Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(148)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: libsrtp/srtp/srtp.c

Issue 3423016: Add current version of libSRTP from CVS. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/
Patch Set: '' Created 10 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « libsrtp/srtp/ekt.c ('k') | libsrtp/srtp7.sln » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Property Changes:
Added: svn:eol-style
+ LF
OLDNEW
(Empty)
1 /*
2 * srtp.c
3 *
4 * the secure real-time transport protocol
5 *
6 * David A. McGrew
7 * Cisco Systems, Inc.
8 */
9 /*
10 *
11 * Copyright (c) 2001-2006, Cisco Systems, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 *
18 * Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 *
21 * Redistributions in binary form must reproduce the above
22 * copyright notice, this list of conditions and the following
23 * disclaimer in the documentation and/or other materials provided
24 * with the distribution.
25 *
26 * Neither the name of the Cisco Systems, Inc. nor the names of its
27 * contributors may be used to endorse or promote products derived
28 * from this software without specific prior written permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 *
43 */
44
45
46 #include "srtp.h"
47 #include "ekt.h" /* for SRTP Encrypted Key Transport */
48 #include "alloc.h" /* for crypto_alloc() */
49
50 #ifndef SRTP_KERNEL
51 # include <limits.h>
52 # ifdef HAVE_NETINET_IN_H
53 # include <netinet/in.h>
54 # elif defined(HAVE_WINSOCK2_H)
55 # include <winsock2.h>
56 # endif
57 #endif /* ! SRTP_KERNEL */
58
59
60 /* the debug module for srtp */
61
62 debug_module_t mod_srtp = {
63 0, /* debugging is off by default */
64 "srtp" /* printable name for module */
65 };
66
67 #define octets_in_rtp_header 12
68 #define uint32s_in_rtp_header 3
69 #define octets_in_rtcp_header 8
70 #define uint32s_in_rtcp_header 2
71
72
73 err_status_t
74 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
75 const srtp_policy_t *p) {
76 srtp_stream_ctx_t *str;
77 err_status_t stat;
78
79 /*
80 * This function allocates the stream context, rtp and rtcp ciphers
81 * and auth functions, and key limit structure. If there is a
82 * failure during allocation, we free all previously allocated
83 * memory and return a failure code. The code could probably
84 * be improved, but it works and should be clear.
85 */
86
87 /* allocate srtp stream and set str_ptr */
88 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
89 if (str == NULL)
90 return err_status_alloc_fail;
91 *str_ptr = str;
92
93 /* allocate cipher */
94 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
95 &str->rtp_cipher,
96 p->rtp.cipher_key_len);
97 if (stat) {
98 crypto_free(str);
99 return stat;
100 }
101
102 /* allocate auth function */
103 stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
104 &str->rtp_auth,
105 p->rtp.auth_key_len,
106 p->rtp.auth_tag_len);
107 if (stat) {
108 cipher_dealloc(str->rtp_cipher);
109 crypto_free(str);
110 return stat;
111 }
112
113 /* allocate key limit structure */
114 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t));
115 if (str->limit == NULL) {
116 auth_dealloc(str->rtp_auth);
117 cipher_dealloc(str->rtp_cipher);
118 crypto_free(str);
119 return err_status_alloc_fail;
120 }
121
122 /*
123 * ...and now the RTCP-specific initialization - first, allocate
124 * the cipher
125 */
126 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
127 &str->rtcp_cipher,
128 p->rtcp.cipher_key_len);
129 if (stat) {
130 auth_dealloc(str->rtp_auth);
131 cipher_dealloc(str->rtp_cipher);
132 crypto_free(str->limit);
133 crypto_free(str);
134 return stat;
135 }
136
137 /* allocate auth function */
138 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
139 &str->rtcp_auth,
140 p->rtcp.auth_key_len,
141 p->rtcp.auth_tag_len);
142 if (stat) {
143 cipher_dealloc(str->rtcp_cipher);
144 auth_dealloc(str->rtp_auth);
145 cipher_dealloc(str->rtp_cipher);
146 crypto_free(str->limit);
147 crypto_free(str);
148 return stat;
149 }
150
151 /* allocate ekt data associated with stream */
152 stat = ekt_alloc(&str->ekt, p->ekt);
153 if (stat) {
154 auth_dealloc(str->rtcp_auth);
155 cipher_dealloc(str->rtcp_cipher);
156 auth_dealloc(str->rtp_auth);
157 cipher_dealloc(str->rtp_cipher);
158 crypto_free(str->limit);
159 crypto_free(str);
160 return stat;
161 }
162
163 return err_status_ok;
164 }
165
166 err_status_t
167 srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) {
168 err_status_t status;
169
170 /*
171 * we use a conservative deallocation strategy - if any deallocation
172 * fails, then we report that fact without trying to deallocate
173 * anything else
174 */
175
176 /* deallocate cipher, if it is not the same as that in template */
177 if (session->stream_template
178 && stream->rtp_cipher == session->stream_template->rtp_cipher) {
179 /* do nothing */
180 } else {
181 status = cipher_dealloc(stream->rtp_cipher);
182 if (status)
183 return status;
184 }
185
186 /* deallocate auth function, if it is not the same as that in template */
187 if (session->stream_template
188 && stream->rtp_auth == session->stream_template->rtp_auth) {
189 /* do nothing */
190 } else {
191 status = auth_dealloc(stream->rtp_auth);
192 if (status)
193 return status;
194 }
195
196 /* deallocate key usage limit, if it is not the same as that in template */
197 if (session->stream_template
198 && stream->limit == session->stream_template->limit) {
199 /* do nothing */
200 } else {
201 crypto_free(stream->limit);
202 }
203
204 /*
205 * deallocate rtcp cipher, if it is not the same as that in
206 * template
207 */
208 if (session->stream_template
209 && stream->rtcp_cipher == session->stream_template->rtcp_cipher) {
210 /* do nothing */
211 } else {
212 status = cipher_dealloc(stream->rtcp_cipher);
213 if (status)
214 return status;
215 }
216
217 /*
218 * deallocate rtcp auth function, if it is not the same as that in
219 * template
220 */
221 if (session->stream_template
222 && stream->rtcp_auth == session->stream_template->rtcp_auth) {
223 /* do nothing */
224 } else {
225 status = auth_dealloc(stream->rtcp_auth);
226 if (status)
227 return status;
228 }
229
230 status = rdbx_dealloc(&stream->rtp_rdbx);
231 if (status)
232 return status;
233
234 /* DAM - need to deallocate EKT here */
235
236 /* deallocate srtp stream context */
237 crypto_free(stream);
238
239 return err_status_ok;
240 }
241
242
243 /*
244 * srtp_stream_clone(stream_template, new) allocates a new stream and
245 * initializes it using the cipher and auth of the stream_template
246 *
247 * the only unique data in a cloned stream is the replay database and
248 * the SSRC
249 */
250
251 err_status_t
252 srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
253 uint32_t ssrc,
254 srtp_stream_ctx_t **str_ptr) {
255 err_status_t status;
256 srtp_stream_ctx_t *str;
257
258 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
259
260 /* allocate srtp stream and set str_ptr */
261 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
262 if (str == NULL)
263 return err_status_alloc_fail;
264 *str_ptr = str;
265
266 /* set cipher and auth pointers to those of the template */
267 str->rtp_cipher = stream_template->rtp_cipher;
268 str->rtp_auth = stream_template->rtp_auth;
269 str->rtcp_cipher = stream_template->rtcp_cipher;
270 str->rtcp_auth = stream_template->rtcp_auth;
271
272 /* set key limit to point to that of the template */
273 status = key_limit_clone(stream_template->limit, &str->limit);
274 if (status)
275 return status;
276
277 /* initialize replay databases */
278 status = rdbx_init(&str->rtp_rdbx,
279 rdbx_get_window_size(&stream_template->rtp_rdbx));
280 if (status)
281 return status;
282 rdb_init(&str->rtcp_rdb);
283 str->allow_repeat_tx = stream_template->allow_repeat_tx;
284
285 /* set ssrc to that provided */
286 str->ssrc = ssrc;
287
288 /* set direction and security services */
289 str->direction = stream_template->direction;
290 str->rtp_services = stream_template->rtp_services;
291 str->rtcp_services = stream_template->rtcp_services;
292
293 /* set pointer to EKT data associated with stream */
294 str->ekt = stream_template->ekt;
295
296 /* defensive coding */
297 str->next = NULL;
298
299 return err_status_ok;
300 }
301
302
303 /*
304 * key derivation functions, internal to libSRTP
305 *
306 * srtp_kdf_t is a key derivation context
307 *
308 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher
309 * described by cipher_id, with the master key k with length in octets keylen.
