Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: srtp/srtp/srtp.c

Issue 2344973002: Update libsrtp to version 2.0 (Closed)
Patch Set: Add '.' back to include_dirs Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « srtp/srtp/ekt.c ('k') | srtp/tables/aes_tables.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /*
2 * srtp.c
3 *
4 * the secure real-time transport protocol
5 *
6 * David A. McGrew
7 * Cisco Systems, Inc.
8 */
9 /*
10 *
11 * Copyright (c) 2001-2006, Cisco Systems, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 *
18 * Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 *
21 * Redistributions in binary form must reproduce the above
22 * copyright notice, this list of conditions and the following
23 * disclaimer in the documentation and/or other materials provided
24 * with the distribution.
25 *
26 * Neither the name of the Cisco Systems, Inc. nor the names of its
27 * contributors may be used to endorse or promote products derived
28 * from this software without specific prior written permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 *
43 */
44
45
46 #include "srtp_priv.h"
47 #include "ekt.h" /* for SRTP Encrypted Key Transport */
48 #include "alloc.h" /* for crypto_alloc() */
49 #ifdef OPENSSL
50 #include "aes_gcm_ossl.h" /* for AES GCM mode */
51 #endif
52
53 #ifndef SRTP_KERNEL
54 # include <limits.h>
55 # ifdef HAVE_NETINET_IN_H
56 # include <netinet/in.h>
57 # elif defined(HAVE_WINSOCK2_H)
58 # include <winsock2.h>
59 # endif
60 #endif /* ! SRTP_KERNEL */
61
62
63 /* the debug module for srtp */
64
65 debug_module_t mod_srtp = {
66 0, /* debugging is off by default */
67 "srtp" /* printable name for module */
68 };
69
70 #define octets_in_rtp_header 12
71 #define uint32s_in_rtp_header 3
72 #define octets_in_rtcp_header 8
73 #define uint32s_in_rtcp_header 2
74 #define octets_in_rtp_extn_hdr 4
75
76 static err_status_t
77 srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) {
78 if (*pkt_octet_len < octets_in_rtp_header)
79 return err_status_bad_param;
80
81 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
82
83 /* Check RTP header length */
84 int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc;
85 if (hdr->x == 1)
86 rtp_header_len += octets_in_rtp_extn_hdr;
87
88 if (*pkt_octet_len < rtp_header_len)
89 return err_status_bad_param;
90
91 /* Verifing profile length. */
92 if (hdr->x == 1) {
93 srtp_hdr_xtnd_t *xtn_hdr =
94 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc);
95 int profile_len = ntohs(xtn_hdr->length);
96 rtp_header_len += profile_len * 4;
97 /* profile length counts the number of 32-bit words */
98 if (*pkt_octet_len < rtp_header_len)
99 return err_status_bad_param;
100 }
101 return err_status_ok;
102 }
103
104 const char *srtp_get_version_string ()
105 {
106 /*
107 * Simply return the autotools generated string
108 */
109 return SRTP_VER_STRING;
110 }
111
112 unsigned int srtp_get_version ()
113 {
114 unsigned int major = 0, minor = 0, micro = 0;
115 unsigned int rv = 0;
116 int parse_rv;
117
118 /*
119 * Parse the autotools generated version
120 */
121 parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, &micro);
122 if (parse_rv != 3) {
123 /*
124 * We're expected to parse all 3 version levels.
125 * If not, then this must not be an official release.
126 * Return all zeros on the version
127 */
128 return (0);
129 }
130
131 /*
132 * We allow 8 bits for the major and minor, while
133 * allowing 16 bits for the micro. 16 bits for the micro
134 * may be beneficial for a continuous delivery model
135 * in the future.
136 */
137 rv |= (major & 0xFF) << 24;
138 rv |= (minor & 0xFF) << 16;
139 rv |= micro & 0xFF;
140 return rv;
141 }
142
143 err_status_t
144 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
145 const srtp_policy_t *p) {
146 srtp_stream_ctx_t *str;
147 err_status_t stat;
148
149 /*
150 * This function allocates the stream context, rtp and rtcp ciphers
151 * and auth functions, and key limit structure. If there is a
152 * failure during allocation, we free all previously allocated
153 * memory and return a failure code. The code could probably
154 * be improved, but it works and should be clear.
155 */
156
157 /* allocate srtp stream and set str_ptr */
158 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
159 if (str == NULL)
160 return err_status_alloc_fail;
161 *str_ptr = str;
162
163 /* allocate cipher */
164 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
165 &str->rtp_cipher,
166 p->rtp.cipher_key_len,
167 p->rtp.auth_tag_len);
168 if (stat) {
169 crypto_free(str);
170 return stat;
171 }
172
173 /* allocate auth function */
174 stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
175 &str->rtp_auth,
176 p->rtp.auth_key_len,
177 p->rtp.auth_tag_len);
178 if (stat) {
179 cipher_dealloc(str->rtp_cipher);
180 crypto_free(str);
181 return stat;
182 }
183
184 /* allocate key limit structure */
185 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t));
186 if (str->limit == NULL) {
187 auth_dealloc(str->rtp_auth);
188 cipher_dealloc(str->rtp_cipher);
189 crypto_free(str);
190 return err_status_alloc_fail;
191 }
192
193 /*
194 * ...and now the RTCP-specific initialization - first, allocate
195 * the cipher
196 */
197 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
198 &str->rtcp_cipher,
199 p->rtcp.cipher_key_len,
200 p->rtcp.auth_tag_len);
201 if (stat) {
202 auth_dealloc(str->rtp_auth);
203 cipher_dealloc(str->rtp_cipher);
204 crypto_free(str->limit);
205 crypto_free(str);
206 return stat;
207 }
208
209 /* allocate auth function */
210 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
211 &str->rtcp_auth,
212 p->rtcp.auth_key_len,
213 p->rtcp.auth_tag_len);
214 if (stat) {
215 cipher_dealloc(str->rtcp_cipher);
216 auth_dealloc(str->rtp_auth);
217 cipher_dealloc(str->rtp_cipher);
218 crypto_free(str->limit);
219 crypto_free(str);
220 return stat;
221 }
222
223 /* allocate ekt data associated with stream */
224 stat = ekt_alloc(&str->ekt, p->ekt);
225 if (stat) {
226 auth_dealloc(str->rtcp_auth);
227 cipher_dealloc(str->rtcp_cipher);
228 auth_dealloc(str->rtp_auth);
229 cipher_dealloc(str->rtp_cipher);
230 crypto_free(str->limit);
231 crypto_free(str);
232 return stat;
233 }
234
235 if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) {
236 cipher_type_id_t enc_xtn_hdr_cipher_type;
237 int enc_xtn_hdr_cipher_key_len;
238
239 str->enc_xtn_hdr = (int*) crypto_alloc(p->enc_xtn_hdr_count * sizeof(p->enc_ xtn_hdr[0]));
240 if (!str->enc_xtn_hdr) {
241 auth_dealloc(str->rtcp_auth);
242 cipher_dealloc(str->rtcp_cipher);
243 auth_dealloc(str->rtp_auth);
244 cipher_dealloc(str->rtp_cipher);
245 crypto_free(str->limit);
246 crypto_free(str);
247 return err_status_alloc_fail;
248 }
249 memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr, p->enc_xtn_hdr_count * sizeof(p->en c_xtn_hdr[0]));
250 str->enc_xtn_hdr_count = p->enc_xtn_hdr_count;
251
252 /* For GCM ciphers, the corresponding ICM cipher is used for header extensio ns encryption. */
253 switch (p->rtp.cipher_type) {
254 case AES_128_GCM:
255 enc_xtn_hdr_cipher_type = AES_128_ICM;
256 enc_xtn_hdr_cipher_key_len = 30;
257 break;
258 case AES_256_GCM:
259 enc_xtn_hdr_cipher_type = AES_256_ICM;
260 enc_xtn_hdr_cipher_key_len = 46;
261 break;
262 default:
263 enc_xtn_hdr_cipher_type = p->rtp.cipher_type;
264 enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len;
265 break;
266 }
267
268 /* allocate cipher for extensions header encryption */
269 stat = crypto_kernel_alloc_cipher(enc_xtn_hdr_cipher_type,
270 &str->rtp_xtn_hdr_cipher,
271 enc_xtn_hdr_cipher_key_len,
272 0);
273
274 if (stat) {
275 crypto_free(str->enc_xtn_hdr);
276 auth_dealloc(str->rtcp_auth);
277 cipher_dealloc(str->rtcp_cipher);
278 auth_dealloc(str->rtp_auth);
279 cipher_dealloc(str->rtp_cipher);
280 crypto_free(str->limit);
281 crypto_free(str);
282 return stat;
283 }
284 } else {
285 str->rtp_xtn_hdr_cipher = NULL;
286 str->enc_xtn_hdr = NULL;
287 str->enc_xtn_hdr_count = 0;
288 }
289
290 return err_status_ok;
291 }
292
293 err_status_t
294 srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) {
295 err_status_t status;
296
297 /*
298 * we use a conservative deallocation strategy - if any deallocation
299 * fails, then we report that fact without trying to deallocate
300 * anything else
301 */
302
303 /* deallocate cipher, if it is not the same as that in template */
304 if (session->stream_template
305 && stream->rtp_cipher == session->stream_template->rtp_cipher) {
306 /* do nothing */
307 } else {
308 status = cipher_dealloc(stream->rtp_cipher);
309 if (status)
310 return status;
311 }
312
313 /* deallocate auth function, if it is not the same as that in template */
314 if (session->stream_template
315 && stream->rtp_auth == session->stream_template->rtp_auth) {
316 /* do nothing */
317 } else {
318 status = auth_dealloc(stream->rtp_auth);
319 if (status)
320 return status;
321 }
322
323 /* deallocate key usage limit, if it is not the same as that in template */
324 if (session->stream_template
325 && stream->limit == session->stream_template->limit) {
326 /* do nothing */
327 } else {
328 crypto_free(stream->limit);
329 }
330
331 if (session->stream_template
332 && stream->rtp_xtn_hdr_cipher == session->stream_template->rtp_xtn_hdr_cip her) {
333 /* do nothing */
334 } else if (stream->rtp_xtn_hdr_cipher) {
335 status = cipher_dealloc(stream->rtp_xtn_hdr_cipher);
336 if (status)
337 return status;
338 }
339
340 /*
341 * deallocate rtcp cipher, if it is not the same as that in
342 * template
343 */
344 if (session->stream_template
345 && stream->rtcp_cipher == session->stream_template->rtcp_cipher) {
346 /* do nothing */
347 } else {
348 status = cipher_dealloc(stream->rtcp_cipher);
349 if (status)
350 return status;
351 }
352
353 /*
354 * deallocate rtcp auth function, if it is not the same as that in
355 * template
356 */
357 if (session->stream_template
358 && stream->rtcp_auth == session->stream_template->rtcp_auth) {
359 /* do nothing */
360 } else {
361 status = auth_dealloc(stream->rtcp_auth);
362 if (status)
363 return status;
364 }
365
366 status = rdbx_dealloc(&stream->rtp_rdbx);
367 if (status)
368 return status;
369
370 /* DAM - need to deallocate EKT here */
371
372 if (session->stream_template
373 && stream->enc_xtn_hdr == session->stream_template->enc_xtn_hdr) {
374 /* do nothing */
375 } else if (stream->enc_xtn_hdr) {
376 crypto_free(stream->enc_xtn_hdr);
377 }
378
379 /*
380 * zeroize the salt value
381 */
382 memset(stream->salt, 0, SRTP_AEAD_SALT_LEN);
383 memset(stream->c_salt, 0, SRTP_AEAD_SALT_LEN);
384
385
386 /* deallocate srtp stream context */
387 crypto_free(stream);
388
389 return err_status_ok;
390 }
391
392
393 /*
394 * srtp_stream_clone(stream_template, new) allocates a new stream and
395 * initializes it using the cipher and auth of the stream_template
396 *
397 * the only unique data in a cloned stream is the replay database and
398 * the SSRC
399 */
400
401 err_status_t
402 srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
403 uint32_t ssrc,
404 srtp_stream_ctx_t **str_ptr) {
405 err_status_t status;
406 srtp_stream_ctx_t *str;
407
408 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
409
410 /* allocate srtp stream and set str_ptr */
411 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
412 if (str == NULL)
413 return err_status_alloc_fail;
414 *str_ptr = str;
415
416 /* set cipher and auth pointers to those of the template */
417 str->rtp_cipher = stream_template->rtp_cipher;
418 str->rtp_auth = stream_template->rtp_auth;
419 str->rtp_xtn_hdr_cipher = stream_template->rtp_xtn_hdr_cipher;
420 str->rtcp_cipher = stream_template->rtcp_cipher;
421 str->rtcp_auth = stream_template->rtcp_auth;
422
423 /* set key limit to point to that of the template */
424 status = key_limit_clone(stream_template->limit, &str->limit);
425 if (status) {
426 crypto_free(*str_ptr);
427 *str_ptr = NULL;
428 return status;
429 }
430
431 /* initialize replay databases */
432 status = rdbx_init(&str->rtp_rdbx,
433 rdbx_get_window_size(&stream_template->rtp_rdbx));
434 if (status) {
435 crypto_free(*str_ptr);
436 *str_ptr = NULL;
437 return status;
438 }
439 rdb_init(&str->rtcp_rdb);
440 str->allow_repeat_tx = stream_template->allow_repeat_tx;
441
442 /* set ssrc to that provided */
443 str->ssrc = ssrc;
444
445 /* set direction and security services */
446 str->direction = stream_template->direction;
447 str->rtp_services = stream_template->rtp_services;
448 str->rtcp_services = stream_template->rtcp_services;
449
450 /* set pointer to EKT data associated with stream */
451 str->ekt = stream_template->ekt;
452
453 /* copy information about extensions header encryption */
454 str->enc_xtn_hdr = stream_template->enc_xtn_hdr;
455 str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count;
456
457 /* Copy the salt values */
458 memcpy(str->salt, stream_template->salt, SRTP_AEAD_SALT_LEN);
459 memcpy(str->c_salt, stream_template->c_salt, SRTP_AEAD_SALT_LEN);
460
461 /* defensive coding */
462 str->next = NULL;
463
464 return err_status_ok;
465 }
466
467
468 /*
469 * key derivation functions, internal to libSRTP
470 *
471 * srtp_kdf_t is a key derivation context
472 *
473 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher
474 * described by cipher_id, with the master key k with length in octets keylen.
