 Philip R. Zimmermann. All rights reserved.
  4. * Contact: http://philzimmermann.com
  5. * For licensing and other legal details, see the file zrtp_legal.c.
  6. *
  7. * Viktor Krykun <v.krikun at zfoneproject.com>
  8. */
  9. #ifndef __ZRTP_PROTOCOL_H__
  10. #define __ZRTP_PROTOCOL_H__
  11. #include "zrtp_config.h"
  12. #include "zrtp_types.h"
  13. #include "zrtp_error.h"
  14. #if defined(_MSC_VER)
  15. #pragma warning(disable:4214)
  16. #endif
  17. /*!
  18. * \defgroup dev_protocol Protocol related data types and definitions
  19. * \ingroup zrtp_dev
  20. * \{
  21. */
  22. /*! ZRTP Protocol version, retransmitted in HELLO packets */
  23. #define ZRTP_PROTOCOL_VERSION "1.10"
  24. #define ZRTP_PROTOCOL_VERSION_VALUE 110
  25. #define ZRTP_ZFONE_PROTOCOL_VERSION "0.10"
  26. #define ZRTP_ZFONE_PROTOCOL_VERSION_VALUE 10
  27. /*
  28. * Protocol constants and definitions. All these values are defined by the ZRTP
  29. * specification <A HREF="http://zfoneproject.com/zrtp_ietf.html">"ZRTP Internet Draft"</A>.
  30. * Don't change them!
  31. */
  32. #define ZRTP_S384 "S384"
  33. #define ZRTP_S256 "S256"
  34. #define ZRTP_S160 "S160"
  35. #define ZRTP_AES1 "AES1"
  36. #define ZRTP_AES3 "AES3"
  37. #define ZRTP_HS32 "HS32"
  38. #define ZRTP_HS80 "HS80"
  39. #define ZRTP_DH2K "DH2k"
  40. #define ZRTP_DH3K "DH3k"
  41. #define ZRTP_EC256P "EC25"
  42. #define ZRTP_EC384P "EC38"
  43. #define ZRTP_EC521P "EC52"
  44. #define ZRTP_MULT "Mult"
  45. #define ZRTP_PRESHARED "Prsh"
  46. #define ZRTP_B32 "B32 "
  47. #define ZRTP_B256 "B256"
  48. #define ZRTP_ROLE_INITIATOR "Initiator"
  49. #define ZRTP_ROLE_RESPONDER "Responder"
  50. #define ZRTP_INITIATOR_HMAKKEY_STR "Initiator HMAC key"
  51. #define ZRTP_RESPONDER_HMAKKEY_STR "Responder HMAC key"
  52. #define ZRTP_GOCLEAR_STR "GoClear"
  53. #define ZRTP_INITIATOR_KEY_STR "Initiator SRTP master key"
  54. #define ZRTP_INITIATOR_SALT_STR "Initiator SRTP master salt"
  55. #define ZRTP_RESPONDER_KEY_STR "Responder SRTP master key"
  56. #define ZRTP_RESPONDER_SALT_STR "Responder SRTP master salt"
  57. #define ZRTP_SKEY_STR "ZRTP Session Key"
  58. #define ZRTP_SAS_STR "SAS"
  59. #define ZRTP_RS_STR "retained secret"
  60. #define ZRTP_INITIATOR_ZRTPKEY_STR "Initiator ZRTP key"
  61. #define ZRTP_RESPONDER_ZRTPKEY_STR "Responder ZRTP key"
  62. #define ZRTP_CLEAR_HMAC_STR "GoClear"
  63. #define ZRTP_KDF_STR "ZRTP-HMAC-KDF"
  64. #define ZRTP_SESS_STR "ZRTP Session Key"
  65. #define ZRTP_MULTI_STR "ZRTP MSK"
  66. #define ZRTP_PRESH_STR "ZRTP PSK"
  67. #define ZRTP_TRUSTMITMKEY_STR "Trusted MiTM key"
  68. #define ZRTP_COMMIT_HV_KEY_STR "Prsh"
  69. #define ZRTP_CACHE_DEFAULT_TTL (30*24*60*60)
  70. /** ZRTP Message magic Cookie */
  71. #define ZRTP_PACKETS_MAGIC 0x5a525450L
  72. /** Defines ZRTP extension type for RTP protocol */
  73. #define ZRTP_MESSAGE_MAGIC 0x505a
  74. /**
  75. * @brief Retransmission timer T1 in milliseconds
  76. * T1 is used for the retransmission of Hello messages. The HELLO timeout is
  77. * doubled each time a resend occurs. The gain (max timeout value) is limited
  78. * by @ref ZRTP_T1_CAPPING. After reaching \c ZRTP_T1_CAPPING, the state machine
  79. * keeps resending HELLO packets until the resend count is less than \ref
  80. * ZRTP_T1_MAX_COUNT
  81. * @sa ZRTP_T1_MAX_COUNT ZRTP_T1_CAPPING
  82. */
  83. #define ZRTP_T1 50
  84. /*!