310 *
311 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
312 * corresponding to label l and puts it into kl; the length
313 * of the key in octets is provided as keylen. this function
314 * should be called once for each subkey that is derived.
315 *
316 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state
317 */
318
319 typedef enum {
320 label_rtp_encryption = 0x00,
321 label_rtp_msg_auth = 0x01,
322 label_rtp_salt = 0x02,
323 label_rtcp_encryption = 0x03,
324 label_rtcp_msg_auth = 0x04,
325 label_rtcp_salt = 0x05
326 } srtp_prf_label;
327
328
329 /*
330 * srtp_kdf_t represents a key derivation function. The SRTP
331 * default KDF is the only one implemented at present.
332 */
333
334 typedef struct {
335 cipher_t *cipher; /* cipher used for key derivation */
336 } srtp_kdf_t;
337
338 err_status_t
339 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, i nt length) {
340
341 err_status_t stat;
342 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length);
343 if (stat)
344 return stat;
345
346 stat = cipher_init(kdf->cipher, key, direction_encrypt);
347 if (stat) {
348 cipher_dealloc(kdf->cipher);
349 return stat;
350 }
351
352 return err_status_ok;
353 }
354
355 err_status_t
356 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
357 uint8_t *key, unsigned length) {
358
359 v128_t nonce;
360 err_status_t status;
361
362 /* set eigth octet of nonce to <label>, set the rest of it to zero */
363 v128_set_to_zero(&nonce);
364 nonce.v8[7] = label;
365
366 status = cipher_set_iv(kdf->cipher, &nonce);
367 if (status)
368 return status;
369
370 /* generate keystream output */
371 octet_string_set_to_zero(key, length);
372 status = cipher_encrypt(kdf->cipher, key, &length);
373 if (status)
374 return status;
375
376 return err_status_ok;
377 }
378
379 err_status_t
380 srtp_kdf_clear(srtp_kdf_t *kdf) {
381 err_status_t status;
382 status = cipher_dealloc(kdf->cipher);
383 if (status)
384 return status;
385 kdf->cipher = NULL;
386
387 return err_status_ok;
388 }
389
390 /*
391 * end of key derivation functions
392 */
393
394 #define MAX_SRTP_KEY_LEN 256
395
396
397 /* Get the base key length corresponding to a given combined key+salt
398 * length for the given cipher.
399 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using
400 * AES-128 and short salts; everything else uses a salt length of 14.
401 * TODO: key and salt lengths should be separate fields in the policy. */
402 inline int base_key_length(const cipher_type_t *cipher, int key_length)
403 {
404 if (cipher->id != AES_ICM)
405 return key_length;
406 else if (key_length > 16 && key_length < 30)
407 return 16;
408 return key_length - 14;
409 }
410
411 err_status_t
412 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
413 err_status_t stat;
414 srtp_kdf_t kdf;
415 uint8_t tmp_key[MAX_SRTP_KEY_LEN];
416 int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
417 int rtp_base_key_len, rtp_salt_len;
418 int rtcp_base_key_len, rtcp_salt_len;
419
420 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
421 /* TODO: kdf algorithm, master key length, and master salt length should
422 * be part of srtp_policy_t. */
423 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher);
424 if (rtp_keylen > kdf_keylen)
425 kdf_keylen = rtp_keylen;
426
427 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher);
428 if (rtcp_keylen > kdf_keylen)
429 kdf_keylen = rtcp_keylen;
430
431 /* initialize KDF state */
432 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)key, kdf_keylen);
433 if (stat) {
434 return err_status_init_fail;
435 }
436
437 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
438 rtp_salt_len = rtp_keylen - rtp_base_key_len;
439
440 /* generate encryption key */
441 stat = srtp_kdf_generate(&kdf, label_rtp_encryption,
442 tmp_key, rtp_base_key_len);
443 if (stat) {
444 /* zeroize temp buffer */
445 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
446 return err_status_init_fail;
447 }
448
449 /*
450 * if the cipher in the srtp context uses a salt, then we need
451 * to generate the salt value
452 */
453 if (rtp_salt_len > 0) {
454 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
455
456 /* generate encryption salt, put after encryption key */
457 stat = srtp_kdf_generate(&kdf, label_rtp_salt,
458 tmp_key + rtp_base_key_len, rtp_salt_len);
459 if (stat) {
460 /* zeroize temp buffer */
461 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
462 return err_status_init_fail;
463 }
464 }
465 debug_print(mod_srtp, "cipher key: %s",
466 octet_string_hex_string(tmp_key, rtp_keylen));
467
468 /* initialize cipher */
469 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any);
470 if (stat) {
471 /* zeroize temp buffer */
472 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
473 return err_status_init_fail;
474 }
475
476 /* generate authentication key */
477 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth,
478 tmp_key, auth_get_key_length(srtp->rtp_auth));
479 if (stat) {
480 /* zeroize temp buffer */
481 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
482 return err_status_init_fail;
483 }
484 debug_print(mod_srtp, "auth key: %s",
485 octet_string_hex_string(tmp_key,
486 auth_get_key_length(srtp->rtp_auth)));
487
488 /* initialize auth function */
489 stat = auth_init(srtp->rtp_auth, tmp_key);
490 if (stat) {
491 /* zeroize temp buffer */
492 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
493 return err_status_init_fail;
494 }
495
496 /*
497 * ...now initialize SRTCP keys
498 */
499
500 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen);
501 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
502
503 /* generate encryption key */
504 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption,
505 tmp_key, rtcp_base_key_len);
506 if (stat) {
507 /* zeroize temp buffer */
508 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
509 return err_status_init_fail;
510 }
511
512 /*
513 * if the cipher in the srtp context uses a salt, then we need
514 * to generate the salt value
515 */
516 if (rtcp_salt_len > 0) {
517 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
518 NULL);
519
520 /* generate encryption salt, put after encryption key */
521 stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
522 tmp_key + rtcp_base_key_len, rtcp_salt_len);
523 if (stat) {
524 /* zeroize temp buffer */
525 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
526 return err_status_init_fail;
527 }
528 }
529 debug_print(mod_srtp, "rtcp cipher key: %s",
530 octet_string_hex_string(tmp_key, rtcp_keylen));
531
532 /* initialize cipher */
533 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any);
534 if (stat) {
535 /* zeroize temp buffer */
536 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
537 return err_status_init_fail;
538 }
539
540 /* generate authentication key */
541 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
542 tmp_key, auth_get_key_length(srtp->rtcp_auth));
543 if (stat) {
544 /* zeroize temp buffer */
545 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
546 return err_status_init_fail;
547 }
548
549 debug_print(mod_srtp, "rtcp auth key: %s",
550 octet_string_hex_string(tmp_key,
551 auth_get_key_length(srtp->rtcp_auth)));
552
553 /* initialize auth function */
554 stat = auth_init(srtp->rtcp_auth, tmp_key);
555 if (stat) {
556 /* zeroize temp buffer */
557 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
558 return err_status_init_fail;
559 }
560
561 /* clear memory then return */
562 stat = srtp_kdf_clear(&kdf);
563 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
564 if (stat)
565 return err_status_init_fail;
566
567 return err_status_ok;
568 }
569
570 err_status_t
571 srtp_stream_init(srtp_stream_ctx_t *srtp,
572 const srtp_policy_t *p) {
573 err_status_t err;
574
575 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)",
576 p->ssrc.value);
577
578 /* initialize replay database */
579 /* window size MUST be at least 64. MAY be larger. Values more than
580 * 2^15 aren't meaningful due to how extended sequence numbers are
581 * calculated. Let a window size of 0 imply the default value. */
582
583 if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000))
584 return err_status_bad_param;
585
586 if (p->window_size != 0)
587 err = rdbx_init(&srtp->rtp_rdbx, p->window_size);
588 else
589 err = rdbx_init(&srtp->rtp_rdbx, 128);
590 if (err) return err;
591
592 /* initialize key limit to maximum value */
593 #ifdef NO_64BIT_MATH
594 {
595 uint64_t temp;
596 temp = make64(UINT_MAX,UINT_MAX);
597 key_limit_set(srtp->limit, temp);
598 }
599 #else
600 key_limit_set(srtp->limit, 0xffffffffffffLL);
601 #endif
602
603 /* set the SSRC value */
604 srtp->ssrc = htonl(p->ssrc.value);
605
606 /* set the security service flags */
607 srtp->rtp_services = p->rtp.sec_serv;
608 srtp->rtcp_services = p->rtcp.sec_serv;
609
610 /*
611 * set direction to unknown - this flag gets checked in srtp_protect(),
612 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
613 * gets set appropriately if it is set to unknown.
