try{ switch( securityConfig.ka_type ){ case KEY_MGMT_METHOD_MIKEY_DH: if( !securityConfig.cert || securityConfig.cert->is_empty() ){ throw MikeyException( "No certificate provided for DH key agreement" ); }#ifdef ENABLE_TS ts.save( DH_PRECOMPUTE_START );#endif if( ka && ka->type() != KEY_AGREEMENT_TYPE_DH ){ ka = NULL; } if( !ka ){ ka = new KeyAgreementDH( securityConfig.cert, securityConfig.cert_db, DH_GROUP_OAKLEY5 ); } addStreamsToKa();#ifdef ENABLE_TS ts.save( DH_PRECOMPUTE_END );#endif message = new MikeyMessage( ((KeyAgreementDH *)*ka) );#ifdef ENABLE_TS ts.save( MIKEY_CREATE_END );#endif break; //added by pmaurer case KEY_MGMT_METHOD_MIKEY_DK: if (!ka || ka->type() != KEY_AGREEMENT_TYPE_DK) { ka = new KeyAgreementDK(DH_GROUP_OAKLEY5); } addStreamsToKa(true); message = new MikeyMessage( (KeyAgreementDK*) *ka, securityConfig.dk_pkey_loaded, commonConfig.sipIdentity->getSipUri()); break; // end added by pmaurer case KEY_MGMT_METHOD_MIKEY_PSK:#ifdef ENABLE_TS ts.save( DH_PRECOMPUTE_START );#endif ka = new KeyAgreementPSK( securityConfig.psk, securityConfig.psk_length ); addStreamsToKa();#ifdef ENABLE_TS ts.save( DH_PRECOMPUTE_END );#endif ((KeyAgreementPSK *)*ka)->generateTgk();#ifdef ENABLE_TS ts.save( MIKEY_CREATE_START );#endif message = new MikeyMessage( ((KeyAgreementPSK *)*ka) );#ifdef ENABLE_TS ts.save( MIKEY_CREATE_END );#endif break; case KEY_MGMT_METHOD_MIKEY_PK: throw MikeyExceptionUnimplemented( "PK KA type not implemented" ); default: throw MikeyException( "Invalid type of KA" ); } string b64Message = message->b64Message(); delete message; return "mikey "+b64Message; } catch( certificate_exception & ){ // FIXME: tell the GUI merr << "Could not open certificate" <<end; securityConfig.ka_type = KEY_MGMT_METHOD_NULL; securityConfig.secured = false; return ""; } catch( MikeyException & exc ){ merr << "MikeyException caught: " << exc.what() << end; securityConfig.ka_type = KEY_MGMT_METHOD_NULL; securityConfig.secured=false; return ""; }} bool 
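/**
 * Initiator side: authenticate the MIKEY response carried in a SIP body.
 *
 * @param message  SIP body text, expected to start with "mikey " followed by
 *                 the base64 MIKEY response (peer-supplied, untrusted).
 * @return true only when the response authenticated for the configured key
 *         agreement type; every failure path leaves securityConfig.secured
 *         false (fail closed). On most failures ka_type is also reset to
 *         KEY_MGMT_METHOD_NULL so no later step treats the session as secured.
 *
 * Only MikeyException and its subclasses are caught here; other exception
 * types thrown while parsing the message (e.g. certificate_exception, which
 * initiatorParse() does catch) propagate to the caller.
 */
Session::initiatorAuthenticate( string message ){
	if (message.substr(0,6) == "mikey ") {
		// get rid of the "mikey "
		message = message.substr(6,message.length()-6);
		if(message == ""){
			merr << "No MIKEY message received" << end;
			securityConfig.secured = false;
			return false;
		}
		else {
			try{
				// A response can only be checked against a pending key
				// agreement; without one there is nothing to authenticate
				// against, so refuse rather than dereference a null ka.
				if( !ka ){
					merr << "No key agreement in progress, ignoring MIKEY response" << end;
					securityConfig.secured = false;
					return false;
				}
				// Parses peer-supplied data; malformed input is expected to
				// surface as a MikeyException (caught below).
				MikeyMessage * resp_mes = new MikeyMessage( message );
				ka->setResponderData( resp_mes );
				switch( securityConfig.ka_type ){
					case KEY_MGMT_METHOD_MIKEY_DH:
#ifdef ENABLE_TS
						ts.save( AUTH_START );
#endif
						// authenticate() returns non-zero on failure.
						if( resp_mes->authenticate( ((KeyAgreementDH *)*ka) ) ){
							throw MikeyExceptionAuthentication( "Authentication of the DH response message failed" );
						}
#ifdef ENABLE_TS
						ts.save( TMP );
#endif
						// Peer certificate control is optional by configuration:
						// with check_cert unset the DH response is accepted on the
						// authenticate() result alone. controlPeerCertificate()
						// returns 0 on failure.
						if( securityConfig.check_cert ){
							if( ((KeyAgreementDH *)*ka)->controlPeerCertificate() == 0)
								throw MikeyExceptionAuthentication( "Certificate control failed" );
						}
#ifdef ENABLE_TS
						ts.save( AUTH_END );
#endif
						securityConfig.secured = true;
						return true;
					// added by pmauer
					case KEY_MGMT_METHOD_MIKEY_DK:
						// Thrown (not just logged) so the failure resets ka_type
						// and secured in the handler below, like the DH and PSK
						// paths do.
						if (resp_mes->authenticate((KeyAgreementDK*) *ka)) {
							throw MikeyExceptionAuthentication( "Authentication of the DK response message failed" );
						}
						securityConfig.secured = true;
						return true;
					// end added by pmaurer
					case KEY_MGMT_METHOD_MIKEY_PSK:
#ifdef ENABLE_TS
						ts.save( AUTH_START );
#endif
						if( resp_mes->authenticate( ((KeyAgreementPSK *)*ka) ) ){
							throw MikeyExceptionAuthentication( "Authentication of the PSK verification message failed" );
						}
#ifdef ENABLE_TS
						ts.save( AUTH_END );
#endif
						securityConfig.secured = true;
						return true;
					case KEY_MGMT_METHOD_MIKEY_PK:
						throw MikeyExceptionUnimplemented( "PK type of KA unimplemented" );
					default:
						throw MikeyException( "Invalid type of KA" );
				}
			}
			catch(MikeyExceptionAuthentication &exc){
				merr << "MikeyException caught: " << exc.what() << end;
				//FIXME! send SIP Authorization failed with Mikey Error message
				securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
				securityConfig.secured=false;
				return false;
			}
			catch(MikeyExceptionMessageContent &exc){
				MikeyMessage * error_mes;
				merr << "MikeyExceptionMessageContent caught: " << exc.what() << end;
				if( ( error_mes = exc.errorMessage() ) != NULL ){
					//FIXME: send the error message!
				}
				securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
				securityConfig.secured=false;
				return false;
			}
			catch(MikeyException &exc){
				merr << "MikeyException caught: " << exc.what() << end;
				securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
				securityConfig.secured=false;
				return false;
			}
		}
	}
	else{
		merr << "Unknown key management method" << end;
		securityConfig.secured = false;
		return false;
	}
}

/**
 * Responder side: parse the initiator's MIKEY message stored as responder
 * data on the key agreement and build the response (or a MIKEY error message
 * when the content was invalid).
 *
 * @return the base64 response to send back, or "" when there is nothing to
 *         send. On parse/authentication problems ka_type is reset to
 *         KEY_MGMT_METHOD_NULL and secured is cleared; this function never
 *         sets secured to true itself.
 */
string Session::initiatorParse(){
	// ka_type is a bitmask here: all MIKEY methods share KEY_MGMT_METHOD_MIKEY.
	if( ! ( securityConfig.ka_type & KEY_MGMT_METHOD_MIKEY ) ){
		merr << "Unknown type of key agreement" << end;
		securityConfig.secured = false;
		return "";
	}
	MikeyMessage * responseMessage = NULL;
	try{
		if( !ka ){
			merr << "Uninitialized key agreement, this is a bug" << end;
			securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
			securityConfig.secured = false;
			return "";
		}
		MikeyMessage * initMessage = (MikeyMessage *)ka->responderData();
		if( initMessage == NULL ){
			merr << "Uninitialized MIKEY init message, this is a bug" << end;
			securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
			securityConfig.secured = false;
			return "";
		}
		switch( securityConfig.ka_type ){
			case KEY_MGMT_METHOD_MIKEY_DH:
#ifdef ENABLE_TS
				ts.save( MIKEY_PARSE_START );
#endif
				responseMessage = initMessage->parseResponse((KeyAgreementDH *)*ka);
#ifdef ENABLE_TS
				ts.save( MIKEY_PARSE_END );
#endif
				break;
			// added by pmauer
			case KEY_MGMT_METHOD_MIKEY_DK:
				responseMessage = initMessage->parseResponse((KeyAgreementDK*) *ka);
				break;
			// end added by pmaurer
			case KEY_MGMT_METHOD_MIKEY_PSK:
#ifdef ENABLE_TS
				ts.save( MIKEY_PARSE_START );
#endif
				responseMessage = initMessage->parseResponse((KeyAgreementPSK *)*ka);
#ifdef ENABLE_TS
				ts.save( MIKEY_PARSE_END );
#endif
				break;
			case KEY_MGMT_METHOD_MIKEY_PK:
				/* Should not happen at that point */
				throw MikeyExceptionUnimplemented( "Public Key key agreement not implemented" );
				break;
			default:
				throw MikeyExceptionMessageContent( "Unexpected type of message in INVITE" );
		}
	}
	catch( certificate_exception & ){
		// TODO: Tell the GUI
		merr << "Could not open certificate" <<end;
		securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
		securityConfig.secured = false;
	}
	catch( MikeyExceptionUnacceptable &exc ){
		merr << "MikeyException caught: "<<exc.what()<<end;
		//FIXME! send SIP Unacceptable with Mikey Error message
		securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
		securityConfig.secured = false;
	}
	// Message was invalid
	catch( MikeyExceptionMessageContent &exc ){
		MikeyMessage * error_mes;
		merr << "MikeyExceptionMesageContent caught: " << exc.what() << end;
		// The MIKEY error message becomes the reply to the peer.
		// NOTE(review): error_mes is used after this handler ends; verify the
		// exception object does not free it in its destructor.
		if( ( error_mes = exc.errorMessage() ) != NULL ){
			responseMessage = error_mes;
		}
		securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
		securityConfig.secured = false;
	}
	catch( MikeyException & exc ){
		merr << "MikeyException caught: " << exc.what() << end;
		securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
		securityConfig.secured = false;
	}
	// NOTE(review): responseMessage is not freed here, unlike the message
	// built on the initiator side; ownership of parseResponse()'s result is
	// not visible in this file — confirm before adding a delete.
	if( responseMessage != NULL )
		return responseMessage->b64Message();
	else
		return string("");
}

/**
 * Register every outgoing media stream with the key agreement's SRTP
 * crypto-session ID map.
 *
 * @param initiating  true on the initiator: each sender adds its own SSRC
 *                    plus a zero-SSRC placeholder entry under the default
 *                    SRTP policy. false on the responder: the placeholder
 *                    slot is filled in with the responder's SSRC and ROC 0.
 *
 * Streams are numbered from j = 1; the responder writes to CS ID 2*j,
 * presumably the placeholder entry the initiator added for the j-th stream
 * (two entries per stream) — verify the CS ID map is 1-based.
 */
void Session::addStreamsToKa( bool initiating ){
	list< MRef<MediaStreamSender *> >::iterator iSender;
	ka->setCsIdMapType(HDR_CS_ID_MAP_TYPE_SRTP_ID);
	uint8_t j = 1;
	for( iSender = mediaStreamSenders.begin(); iSender != mediaStreamSenders.end(); iSender ++, j++ ){
		if( initiating ){
			uint8_t policyNo = ka->setdefaultPolicy( MIKEY_PROTO_SRTP );
			ka->addSrtpStream( (*iSender)->getSsrc(), 0/*ROC*/, policyNo );
			/* Placeholder for the receiver to place his SSRC */
			ka->addSrtpStream( 0, 0/*ROC*/, policyNo );
		}
		else{
			ka->setSrtpStreamSsrc( (*iSender)->getSsrc(), 2*j );
			ka->setSrtpStreamRoc ( 0, 2*j );
		}
	}
}

/**
 * Attach the key agreement as the offer of the stored MIKEY init message.
 *
 * @throws MikeyException when no key agreement or init message is present
 *         (both are programming errors at this point), and its subclasses
 *         for the PK method and for an unknown ka_type.
 */
void Session::setMikeyOffer(){
	// Guard like initiatorParse() does; throwing keeps the existing
	// MikeyException contract of this function instead of dereferencing null.
	if( !ka ){
		throw MikeyException( "No key agreement in progress" );
	}
	MikeyMessage * initMessage = (MikeyMessage *)ka->initiatorData();
	if( initMessage == NULL ){
		throw MikeyException( "Uninitialized MIKEY init message, this is a bug" );
	}
	switch( securityConfig.ka_type ){
		case KEY_MGMT_METHOD_MIKEY_DH:
			initMessage->setOffer((KeyAgreementDH *)*ka);
			break;
		// added by pmaurer
		case KEY_MGMT_METHOD_MIKEY_DK:
			initMessage->setOffer((KeyAgreementDK*) *ka);
			break;
		// end added by pmaurer
		case KEY_MGMT_METHOD_MIKEY_PSK:
			initMessage->setOffer((KeyAgreementPSK *)*ka);
			break;
		case KEY_MGMT_METHOD_MIKEY_PK:
			/* Should not happen at that point */
			throw MikeyExceptionUnimplemented("Public Key key agreement not implemented" );
			break;
		default:
			throw MikeyExceptionMessageContent("Unexpected type of message in INVITE" );
	}
}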