475 *
476 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
477 * corresponding to label l and puts it into kl; the length
478 * of the key in octets is provided as keylen. this function
479 * should be called once for each subkey that is derived.
480 *
481 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state
482 */
483
484 typedef enum {
485 label_rtp_encryption = 0x00,
486 label_rtp_msg_auth = 0x01,
487 label_rtp_salt = 0x02,
488 label_rtcp_encryption = 0x03,
489 label_rtcp_msg_auth = 0x04,
490 label_rtcp_salt = 0x05,
491 label_rtp_header_encryption = 0x06,
492 label_rtp_header_salt = 0x07
493 } srtp_prf_label;
494
495
496 /*
497 * srtp_kdf_t represents a key derivation function. The SRTP
498 * default KDF is the only one implemented at present.
499 */
500
501 typedef struct {
502 cipher_t *cipher; /* cipher used for key derivation */
503 } srtp_kdf_t;
504
505 err_status_t
506 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, i nt length) {
507
508 err_status_t stat;
509 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length, 0);
510 if (stat)
511 return stat;
512
513 stat = cipher_init(kdf->cipher, key);
514 if (stat) {
515 cipher_dealloc(kdf->cipher);
516 return stat;
517 }
518
519 return err_status_ok;
520 }
521
522 err_status_t
523 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
524 uint8_t *key, unsigned int length) {
525
526 v128_t nonce;
527 err_status_t status;
528
529 /* set eigth octet of nonce to <label>, set the rest of it to zero */
530 v128_set_to_zero(&nonce);
531 nonce.v8[7] = label;
532
533 status = cipher_set_iv(kdf->cipher, &nonce, direction_encrypt);
534 if (status)
535 return status;
536
537 /* generate keystream output */
538 octet_string_set_to_zero(key, length);
539 status = cipher_encrypt(kdf->cipher, key, &length);
540 if (status)
541 return status;
542
543 return err_status_ok;
544 }
545
546 err_status_t
547 srtp_kdf_clear(srtp_kdf_t *kdf) {
548 err_status_t status;
549 status = cipher_dealloc(kdf->cipher);
550 if (status)
551 return status;
552 kdf->cipher = NULL;
553
554 return err_status_ok;
555 }
556
557 /*
558 * end of key derivation functions
559 */
560
561 #define MAX_SRTP_KEY_LEN 256
562
563
564 /* Get the base key length corresponding to a given combined key+salt
565 * length for the given cipher.
566 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using
567 * AES-128 and short salts; everything else uses a salt length of 14.
568 * TODO: key and salt lengths should be separate fields in the policy. */
569 static inline int base_key_length(const cipher_type_t *cipher, int key_length)
570 {
571 switch (cipher->id) {
572 case AES_128_ICM:
573 case AES_192_ICM:
574 case AES_256_ICM:
575 /* The legacy modes are derived from
576 * the configured key length on the policy */
577 return key_length - 14;
578 break;
579 case AES_128_GCM:
580 return 16;
581 break;
582 case AES_256_GCM:
583 return 32;
584 break;
585 default:
586 return key_length;
587 break;
588 }
589 }
590
591 err_status_t
592 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
593 err_status_t stat;
594 srtp_kdf_t kdf;
595 uint8_t tmp_key[MAX_SRTP_KEY_LEN];
596 int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
597 int rtp_base_key_len, rtp_salt_len;
598 int rtcp_base_key_len, rtcp_salt_len;
599
600 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
601 /* TODO: kdf algorithm, master key length, and master salt length should
602 * be part of srtp_policy_t. */
603 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher);
604 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher);
605 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
606 rtp_salt_len = rtp_keylen - rtp_base_key_len;
607
608 if (rtp_keylen > kdf_keylen) {
609 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
610 }
611
612 if (rtcp_keylen > kdf_keylen) {
613 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
614 }
615
616 debug_print(mod_srtp, "srtp key len: %d", rtp_keylen);
617 debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen);
618 debug_print(mod_srtp, "base key len: %d", rtp_base_key_len);
619 debug_print(mod_srtp, "kdf key len: %d", kdf_keylen);
620 debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len);
621
622 /*
623 * Make sure the key given to us is 'zero' appended. GCM
624 * mode uses a shorter master SALT (96 bits), but still relies on
625 * the legacy CTR mode KDF, which uses a 112 bit master SALT.
626 */
627 memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN);
628 memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len));
629
630 /* initialize KDF state */
631 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)tmp_key, kdf_keylen);
632 if (stat) {
633 return err_status_init_fail;
634 }
635
636 /* generate encryption key */
637 stat = srtp_kdf_generate(&kdf, label_rtp_encryption,
638 tmp_key, rtp_base_key_len);
639 if (stat) {
640 /* zeroize temp buffer */
641 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
642 return err_status_init_fail;
643 }
644 debug_print(mod_srtp, "cipher key: %s",
645 octet_string_hex_string(tmp_key, rtp_base_key_len));
646
647 /*
648 * if the cipher in the srtp context uses a salt, then we need
649 * to generate the salt value
650 */
651 if (rtp_salt_len > 0) {
652 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
653
654 /* generate encryption salt, put after encryption key */
655 stat = srtp_kdf_generate(&kdf, label_rtp_salt,
656 tmp_key + rtp_base_key_len, rtp_salt_len);
657 if (stat) {
658 /* zeroize temp buffer */
659 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
660 return err_status_init_fail;
661 }
662 memcpy(srtp->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN);
663 }
664 if (rtp_salt_len > 0) {
665 debug_print(mod_srtp, "cipher salt: %s",
666 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len ));
667 }
668
669 /* initialize cipher */
670 stat = cipher_init(srtp->rtp_cipher, tmp_key);
671 if (stat) {
672 /* zeroize temp buffer */
673 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
674 return err_status_init_fail;
675 }
676
677 if (srtp->rtp_xtn_hdr_cipher) {
678 /* generate extensions header encryption key */
679 int rtp_xtn_hdr_keylen;
680 int rtp_xtn_hdr_base_key_len;
681 int rtp_xtn_hdr_salt_len;
682 srtp_kdf_t tmp_kdf;
683 srtp_kdf_t *xtn_hdr_kdf;
684
685 if (srtp->rtp_xtn_hdr_cipher->type != srtp->rtp_cipher->type) {
686 /* With GCM ciphers, the header extensions are still encrypted using the c orresponding ICM cipher. */
687 /* See https://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-17#sect ion-8.3 */
688 uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN];
689 rtp_xtn_hdr_keylen = cipher_get_key_length(srtp->rtp_xtn_hdr_cipher);
690 rtp_xtn_hdr_base_key_len = base_key_length(srtp->rtp_xtn_hdr_cipher->type, rtp_xtn_hdr_keylen);
691 rtp_xtn_hdr_salt_len = rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len;
692 memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN);
693 memcpy(tmp_xtn_hdr_key, key, (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_ len));
694 xtn_hdr_kdf = &tmp_kdf;
695
696 /* initialize KDF state */
697 stat = srtp_kdf_init(xtn_hdr_kdf, AES_ICM, (const uint8_t *)tmp_xtn_hdr_ke y, kdf_keylen);
698 octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN);
699 if (stat) {
700 return err_status_init_fail;
701 }
702 } else {
703 /* Reuse main KDF. */
704 rtp_xtn_hdr_keylen = rtp_keylen;
705 rtp_xtn_hdr_base_key_len = rtp_base_key_len;
706 rtp_xtn_hdr_salt_len = rtp_salt_len;
707 xtn_hdr_kdf = &kdf;
708 }
709
710 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption,
711 tmp_key, rtp_xtn_hdr_base_key_len);
712 if (stat) {
713 /* zeroize temp buffer */
714 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
715 return err_status_init_fail;
716 }
717 debug_print(mod_srtp, "extensions cipher key: %s",
718 octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len));
719
720 /*
721 * if the cipher in the srtp context uses a salt, then we need
722 * to generate the salt value
723 */
724 if (rtp_xtn_hdr_salt_len > 0) {
725 debug_print(mod_srtp, "found rtp_xtn_hdr_salt_len > 0, generating salt", N ULL);
726
727 /* generate encryption salt, put after encryption key */
728 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt,
729 tmp_key + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len);
730 if (stat) {
731 /* zeroize temp buffer */
732 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
733 return err_status_init_fail;
734 }
735 }
736 if (rtp_xtn_hdr_salt_len > 0) {
737 debug_print(mod_srtp, "extensions cipher salt: %s",
738 octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_sa lt_len));
739 }
740
741 /* initialize extensions header cipher */
742 stat = cipher_init(srtp->rtp_xtn_hdr_cipher, tmp_key);
743 if (stat) {
744 /* zeroize temp buffer */
745 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
746 return err_status_init_fail;
747 }
748
749 if (xtn_hdr_kdf != &kdf) {
750 /* release memory for custom header extension encryption kdf */
751 stat = srtp_kdf_clear(xtn_hdr_kdf);
752 if (stat) {
753 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
754 return err_status_init_fail;
755 }
756 }
757 }
758
759 /* generate authentication key */
760 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth,
761 tmp_key, auth_get_key_length(srtp->rtp_auth));
762 if (stat) {
763 /* zeroize temp buffer */
764 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
765 return err_status_init_fail;
766 }
767 debug_print(mod_srtp, "auth key: %s",
768 octet_string_hex_string(tmp_key,
769 auth_get_key_length(srtp->rtp_auth)));
770
771 /* initialize auth function */
772 stat = auth_init(srtp->rtp_auth, tmp_key);
773 if (stat) {
774 /* zeroize temp buffer */
775 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
776 return err_status_init_fail;
777 }
778
779 /*
780 * ...now initialize SRTCP keys
781 */
782
783 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen);
784 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
785 debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len);
786
787 /* generate encryption key */
788 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption,
789 tmp_key, rtcp_base_key_len);
790 if (stat) {
791 /* zeroize temp buffer */
792 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
793 return err_status_init_fail;
794 }
795
796 /*
797 * if the cipher in the srtp context uses a salt, then we need
798 * to generate the salt value
799 */
800 if (rtcp_salt_len > 0) {
801 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
802 NULL);
803
804 /* generate encryption salt, put after encryption key */
805 stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
806 tmp_key + rtcp_base_key_len, rtcp_salt_len);
807 if (stat) {
808 /* zeroize temp buffer */
809 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
810 return err_status_init_fail;
811 }
812 memcpy(srtp->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN);
813 }
814 debug_print(mod_srtp, "rtcp cipher key: %s",
815 octet_string_hex_string(tmp_key, rtcp_base_key_len));
816 if (rtcp_salt_len > 0) {
817 debug_print(mod_srtp, "rtcp cipher salt: %s",
818 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_l en));
819 }
820
821 /* initialize cipher */
822 stat = cipher_init(srtp->rtcp_cipher, tmp_key);
823 if (stat) {
824 /* zeroize temp buffer */
825 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
826 return err_status_init_fail;
827 }
828
829 /* generate authentication key */
830 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
831 tmp_key, auth_get_key_length(srtp->rtcp_auth));
832 if (stat) {
833 /* zeroize temp buffer */
834 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
835 return err_status_init_fail;
836 }
837
838 debug_print(mod_srtp, "rtcp auth key: %s",
839 octet_string_hex_string(tmp_key,
840 auth_get_key_length(srtp->rtcp_auth)));
841
842 /* initialize auth function */
843 stat = auth_init(srtp->rtcp_auth, tmp_key);
844 if (stat) {
845 /* zeroize temp buffer */
846 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
847 return err_status_init_fail;
848 }
849
850 /* clear memory then return */
851 stat = srtp_kdf_clear(&kdf);
852 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
853 if (stat)
854 return err_status_init_fail;
855
856 return err_status_ok;
857 }
858
859 err_status_t
860 srtp_stream_init(srtp_stream_ctx_t *srtp,
861 const srtp_policy_t *p) {
862 err_status_t err;
863
864 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)",
865 p->ssrc.value);
866
867 /* initialize replay database */
868 /* window size MUST be at least 64. MAY be larger. Values more than
869 * 2^15 aren't meaningful due to how extended sequence numbers are
870 * calculated. Let a window size of 0 imply the default value. */
871
872 if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000))
873 return err_status_bad_param;
874
875 if (p->window_size != 0)
876 err = rdbx_init(&srtp->rtp_rdbx, p->window_size);
877 else
878 err = rdbx_init(&srtp->rtp_rdbx, 128);
879 if (err) return err;
880
881 /* initialize key limit to maximum value */
882 #ifdef NO_64BIT_MATH
883 {
884 uint64_t temp;
885 temp = make64(UINT_MAX,UINT_MAX);
886 key_limit_set(srtp->limit, temp);
887 }
888 #else
889 key_limit_set(srtp->limit, 0xffffffffffffLL);
890 #endif
891
892 /* set the SSRC value */
893 srtp->ssrc = htonl(p->ssrc.value);
894
895 /* set the security service flags */
896 srtp->rtp_services = p->rtp.sec_serv;
897 srtp->rtcp_services = p->rtcp.sec_serv;
898
899 /*
900 * set direction to unknown - this flag gets checked in srtp_protect(),
901 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
902 * gets set appropriately if it is set to unknown.