614 */
615 srtp->direction = dir_unknown;
616
617 /* initialize SRTCP replay database */
618 rdb_init(&srtp->rtcp_rdb);
619
620 /* initialize allow_repeat_tx */
621 /* guard against uninitialized memory: allow only 0 or 1 here */
622 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) {
623 rdbx_dealloc(&srtp->rtp_rdbx);
624 return err_status_bad_param;
625 }
626 srtp->allow_repeat_tx = p->allow_repeat_tx;
627
628 /* DAM - no RTCP key limit at present */
629
630 /* initialize keys */
631 err = srtp_stream_init_keys(srtp, p->key);
632 if (err) {
633 rdbx_dealloc(&srtp->rtp_rdbx);
634 return err;
635 }
636
637 /*
638 * if EKT is in use, then initialize the EKT data associated with
639 * the stream
640 */
641 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt);
642 if (err) {
643 rdbx_dealloc(&srtp->rtp_rdbx);
644 return err;
645 }
646
647 return err_status_ok;
648 }
649
650
651 /*
652 * srtp_event_reporter is an event handler function that merely
653 * reports the events that are reported by the callbacks
654 */
655
656 void
657 srtp_event_reporter(srtp_event_data_t *data) {
658
659 err_report(err_level_warning, "srtp: in stream 0x%x: ",
660 data->stream->ssrc);
661
662 switch(data->event) {
663 case event_ssrc_collision:
664 err_report(err_level_warning, "\tSSRC collision\n");
665 break;
666 case event_key_soft_limit:
667 err_report(err_level_warning, "\tkey usage soft limit reached\n");
668 break;
669 case event_key_hard_limit:
670 err_report(err_level_warning, "\tkey usage hard limit reached\n");
671 break;
672 case event_packet_index_limit:
673 err_report(err_level_warning, "\tpacket index limit reached\n");
674 break;
675 default:
676 err_report(err_level_warning, "\tunknown event reported to handler\n");
677 }
678 }
679
680 /*
681 * srtp_event_handler is a global variable holding a pointer to the
682 * event handler function; this function is called for any unexpected
683 * event that needs to be handled out of the SRTP data path. see
684 * srtp_event_t in srtp.h for more info
685 *
686 * it is okay to set srtp_event_handler to NULL, but we set
687 * it to the srtp_event_reporter.
688 */
689
690 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
691
692 err_status_t
693 srtp_install_event_handler(srtp_event_handler_func_t func) {
694
695 /*
696 * note that we accept NULL arguments intentionally - calling this
697 * function with a NULL arguments removes an event handler that's
698 * been previously installed
699 */
700
701 /* set global event handling function */
702 srtp_event_handler = func;
703 return err_status_ok;
704 }
705
706 err_status_t
707 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
708 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
709 uint32_t *enc_start; /* pointer to start of encrypted portion */
710 uint32_t *auth_start; /* pointer to start of auth. portion */
711 unsigned enc_octet_len = 0; /* number of octets in encrypted portion */
712 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
713 int delta; /* delta of local pkt idx and that in hdr */
714 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
715 err_status_t status;
716 int tag_len;
717 srtp_stream_ctx_t *stream;
718 int prefix_len;
719
720 debug_print(mod_srtp, "function srtp_protect", NULL);
721
722 /* we assume the hdr is 32-bit aligned to start */
723
724 /* check the packet length - it must at least contain a full header */
725 if (*pkt_octet_len < octets_in_rtp_header)
726 return err_status_bad_param;
727
728 /*
729 * look up ssrc in srtp_stream list, and process the packet with
730 * the appropriate stream. if we haven't seen this stream before,
731 * there's a template key for this srtp_session, and the cipher
732 * supports key-sharing, then we assume that a new stream using
733 * that key has just started up
734 */
735 stream = srtp_get_stream(ctx, hdr->ssrc);
736 if (stream == NULL) {
737 if (ctx->stream_template != NULL) {
738 srtp_stream_ctx_t *new_stream;
739
740 /* allocate and initialize a new stream */
741 status = srtp_stream_clone(ctx->stream_template,
742 hdr->ssrc, &new_stream);
743 if (status)
744 return status;
745
746 /* add new stream to the head of the stream_list */
747 new_stream->next = ctx->stream_list;
748 ctx->stream_list = new_stream;
749
750 /* set direction to outbound */
751 new_stream->direction = dir_srtp_sender;
752
753 /* set stream (the pointer used in this function) */
754 stream = new_stream;
755 } else {
756 /* no template stream, so we return an error */
757 return err_status_no_ctx;
758 }
759 }
760
761 /*
762 * verify that stream is for sending traffic - this check will
763 * detect SSRC collisions, since a stream that appears in both
764 * srtp_protect() and srtp_unprotect() will fail this test in one of
765 * those functions.
766 */
767 if (stream->direction != dir_srtp_sender) {
768 if (stream->direction == dir_unknown) {
769 stream->direction = dir_srtp_sender;
770 } else {
771 srtp_handle_event(ctx, stream, event_ssrc_collision);
772 }
773 }
774
775 /*
776 * update the key usage limit, and check it to make sure that we
777 * didn't just hit either the soft limit or the hard limit, and call
778 * the event handler if we hit either.