  85. * \brief Max resends count value for T1 timer
  86. * This is the threshold value for HELLO replays. See \ref ZRTP_T1 ZRTP_T1 for
  87. * details. If the resend count exceeds the value of ZRTP_T1_MAX_COUNT then
  88. * the state machine calls _zrtp_machine_enter_initiatingerror() with error code \ref
  89. * zrtp_protocol_error_t#zrtp_error_timeout and ZRTP session establishment is
  90. * failed.
  91. */
  92. #define ZRTP_T1_MAX_COUNT 20
  93. /*!
  94. * \brief Max resends count value for T1 timer for cases when local side have
  95. * received remote Hello. Libzrtp uses this extended number of retries when there
  96. * is an evidence, that remote side supports ZRTP protocol (remote Hello received).
  97. * This approach allows to eliminate problem when ZRTP state-machine switches to
  98. * NO_ZRTP state while remote side is computing his initial DH value. (especially
  99. * important for slow devices)
  100. */
  101. #define ZRTP_T1_MAX_COUNT_EXT 60
  102. /*! Hello retries counter for ZRTP_EVENT_NO_ZRTP_QUICK event */
  103. #define ZRTP_NO_ZRTP_FAST_COUNT 5
  104. /*!
  105. * \brief Max T1 timeout
  106. * ZRTP_T1_MAX_COUNT is the threshold for the growth of the timeout value of
  107. * HELLO resends. See \ref ZRTP_T1 for details.
  108. */
  109. #define ZRTP_T1_CAPPING 200
  110. /*!
  111. * \brief ZRTP stream initiation period in milliseconds
  112. * If for some reason the initiation of a secure ZRTP stream can't be performed
  113. * at a given time (there are no retained secrets for the session, or the
  114. * concurrent stream is being processed in "DH" mode) the next attempt will be
  115. * done in ZRTP_PROCESS_T1 milliseconds. If at the end of ZRTP_PROCESS_T1_MAX_COUNT
  116. * attempts the necessary conditions haven't been reached, the task is canceled.
  117. * The mechanism of delayed execution is the same as the mechanism of delayed
  118. * packet sending. \sa ZRTP_PROCESS_T1_MAX_COUNT
  119. */
  120. #define ZRTP_PROCESS_T1 50
  121. /*!
  122. * \brief Max recall count value
  123. * This is the threshold value for ZRTP stream initiation tries. See \ref
  124. * ZRTP_PROCESS_T1 for details.
  125. */
  126. #define ZRTP_PROCESS_T1_MAX_COUNT 20000
  127. /*!
  128. * \brief Retransmission timer T2 in milliseconds
  129. * T2 is used for the retransmission of all ZRTP messages except HELLO. The
  130. * timeout value is doubled after every retransmission. The gain (max timeout's
  131. * value) is limited by \ref ZRTP_T2_CAPPING. \ref ZRTP_T2_MAX_COUNT is the limit
  132. * for packets resent as for \ref ZRTP_T1.
  133. */
  134. #define ZRTP_T2 150
  135. /*!
  136. * \brief Max retransmissions for non-HELLO packets
  137. * ZRTP_T2_MAX_COUNT limits number of resends for the non-HELLO/GOCLEAR packets.
  138. * When exceeded, call_is_on_error() is called and the error code is set to
  139. * \ref zrtp_protocol_error_t#zrtp_error_timeout
  140. */
  141. #define ZRTP_T2_MAX_COUNT 10
  142. /*!