903 */
904 srtp->direction = dir_unknown;
905
906 /* initialize SRTCP replay database */
907 rdb_init(&srtp->rtcp_rdb);
908
909 /* initialize allow_repeat_tx */
910 /* guard against uninitialized memory: allow only 0 or 1 here */
911 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) {
912 rdbx_dealloc(&srtp->rtp_rdbx);
913 return err_status_bad_param;
914 }
915 srtp->allow_repeat_tx = p->allow_repeat_tx;
916
917 /* DAM - no RTCP key limit at present */
918
919 /* initialize keys */
920 err = srtp_stream_init_keys(srtp, p->key);
921 if (err) {
922 rdbx_dealloc(&srtp->rtp_rdbx);
923 return err;
924 }
925
926 /*
927 * if EKT is in use, then initialize the EKT data associated with
928 * the stream
929 */
930 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt);
931 if (err) {
932 rdbx_dealloc(&srtp->rtp_rdbx);
933 return err;
934 }
935
936 return err_status_ok;
937 }
938
939
940 /*
941 * srtp_event_reporter is an event handler function that merely
942 * reports the events that are reported by the callbacks
943 */
944
945 void
946 srtp_event_reporter(srtp_event_data_t *data) {
947
948 err_report(err_level_warning, "srtp: in stream 0x%x: ",
949 data->stream->ssrc);
950
951 switch(data->event) {
952 case event_ssrc_collision:
953 err_report(err_level_warning, "\tSSRC collision\n");
954 break;
955 case event_key_soft_limit:
956 err_report(err_level_warning, "\tkey usage soft limit reached\n");
957 break;
958 case event_key_hard_limit:
959 err_report(err_level_warning, "\tkey usage hard limit reached\n");
960 break;
961 case event_packet_index_limit:
962 err_report(err_level_warning, "\tpacket index limit reached\n");
963 break;
964 default:
965 err_report(err_level_warning, "\tunknown event reported to handler\n");
966 }
967 }
968
969 /*
970 * srtp_event_handler is a global variable holding a pointer to the
971 * event handler function; this function is called for any unexpected
972 * event that needs to be handled out of the SRTP data path. see
973 * srtp_event_t in srtp.h for more info
974 *
975 * it is okay to set srtp_event_handler to NULL, but we set
976 * it to the srtp_event_reporter.
977 */
978
979 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
980
981 err_status_t
982 srtp_install_event_handler(srtp_event_handler_func_t func) {
983
984 /*
985 * note that we accept NULL arguments intentionally - calling this
986 * function with a NULL arguments removes an event handler that's
987 * been previously installed
988 */
989
990 /* set global event handling function */
991 srtp_event_handler = func;
992 return err_status_ok;
993 }
994
995
996 /*
997 * Check if the given extension header id is / should be encrypted.
998 * Returns 1 if yes, otherwise 0.
999 */
1000 static int
1001 srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id) {
1002 int* enc_xtn_hdr = stream->enc_xtn_hdr;
1003 int count = stream->enc_xtn_hdr_count;
1004
1005 if (!enc_xtn_hdr || count <= 0) {
1006 return 0;
1007 }
1008
1009 while (count > 0) {
1010 if (*enc_xtn_hdr == id) {
1011 return 1;
1012 }
1013
1014 enc_xtn_hdr++;
1015 count--;
1016 }
1017 return 0;
1018 }
1019
1020
1021 /*
1022 + * extensions header encryption RFC 6904
1023 */
1024 static err_status_t
1025 srtp_process_header_encryption(srtp_stream_ctx_t *stream, srtp_hdr_xtnd_t *xtn_h dr) {
1026 err_status_t status;
1027 uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */
1028 int keystream_pos;
1029 uint8_t* xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr;
1030 uint8_t* xtn_hdr_end = xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_ t));
1031
1032 if (ntohs(xtn_hdr->profile_specific) == 0xbede) {
1033 /* RFC 5285, section 4.2. One-Byte Header */
1034 while (xtn_hdr_data < xtn_hdr_end) {
1035 uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4;
1036 unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1;
1037 uint32_t xlen_with_header = 1+xlen;
1038 xtn_hdr_data++;
1039
1040 if (xtn_hdr_data + xlen > xtn_hdr_end)
1041 return err_status_parse_err;
1042
1043 if (xid == 15) {
1044 /* found header 15, stop further processing. */
1045 break;
1046 }
1047
1048 status = cipher_output(stream->rtp_xtn_hdr_cipher, keystream, xlen_with_he ader);
1049 if (status)
1050 return err_status_cipher_fail;
1051
1052 if (srtp_protect_extension_header(stream, xid)) {
1053 keystream_pos = 1;
1054 while (xlen > 0) {
1055 *xtn_hdr_data ^= keystream[keystream_pos++];
1056 xtn_hdr_data++;
1057 xlen--;
1058 }
1059 } else {
1060 xtn_hdr_data += xlen;
1061 }
1062
1063 /* skip padding bytes. */
1064 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) {
1065 xtn_hdr_data++;
1066 }
1067 }
1068 } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) {
1069 /* RFC 5285, section 4.3. Two-Byte Header */
1070 while (xtn_hdr_data + 1 < xtn_hdr_end) {
1071 uint8_t xid = *xtn_hdr_data;
1072 unsigned int xlen = *(xtn_hdr_data+1);
1073 uint32_t xlen_with_header = 2+xlen;
1074 xtn_hdr_data += 2;
1075
1076 if (xtn_hdr_data + xlen > xtn_hdr_end)
1077 return err_status_parse_err;
1078
1079 status = cipher_output(stream->rtp_xtn_hdr_cipher, keystream, xlen_with_he ader);
1080 if (status)
1081 return err_status_cipher_fail;
1082
1083 if (xlen > 0 && srtp_protect_extension_header(stream, xid)) {
1084 keystream_pos = 2;
1085 while (xlen > 0) {
1086 *xtn_hdr_data ^= keystream[keystream_pos++];
1087 xtn_hdr_data++;
1088 xlen--;
1089 }
1090 } else {
1091 xtn_hdr_data += xlen;
1092 }
1093
1094 /* skip padding bytes. */
1095 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) {
1096 xtn_hdr_data++;
1097 }
1098 }
1099 } else {
1100 /* unsupported extension header format. */
1101 return err_status_parse_err;
1102 }
1103
1104 return err_status_ok;
1105 }
1106
1107
1108 /*
1109 * AEAD uses a new IV formation method. This function implements
1110 * section 9.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The
1111 * calculation is defined as, where (+) is the xor operation:
1112 *
1113 *
1114 * 0 0 0 0 0 0 0 0 0 0 1 1
1115 * 0 1 2 3 4 5 6 7 8 9 0 1
1116 * +--+--+--+--+--+--+--+--+--+--+--+--+
1117 * |00|00| SSRC | ROC | SEQ |---+
1118 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
1119 * |
1120 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
1121 * | Encryption Salt |->(+)
1122 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
1123 * |
1124 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
1125 * | Initialization Vector |<--+
1126 * +--+--+--+--+--+--+--+--+--+--+--+--+*
1127 *
1128 * Input: *stream - pointer to SRTP stream context, used to retrieve
1129 * the SALT
1130 * *iv - Pointer to receive the calculated IV
1131 * *seq - The ROC and SEQ value to use for the
1132 * IV calculation.
1133 * *hdr - The RTP header, used to get the SSRC value
1134 *
1135 */
1136 static void srtp_calc_aead_iv(srtp_stream_ctx_t *stream, v128_t *iv,
1137 xtd_seq_num_t *seq, srtp_hdr_t *hdr)
1138 {
1139 v128_t in;
1140 v128_t salt;
1141
1142 #ifdef NO_64BIT_MATH
1143 uint32_t local_roc = ((high32(*seq) << 16) |
1144 (low32(*seq) >> 16));
1145 uint16_t local_seq = (uint16_t) (low32(*seq));
1146 #else
1147 uint32_t local_roc = (uint32_t)(*seq >> 16);
1148 uint16_t local_seq = (uint16_t) *seq;
1149 #endif
1150
1151 memset(&in, 0, sizeof(v128_t));
1152 memset(&salt, 0, sizeof(v128_t));
1153
1154 in.v16[5] = htons(local_seq);
1155 local_roc = htonl(local_roc);
1156 memcpy(&in.v16[3], &local_roc, sizeof(local_roc));
1157
1158 /*
1159 * Copy in the RTP SSRC value
1160 */
1161 memcpy(&in.v8[2], &hdr->ssrc, 4);
1162 debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in));
1163
1164 /*
1165 * Get the SALT value from the context
1166 */
1167 memcpy(salt.v8, stream->salt, SRTP_AEAD_SALT_LEN);
1168 debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt));
1169
1170 /*
1171 * Finally, apply tyhe SALT to the input
1172 */
1173 v128_xor(iv, &in, &salt);
1174 }
1175
1176
1177 /*
1178 * This function handles outgoing SRTP packets while in AEAD mode,
1179 * which currently supports AES-GCM encryption. All packets are
1180 * encrypted and authenticated.
1181 */
1182 static err_status_t
1183 srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream,
1184 void *rtp_hdr, unsigned int *pkt_octet_len)
1185 {
1186 srtp_hdr_t *hdr = (srtp_hdr_t*)rtp_hdr;
1187 uint32_t *enc_start; /* pointer to start of encrypted portion */
1188 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
1189 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
1190 int delta; /* delta of local pkt idx and that in hdr */
1191 err_status_t status;
1192 int tag_len;
1193 v128_t iv;
1194 unsigned int aad_len;
1195 srtp_hdr_xtnd_t *xtn_hdr = NULL;
1196
1197 debug_print(mod_srtp, "function srtp_protect_aead", NULL);
1198
1199 /*
1200 * update the key usage limit, and check it to make sure that we
1201 * didn't just hit either the soft limit or the hard limit, and call
1202 * the event handler if we hit either.