779 */
780 switch(key_limit_update(stream->limit)) {
781 case key_event_normal:
782 break;
783 case key_event_soft_limit:
784 srtp_handle_event(ctx, stream, event_key_soft_limit);
785 break;
786 case key_event_hard_limit:
787 srtp_handle_event(ctx, stream, event_key_hard_limit);
788 return err_status_key_expired;
789 default:
790 break;
791 }
792
793 /* get tag length from stream */
794 tag_len = auth_get_tag_length(stream->rtp_auth);
795
796 /*
797 * find starting point for encryption and length of data to be
798 * encrypted - the encrypted portion starts after the rtp header
799 * extension, if present; otherwise, it starts after the last csrc,
800 * if any are present
801 *
802 * if we're not providing confidentiality, set enc_start to NULL
803 */
804 if (stream->rtp_services & sec_serv_conf) {
805 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
806 if (hdr->x == 1) {
807 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
808 enc_start += (ntohs(xtn_hdr->length) + 1);
809 }
810 enc_octet_len = (unsigned int)(*pkt_octet_len
811 - ((enc_start - (uint32_t *)hdr) << 2));
812 } else {
813 enc_start = NULL;
814 }
815
816 /*
817 * if we're providing authentication, set the auth_start and auth_tag
818 * pointers to the proper locations; otherwise, set auth_start to NULL
819 * to indicate that no authentication is needed
820 */
821 if (stream->rtp_services & sec_serv_auth) {
822 auth_start = (uint32_t *)hdr;
823 auth_tag = (uint8_t *)hdr + *pkt_octet_len;
824 } else {
825 auth_start = NULL;
826 auth_tag = NULL;
827 }
828
829 /*
830 * estimate the packet index using the start of the replay window
831 * and the sequence number from the header
832 */
833 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
834 status = rdbx_check(&stream->rtp_rdbx, delta);
835 if (status) {
836 if (status != err_status_replay_fail || !stream->allow_repeat_tx)
837 return status; /* we've been asked to reuse an index */
838 }
839 else
840 rdbx_add_index(&stream->rtp_rdbx, delta);
841
842 #ifdef NO_64BIT_MATH
843 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
844 high32(est),low32(est));
845 #else
846 debug_print(mod_srtp, "estimated packet index: %016llx", est);
847 #endif
848
849 /*
850 * if we're using rindael counter mode, set nonce and seq
851 */
852 if (stream->rtp_cipher->type->id == AES_ICM) {
853 v128_t iv;
854
855 iv.v32[0] = 0;
856 iv.v32[1] = hdr->ssrc;
857 #ifdef NO_64BIT_MATH
858 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
859 low32(est) << 1 6));
860 #else
861 iv.v64[1] = be64_to_cpu(est << 16);
862 #endif
863 status = cipher_set_iv(stream->rtp_cipher, &iv);
864
865 } else {
866 v128_t iv;
867
868 /* otherwise, set the index to est */
869 #ifdef NO_64BIT_MATH
870 iv.v32[0] = 0;
871 iv.v32[1] = 0;
872 #else
873 iv.v64[0] = 0;
874 #endif
875 iv.v64[1] = be64_to_cpu(est);
876 status = cipher_set_iv(stream->rtp_cipher, &iv);
877 }
878 if (status)
879 return err_status_cipher_fail;
880
881 /* shift est, put into network byte order */
882 #ifdef NO_64BIT_MATH
883 est = be64_to_cpu(make64((high32(est) << 16) |
884 (low32(est) >> 16),
885 low32(est) << 16));
886 #else
887 est = be64_to_cpu(est << 16);
888 #endif
889
890 /*
891 * if we're authenticating using a universal hash, put the keystream
892 * prefix into the authentication tag
893 */
894 if (auth_start) {
895
896 prefix_len = auth_get_prefix_length(stream->rtp_auth);
897 if (prefix_len) {
898 status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len);
899 if (status)
900 return err_status_cipher_fail;
901 debug_print(mod_srtp, "keystream prefix: %s",
902 octet_string_hex_string(auth_tag, prefix_len));
903 }
904 }
905
906 /* if we're encrypting, exor keystream into the message */
907 if (enc_start) {
908 status = cipher_encrypt(stream->rtp_cipher,
909 (uint8_t *)enc_start, &enc_octet_len);
910 if (status)
911 return err_status_cipher_fail;
912 }
913
914 /*
915 * if we're authenticating, run authentication function and put result
916 * into the auth_tag
917 */
918 if (auth_start) {
919
920 /* initialize auth func context */
921 status = auth_start(stream->rtp_auth);
922 if (status) return status;
923
924 /* run auth func over packet */
925 status = auth_update(stream->rtp_auth,
926 (uint8_t *)auth_start, *pkt_octet_len);
927 if (status) return status;
928
929 /* run auth func over ROC, put result into auth_tag */
930 debug_print(mod_srtp, "estimated packet index: %016llx", est);
931 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);
932 debug_print(mod_srtp, "srtp auth tag: %s",
933 octet_string_hex_string(auth_tag, tag_len));
934 if (status)
935 return err_status_auth_fail;
936
937 }
938
939 if (auth_tag) {
940
941 /* increase the packet length by the length of the auth tag */
942 *pkt_octet_len += tag_len;
943 }
944
945 return err_status_ok;
946 }
947
948
949 err_status_t
950 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
951 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
952 uint32_t *enc_start; /* pointer to start of encrypted portion */
953 uint32_t *auth_start; /* pointer to start of auth. portion */
954 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
955 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
956 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
957 int delta; /* delta of local pkt idx and that in hdr */
958 v128_t iv;
959 err_status_t status;
960 srtp_stream_ctx_t *stream;
961 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
962 int tag_len, prefix_len;
963
964 debug_print(mod_srtp, "function srtp_unprotect", NULL);
965
966 /* we assume the hdr is 32-bit aligned to start */
967
968 /* check the packet length - it must at least contain a full header */
969 if (*pkt_octet_len < octets_in_rtp_header)
970 return err_status_bad_param;
971
972 /*
973 * look up ssrc in srtp_stream list, and process the packet with
974 * the appropriate stream. if we haven't seen this stream before,
975 * there's only one key for this srtp_session, and the cipher
976 * supports key-sharing, then we assume that a new stream using
977 * that key has just started up
978 */
979 stream = srtp_get_stream(ctx, hdr->ssrc);
980 if (stream == NULL) {
981 if (ctx->stream_template != NULL) {
982 stream = ctx->stream_template;
983 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
984 hdr->ssrc);
985
986 /*
987 * set estimated packet index to sequence number from header,
988 * and set delta equal to the same value
989 */
990 #ifdef NO_64BIT_MATH
991 est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq));
992 delta = low32(est);
993 #else
994 est = (xtd_seq_num_t) ntohs(hdr->seq);
995 delta = (int)est;
996 #endif
997 } else {
998
999 /*
1000 * no stream corresponding to SSRC found, and we don't do
1001 * key-sharing, so return an error
1002 */
1003 return err_status_no_ctx;
1004 }
1005 } else {
1006
1007 /* estimate packet index from seq. num. in header */
1008 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
1009
1010 /* check replay database */
1011 status = rdbx_check(&stream->rtp_rdbx, delta);
1012 if (status)
1013 return status;
1014 }
1015
1016 #ifdef NO_64BIT_MATH
1017 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32 (est));
1018 #else
1019 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1020 #endif
1021
1022 /* get tag length from stream */
1023 tag_len = auth_get_tag_length(stream->rtp_auth);
1024
1025 /*
1026 * set the cipher's IV properly, depending on whatever cipher we
1027 * happen to be using
1028 */
1029 if (stream->rtp_cipher->type->id == AES_ICM) {
1030
1031 /* aes counter mode */
1032 iv.v32[0] = 0;
1033 iv.v32[1] = hdr->ssrc; /* still in network order */
1034 #ifdef NO_64BIT_MATH
1035 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
1036 low32(est) << 16));
1037 #else
1038 iv.v64[1] = be64_to_cpu(est << 16);
1039 #endif
1040 status = cipher_set_iv(stream->rtp_cipher, &iv);
1041 } else {
1042
1043 /* no particular format - set the iv to the pakcet index */
1044 #ifdef NO_64BIT_MATH
1045 iv.v32[0] = 0;
1046 iv.v32[1] = 0;
1047 #else
1048 iv.v64[0] = 0;
1049 #endif
1050 iv.v64[1] = be64_to_cpu(est);
1051 status = cipher_set_iv(stream->rtp_cipher, &iv);
1052 }
1053 if (status)
1054 return err_status_cipher_fail;
1055
1056 /* shift est, put into network byte order */
1057 #ifdef NO_64BIT_MATH
1058 est = be64_to_cpu(make64((high32(est) << 16) |
1059 (low32(est) >> 16),
1060 low32(est) << 16));
1061 #else
1062 est = be64_to_cpu(est << 16);
1063 #endif
1064
1065 /*
1066 * find starting point for decryption and length of data to be
1067 * decrypted - the encrypted portion starts after the rtp header
1068 * extension, if present; otherwise, it starts after the last csrc,
1069 * if any are present
1070 *
1071 * if we're not providing confidentiality, set enc_start to NULL
1072 */
1073 if (stream->rtp_services & sec_serv_conf) {
1074 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1075 if (hdr->x == 1) {
1076 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1077 enc_start += (ntohs(xtn_hdr->length) + 1);
1078 }
1079 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
1080 - ((enc_start - (uint32_t *)hdr) << 2));
1081 } else {
1082 enc_start = NULL;
1083 }
1084
1085 /*
1086 * if we're providing authentication, set the auth_start and auth_tag
1087 * pointers to the proper locations; otherwise, set auth_start to NULL
1088 * to indicate that no authentication is needed
1089 */
1090 if (stream->rtp_services & sec_serv_auth) {
1091 auth_start = (uint32_t *)hdr;
1092 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
1093 } else {
1094 auth_start = NULL;
1095 auth_tag = NULL;
1096 }
1097
1098 /*
1099 * if we expect message authentication, run the authentication
1100 * function and compare the result with the value of the auth_tag
1101 */
1102 if (auth_start) {
1103
1104 /*
1105 * if we're using a universal hash, then we need to compute the
1106 * keystream prefix for encrypting the universal hash output
1107 *
1108 * if the keystream prefix length is zero, then we know that
1109 * the authenticator isn't using a universal hash function
1110 */
1111 if (stream->rtp_auth->prefix_len != 0) {
1112
1113 prefix_len = auth_get_prefix_length(stream->rtp_auth);
1114 status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len);
1115 debug_print(mod_srtp, "keystream prefix: %s",
1116 octet_string_hex_string(tmp_tag, prefix_len));
1117 if (status)
1118 return err_status_cipher_fail;
1119 }
1120
1121 /* initialize auth func context */
1122 status = auth_start(stream->rtp_auth);
1123 if (status) return status;
1124
1125 /* now compute auth function over packet */
1126 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,
1127 *pkt_octet_len - tag_len);
1128
1129 /* run auth func over ROC, then write tmp tag */
1130 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);
1131
1132 debug_print(mod_srtp, "computed auth tag: %s",
1133 octet_string_hex_string(tmp_tag, tag_len));
1134 debug_print(mod_srtp, "packet auth tag: %s",
1135 octet_string_hex_string(auth_tag, tag_len));
1136 if (status)
1137 return err_status_auth_fail;
1138
1139 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1140 return err_status_auth_fail;
1141 }
1142
1143 /*
1144 * update the key usage limit, and check it to make sure that we
1145 * didn't just hit either the soft limit or the hard limit, and call
1146 * the event handler if we hit either.