  143. * \brief Max timeout value for protocol packets (except HELLO and GOCLEAR)
  144. * The resend timeout value grows until it reaches ZRTP_T2_CAPPING. After that
  145. * the state machine keeps resending until the resend count hits the limit of
  146. * \ref ZRTP_T2_MAX_COUNT
  147. */
  148. #define ZRTP_T2_CAPPING 1200
  149. /*!
  150. * \brief Retransmission timer for GoClear resending in milliseconds.
  151. * To prevent pinholes from closing or NAT bindings from expiring, the GoClear
  152. * message should be resent every N seconds while waiting for confirmation from
  153. * the user. GoClear replays are endless.
  154. */
  155. #define ZRTP_T3 300
  156. /*!
  157. * \brief Set of timeouts for Error packet replays.
  158. * The meaning of these fields are the same as in the T1 group but for
  159. * Error/ErrorAck packets. The values of these options are not strongly
  160. * defined by the draft. We use empirical values.
  161. */
  162. #define ZRTP_ET 150
  163. #define ZRTP_ETI_MAX_COUNT 10
  164. #define ZRTP_ETR_MAX_COUNT 3
  165. /* ZRTP Retries schedule for slow CSD channel */
  166. #define ZRTP_CSD_T4PROC 2000
  167. #define ZRTP_CSD_T1 400 + ZRTP_CSD_T4PROC
  168. #define ZRTP_CSD_T2 900 + ZRTP_CSD_T4PROC
  169. #define ZRTP_CSD_T3 900 + ZRTP_CSD_T4PROC
  170. #define ZRTP_CSD_T4 200 + ZRTP_CSD_T4PROC
  171. #define ZRTP_CSD_ET 200 + ZRTP_CSD_T4PROC
  172. /*! Defines the max component number which can be used in a HELLO agreement */
  173. #define ZRTP_MAX_COMP_COUNT 7
  174. /*
  175. * Some definitions of protocol structure sizes. To simplify sizeof() constructions
  176. */
  177. #define ZRTP_VERSION_SIZE 4
  178. #define ZRTP_ZID_SIZE 12
  179. #define ZRTP_CLIENTID_SIZE 16
  180. #define ZRTP_COMP_TYPE_SIZE 4
  181. #define ZRTP_RS_SIZE 32
  182. #define ZRTP_RSID_SIZE 8
  183. #define ZRTP_PACKET_TYPE_SIZE 8
  184. #define RTP_V2_HDR_SIZE 12
  185. #define RTP_HDR_SIZE RTP_V2_HDR_SIZE
  186. #define RTCP_HDR_SIZE 8
  187. #define ZRTP_HV_SIZE 32
  188. #define ZRTP_HV_NONCE_SIZE 16
  189. #define ZRTP_HV_KEY_SIZE 8
  190. #define ZRTP_HMAC_SIZE 8
  191. #define ZRTP_CFBIV_SIZE 16
  192. #define ZRTP_MITM_SAS_SIZE 4
  193. #define ZRTP_MESSAGE_HASH_SIZE 32
  194. #define ZRTP_HASH_SIZE 32
  195. /* Without header and HMAC: <verison> + <client ID> + <hash> + <ZID> + <components length> */
  196. #define ZRTP_HELLO_STATIC_SIZE (ZRTP_VERSION_SIZE + ZRTP_CLIENTID_SIZE + 32 + ZRTP_ZID_SIZE + 4)
  197. /* Without header and HMAC: <hash> + <secrets IDs> */
  198. #define ZRTP_DH_STATIC_SIZE (32 + 4*8)
  199. /* Without header and HMAC: <hash> + <ZID> + <components definitions> */
  200. #define ZRTP_COMMIT_STATIC_SIZE (32 + ZRTP_ZID_SIZE + 4*5)
  201. /* <RTP> + <ext. header> + <ZRTP message type> + CRC32 */
  202. #define ZRTP_MIN_PACKET_LENGTH (RTP_HDR_SIZE + 4 + 8 + 4)
  203. #if ( ZRTP_PLATFORM != ZP_SYMBIAN )
  204. #pragma pack(push,1)
  205. #endif
  206. /** Base ZRTP messages header */
  207. typedef struct zrtp_msg_hdr
  208. {
  209. /** ZRTP magic cookie */
  210. uint16_t magic;
  211. /** ZRTP message length in 4-byte words */
  212. uint16_t length;
  213. /** ZRTP message type */
  214. zrtp_uchar8_t type;
  215. } zrtp_msg_hdr_t;
  216. /*!