1203 */
1204 switch (key_limit_update(stream->limit)) {
1205 case key_event_normal:
1206 break;
1207 case key_event_hard_limit:
1208 srtp_handle_event(ctx, stream, event_key_hard_limit);
1209 return err_status_key_expired;
1210 case key_event_soft_limit:
1211 default:
1212 srtp_handle_event(ctx, stream, event_key_soft_limit);
1213 break;
1214 }
1215
1216 /* get tag length from stream */
1217 tag_len = auth_get_tag_length(stream->rtp_auth);
1218
1219 /*
1220 * find starting point for encryption and length of data to be
1221 * encrypted - the encrypted portion starts after the rtp header
1222 * extension, if present; otherwise, it starts after the last csrc,
1223 * if any are present
1224 */
1225 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc;
1226 if (hdr->x == 1) {
1227 xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
1228 enc_start += (ntohs(xtn_hdr->length) + 1);
1229 }
1230 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len))
1231 return err_status_parse_err;
1232 enc_octet_len = (unsigned int)(*pkt_octet_len -
1233 ((uint8_t*)enc_start - (uint8_t*)hdr));
1234
1235 /*
1236 * estimate the packet index using the start of the replay window
1237 * and the sequence number from the header
1238 */
1239 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
1240 status = rdbx_check(&stream->rtp_rdbx, delta);
1241 if (status) {
1242 if (status != err_status_replay_fail || !stream->allow_repeat_tx) {
1243 return status; /* we've been asked to reuse an index */
1244 }
1245 } else {
1246 rdbx_add_index(&stream->rtp_rdbx, delta);
1247 }
1248
1249 #ifdef NO_64BIT_MATH
1250 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
1251 high32(est), low32(est));
1252 #else
1253 debug_print(mod_srtp, "estimated packet index: %016llx", est);
1254 #endif
1255
1256 /*
1257 * AEAD uses a new IV formation method
1258 */
1259 srtp_calc_aead_iv(stream, &iv, &est, hdr);
1260
1261 /* shift est, put into network byte order */
1262 #ifdef NO_64BIT_MATH
1263 est = be64_to_cpu(make64((high32(est) << 16) |
1264 (low32(est) >> 16),
1265 low32(est) << 16));
1266 #else
1267 est = be64_to_cpu(est << 16);
1268 #endif
1269
1270 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
1271 if (!status && stream->rtp_xtn_hdr_cipher) {
1272 iv.v32[0] = 0;
1273 iv.v32[1] = hdr->ssrc;
1274 iv.v64[1] = est;
1275 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directio n_encrypt);
1276 }
1277 if (status) {
1278 return err_status_cipher_fail;
1279 }
1280
1281 if (xtn_hdr && stream->rtp_xtn_hdr_cipher) {
1282 /*
1283 * extensions header encryption RFC 6904
1284 */
1285 status = srtp_process_header_encryption(stream, xtn_hdr);
1286 if (status) {
1287 return status;
1288 }
1289 }
1290
1291 /*
1292 * Set the AAD over the RTP header
1293 */
1294 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
1295 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len);
1296 if (status) {
1297 return ( err_status_cipher_fail);
1298 }
1299
1300 /* Encrypt the payload */
1301 status = cipher_encrypt(stream->rtp_cipher,
1302 (uint8_t*)enc_start, &enc_octet_len);
1303 if (status) {
1304 return err_status_cipher_fail;
1305 }
1306 /*
1307 * If we're doing GCM, we need to get the tag
1308 * and append that to the output
1309 */
1310 status = cipher_get_tag(stream->rtp_cipher,
1311 (uint8_t*)enc_start+enc_octet_len, &tag_len);
1312 if (status) {
1313 return ( err_status_cipher_fail);
1314 }
1315 enc_octet_len += tag_len;
1316
1317 /* increase the packet length by the length of the auth tag */
1318 *pkt_octet_len += tag_len;
1319
1320 return err_status_ok;
1321 }
1322
1323
1324 /*
1325 * This function handles incoming SRTP packets while in AEAD mode,
1326 * which currently supports AES-GCM encryption. All packets are
1327 * encrypted and authenticated. Note, the auth tag is at the end
1328 * of the packet stream and is automatically checked by GCM
1329 * when decrypting the payload.
1330 */
1331 static err_status_t
1332 srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta,
1333 xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_ len)
1334 {
1335 srtp_hdr_t *hdr = (srtp_hdr_t*)srtp_hdr;
1336 uint32_t *enc_start; /* pointer to start of encrypted portion */
1337 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
1338 v128_t iv;
1339 err_status_t status;
1340 int tag_len;
1341 unsigned int aad_len;
1342 srtp_hdr_xtnd_t *xtn_hdr = NULL;
1343
1344 debug_print(mod_srtp, "function srtp_unprotect_aead", NULL);
1345
1346 #ifdef NO_64BIT_MATH
1347 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), lo w32(est));
1348 #else
1349 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1350 #endif
1351
1352 /* get tag length from stream */
1353 tag_len = auth_get_tag_length(stream->rtp_auth);
1354
1355 /*
1356 * AEAD uses a new IV formation method
1357 */
1358 srtp_calc_aead_iv(stream, &iv, &est, hdr);
1359 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
1360 if (status) {
1361 return err_status_cipher_fail;
1362 }
1363
1364 /*
1365 * find starting point for decryption and length of data to be
1366 * decrypted - the encrypted portion starts after the rtp header
1367 * extension, if present; otherwise, it starts after the last csrc,
1368 * if any are present
1369 */
1370 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc;
1371 if (hdr->x == 1) {
1372 xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
1373 enc_start += (ntohs(xtn_hdr->length) + 1);
1374 }
1375 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
1376 return err_status_parse_err;
1377 /*
1378 * We pass the tag down to the cipher when doing GCM mode
1379 */
1380 enc_octet_len = (unsigned int)(*pkt_octet_len -
1381 ((uint8_t*)enc_start - (uint8_t*)hdr));
1382
1383 /*
1384 * Sanity check the encrypted payload length against
1385 * the tag size. It must always be at least as large
1386 * as the tag length.
1387 */
1388 if (enc_octet_len < (unsigned int) tag_len) {
1389 return err_status_cipher_fail;
1390 }
1391
1392 /*
1393 * update the key usage limit, and check it to make sure that we
1394 * didn't just hit either the soft limit or the hard limit, and call
1395 * the event handler if we hit either.
1396 */
1397 switch (key_limit_update(stream->limit)) {
1398 case key_event_normal:
1399 break;
1400 case key_event_soft_limit:
1401 srtp_handle_event(ctx, stream, event_key_soft_limit);
1402 break;
1403 case key_event_hard_limit:
1404 srtp_handle_event(ctx, stream, event_key_hard_limit);
1405 return err_status_key_expired;
1406 default:
1407 break;
1408 }
1409
1410 /*
1411 * Set the AAD for AES-GCM, which is the RTP header
1412 */
1413 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
1414 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len);
1415 if (!status && stream->rtp_xtn_hdr_cipher) {
1416 iv.v32[0] = 0;
1417 iv.v32[1] = hdr->ssrc;
1418 #ifdef NO_64BIT_MATH
1419 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
1420 low32(est) << 16));
1421 #else
1422 iv.v64[1] = be64_to_cpu(est << 16);
1423 #endif
1424 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directio n_encrypt);
1425 }
1426 if (status) {
1427 return ( err_status_cipher_fail);
1428 }
1429
1430 /* Decrypt the ciphertext. This also checks the auth tag based
1431 * on the AAD we just specified above */
1432 status = cipher_decrypt(stream->rtp_cipher,
1433 (uint8_t*)enc_start, &enc_octet_len);
1434 if (status) {
1435 return status;
1436 }
1437
1438 if (xtn_hdr && stream->rtp_xtn_hdr_cipher) {
1439 /*
1440 * extensions header encryption RFC 6904
1441 */
1442 status = srtp_process_header_encryption(stream, xtn_hdr);
1443 if (status) {
1444 return status;
1445 }
1446 }
1447
1448 /*
1449 * verify that stream is for received traffic - this check will
1450 * detect SSRC collisions, since a stream that appears in both
1451 * srtp_protect() and srtp_unprotect() will fail this test in one of
1452 * those functions.
1453 *
1454 * we do this check *after* the authentication check, so that the
1455 * latter check will catch any attempts to fool us into thinking
1456 * that we've got a collision
1457 */
1458 if (stream->direction != dir_srtp_receiver) {
1459 if (stream->direction == dir_unknown) {
1460 stream->direction = dir_srtp_receiver;
1461 } else {
1462 srtp_handle_event(ctx, stream, event_ssrc_collision);
1463 }
1464 }
1465
1466 /*
1467 * if the stream is a 'provisional' one, in which the template context
1468 * is used, then we need to allocate a new stream at this point, since
1469 * the authentication passed
1470 */
1471 if (stream == ctx->stream_template) {
1472 srtp_stream_ctx_t *new_stream;
1473
1474 /*
1475 * allocate and initialize a new stream
1476 *
1477 * note that we indicate failure if we can't allocate the new
1478 * stream, and some implementations will want to not return
1479 * failure here
1480 */
1481 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream) ;
1482 if (status) {
1483 return status;
1484 }
1485
1486 /* add new stream to the head of the stream_list */
1487 new_stream->next = ctx->stream_list;
1488 ctx->stream_list = new_stream;
1489
1490 /* set stream (the pointer used in this function) */
1491 stream = new_stream;
1492 }
1493
1494 /*
1495 * the message authentication function passed, so add the packet
1496 * index into the replay database
1497 */
1498 rdbx_add_index(&stream->rtp_rdbx, delta);
1499
1500 /* decrease the packet length by the length of the auth tag */
1501 *pkt_octet_len -= tag_len;
1502
1503 return err_status_ok;
1504 }
1505
1506
1507
1508
1509 err_status_t
1510 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
1511 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
1512 uint32_t *enc_start; /* pointer to start of encrypted portion */
1513 uint32_t *auth_start; /* pointer to start of auth. portion */
1514 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
1515 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
1516 int delta; /* delta of local pkt idx and that in hdr */
1517 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1518 err_status_t status;
1519 int tag_len;
1520 srtp_stream_ctx_t *stream;
1521 int prefix_len;
1522 srtp_hdr_xtnd_t *xtn_hdr = NULL;
1523
1524 debug_print(mod_srtp, "function srtp_protect", NULL);
1525
1526 /* we assume the hdr is 32-bit aligned to start */
1527
1528 /* Verify RTP header */
1529 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len);
1530 if (status)
1531 return status;
1532
1533 /* check the packet length - it must at least contain a full header */
1534 if (*pkt_octet_len < octets_in_rtp_header)
1535 return err_status_bad_param;
1536
1537 /*
1538 * look up ssrc in srtp_stream list, and process the packet with
1539 * the appropriate stream. if we haven't seen this stream before,
1540 * there's a template key for this srtp_session, and the cipher
1541 * supports key-sharing, then we assume that a new stream using
1542 * that key has just started up
1543 */
1544 stream = srtp_get_stream(ctx, hdr->ssrc);
1545 if (stream == NULL) {
1546 if (ctx->stream_template != NULL) {
1547 srtp_stream_ctx_t *new_stream;
1548
1549 /* allocate and initialize a new stream */
1550 status = srtp_stream_clone(ctx->stream_template,
1551 hdr->ssrc, &new_stream);
1552 if (status)
1553 return status;
1554
1555 /* add new stream to the head of the stream_list */
1556 new_stream->next = ctx->stream_list;
1557 ctx->stream_list = new_stream;
1558
1559 /* set direction to outbound */
1560 new_stream->direction = dir_srtp_sender;
1561
1562 /* set stream (the pointer used in this function) */
1563 stream = new_stream;
1564 } else {
1565 /* no template stream, so we return an error */
1566 return err_status_no_ctx;
1567 }
1568 }
1569
1570 /*
1571 * verify that stream is for sending traffic - this check will
1572 * detect SSRC collisions, since a stream that appears in both
1573 * srtp_protect() and srtp_unprotect() will fail this test in one of
1574 * those functions.
1575 */
1576 if (stream->direction != dir_srtp_sender) {
1577 if (stream->direction == dir_unknown) {
1578 stream->direction = dir_srtp_sender;
1579 } else {
1580 srtp_handle_event(ctx, stream, event_ssrc_collision);
1581 }
1582 }
1583
1584 /*
1585 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
1586 * the request to our AEAD handler.
1587 */
1588 if (stream->rtp_cipher->algorithm == AES_128_GCM ||
1589 stream->rtp_cipher->algorithm == AES_256_GCM) {
1590 return srtp_protect_aead(ctx, stream, rtp_hdr, (unsigned int*)pkt_octet_le n);
1591 }
1592
1593 /*
1594 * update the key usage limit, and check it to make sure that we
1595 * didn't just hit either the soft limit or the hard limit, and call
1596 * the event handler if we hit either.