1147 */
1148 switch(key_limit_update(stream->limit)) {
1149 case key_event_normal:
1150 break;
1151 case key_event_soft_limit:
1152 srtp_handle_event(ctx, stream, event_key_soft_limit);
1153 break;
1154 case key_event_hard_limit:
1155 srtp_handle_event(ctx, stream, event_key_hard_limit);
1156 return err_status_key_expired;
1157 default:
1158 break;
1159 }
1160
1161 /* if we're decrypting, add keystream into ciphertext */
1162 if (enc_start) {
1163 status = cipher_decrypt(stream->rtp_cipher,
1164 (uint8_t *)enc_start, &enc_octet_len);
1165 if (status)
1166 return err_status_cipher_fail;
1167 }
1168
1169 /*
1170 * verify that stream is for received traffic - this check will
1171 * detect SSRC collisions, since a stream that appears in both
1172 * srtp_protect() and srtp_unprotect() will fail this test in one of
1173 * those functions.
1174 *
1175 * we do this check *after* the authentication check, so that the
1176 * latter check will catch any attempts to fool us into thinking
1177 * that we've got a collision
1178 */
1179 if (stream->direction != dir_srtp_receiver) {
1180 if (stream->direction == dir_unknown) {
1181 stream->direction = dir_srtp_receiver;
1182 } else {
1183 srtp_handle_event(ctx, stream, event_ssrc_collision);
1184 }
1185 }
1186
1187 /*
1188 * if the stream is a 'provisional' one, in which the template context
1189 * is used, then we need to allocate a new stream at this point, since
1190 * the authentication passed
1191 */
1192 if (stream == ctx->stream_template) {
1193 srtp_stream_ctx_t *new_stream;
1194
1195 /*
1196 * allocate and initialize a new stream
1197 *
1198 * note that we indicate failure if we can't allocate the new
1199 * stream, and some implementations will want to not return
1200 * failure here
1201 */
1202 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1203 if (status)
1204 return status;
1205
1206 /* add new stream to the head of the stream_list */
1207 new_stream->next = ctx->stream_list;
1208 ctx->stream_list = new_stream;
1209
1210 /* set stream (the pointer used in this function) */
1211 stream = new_stream;
1212 }
1213
1214 /*
1215 * the message authentication function passed, so add the packet
1216 * index into the replay database
1217 */
1218 rdbx_add_index(&stream->rtp_rdbx, delta);
1219
1220 /* decrease the packet length by the length of the auth tag */
1221 *pkt_octet_len -= tag_len;
1222
1223 return err_status_ok;
1224 }
1225
1226 err_status_t
1227 srtp_init() {
1228 err_status_t status;
1229
1230 /* initialize crypto kernel */
1231 status = crypto_kernel_init();
1232 if (status)
1233 return status;
1234
1235 /* load srtp debug module into the kernel */
1236 status = crypto_kernel_load_debug_module(&mod_srtp);
1237 if (status)
1238 return status;
1239
1240 return err_status_ok;
1241 }
1242
1243 err_status_t
1244 srtp_shutdown() {
1245 err_status_t status;
1246
1247 /* shut down crypto kernel */
1248 status = crypto_kernel_shutdown();
1249 if (status)
1250 return status;
1251
1252 /* shutting down crypto kernel frees the srtp debug module as well */
1253
1254 return err_status_ok;
1255 }
1256
1257
1258 /*
1259 * The following code is under consideration for removal. See
1260 * SRTP_MAX_TRAILER_LEN
1261 */
1262 #if 0
1263
1264 /*
1265 * srtp_get_trailer_length(&a) returns the number of octets that will
1266 * be added to an RTP packet by the SRTP processing. This value
1267 * is constant for a given srtp_stream_t (i.e. between initializations).
1268 */
1269
1270 int
1271 srtp_get_trailer_length(const srtp_stream_t s) {
1272 return auth_get_tag_length(s->rtp_auth);
1273 }
1274
1275 #endif
1276
1277 /*
1278 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
1279 * to ssrc, or NULL if no stream exists for that ssrc
1280 *
1281 * this is an internal function
1282 */
1283
1284 srtp_stream_ctx_t *
1285 srtp_get_stream(srtp_t srtp, uint32_t ssrc) {
1286 srtp_stream_ctx_t *stream;
1287
1288 /* walk down list until ssrc is found */
1289 stream = srtp->stream_list;
1290 while (stream != NULL) {
1291 if (stream->ssrc == ssrc)
1292 return stream;
1293 stream = stream->next;
1294 }
1295
1296 /* we haven't found our ssrc, so return a null */
1297 return NULL;
1298 }
1299
1300 err_status_t
1301 srtp_dealloc(srtp_t session) {
1302 srtp_stream_ctx_t *stream;
1303 err_status_t status;
1304
1305 /*
1306 * we take a conservative deallocation strategy - if we encounter an
1307 * error deallocating a stream, then we stop trying to deallocate
1308 * memory and just return an error
1309 */
1310
1311 /* walk list of streams, deallocating as we go */
1312 stream = session->stream_list;
1313 while (stream != NULL) {
1314 srtp_stream_t next = stream->next;
1315 status = srtp_stream_dealloc(session, stream);
1316 if (status)
1317 return status;
1318 stream = next;
1319 }
1320
1321 /* deallocate stream template, if there is one */
1322 if (session->stream_template != NULL) {
1323 status = auth_dealloc(session->stream_template->rtcp_auth);
1324 if (status)
1325 return status;
1326 status = cipher_dealloc(session->stream_template->rtcp_cipher);
1327 if (status)
1328 return status;
1329 crypto_free(session->stream_template->limit);
1330 status = cipher_dealloc(session->stream_template->rtp_cipher);
1331 if (status)
1332 return status;
1333 status = auth_dealloc(session->stream_template->rtp_auth);
1334 if (status)
1335 return status;
1336 status = rdbx_dealloc(&session->stream_template->rtp_rdbx);
1337 if (status)
1338 return status;
1339 crypto_free(session->stream_template);
1340 }
1341
1342 /* deallocate session context */
1343 crypto_free(session);
1344
1345 return err_status_ok;
1346 }
1347
1348
1349 err_status_t
1350 srtp_add_stream(srtp_t session,
1351 const srtp_policy_t *policy) {
1352 err_status_t status;
1353 srtp_stream_t tmp;
1354
1355 /* sanity check arguments */
1356 if ((session == NULL) || (policy == NULL) || (policy->key == NULL))
1357 return err_status_bad_param;
1358
1359 /* allocate stream */
1360 status = srtp_stream_alloc(&tmp, policy);
1361 if (status) {
1362 return status;
1363 }
1364
1365 /* initialize stream */
1366 status = srtp_stream_init(tmp, policy);
1367 if (status) {
1368 crypto_free(tmp);
1369 return status;
1370 }
1371
1372 /*
1373 * set the head of the stream list or the template to point to the
1374 * stream that we've just alloced and init'ed, depending on whether
1375 * or not it has a wildcard SSRC value or not
1376 *
1377 * if the template stream has already been set, then the policy is
1378 * inconsistent, so we return a bad_param error code
1379 */
1380 switch (policy->ssrc.type) {
1381 case (ssrc_any_outbound):
1382 if (session->stream_template) {
1383 return err_status_bad_param;
1384 }
1385 session->stream_template = tmp;
1386 session->stream_template->direction = dir_srtp_sender;
1387 break;
1388 case (ssrc_any_inbound):
1389 if (session->stream_template) {
1390 return err_status_bad_param;
1391 }
1392 session->stream_template = tmp;
1393 session->stream_template->direction = dir_srtp_receiver;
1394 break;
1395 case (ssrc_specific):
1396 tmp->next = session->stream_list;
1397 session->stream_list = tmp;
1398 break;
1399 case (ssrc_undefined):
1400 default:
1401 crypto_free(tmp);