  217. * \brief ZRTP HELLO packet data
  218. * Contains fields needed to construct/store a ZRTP HELLO packet
  219. */
  220. typedef struct zrtp_packet_Hello
  221. {
  222. zrtp_msg_hdr_t hdr;
  223. /** ZRTP protocol version */
  224. zrtp_uchar4_t version;
  225. /** ZRTP client ID */
  226. zrtp_uchar16_t cliend_id;
  227. /*!< Hash to prevent DOS attacks */
  228. zrtp_uchar32_t hash;
  229. /** Endpoint unique ID */
  230. zrtp_uchar12_t zid;
  231. #if ZRTP_BYTE_ORDER == ZBO_LITTLE_ENDIAN
  232. uint8_t padding2:4;
  233. /** Passive flag */
  234. uint8_t pasive:1;
  235. /** M flag */
  236. uint8_t mitmflag:1;
  237. /** Signature support flag */
  238. uint8_t sigflag:1;
  239. uint8_t uflag:1;
  240. /** Hash scheme count */
  241. uint8_t hc:4;
  242. uint8_t padding3:4;
  243. /** Cipher count */
  244. uint8_t ac:4;
  245. /** Hash scheme count */
  246. uint8_t cc:4;
  247. /** SAS scheme count */
  248. uint8_t sc:4;
  249. /** PK Type count */
  250. uint8_t kc:4;
  251. #elif ZRTP_BYTE_ORDER == ZBO_BIG_ENDIAN
  252. uint8_t uflag:1;
  253. uint8_t sigflag:1;
  254. uint8_t mitmflag:1;
  255. uint8_t pasive:1;
  256. uint8_t padding2:4;
  257. uint8_t padding3:4;
  258. uint8_t hc:4;
  259. uint8_t cc:4;
  260. uint8_t ac:4;
  261. uint8_t kc:4;
  262. uint8_t sc:4;
  263. #endif
  264. zrtp_uchar4_t comp[ZRTP_MAX_COMP_COUNT*5];
  265. zrtp_uchar8_t hmac;
  266. } zrtp_packet_Hello_t;
  267. /**
  268. * @brief ZRTP COMMIT packet data
  269. * Contains information to build/store a ZRTP commit packet.
  270. */
  271. typedef struct zrtp_packet_Commit
  272. {
  273. zrtp_msg_hdr_t hdr;
  274. /** Hash to prevent DOS attacks */
  275. zrtp_uchar32_t hash;
  276. /** ZRTP endpoint unique ID */
  277. zrtp_uchar12_t zid;
  278. /** hash calculations schemes selected by ZRTP endpoint */
  279. zrtp_uchar4_t hash_type;
  280. /** cipher types selected by ZRTP endpoint */
  281. zrtp_uchar4_t cipher_type;
  282. /** SRTP auth tag lengths selected by ZRTP endpoint */
  283. zrtp_uchar4_t auth_tag_length;
  284. /** session key exchange schemes selected by endpoints */
  285. zrtp_uchar4_t public_key_type;
  286. /** SAS calculation schemes selected by endpoint*/
  287. zrtp_uchar4_t sas_type;
  288. /** hvi. See <A HREF="http://zfoneproject.com/zrtp_ietf.html">"ZRTP Internet Draft"</A> */
  289. zrtp_uchar32_t hv;
  290. zrtp_uchar8_t hmac;
  291. } zrtp_packet_Commit_t;
  292. /**
  293. * @brief ZRTP DH1/2 packets data
  294. * Contains fields needed to constructing/storing ZRTP DH1/2 packet.