1597 */
1598 switch(key_limit_update(stream->limit)) {
1599 case key_event_normal:
1600 break;
1601 case key_event_soft_limit:
1602 srtp_handle_event(ctx, stream, event_key_soft_limit);
1603 break;
1604 case key_event_hard_limit:
1605 srtp_handle_event(ctx, stream, event_key_hard_limit);
1606 return err_status_key_expired;
1607 default:
1608 break;
1609 }
1610
1611 /* get tag length from stream */
1612 tag_len = auth_get_tag_length(stream->rtp_auth);
1613
1614 /*
1615 * find starting point for encryption and length of data to be
1616 * encrypted - the encrypted portion starts after the rtp header
1617 * extension, if present; otherwise, it starts after the last csrc,
1618 * if any are present
1619 *
1620 * if we're not providing confidentiality, set enc_start to NULL
1621 */
1622 if (stream->rtp_services & sec_serv_conf) {
1623 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1624 if (hdr->x == 1) {
1625 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1626 enc_start += (ntohs(xtn_hdr->length) + 1);
1627 }
1628 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len))
1629 return err_status_parse_err;
1630 enc_octet_len = (unsigned int)(*pkt_octet_len -
1631 ((uint8_t*)enc_start - (uint8_t*)hdr));
1632 } else {
1633 enc_start = NULL;
1634 }
1635
1636 /*
1637 * if we're providing authentication, set the auth_start and auth_tag
1638 * pointers to the proper locations; otherwise, set auth_start to NULL
1639 * to indicate that no authentication is needed
1640 */
1641 if (stream->rtp_services & sec_serv_auth) {
1642 auth_start = (uint32_t *)hdr;
1643 auth_tag = (uint8_t *)hdr + *pkt_octet_len;
1644 } else {
1645 auth_start = NULL;
1646 auth_tag = NULL;
1647 }
1648
1649 /*
1650 * estimate the packet index using the start of the replay window
1651 * and the sequence number from the header
1652 */
1653 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
1654 status = rdbx_check(&stream->rtp_rdbx, delta);
1655 if (status) {
1656 if (status != err_status_replay_fail || !stream->allow_repeat_tx)
1657 return status; /* we've been asked to reuse an index */
1658 }
1659 else
1660 rdbx_add_index(&stream->rtp_rdbx, delta);
1661
1662 #ifdef NO_64BIT_MATH
1663 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
1664 high32(est),low32(est));
1665 #else
1666 debug_print(mod_srtp, "estimated packet index: %016llx", est);
1667 #endif
1668
1669 /*
1670 * if we're using rindael counter mode, set nonce and seq
1671 */
1672 if (stream->rtp_cipher->type->id == AES_ICM ||
1673 stream->rtp_cipher->type->id == AES_256_ICM) {
1674 v128_t iv;
1675
1676 iv.v32[0] = 0;
1677 iv.v32[1] = hdr->ssrc;
1678 #ifdef NO_64BIT_MATH
1679 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
1680 low32(est) << 1 6));
1681 #else
1682 iv.v64[1] = be64_to_cpu(est << 16);
1683 #endif
1684 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
1685 if (!status && stream->rtp_xtn_hdr_cipher) {
1686 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directi on_encrypt);
1687 }
1688 } else {
1689 v128_t iv;
1690
1691 /* otherwise, set the index to est */
1692 #ifdef NO_64BIT_MATH
1693 iv.v32[0] = 0;
1694 iv.v32[1] = 0;
1695 #else
1696 iv.v64[0] = 0;
1697 #endif
1698 iv.v64[1] = be64_to_cpu(est);
1699 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
1700 if (!status && stream->rtp_xtn_hdr_cipher) {
1701 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directi on_encrypt);
1702 }
1703 }
1704 if (status)
1705 return err_status_cipher_fail;
1706
1707 /* shift est, put into network byte order */
1708 #ifdef NO_64BIT_MATH
1709 est = be64_to_cpu(make64((high32(est) << 16) |
1710 (low32(est) >> 16),
1711 low32(est) << 16));
1712 #else
1713 est = be64_to_cpu(est << 16);
1714 #endif
1715
1716 /*
1717 * if we're authenticating using a universal hash, put the keystream
1718 * prefix into the authentication tag
1719 */
1720 if (auth_start) {
1721
1722 prefix_len = auth_get_prefix_length(stream->rtp_auth);
1723 if (prefix_len) {
1724 status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len);
1725 if (status)
1726 return err_status_cipher_fail;
1727 debug_print(mod_srtp, "keystream prefix: %s",
1728 octet_string_hex_string(auth_tag, prefix_len));
1729 }
1730 }
1731
1732 if (xtn_hdr && stream->rtp_xtn_hdr_cipher) {
1733 /*
1734 * extensions header encryption RFC 6904
1735 */
1736 status = srtp_process_header_encryption(stream, xtn_hdr);
1737 if (status) {
1738 return status;
1739 }
1740 }
1741
1742 /* if we're encrypting, exor keystream into the message */
1743 if (enc_start) {
1744 status = cipher_encrypt(stream->rtp_cipher,
1745 (uint8_t *)enc_start, &enc_octet_len);
1746 if (status)
1747 return err_status_cipher_fail;
1748 }
1749
1750 /*
1751 * if we're authenticating, run authentication function and put result
1752 * into the auth_tag
1753 */
1754 if (auth_start) {
1755
1756 /* initialize auth func context */
1757 status = auth_start(stream->rtp_auth);
1758 if (status) return status;
1759
1760 /* run auth func over packet */
1761 status = auth_update(stream->rtp_auth,
1762 (uint8_t *)auth_start, *pkt_octet_len);
1763 if (status) return status;
1764
1765 /* run auth func over ROC, put result into auth_tag */
1766 debug_print(mod_srtp, "estimated packet index: %016llx", est);
1767 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);
1768 debug_print(mod_srtp, "srtp auth tag: %s",
1769 octet_string_hex_string(auth_tag, tag_len));
1770 if (status)
1771 return err_status_auth_fail;
1772
1773 }
1774
1775 if (auth_tag) {
1776
1777 /* increase the packet length by the length of the auth tag */
1778 *pkt_octet_len += tag_len;
1779 }
1780
1781 return err_status_ok;
1782 }
1783
1784
1785 err_status_t
1786 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
1787 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
1788 uint32_t *enc_start; /* pointer to start of encrypted portion */
1789 uint32_t *auth_start; /* pointer to start of auth. portion */
1790 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
1791 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1792 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
1793 int delta; /* delta of local pkt idx and that in hdr */
1794 v128_t iv;
1795 err_status_t status;
1796 srtp_stream_ctx_t *stream;
1797 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
1798 int tag_len, prefix_len;
1799 srtp_hdr_xtnd_t *xtn_hdr = NULL;
1800
1801 debug_print(mod_srtp, "function srtp_unprotect", NULL);
1802
1803 /* we assume the hdr is 32-bit aligned to start */
1804
1805 /* Verify RTP header */
1806 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len);
1807 if (status)
1808 return status;
1809
1810 /* check the packet length - it must at least contain a full header */
1811 if (*pkt_octet_len < octets_in_rtp_header)
1812 return err_status_bad_param;
1813
1814 /*
1815 * look up ssrc in srtp_stream list, and process the packet with
1816 * the appropriate stream. if we haven't seen this stream before,
1817 * there's only one key for this srtp_session, and the cipher
1818 * supports key-sharing, then we assume that a new stream using
1819 * that key has just started up
1820 */
1821 stream = srtp_get_stream(ctx, hdr->ssrc);
1822 if (stream == NULL) {
1823 if (ctx->stream_template != NULL) {
1824 stream = ctx->stream_template;
1825 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
1826 hdr->ssrc);
1827
1828 /*
1829 * set estimated packet index to sequence number from header,
1830 * and set delta equal to the same value
1831 */
1832 #ifdef NO_64BIT_MATH
1833 est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq));
1834 delta = low32(est);
1835 #else
1836 est = (xtd_seq_num_t) ntohs(hdr->seq);
1837 delta = (int)est;
1838 #endif
1839 } else {
1840
1841 /*
1842 * no stream corresponding to SSRC found, and we don't do
1843 * key-sharing, so return an error
1844 */
1845 return err_status_no_ctx;
1846 }
1847 } else {
1848
1849 /* estimate packet index from seq. num. in header */
1850 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
1851
1852 /* check replay database */
1853 status = rdbx_check(&stream->rtp_rdbx, delta);
1854 if (status)
1855 return status;
1856 }
1857
1858 #ifdef NO_64BIT_MATH
1859 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32 (est));
1860 #else
1861 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1862 #endif
1863
1864 /*
1865 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
1866 * the request to our AEAD handler.
1867 */
1868 if (stream->rtp_cipher->algorithm == AES_128_GCM ||
1869 stream->rtp_cipher->algorithm == AES_256_GCM) {
1870 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, (unsigned in t*)pkt_octet_len);
1871 }
1872
1873 /* get tag length from stream */
1874 tag_len = auth_get_tag_length(stream->rtp_auth);
1875
1876 /*
1877 * set the cipher's IV properly, depending on whatever cipher we
1878 * happen to be using
1879 */
1880 if (stream->rtp_cipher->type->id == AES_ICM ||
1881 stream->rtp_cipher->type->id == AES_256_ICM) {
1882
1883 /* aes counter mode */
1884 iv.v32[0] = 0;
1885 iv.v32[1] = hdr->ssrc; /* still in network order */
1886 #ifdef NO_64BIT_MATH
1887 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
1888 low32(est) << 16));
1889 #else
1890 iv.v64[1] = be64_to_cpu(est << 16);
1891 #endif
1892 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
1893 if (!status && stream->rtp_xtn_hdr_cipher) {
1894 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directio n_decrypt);
1895 }
1896 } else {
1897
1898 /* no particular format - set the iv to the pakcet index */
1899 #ifdef NO_64BIT_MATH
1900 iv.v32[0] = 0;
1901 iv.v32[1] = 0;
1902 #else
1903 iv.v64[0] = 0;
1904 #endif
1905 iv.v64[1] = be64_to_cpu(est);
1906 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
1907 if (!status && stream->rtp_xtn_hdr_cipher) {
1908 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directio n_decrypt);
1909 }
1910 }
1911 if (status)
1912 return err_status_cipher_fail;
1913
1914 /* shift est, put into network byte order */
1915 #ifdef NO_64BIT_MATH
1916 est = be64_to_cpu(make64((high32(est) << 16) |
1917 (low32(est) >> 16),
1918 low32(est) << 16));
1919 #else
1920 est = be64_to_cpu(est << 16);
1921 #endif
1922
1923 /*
1924 * find starting point for decryption and length of data to be
1925 * decrypted - the encrypted portion starts after the rtp header
1926 * extension, if present; otherwise, it starts after the last csrc,
1927 * if any are present
1928 *
1929 * if we're not providing confidentiality, set enc_start to NULL
1930 */
1931 if (stream->rtp_services & sec_serv_conf) {
1932 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1933 if (hdr->x == 1) {
1934 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1935 enc_start += (ntohs(xtn_hdr->length) + 1);
1936 }
1937 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
1938 return err_status_parse_err;
1939 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len -
1940 ((uint8_t*)enc_start - (uint8_t*)hdr));
1941 } else {
1942 enc_start = NULL;
1943 }
1944
1945 /*
1946 * if we're providing authentication, set the auth_start and auth_tag
1947 * pointers to the proper locations; otherwise, set auth_start to NULL
1948 * to indicate that no authentication is needed
1949 */
1950 if (stream->rtp_services & sec_serv_auth) {
1951 auth_start = (uint32_t *)hdr;
1952 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
1953 } else {
1954 auth_start = NULL;
1955 auth_tag = NULL;
1956 }
1957
1958 /*
1959 * if we expect message authentication, run the authentication
1960 * function and compare the result with the value of the auth_tag
1961 */
1962 if (auth_start) {
1963
1964 /*
1965 * if we're using a universal hash, then we need to compute the
1966 * keystream prefix for encrypting the universal hash output
1967 *
1968 * if the keystream prefix length is zero, then we know that
1969 * the authenticator isn't using a universal hash function
1970 */
1971 if (stream->rtp_auth->prefix_len != 0) {
1972
1973 prefix_len = auth_get_prefix_length(stream->rtp_auth);
1974 status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len);
1975 debug_print(mod_srtp, "keystream prefix: %s",
1976 octet_string_hex_string(tmp_tag, prefix_len));
1977 if (status)
1978 return err_status_cipher_fail;
1979 }
1980
1981 /* initialize auth func context */
1982 status = auth_start(stream->rtp_auth);
1983 if (status) return status;
1984
1985 /* now compute auth function over packet */
1986 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,
1987 *pkt_octet_len - tag_len);
1988
1989 /* run auth func over ROC, then write tmp tag */
1990 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);
1991
1992 debug_print(mod_srtp, "computed auth tag: %s",
1993 octet_string_hex_string(tmp_tag, tag_len));
1994 debug_print(mod_srtp, "packet auth tag: %s",
1995 octet_string_hex_string(auth_tag, tag_len));
1996 if (status)
1997 return err_status_auth_fail;
1998
1999 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
2000 return err_status_auth_fail;
2001 }
2002
2003 /*
2004 * update the key usage limit, and check it to make sure that we
2005 * didn't just hit either the soft limit or the hard limit, and call
2006 * the event handler if we hit either.