1402 return err_status_bad_param;
1403 }
1404
1405 return err_status_ok;
1406 }
1407
1408
1409 err_status_t
1410 srtp_create(srtp_t *session, /* handle for session */
1411 const srtp_policy_t *policy) { /* SRTP policy (list) */
1412 err_status_t stat;
1413 srtp_ctx_t *ctx;
1414
1415 /* sanity check arguments */
1416 if (session == NULL)
1417 return err_status_bad_param;
1418
1419 /* allocate srtp context and set ctx_ptr */
1420 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));
1421 if (ctx == NULL)
1422 return err_status_alloc_fail;
1423 *session = ctx;
1424
1425 /*
1426 * loop over elements in the policy list, allocating and
1427 * initializing a stream for each element
1428 */
1429 ctx->stream_template = NULL;
1430 ctx->stream_list = NULL;
1431 while (policy != NULL) {
1432
1433 stat = srtp_add_stream(ctx, policy);
1434 if (stat) {
1435 /* clean up everything */
1436 srtp_dealloc(*session);
1437 return stat;
1438 }
1439
1440 /* set policy to next item in list */
1441 policy = policy->next;
1442 }
1443
1444 return err_status_ok;
1445 }
1446
1447
1448 err_status_t
1449 srtp_remove_stream(srtp_t session, uint32_t ssrc) {
1450 srtp_stream_ctx_t *stream, *last_stream;
1451 err_status_t status;
1452
1453 /* sanity check arguments */
1454 if (session == NULL)
1455 return err_status_bad_param;
1456
1457 /* find stream in list; complain if not found */
1458 last_stream = stream = session->stream_list;
1459 while ((stream != NULL) && (ssrc != stream->ssrc)) {
1460 last_stream = stream;
1461 stream = stream->next;
1462 }
1463 if (stream == NULL)
1464 return err_status_no_ctx;
1465
1466 /* remove stream from the list */
1467 if (last_stream == stream)
1468 /* stream was first in list */
1469 session->stream_list = stream->next;
1470 else
1471 last_stream->next = stream->next;
1472
1473 /* deallocate the stream */
1474 status = srtp_stream_dealloc(session, stream);
1475 if (status)
1476 return status;
1477
1478 return err_status_ok;
1479 }
1480
1481
1482 /*
1483 * the default policy - provides a convenient way for callers to use
1484 * the default security policy
1485 *
1486 * this policy is that defined in the current SRTP internet draft.
1487 *
1488 */
1489
1490 /*
1491 * NOTE: cipher_key_len is really key len (128 bits) plus salt len
1492 * (112 bits)
1493 */
1494 /* There are hard-coded 16's for base_key_len in the key generation code */
1495
1496 void
1497 crypto_policy_set_rtp_default(crypto_policy_t *p) {
1498
1499 p->cipher_type = AES_ICM;
1500 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1501 p->auth_type = HMAC_SHA1;
1502 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1503 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1504 p->sec_serv = sec_serv_conf_and_auth;
1505
1506 }
1507
1508 void
1509 crypto_policy_set_rtcp_default(crypto_policy_t *p) {
1510
1511 p->cipher_type = AES_ICM;
1512 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1513 p->auth_type = HMAC_SHA1;
1514 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1515 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1516 p->sec_serv = sec_serv_conf_and_auth;
1517
1518 }
1519
1520 void
1521 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {
1522
1523 /*
1524 * corresponds to RFC 4568
1525 *
1526 * note that this crypto policy is intended for SRTP, but not SRTCP
1527 */
1528
1529 p->cipher_type = AES_ICM;
1530 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1531 p->auth_type = HMAC_SHA1;
1532 p->auth_key_len = 20; /* 160 bit key */
1533 p->auth_tag_len = 4; /* 32 bit tag */
1534 p->sec_serv = sec_serv_conf_and_auth;
1535
1536 }
1537
1538
1539 void
1540 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {
1541
1542 /*
1543 * corresponds to RFC 4568
1544 *
1545 * note that this crypto policy is intended for SRTP, but not SRTCP
1546 */
1547
1548 p->cipher_type = AES_ICM;
1549 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1550 p->auth_type = NULL_AUTH;
1551 p->auth_key_len = 0;
1552 p->auth_tag_len = 0;
1553 p->sec_serv = sec_serv_conf;
1554
1555 }
1556
1557
1558 void
1559 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {
1560
1561 /*
1562 * corresponds to RFC 4568
1563 */
1564
1565 p->cipher_type = NULL_CIPHER;
1566 p->cipher_key_len = 0;
1567 p->auth_type = HMAC_SHA1;
1568 p->auth_key_len = 20;
1569 p->auth_tag_len = 10;
1570 p->sec_serv = sec_serv_auth;
1571
1572 }
1573
1574
1575 void
1576 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) {
1577
1578 /*
1579 * corresponds to draft-ietf-avt-big-aes-03.txt
1580 */
1581
1582 p->cipher_type = AES_ICM;
1583 p->cipher_key_len = 46;
1584 p->auth_type = HMAC_SHA1;
1585 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1586 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1587 p->sec_serv = sec_serv_conf_and_auth;
1588 }
1589
1590
1591 void
1592 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) {
1593
1594 /*
1595 * corresponds to draft-ietf-avt-big-aes-03.txt
1596 *
1597 * note that this crypto policy is intended for SRTP, but not SRTCP
1598 */
1599
1600 p->cipher_type = AES_ICM;
1601 p->cipher_key_len = 46;
1602 p->auth_type = HMAC_SHA1;
1603 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1604 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */
1605 p->sec_serv = sec_serv_conf_and_auth;
1606 }
1607
1608
1609 /*
1610 * secure rtcp functions
1611 */
1612
1613 err_status_t
1614 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
1615 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
1616 uint32_t *enc_start; /* pointer to start of encrypted portion */
1617 uint32_t *auth_start; /* pointer to start of auth. portion */
1618 uint32_t *trailer; /* pointer to start of trailer */
1619 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1620 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1621 err_status_t status;
1622 int tag_len;
1623 srtp_stream_ctx_t *stream;
1624 int prefix_len;
1625 uint32_t seq_num;
1626
1627 /* we assume the hdr is 32-bit aligned to start */
1628 /*
1629 * look up ssrc in srtp_stream list, and process the packet with
1630 * the appropriate stream. if we haven't seen this stream before,
1631 * there's only one key for this srtp_session, and the cipher
1632 * supports key-sharing, then we assume that a new stream using
1633 * that key has just started up
1634 */
1635 stream = srtp_get_stream(ctx, hdr->ssrc);
1636 if (stream == NULL) {
1637 if (ctx->stream_template != NULL) {
1638 srtp_stream_ctx_t *new_stream;
1639
1640 /* allocate and initialize a new stream */
1641 status = srtp_stream_clone(ctx->stream_template,
1642 hdr->ssrc, &new_stream);
1643 if (status)
1644 return status;
1645
1646 /* add new stream to the head of the stream_list */
1647 new_stream->next = ctx->stream_list;
1648 ctx->stream_list = new_stream;
1649
1650 /* set stream (the pointer used in this function) */
1651 stream = new_stream;
1652 } else {
1653 /* no template stream, so we return an error */
1654 return err_status_no_ctx;
1655 }
1656 }
1657
1658 /*
1659 * verify that stream is for sending traffic - this check will
1660 * detect SSRC collisions, since a stream that appears in both
1661 * srtp_protect() and srtp_unprotect() will fail this test in one of
1662 * those functions.