  295. */
  296. typedef struct zrtp_packet_DHPart
  297. {
  298. zrtp_msg_hdr_t hdr;
  299. /** Hash to prevent DOS attacks */
  300. zrtp_uchar32_t hash;
  301. /** hash of retained shared secret 1 */
  302. zrtp_uchar8_t rs1ID;
  303. /** hash of retained shared secret 2 */
  304. zrtp_uchar8_t rs2ID;
  305. /** hash of user-defined secret */
  306. zrtp_uchar8_t auxsID;
  307. /** hash of PBX secret */
  308. zrtp_uchar8_t pbxsID;
  309. /** pvi/pvr or nonce field depends on stream mode */
  310. zrtp_uchar1024_t pv;
  311. zrtp_uchar8_t hmac;
  312. } zrtp_packet_DHPart_t;
  313. /**
  314. * @brief ZRTP Confirm1/Confirm2 packets data
  315. */
  316. typedef struct zrtp_packet_Confirm
  317. {
  318. zrtp_msg_hdr_t hdr;
  319. /** HMAC of preceding parameters */
  320. zrtp_uchar8_t hmac;
  321. /** The CFB Initialization Vector is a 128 bit random nonce */
  322. zrtp_uchar16_t iv;
  323. /** Hash to prevent DOS attacks */
  324. zrtp_uchar32_t hash;
  325. /** Unused (Set to zero and ignored) */
  326. uint8_t pad[2];
  327. /** Length of optional signature field */
  328. uint8_t sig_length;
  329. /** boolean flags for allowclear, SAS verified and disclose */
  330. uint8_t flags;
  331. /** how long (seconds) to cache shared secret */
  332. uint32_t expired_interval;
  333. } zrtp_packet_Confirm_t;
  334. /**
  335. * @brief ZRTP Confirm1/Confirm2 packets data
  336. */
  337. typedef struct zrtp_packet_SASRelay
  338. {
  339. zrtp_msg_hdr_t hdr;
  340. /** HMAC of preceding parameters */
  341. zrtp_uchar8_t hmac;
  342. /** The CFB Initialization Vector is a 128 bit random nonce */
  343. zrtp_uchar16_t iv;
  344. /** Unused (Set to zero and ignored) */
  345. uint8_t pad[2];
  346. /** Length of optionas signature field */
  347. uint8_t sig_length;
  348. /** boolean flags for allowclear, SAS verified and disclose */
  349. uint8_t flags;
  350. /** Rendering scheme of relayed sasvalue (for trusted MitMs) */
  351. zrtp_uchar4_t sas_scheme;
  352. /** Trusted MITM relayed sashash */
  353. uint8_t sashash[32];
  354. } zrtp_packet_SASRelay_t;
  355. /**
  356. * @brief GoClear packet structure according to ZRTP specification
  357. */
  358. typedef struct zrtp_packet_GoClear
  359. {
  360. zrtp_msg_hdr_t hdr;
  361. /** Clear HMAC to protect SRTP session from accidental termination */
  362. zrtp_uchar8_t clear_hmac;
  363. } zrtp_packet_GoClear_t;
  364. /**
  365. * @brief Error packet structure in accordance with ZRTP specification
  366. */
  367. typedef struct zrtp_packet_Error
  368. {
  369. zrtp_msg_hdr_t hdr;
  370. /** ZRTP error code defined by draft and \ref zrtp_protocol_error_t */
  371. uint32_t code;
  372. } zrtp_packet_Error_t;
  373. /** ZFone Ping Message. Similar to ZRTP protocol packet format */
  374. typedef struct
  375. {
  376. zrtp_msg_hdr_t hdr;
  377. zrtp_uchar4_t version; /** Zfone discovery protocol version */
  378. zrtp_uchar8_t endpointhash; /** Zfone endpoint unique identifier */
  379. } zrtp_packet_zfoneping_t;
  380. /** ZFone Ping MessageAck. Similar to ZRTP protocol packet format */
  381. typedef struct
  382. {
  383. zrtp_msg_hdr_t hdr;
  384. zrtp_uchar4_t version; /** Zfone discovery protocol version */
  385. zrtp_uchar8_t endpointhash; /** Zfone endpoint unique identifier */
  386. zrtp_uchar8_t peerendpointhash; /** EndpointHash copied from Ping message */
  387. uint32_t peerssrc;
  388. } zrtp_packet_zfonepingack_t;
  389. /*! \} */
  390. #if ( ZRTP_PLATFORM != ZP_SYMBIAN )
  391. #pragma pack(pop)
  392. #endif
  393. #endif /*__ZRTP_PROTOCOL_H__*/