2007 */
2008 switch(key_limit_update(stream->limit)) {
2009 case key_event_normal:
2010 break;
2011 case key_event_soft_limit:
2012 srtp_handle_event(ctx, stream, event_key_soft_limit);
2013 break;
2014 case key_event_hard_limit:
2015 srtp_handle_event(ctx, stream, event_key_hard_limit);
2016 return err_status_key_expired;
2017 default:
2018 break;
2019 }
2020
2021 if (xtn_hdr && stream->rtp_xtn_hdr_cipher) {
2022 /*
2023 * extensions header encryption RFC 6904
2024 */
2025 status = srtp_process_header_encryption(stream, xtn_hdr);
2026 if (status) {
2027 return status;
2028 }
2029 }
2030
2031 /* if we're decrypting, add keystream into ciphertext */
2032 if (enc_start) {
2033 status = cipher_decrypt(stream->rtp_cipher,
2034 (uint8_t *)enc_start, &enc_octet_len);
2035 if (status)
2036 return err_status_cipher_fail;
2037 }
2038
2039 /*
2040 * verify that stream is for received traffic - this check will
2041 * detect SSRC collisions, since a stream that appears in both
2042 * srtp_protect() and srtp_unprotect() will fail this test in one of
2043 * those functions.
2044 *
2045 * we do this check *after* the authentication check, so that the
2046 * latter check will catch any attempts to fool us into thinking
2047 * that we've got a collision
2048 */
2049 if (stream->direction != dir_srtp_receiver) {
2050 if (stream->direction == dir_unknown) {
2051 stream->direction = dir_srtp_receiver;
2052 } else {
2053 srtp_handle_event(ctx, stream, event_ssrc_collision);
2054 }
2055 }
2056
2057 /*
2058 * if the stream is a 'provisional' one, in which the template context
2059 * is used, then we need to allocate a new stream at this point, since
2060 * the authentication passed
2061 */
2062 if (stream == ctx->stream_template) {
2063 srtp_stream_ctx_t *new_stream;
2064
2065 /*
2066 * allocate and initialize a new stream
2067 *
2068 * note that we indicate failure if we can't allocate the new
2069 * stream, and some implementations will want to not return
2070 * failure here
2071 */
2072 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2073 if (status)
2074 return status;
2075
2076 /* add new stream to the head of the stream_list */
2077 new_stream->next = ctx->stream_list;
2078 ctx->stream_list = new_stream;
2079
2080 /* set stream (the pointer used in this function) */
2081 stream = new_stream;
2082 }
2083
2084 /*
2085 * the message authentication function passed, so add the packet
2086 * index into the replay database
2087 */
2088 rdbx_add_index(&stream->rtp_rdbx, delta);
2089
2090 /* decrease the packet length by the length of the auth tag */
2091 *pkt_octet_len -= tag_len;
2092
2093 return err_status_ok;
2094 }
2095
2096 err_status_t
2097 srtp_init() {
2098 err_status_t status;
2099
2100 /* initialize crypto kernel */
2101 status = crypto_kernel_init();
2102 if (status)
2103 return status;
2104
2105 /* load srtp debug module into the kernel */
2106 status = crypto_kernel_load_debug_module(&mod_srtp);
2107 if (status)
2108 return status;
2109
2110 return err_status_ok;
2111 }
2112
2113 err_status_t
2114 srtp_shutdown() {
2115 err_status_t status;
2116
2117 /* shut down crypto kernel */
2118 status = crypto_kernel_shutdown();
2119 if (status)
2120 return status;
2121
2122 /* shutting down crypto kernel frees the srtp debug module as well */
2123
2124 return err_status_ok;
2125 }
2126
2127
2128 /*
2129 * The following code is under consideration for removal. See
2130 * SRTP_MAX_TRAILER_LEN
2131 */
2132 #if 0
2133
2134 /*
2135 * srtp_get_trailer_length(&a) returns the number of octets that will
2136 * be added to an RTP packet by the SRTP processing. This value
2137 * is constant for a given srtp_stream_t (i.e. between initializations).
2138 */
2139
2140 int
2141 srtp_get_trailer_length(const srtp_stream_t s) {
2142 return auth_get_tag_length(s->rtp_auth);
2143 }
2144
2145 #endif
2146
2147 /*
2148 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
2149 * to ssrc, or NULL if no stream exists for that ssrc
2150 *
2151 * this is an internal function
2152 */
2153
2154 srtp_stream_ctx_t *
2155 srtp_get_stream(srtp_t srtp, uint32_t ssrc) {
2156 srtp_stream_ctx_t *stream;
2157
2158 /* walk down list until ssrc is found */
2159 stream = srtp->stream_list;
2160 while (stream != NULL) {
2161 if (stream->ssrc == ssrc)
2162 return stream;
2163 stream = stream->next;
2164 }
2165
2166 /* we haven't found our ssrc, so return a null */
2167 return NULL;
2168 }
2169
2170 err_status_t
2171 srtp_dealloc(srtp_t session) {
2172 srtp_stream_ctx_t *stream;
2173 err_status_t status;
2174
2175 /*
2176 * we take a conservative deallocation strategy - if we encounter an
2177 * error deallocating a stream, then we stop trying to deallocate
2178 * memory and just return an error
2179 */
2180
2181 /* walk list of streams, deallocating as we go */
2182 stream = session->stream_list;
2183 while (stream != NULL) {
2184 srtp_stream_t next = stream->next;
2185 status = srtp_stream_dealloc(session, stream);
2186 if (status)
2187 return status;
2188 stream = next;
2189 }
2190
2191 /* deallocate stream template, if there is one */
2192 if (session->stream_template != NULL) {
2193 status = auth_dealloc(session->stream_template->rtcp_auth);
2194 if (status)
2195 return status;
2196 status = cipher_dealloc(session->stream_template->rtcp_cipher);
2197 if (status)
2198 return status;
2199 crypto_free(session->stream_template->limit);
2200 status = cipher_dealloc(session->stream_template->rtp_cipher);
2201 if (status)
2202 return status;
2203 status = auth_dealloc(session->stream_template->rtp_auth);
2204 if (status)
2205 return status;
2206 status = rdbx_dealloc(&session->stream_template->rtp_rdbx);
2207 if (status)
2208 return status;
2209 crypto_free(session->stream_template);
2210 }
2211
2212 /* deallocate session context */
2213 crypto_free(session);
2214
2215 return err_status_ok;
2216 }
2217
2218
2219 err_status_t
2220 srtp_add_stream(srtp_t session,
2221 const srtp_policy_t *policy) {
2222 err_status_t status;
2223 srtp_stream_t tmp;
2224
2225 /* sanity check arguments */
2226 if ((session == NULL) || (policy == NULL) || (policy->key == NULL))
2227 return err_status_bad_param;
2228
2229 /* allocate stream */
2230 status = srtp_stream_alloc(&tmp, policy);
2231 if (status) {
2232 return status;
2233 }
2234
2235 /* initialize stream */
2236 status = srtp_stream_init(tmp, policy);
2237 if (status) {
2238 crypto_free(tmp);
2239 return status;
2240 }
2241
2242 /*
2243 * set the head of the stream list or the template to point to the
2244 * stream that we've just alloced and init'ed, depending on whether
2245 * or not it has a wildcard SSRC value or not
2246 *
2247 * if the template stream has already been set, then the policy is
2248 * inconsistent, so we return a bad_param error code
2249 */
2250 switch (policy->ssrc.type) {
2251 case (ssrc_any_outbound):
2252 if (session->stream_template) {
2253 return err_status_bad_param;
2254 }
2255 session->stream_template = tmp;
2256 session->stream_template->direction = dir_srtp_sender;
2257 break;
2258 case (ssrc_any_inbound):
2259 if (session->stream_template) {
2260 return err_status_bad_param;
2261 }
2262 session->stream_template = tmp;
2263 session->stream_template->direction = dir_srtp_receiver;
2264 break;
2265 case (ssrc_specific):
2266 tmp->next = session->stream_list;
2267 session->stream_list = tmp;
2268 break;
2269 case (ssrc_undefined):
2270 default:
2271 crypto_free(tmp);
2272 return err_status_bad_param;
2273 }
2274
2275 return err_status_ok;
2276 }
2277
2278
2279 err_status_t
2280 srtp_create(srtp_t *session, /* handle for session */
2281 const srtp_policy_t *policy) { /* SRTP policy (list) */
2282 err_status_t stat;
2283 srtp_ctx_t *ctx;
2284
2285 /* sanity check arguments */
2286 if (session == NULL)
2287 return err_status_bad_param;
2288
2289 /* allocate srtp context and set ctx_ptr */
2290 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));
2291 if (ctx == NULL)
2292 return err_status_alloc_fail;
2293 *session = ctx;
2294
2295 /*
2296 * loop over elements in the policy list, allocating and
2297 * initializing a stream for each element
2298 */
2299 ctx->stream_template = NULL;
2300 ctx->stream_list = NULL;
2301 ctx->user_data = NULL;
2302 while (policy != NULL) {
2303
2304 stat = srtp_add_stream(ctx, policy);
2305 if (stat) {
2306 /* clean up everything */
2307 srtp_dealloc(*session);
2308 return stat;
2309 }
2310
2311 /* set policy to next item in list */
2312 policy = policy->next;
2313 }
2314
2315 return err_status_ok;
2316 }
2317
2318
2319 err_status_t
2320 srtp_remove_stream(srtp_t session, uint32_t ssrc) {
2321 srtp_stream_ctx_t *stream, *last_stream;
2322 err_status_t status;
2323
2324 /* sanity check arguments */
2325 if (session == NULL)
2326 return err_status_bad_param;
2327
2328 /* find stream in list; complain if not found */
2329 last_stream = stream = session->stream_list;
2330 while ((stream != NULL) && (ssrc != stream->ssrc)) {
2331 last_stream = stream;
2332 stream = stream->next;
2333 }
2334 if (stream == NULL)
2335 return err_status_no_ctx;
2336
2337 /* remove stream from the list */
2338 if (last_stream == stream)
2339 /* stream was first in list */
2340 session->stream_list = stream->next;
2341 else
2342 last_stream->next = stream->next;
2343
2344 /* deallocate the stream */
2345 status = srtp_stream_dealloc(session, stream);
2346 if (status)
2347 return status;
2348
2349 return err_status_ok;
2350 }
2351
2352
2353 /*
2354 * the default policy - provides a convenient way for callers to use
2355 * the default security policy
2356 *
2357 * this policy is that defined in the current SRTP internet draft.
2358 *
2359 */
2360
2361 /*
2362 * NOTE: cipher_key_len is really key len (128 bits) plus salt len
2363 * (112 bits)
2364 */
2365 /* There are hard-coded 16's for base_key_len in the key generation code */
2366
2367 void
2368 crypto_policy_set_rtp_default(crypto_policy_t *p) {
2369
2370 p->cipher_type = AES_ICM;
2371 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
2372 p->auth_type = HMAC_SHA1;
2373 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
2374 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
2375 p->sec_serv = sec_serv_conf_and_auth;
2376
2377 }
2378
2379 void
2380 crypto_policy_set_rtcp_default(crypto_policy_t *p) {
2381
2382 p->cipher_type = AES_ICM;
2383 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
2384 p->auth_type = HMAC_SHA1;
2385 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
2386 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
2387 p->sec_serv = sec_serv_conf_and_auth;
2388
2389 }
2390
2391 void
2392 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {
2393
2394 /*
2395 * corresponds to RFC 4568
2396 *
2397 * note that this crypto policy is intended for SRTP, but not SRTCP
2398 */
2399
2400 p->cipher_type = AES_ICM;
2401 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
2402 p->auth_type = HMAC_SHA1;
2403 p->auth_key_len = 20; /* 160 bit key */
2404 p->auth_tag_len = 4; /* 32 bit tag */
2405 p->sec_serv = sec_serv_conf_and_auth;
2406
2407 }
2408
2409
2410 void
2411 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {
2412
2413 /*
2414 * corresponds to RFC 4568
2415 *
2416 * note that this crypto policy is intended for SRTP, but not SRTCP
2417 */
2418
2419 p->cipher_type = AES_ICM;
2420 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
2421 p->auth_type = NULL_AUTH;
2422 p->auth_key_len = 0;
2423 p->auth_tag_len = 0;
2424 p->sec_serv = sec_serv_conf;
2425
2426 }
2427
2428
2429 void
2430 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {
2431
2432 /*
2433 * corresponds to RFC 4568
2434 */
2435
2436 p->cipher_type = NULL_CIPHER;
2437 p->cipher_key_len = 0;
2438 p->auth_type = HMAC_SHA1;
2439 p->auth_key_len = 20;
2440 p->auth_tag_len = 10;
2441 p->sec_serv = sec_serv_auth;
2442
2443 }
2444
2445
2446 void
2447 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) {
2448
2449 /*
2450 * corresponds to draft-ietf-avt-big-aes-03.txt
2451 */
2452
2453 p->cipher_type = AES_ICM;
2454 p->cipher_key_len = 46;
2455 p->auth_type = HMAC_SHA1;
2456 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
2457 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
2458 p->sec_serv = sec_serv_conf_and_auth;
2459 }
2460
2461
2462 void
2463 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) {
2464
2465 /*
2466 * corresponds to draft-ietf-avt-big-aes-03.txt
2467 *
2468 * note that this crypto policy is intended for SRTP, but not SRTCP
2469 */
2470
2471 p->cipher_type = AES_ICM;
2472 p->cipher_key_len = 46;
2473 p->auth_type = HMAC_SHA1;
2474 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
2475 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */
2476 p->sec_serv = sec_serv_conf_and_auth;
2477 }
2478
2479 /*
2480 * AES-256 with no authentication.