1663 */
1664 if (stream->direction != dir_srtp_sender) {
1665 if (stream->direction == dir_unknown) {
1666 stream->direction = dir_srtp_sender;
1667 } else {
1668 srtp_handle_event(ctx, stream, event_ssrc_collision);
1669 }
1670 }
1671
1672 /* get tag length from stream context */
1673 tag_len = auth_get_tag_length(stream->rtcp_auth);
1674
1675 /*
1676 * set encryption start and encryption length - if we're not
1677 * providing confidentiality, set enc_start to NULL
1678 */
1679 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1680 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
1681
1682 /* all of the packet, except the header, gets encrypted */
1683 /* NOTE: hdr->length is not usable - it refers to only the first
1684 RTCP report in the compound packet! */
1685 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1686 multiples of 32-bits (RFC 3550 6.1) */
1687 trailer = (uint32_t *) ((char *)enc_start + enc_octet_len);
1688
1689 if (stream->rtcp_services & sec_serv_conf) {
1690 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
1691 } else {
1692 enc_start = NULL;
1693 enc_octet_len = 0;
1694 /* 0 is network-order independant */
1695 *trailer = 0x00000000; /* set encrypt bit */
1696 }
1697
1698 /*
1699 * set the auth_start and auth_tag pointers to the proper locations
1700 * (note that srtpc *always* provides authentication, unlike srtp)
1701 */
1702 /* Note: This would need to change for optional mikey data */
1703 auth_start = (uint32_t *)hdr;
1704 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t);
1705
1706 /* perform EKT processing if needed */
1707 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
1708 rdbx_get_packet_index(&stream->rtp_rdbx));
1709
1710 /*
1711 * check sequence number for overruns, and copy it into the packet
1712 * if its value isn't too big
1713 */
1714 status = rdb_increment(&stream->rtcp_rdb);
1715 if (status)
1716 return status;
1717 seq_num = rdb_get_value(&stream->rtcp_rdb);
1718 *trailer |= htonl(seq_num);
1719 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1720
1721 /*
1722 * if we're using rindael counter mode, set nonce and seq
1723 */
1724 if (stream->rtcp_cipher->type->id == AES_ICM) {
1725 v128_t iv;
1726
1727 iv.v32[0] = 0;
1728 iv.v32[1] = hdr->ssrc; /* still in network order! */
1729 iv.v32[2] = htonl(seq_num >> 16);
1730 iv.v32[3] = htonl(seq_num << 16);
1731 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1732
1733 } else {
1734 v128_t iv;
1735
1736 /* otherwise, just set the index to seq_num */
1737 iv.v32[0] = 0;
1738 iv.v32[1] = 0;
1739 iv.v32[2] = 0;
1740 iv.v32[3] = htonl(seq_num);
1741 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1742 }
1743 if (status)
1744 return err_status_cipher_fail;
1745
1746 /*
1747 * if we're authenticating using a universal hash, put the keystream
1748 * prefix into the authentication tag
1749 */
1750
1751 /* if auth_start is non-null, then put keystream into tag */
1752 if (auth_start) {
1753
1754 /* put keystream prefix into auth_tag */
1755 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1756 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1757
1758 debug_print(mod_srtp, "keystream prefix: %s",
1759 octet_string_hex_string(auth_tag, prefix_len));
1760
1761 if (status)
1762 return err_status_cipher_fail;
1763 }
1764
1765 /* if we're encrypting, exor keystream into the message */
1766 if (enc_start) {
1767 status = cipher_encrypt(stream->rtcp_cipher,
1768 (uint8_t *)enc_start, &enc_octet_len);
1769 if (status)
1770 return err_status_cipher_fail;
1771 }
1772
1773 /* initialize auth func context */
1774 auth_start(stream->rtcp_auth);
1775
1776 /*
1777 * run auth func over packet (including trailer), and write the
1778 * result at auth_tag
1779 */
1780 status = auth_compute(stream->rtcp_auth,
1781 (uint8_t *)auth_start,
1782 (*pkt_octet_len) + sizeof(srtcp_trailer_t),
1783 auth_tag);
1784 debug_print(mod_srtp, "srtcp auth tag: %s",
1785 octet_string_hex_string(auth_tag, tag_len));
1786 if (status)
1787 return err_status_auth_fail;
1788
1789 /* increase the packet length by the length of the auth tag and seq_num*/
1790 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
1791
1792 return err_status_ok;
1793 }
1794
1795
1796 err_status_t
1797 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
1798 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
1799 uint32_t *enc_start; /* pointer to start of encrypted portion */
1800 uint32_t *auth_start; /* pointer to start of auth. portion */
1801 uint32_t *trailer; /* pointer to start of trailer */
1802 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1803 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1804 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
1805 uint8_t tag_copy[SRTP_MAX_TAG_LEN];
1806 err_status_t status;
1807 unsigned auth_len;
1808 int tag_len;
1809 srtp_stream_ctx_t *stream;
1810 int prefix_len;
1811 uint32_t seq_num;
1812
1813 /* we assume the hdr is 32-bit aligned to start */
1814 /*
1815 * look up ssrc in srtp_stream list, and process the packet with
1816 * the appropriate stream. if we haven't seen this stream before,
1817 * there's only one key for this srtp_session, and the cipher
1818 * supports key-sharing, then we assume that a new stream using
1819 * that key has just started up
1820 */
1821 stream = srtp_get_stream(ctx, hdr->ssrc);
1822 if (stream == NULL) {
1823 if (ctx->stream_template != NULL) {
1824 stream = ctx->stream_template;
1825
1826 /*
1827 * check to see if stream_template has an EKT data structure, in
1828 * which case we initialize the template using the EKT policy
1829 * referenced by that data (which consists of decrypting the
1830 * master key from the EKT field)
1831 *
1832 * this function initializes a *provisional* stream, and this
1833 * stream should not be accepted until and unless the packet
1834 * passes its authentication check
1835 */
1836 if (stream->ekt != NULL) {
1837 status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len);
1838 if (status)
1839 return status;
1840 }
1841
1842 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
1843 hdr->ssrc);
1844 } else {
1845 /* no template stream, so we return an error */
1846 return err_status_no_ctx;
1847 }
1848 }
1849
1850 /* get tag length from stream context */
1851 tag_len = auth_get_tag_length(stream->rtcp_auth);
1852
1853 /*
1854 * set encryption start, encryption length, and trailer
1855 */
1856 enc_octet_len = *pkt_octet_len -
1857 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
1858 /* index & E (encryption) bit follow normal data. hdr->len
1859 is the number of words (32-bit) in the normal packet minus 1 */
1860 /* This should point trailer to the word past the end of the
1861 normal data. */
1862 /* This would need to be modified for optional mikey data */
1863 /*
1864 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1865 * multiples of 32-bits (RFC 3550 6.1)
1866 */
1867 trailer = (uint32_t *) ((char *) hdr +
1868 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
1869 if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
1870 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1871 } else {
1872 enc_octet_len = 0;
1873 enc_start = NULL; /* this indicates that there's no encryption */
1874 }
1875
1876 /*
1877 * set the auth_start and auth_tag pointers to the proper locations
1878 * (note that srtcp *always* uses authentication, unlike srtp)
1879 */
1880 auth_start = (uint32_t *)hdr;
1881 auth_len = *pkt_octet_len - tag_len;
1882 auth_tag = (uint8_t *)hdr + auth_len;
1883
1884 /*
1885 * if EKT is in use, then we make a copy of the tag from the packet,
1886 * and then zeroize the location of the base tag
1887 *
1888 * we first re-position the auth_tag pointer so that it points to
1889 * the base tag
1890 */
1891 if (stream->ekt) {
1892 auth_tag -= ekt_octets_after_base_tag(stream->ekt);
1893 memcpy(tag_copy, auth_tag, tag_len);
1894 octet_string_set_to_zero(auth_tag, tag_len);
1895 auth_tag = tag_copy;
1896 auth_len += tag_len;
1897 }
1898
1899 /*
1900 * check the sequence number for replays
1901 */
1902 /* this is easier than dealing with bitfield access */