2481 */
2482 void
2483 crypto_policy_set_aes_cm_256_null_auth (crypto_policy_t *p)
2484 {
2485 p->cipher_type = AES_ICM;
2486 p->cipher_key_len = 46;
2487 p->auth_type = NULL_AUTH;
2488 p->auth_key_len = 0;
2489 p->auth_tag_len = 0;
2490 p->sec_serv = sec_serv_conf;
2491 }
2492
2493 #ifdef OPENSSL
2494 /*
2495 * AES-128 GCM mode with 8 octet auth tag.
2496 */
2497 void
2498 crypto_policy_set_aes_gcm_128_8_auth(crypto_policy_t *p) {
2499 p->cipher_type = AES_128_GCM;
2500 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
2501 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2502 p->auth_key_len = 0;
2503 p->auth_tag_len = 8; /* 8 octet tag length */
2504 p->sec_serv = sec_serv_conf_and_auth;
2505 }
2506
2507 /*
2508 * AES-256 GCM mode with 8 octet auth tag.
2509 */
2510 void
2511 crypto_policy_set_aes_gcm_256_8_auth(crypto_policy_t *p) {
2512 p->cipher_type = AES_256_GCM;
2513 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
2514 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2515 p->auth_key_len = 0;
2516 p->auth_tag_len = 8; /* 8 octet tag length */
2517 p->sec_serv = sec_serv_conf_and_auth;
2518 }
2519
2520 /*
2521 * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption.
2522 */
2523 void
2524 crypto_policy_set_aes_gcm_128_8_only_auth(crypto_policy_t *p) {
2525 p->cipher_type = AES_128_GCM;
2526 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
2527 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2528 p->auth_key_len = 0;
2529 p->auth_tag_len = 8; /* 8 octet tag length */
2530 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
2531 }
2532
2533 /*
2534 * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption.
2535 */
2536 void
2537 crypto_policy_set_aes_gcm_256_8_only_auth(crypto_policy_t *p) {
2538 p->cipher_type = AES_256_GCM;
2539 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
2540 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2541 p->auth_key_len = 0;
2542 p->auth_tag_len = 8; /* 8 octet tag length */
2543 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
2544 }
2545
2546 /*
2547 * AES-128 GCM mode with 16 octet auth tag.
2548 */
2549 void
2550 crypto_policy_set_aes_gcm_128_16_auth(crypto_policy_t *p) {
2551 p->cipher_type = AES_128_GCM;
2552 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
2553 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2554 p->auth_key_len = 0;
2555 p->auth_tag_len = 16; /* 16 octet tag length */
2556 p->sec_serv = sec_serv_conf_and_auth;
2557 }
2558
2559 /*
2560 * AES-256 GCM mode with 16 octet auth tag.
2561 */
2562 void
2563 crypto_policy_set_aes_gcm_256_16_auth(crypto_policy_t *p) {
2564 p->cipher_type = AES_256_GCM;
2565 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
2566 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2567 p->auth_key_len = 0;
2568 p->auth_tag_len = 16; /* 16 octet tag length */
2569 p->sec_serv = sec_serv_conf_and_auth;
2570 }
2571
2572 #endif
2573
2574 /*
2575 * secure rtcp functions
2576 */
2577
2578 /*
2579 * AEAD uses a new IV formation method. This function implements
2580 * section 10.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The
2581 * calculation is defined as, where (+) is the xor operation:
2582 *
2583 * 0 1 2 3 4 5 6 7 8 9 10 11
2584 * +--+--+--+--+--+--+--+--+--+--+--+--+
2585 * |00|00| SSRC |00|00|0+SRTCP Idx|---+
2586 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
2587 * |
2588 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
2589 * | Encryption Salt |->(+)
2590 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
2591 * |
2592 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
2593 * | Initialization Vector |<--+
2594 * +--+--+--+--+--+--+--+--+--+--+--+--+*
2595 *
2596 * Input: *stream - pointer to SRTP stream context, used to retrieve
2597 * the SALT
2598 * *iv - Pointer to recieve the calculated IV
2599 * seq_num - The SEQ value to use for the IV calculation.
2600 * *hdr - The RTP header, used to get the SSRC value
2601 *
2602 */
2603 static void srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv,
2604 uint32_t seq_num, srtcp_hdr_t *hdr)
2605 {
2606 v128_t in;
2607 v128_t salt;
2608
2609 memset(&in, 0, sizeof(v128_t));
2610 memset(&salt, 0, sizeof(v128_t));
2611
2612 in.v16[0] = 0;
2613 memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */
2614 in.v16[3] = 0;
2615 in.v32[2] = 0x7FFFFFFF & htonl(seq_num); /* bit 32 is suppose to be zero */
2616
2617 debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in));
2618
2619 /*
2620 * Get the SALT value from the context
2621 */
2622 memcpy(salt.v8, stream->c_salt, 12);
2623 debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt));
2624
2625 /*
2626 * Finally, apply the SALT to the input
2627 */
2628 v128_xor(iv, &in, &salt);
2629 }
2630
2631 /*
2632 * This code handles AEAD ciphers for outgoing RTCP. We currently support
2633 * AES-GCM mode with 128 or 256 bit keys.
2634 */
2635 static err_status_t
2636 srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream,
2637 void *rtcp_hdr, unsigned int *pkt_octet_len)
2638 {
2639 srtcp_hdr_t *hdr = (srtcp_hdr_t*)rtcp_hdr;
2640 uint32_t *enc_start; /* pointer to start of encrypted portion */
2641 uint32_t *trailer; /* pointer to start of trailer */
2642 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
2643 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
2644 err_status_t status;
2645 int tag_len;
2646 uint32_t seq_num;
2647 v128_t iv;
2648 uint32_t tseq;
2649
2650 /* get tag length from stream context */
2651 tag_len = auth_get_tag_length(stream->rtcp_auth);
2652
2653 /*
2654 * set encryption start and encryption length - if we're not
2655 * providing confidentiality, set enc_start to NULL
2656 */
2657 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header;
2658 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
2659
2660 /* NOTE: hdr->length is not usable - it refers to only the first
2661 RTCP report in the compound packet! */
2662 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
2663 multiples of 32-bits (RFC 3550 6.1) */
2664 trailer = (uint32_t*)((char*)enc_start + enc_octet_len + tag_len);
2665
2666 if (stream->rtcp_services & sec_serv_conf) {
2667 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
2668 } else {
2669 enc_start = NULL;
2670 enc_octet_len = 0;
2671 /* 0 is network-order independant */
2672 *trailer = 0x00000000; /* set encrypt bit */
2673 }
2674
2675 /*
2676 * set the auth_tag pointer to the proper location, which is after
2677 * the payload, but before the trailer
2678 * (note that srtpc *always* provides authentication, unlike srtp)
2679 */
2680 /* Note: This would need to change for optional mikey data */
2681 auth_tag = (uint8_t*)hdr + *pkt_octet_len;
2682
2683 /*
2684 * check sequence number for overruns, and copy it into the packet
2685 * if its value isn't too big
2686 */
2687 status = rdb_increment(&stream->rtcp_rdb);
2688 if (status) {
2689 return status;
2690 }
2691 seq_num = rdb_get_value(&stream->rtcp_rdb);
2692 *trailer |= htonl(seq_num);
2693 debug_print(mod_srtp, "srtcp index: %x", seq_num);
2694
2695 /*
2696 * Calculating the IV and pass it down to the cipher
2697 */
2698 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
2699 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
2700 if (status) {
2701 return err_status_cipher_fail;
2702 }
2703
2704 /*
2705 * Set the AAD for GCM mode
2706 */
2707 if (enc_start) {
2708 /*
2709 * If payload encryption is enabled, then the AAD consist of
2710 * the RTCP header and the seq# at the end of the packet
2711 */
2712 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
2713 octets_in_rtcp_header);
2714 if (status) {
2715 return ( err_status_cipher_fail);
2716 }
2717 } else {
2718 /*
2719 * Since payload encryption is not enabled, we must authenticate
2720 * the entire packet as described in section 10.3 in revision 07
2721 * of the draft.
2722 */
2723 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
2724 *pkt_octet_len);
2725 if (status) {
2726 return ( err_status_cipher_fail);
2727 }
2728 }
2729 /*
2730 * Process the sequence# as AAD
2731 */
2732 tseq = *trailer;
2733 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq,
2734 sizeof(srtcp_trailer_t));
2735 if (status) {
2736 return ( err_status_cipher_fail);
2737 }
2738
2739 /* if we're encrypting, exor keystream into the message */
2740 if (enc_start) {
2741 status = cipher_encrypt(stream->rtcp_cipher,
2742 (uint8_t*)enc_start, &enc_octet_len);
2743 if (status) {
2744 return err_status_cipher_fail;
2745 }
2746 /*
2747 * Get the tag and append that to the output
2748 */
2749 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag,
2750 &tag_len);
2751 if (status) {
2752 return ( err_status_cipher_fail);
2753 }
2754 enc_octet_len += tag_len;
2755 } else {
2756 /*
2757 * Even though we're not encrypting the payload, we need
2758 * to run the cipher to get the auth tag.
2759 */
2760 unsigned int nolen = 0;
2761 status = cipher_encrypt(stream->rtcp_cipher, NULL, &nolen);
2762 if (status) {
2763 return err_status_cipher_fail;
2764 }
2765 /*
2766 * Get the tag and append that to the output
2767 */
2768 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag,
2769 &tag_len);
2770 if (status) {
2771 return ( err_status_cipher_fail);
2772 }
2773 enc_octet_len += tag_len;
2774 }
2775
2776 /* increase the packet length by the length of the auth tag and seq_num*/
2777 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
2778
2779 return err_status_ok;
2780 }
2781
2782 /*
2783 * This function handles incoming SRTCP packets while in AEAD mode,
2784 * which currently supports AES-GCM encryption. Note, the auth tag is
2785 * at the end of the packet stream and is automatically checked by GCM
2786 * when decrypting the payload.
2787 */
2788 static err_status_t
2789 srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream,
2790 void *srtcp_hdr, unsigned int *pkt_octet_len)
2791 {
2792 srtcp_hdr_t *hdr = (srtcp_hdr_t*)srtcp_hdr;
2793 uint32_t *enc_start; /* pointer to start of encrypted portion */
2794 uint32_t *trailer; /* pointer to start of trailer */
2795 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
2796 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
2797 err_status_t status;
2798 int tag_len;
2799 unsigned int tmp_len;
2800 uint32_t seq_num;
2801 v128_t iv;
2802 uint32_t tseq;
2803
2804 /* get tag length from stream context */
2805 tag_len = auth_get_tag_length(stream->rtcp_auth);
2806
2807 /*
2808 * set encryption start, encryption length, and trailer
2809 */
2810 /* index & E (encryption) bit follow normal data. hdr->len
2811 is the number of words (32-bit) in the normal packet minus 1 */
2812 /* This should point trailer to the word past the end of the
2813 normal data. */
2814 /* This would need to be modified for optional mikey data */
2815 /*
2816 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
2817 * multiples of 32-bits (RFC 3550 6.1)
2818 */
2819 trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t)) ;
2820 /*
2821 * We pass the tag down to the cipher when doing GCM mode
2822 */
2823 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header +
2824 sizeof(srtcp_trailer_t));
2825 auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - sizeof(srtcp_trailer_t );
2826
2827 if (*((unsigned char*)trailer) & SRTCP_E_BYTE_BIT) {
2828 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header;
2829 } else {
2830 enc_octet_len = 0;
2831 enc_start = NULL; /* this indicates that there's no encryption */
2832 }
2833
2834 /*
2835 * check the sequence number for replays
2836 */
2837 /* this is easier than dealing with bitfield access */
2838 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
2839 debug_print(mod_srtp, "srtcp index: %x", seq_num);
2840 status = rdb_check(&stream->rtcp_rdb, seq_num);
2841 if (status) {
2842 return status;
2843 }
2844
2845 /*
2846 * Calculate and set the IV
2847 */
2848 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
2849 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
2850 if (status) {
2851 return err_status_cipher_fail;
2852 }
2853
2854 /*
2855 * Set the AAD for GCM mode
2856 */
2857 if (enc_start) {
2858 /*
2859 * If payload encryption is enabled, then the AAD consist of
2860 * the RTCP header and the seq# at the end of the packet
2861 */
2862 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
2863 octets_in_rtcp_header);
2864 if (status) {
2865 return ( err_status_cipher_fail);
2866 }
2867 } else {
2868 /*
2869 * Since payload encryption is not enabled, we must authenticate
2870 * the entire packet as described in section 10.3 in revision 07
2871 * of the draft.