1903 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
1904 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1905 status = rdb_check(&stream->rtcp_rdb, seq_num);
1906 if (status)
1907 return status;
1908
1909 /*
1910 * if we're using aes counter mode, set nonce and seq
1911 */
1912 if (stream->rtcp_cipher->type->id == AES_ICM) {
1913 v128_t iv;
1914
1915 iv.v32[0] = 0;
1916 iv.v32[1] = hdr->ssrc; /* still in network order! */
1917 iv.v32[2] = htonl(seq_num >> 16);
1918 iv.v32[3] = htonl(seq_num << 16);
1919 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1920
1921 } else {
1922 v128_t iv;
1923
1924 /* otherwise, just set the index to seq_num */
1925 iv.v32[0] = 0;
1926 iv.v32[1] = 0;
1927 iv.v32[2] = 0;
1928 iv.v32[3] = htonl(seq_num);
1929 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1930
1931 }
1932 if (status)
1933 return err_status_cipher_fail;
1934
1935 /* initialize auth func context */
1936 auth_start(stream->rtcp_auth);
1937
1938 /* run auth func over packet, put result into tmp_tag */
1939 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
1940 auth_len, tmp_tag);
1941 debug_print(mod_srtp, "srtcp computed tag: %s",
1942 octet_string_hex_string(tmp_tag, tag_len));
1943 if (status)
1944 return err_status_auth_fail;
1945
1946 /* compare the tag just computed with the one in the packet */
1947 debug_print(mod_srtp, "srtcp tag from packet: %s",
1948 octet_string_hex_string(auth_tag, tag_len));
1949 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1950 return err_status_auth_fail;
1951
1952 /*
1953 * if we're authenticating using a universal hash, put the keystream
1954 * prefix into the authentication tag
1955 */
1956 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1957 if (prefix_len) {
1958 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1959 debug_print(mod_srtp, "keystream prefix: %s",
1960 octet_string_hex_string(auth_tag, prefix_len));
1961 if (status)
1962 return err_status_cipher_fail;
1963 }
1964
1965 /* if we're decrypting, exor keystream into the message */
1966 if (enc_start) {
1967 status = cipher_decrypt(stream->rtcp_cipher,
1968 (uint8_t *)enc_start, &enc_octet_len);
1969 if (status)
1970 return err_status_cipher_fail;
1971 }
1972
1973 /* decrease the packet length by the length of the auth tag and seq_num */
1974 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
1975
1976 /*
1977 * if EKT is in effect, subtract the EKT data out of the packet
1978 * length
1979 */
1980 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt);
1981
1982 /*
1983 * verify that stream is for received traffic - this check will
1984 * detect SSRC collisions, since a stream that appears in both
1985 * srtp_protect() and srtp_unprotect() will fail this test in one of
1986 * those functions.
1987 *
1988 * we do this check *after* the authentication check, so that the
1989 * latter check will catch any attempts to fool us into thinking
1990 * that we've got a collision
1991 */
1992 if (stream->direction != dir_srtp_receiver) {
1993 if (stream->direction == dir_unknown) {
1994 stream->direction = dir_srtp_receiver;
1995 } else {
1996 srtp_handle_event(ctx, stream, event_ssrc_collision);
1997 }
1998 }
1999
2000 /*
2001 * if the stream is a 'provisional' one, in which the template context
2002 * is used, then we need to allocate a new stream at this point, since
2003 * the authentication passed
2004 */
2005 if (stream == ctx->stream_template) {
2006 srtp_stream_ctx_t *new_stream;
2007
2008 /*
2009 * allocate and initialize a new stream
2010 *
2011 * note that we indicate failure if we can't allocate the new
2012 * stream, and some implementations will want to not return
2013 * failure here
2014 */
2015 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2016 if (status)
2017 return status;
2018
2019 /* add new stream to the head of the stream_list */
2020 new_stream->next = ctx->stream_list;
2021 ctx->stream_list = new_stream;
2022
2023 /* set stream (the pointer used in this function) */
2024 stream = new_stream;
2025 }
2026
2027 /* we've passed the authentication check, so add seq_num to the rdb */
2028 rdb_add_index(&stream->rtcp_rdb, seq_num);
2029
2030
2031 return err_status_ok;
2032 }
2033
2034
2035
2036 /*
2037 * dtls keying for srtp
2038 */
2039
2040 err_status_t
2041 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
2042 srtp_profile_t profile) {
2043
2044 /* set SRTP policy from the SRTP profile in the key set */
2045 switch(profile) {
2046 case srtp_profile_aes128_cm_sha1_80:
2047 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2048 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2049 break;
2050 case srtp_profile_aes128_cm_sha1_32:
2051 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
2052 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2053 break;
2054 case srtp_profile_null_sha1_80:
2055 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2056 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2057 break;
2058 case srtp_profile_aes256_cm_sha1_80:
2059 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2060 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2061 break;
2062 case srtp_profile_aes256_cm_sha1_32:
2063 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
2064 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2065 break;
2066 /* the following profiles are not (yet) supported */
2067 case srtp_profile_null_sha1_32:
2068 default:
2069 return err_status_bad_param;
2070 }
2071
2072 return err_status_ok;
2073 }
2074
2075 err_status_t
2076 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
2077 srtp_profile_t profile) {
2078
2079 /* set SRTP policy from the SRTP profile in the key set */
2080 switch(profile) {
2081 case srtp_profile_aes128_cm_sha1_80:
2082 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2083 break;
2084 case srtp_profile_aes128_cm_sha1_32:
2085 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2086 break;
2087 case srtp_profile_null_sha1_80:
2088 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2089 break;
2090 case srtp_profile_aes256_cm_sha1_80:
2091 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2092 break;
2093 case srtp_profile_aes256_cm_sha1_32:
2094 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2095 break;
2096 /* the following profiles are not (yet) supported */
2097 case srtp_profile_null_sha1_32:
2098 default:
2099 return err_status_bad_param;
2100 }
2101
2102 return err_status_ok;
2103 }
2104
2105 void
2106 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key,
2107 uint8_t *salt, unsigned int bytes_in_salt) {
2108
2109 memcpy(key + bytes_in_key, salt, bytes_in_salt);
2110
2111 }
2112
2113 unsigned int
2114 srtp_profile_get_master_key_length(srtp_profile_t profile) {
2115
2116 switch(profile) {
2117 case srtp_profile_aes128_cm_sha1_80:
2118 return 16;
2119 break;
2120 case srtp_profile_aes128_cm_sha1_32:
2121 return 16;
2122 break;
2123 case srtp_profile_null_sha1_80:
2124 return 16;
2125 break;
2126 case srtp_profile_aes256_cm_sha1_80:
2127 return 32;
2128 break;
2129 case srtp_profile_aes256_cm_sha1_32:
2130 return 32;
2131 break;
2132 /* the following profiles are not (yet) supported */
2133 case srtp_profile_null_sha1_32:
2134 default:
2135 return 0; /* indicate error by returning a zero */
2136 }
2137 }
2138
2139 unsigned int
2140 srtp_profile_get_master_salt_length(srtp_profile_t profile) {
2141
2142 switch(profile) {
2143 case srtp_profile_aes128_cm_sha1_80:
2144 return 14;
2145 break;
2146 case srtp_profile_aes128_cm_sha1_32:
2147 return 14;
2148 break;
2149 case srtp_profile_null_sha1_80:
2150 return 14;
2151 break;
2152 case srtp_profile_aes256_cm_sha1_80:
2153 return 14;
2154 break;
2155 case srtp_profile_aes256_cm_sha1_32:
2156 return 14;
2157 break;
2158 /* the following profiles are not (yet) supported */
2159 case srtp_profile_null_sha1_32:
2160 default:
2161 return 0; /* indicate error by returning a zero */
2162 }
2163 }
OLDNEW
« no previous file with comments | « libsrtp/srtp/ekt.c ('k') | libsrtp/srtp7.sln » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698