2872 */
2873 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
2874 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_ t)));
2875 if (status) {
2876 return ( err_status_cipher_fail);
2877 }
2878 }
2879
2880 /*
2881 * Process the sequence# as AAD
2882 */
2883 tseq = *trailer;
2884 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq,
2885 sizeof(srtcp_trailer_t));
2886 if (status) {
2887 return ( err_status_cipher_fail);
2888 }
2889
2890 /* if we're decrypting, exor keystream into the message */
2891 if (enc_start) {
2892 status = cipher_decrypt(stream->rtcp_cipher,
2893 (uint8_t*)enc_start, &enc_octet_len);
2894 if (status) {
2895 return status;
2896 }
2897 } else {
2898 /*
2899 * Still need to run the cipher to check the tag
2900 */
2901 tmp_len = tag_len;
2902 status = cipher_decrypt(stream->rtcp_cipher, (uint8_t*)auth_tag,
2903 &tmp_len);
2904 if (status) {
2905 return status;
2906 }
2907 }
2908
2909 /* decrease the packet length by the length of the auth tag and seq_num*/
2910 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
2911
2912 /*
2913 * verify that stream is for received traffic - this check will
2914 * detect SSRC collisions, since a stream that appears in both
2915 * srtp_protect() and srtp_unprotect() will fail this test in one of
2916 * those functions.
2917 *
2918 * we do this check *after* the authentication check, so that the
2919 * latter check will catch any attempts to fool us into thinking
2920 * that we've got a collision
2921 */
2922 if (stream->direction != dir_srtp_receiver) {
2923 if (stream->direction == dir_unknown) {
2924 stream->direction = dir_srtp_receiver;
2925 } else {
2926 srtp_handle_event(ctx, stream, event_ssrc_collision);
2927 }
2928 }
2929
2930 /*
2931 * if the stream is a 'provisional' one, in which the template context
2932 * is used, then we need to allocate a new stream at this point, since
2933 * the authentication passed
2934 */
2935 if (stream == ctx->stream_template) {
2936 srtp_stream_ctx_t *new_stream;
2937
2938 /*
2939 * allocate and initialize a new stream
2940 *
2941 * note that we indicate failure if we can't allocate the new
2942 * stream, and some implementations will want to not return
2943 * failure here
2944 */
2945 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream) ;
2946 if (status) {
2947 return status;
2948 }
2949
2950 /* add new stream to the head of the stream_list */
2951 new_stream->next = ctx->stream_list;
2952 ctx->stream_list = new_stream;
2953
2954 /* set stream (the pointer used in this function) */
2955 stream = new_stream;
2956 }
2957
2958 /* we've passed the authentication check, so add seq_num to the rdb */
2959 rdb_add_index(&stream->rtcp_rdb, seq_num);
2960
2961 return err_status_ok;
2962 }
2963
2964 err_status_t
2965 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
2966 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
2967 uint32_t *enc_start; /* pointer to start of encrypted portion */
2968 uint32_t *auth_start; /* pointer to start of auth. portion */
2969 uint32_t *trailer; /* pointer to start of trailer */
2970 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
2971 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
2972 err_status_t status;
2973 int tag_len;
2974 srtp_stream_ctx_t *stream;
2975 int prefix_len;
2976 uint32_t seq_num;
2977
2978 /* we assume the hdr is 32-bit aligned to start */
2979
2980 /* check the packet length - it must at least contain a full header */
2981 if (*pkt_octet_len < octets_in_rtcp_header)
2982 return err_status_bad_param;
2983
2984 /*
2985 * look up ssrc in srtp_stream list, and process the packet with
2986 * the appropriate stream. if we haven't seen this stream before,
2987 * there's only one key for this srtp_session, and the cipher
2988 * supports key-sharing, then we assume that a new stream using
2989 * that key has just started up
2990 */
2991 stream = srtp_get_stream(ctx, hdr->ssrc);
2992 if (stream == NULL) {
2993 if (ctx->stream_template != NULL) {
2994 srtp_stream_ctx_t *new_stream;
2995
2996 /* allocate and initialize a new stream */
2997 status = srtp_stream_clone(ctx->stream_template,
2998 hdr->ssrc, &new_stream);
2999 if (status)
3000 return status;
3001
3002 /* add new stream to the head of the stream_list */
3003 new_stream->next = ctx->stream_list;
3004 ctx->stream_list = new_stream;
3005
3006 /* set stream (the pointer used in this function) */
3007 stream = new_stream;
3008 } else {
3009 /* no template stream, so we return an error */
3010 return err_status_no_ctx;
3011 }
3012 }
3013
3014 /*
3015 * verify that stream is for sending traffic - this check will
3016 * detect SSRC collisions, since a stream that appears in both
3017 * srtp_protect() and srtp_unprotect() will fail this test in one of
3018 * those functions.
3019 */
3020 if (stream->direction != dir_srtp_sender) {
3021 if (stream->direction == dir_unknown) {
3022 stream->direction = dir_srtp_sender;
3023 } else {
3024 srtp_handle_event(ctx, stream, event_ssrc_collision);
3025 }
3026 }
3027
3028 /*
3029 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
3030 * the request to our AEAD handler.
3031 */
3032 if (stream->rtp_cipher->algorithm == AES_128_GCM ||
3033 stream->rtp_cipher->algorithm == AES_256_GCM) {
3034 return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, (unsigned int*)pkt_oc tet_len);
3035 }
3036
3037 /* get tag length from stream context */
3038 tag_len = auth_get_tag_length(stream->rtcp_auth);
3039
3040 /*
3041 * set encryption start and encryption length - if we're not
3042 * providing confidentiality, set enc_start to NULL
3043 */
3044 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
3045 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
3046
3047 /* all of the packet, except the header, gets encrypted */
3048 /* NOTE: hdr->length is not usable - it refers to only the first
3049 RTCP report in the compound packet! */
3050 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
3051 multiples of 32-bits (RFC 3550 6.1) */
3052 trailer = (uint32_t *) ((char *)enc_start + enc_octet_len);
3053
3054 if (stream->rtcp_services & sec_serv_conf) {
3055 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
3056 } else {
3057 enc_start = NULL;
3058 enc_octet_len = 0;
3059 /* 0 is network-order independant */
3060 *trailer = 0x00000000; /* set encrypt bit */
3061 }
3062
3063 /*
3064 * set the auth_start and auth_tag pointers to the proper locations
3065 * (note that srtpc *always* provides authentication, unlike srtp)
3066 */
3067 /* Note: This would need to change for optional mikey data */
3068 auth_start = (uint32_t *)hdr;
3069 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t);
3070
3071 /* perform EKT processing if needed */
3072 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
3073 rdbx_get_packet_index(&stream->rtp_rdbx));
3074
3075 /*
3076 * check sequence number for overruns, and copy it into the packet
3077 * if its value isn't too big
3078 */
3079 status = rdb_increment(&stream->rtcp_rdb);
3080 if (status)
3081 return status;
3082 seq_num = rdb_get_value(&stream->rtcp_rdb);
3083 *trailer |= htonl(seq_num);
3084 debug_print(mod_srtp, "srtcp index: %x", seq_num);
3085
3086 /*
3087 * if we're using rindael counter mode, set nonce and seq
3088 */
3089 if (stream->rtcp_cipher->type->id == AES_ICM) {
3090 v128_t iv;
3091
3092 iv.v32[0] = 0;
3093 iv.v32[1] = hdr->ssrc; /* still in network order! */
3094 iv.v32[2] = htonl(seq_num >> 16);
3095 iv.v32[3] = htonl(seq_num << 16);
3096 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
3097
3098 } else {
3099 v128_t iv;
3100
3101 /* otherwise, just set the index to seq_num */
3102 iv.v32[0] = 0;
3103 iv.v32[1] = 0;
3104 iv.v32[2] = 0;
3105 iv.v32[3] = htonl(seq_num);
3106 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
3107 }
3108 if (status)
3109 return err_status_cipher_fail;
3110
3111 /*
3112 * if we're authenticating using a universal hash, put the keystream
3113 * prefix into the authentication tag
3114 */
3115
3116 /* if auth_start is non-null, then put keystream into tag */
3117 if (auth_start) {
3118
3119 /* put keystream prefix into auth_tag */
3120 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
3121 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
3122
3123 debug_print(mod_srtp, "keystream prefix: %s",
3124 octet_string_hex_string(auth_tag, prefix_len));
3125
3126 if (status)
3127 return err_status_cipher_fail;
3128 }
3129
3130 /* if we're encrypting, exor keystream into the message */
3131 if (enc_start) {
3132 status = cipher_encrypt(stream->rtcp_cipher,
3133 (uint8_t *)enc_start, &enc_octet_len);
3134 if (status)
3135 return err_status_cipher_fail;
3136 }
3137
3138 /* initialize auth func context */
3139 auth_start(stream->rtcp_auth);
3140
3141 /*
3142 * run auth func over packet (including trailer), and write the
3143 * result at auth_tag
3144 */
3145 status = auth_compute(stream->rtcp_auth,
3146 (uint8_t *)auth_start,
3147 (*pkt_octet_len) + sizeof(srtcp_trailer_t),
3148 auth_tag);
3149 debug_print(mod_srtp, "srtcp auth tag: %s",
3150 octet_string_hex_string(auth_tag, tag_len));
3151 if (status)
3152 return err_status_auth_fail;
3153
3154 /* increase the packet length by the length of the auth tag and seq_num*/
3155 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
3156
3157 return err_status_ok;
3158 }
3159
3160
3161 err_status_t
3162 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
3163 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
3164 uint32_t *enc_start; /* pointer to start of encrypted portion */
3165 uint32_t *auth_start; /* pointer to start of auth. portion */
3166 uint32_t *trailer; /* pointer to start of trailer */
3167 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
3168 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
3169 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
3170 uint8_t tag_copy[SRTP_MAX_TAG_LEN];
3171 err_status_t status;
3172 unsigned int auth_len;
3173 int tag_len;
3174 srtp_stream_ctx_t *stream;
3175 int prefix_len;
3176 uint32_t seq_num;
3177 int e_bit_in_packet; /* whether the E-bit was found in the packet */
3178 int sec_serv_confidentiality; /* whether confidentiality was requested */
3179
3180 /* we assume the hdr is 32-bit aligned to start */
3181
3182 /* check that the length value is sane; we'll check again once we
3183 know the tag length, but we at least want to know that it is
3184 a positive value */
3185 if (*pkt_octet_len < octets_in_rtcp_header + sizeof(srtcp_trailer_t))
3186 return err_status_bad_param;
3187
3188 /*
3189 * look up ssrc in srtp_stream list, and process the packet with
3190 * the appropriate stream. if we haven't seen this stream before,
3191 * there's only one key for this srtp_session, and the cipher
3192 * supports key-sharing, then we assume that a new stream using
3193 * that key has just started up
3194 */
3195 stream = srtp_get_stream(ctx, hdr->ssrc);
3196 if (stream == NULL) {
3197 if (ctx->stream_template != NULL) {
3198 stream = ctx->stream_template;
3199
3200 /*
3201 * check to see if stream_template has an EKT data structure, in
3202 * which case we initialize the template using the EKT policy
3203 * referenced by that data (which consists of decrypting the
3204 * master key from the EKT field)
3205 *
3206 * this function initializes a *provisional* stream, and this
3207 * stream should not be accepted until and unless the packet
3208 * passes its authentication check
3209 */
3210 if (stream->ekt != NULL) {
3211 status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len);
3212 if (status)
3213 return status;
3214 }
3215
3216 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
3217 hdr->ssrc);
3218 } else {
3219 /* no template stream, so we return an error */
3220 return err_status_no_ctx;
3221 }
3222 }
3223
3224 /* get tag length from stream context */
3225 tag_len = auth_get_tag_length(stream->rtcp_auth);
3226
3227 /* check the packet length - it must contain at least a full RTCP
3228 header, an auth tag (if applicable), and the SRTCP encrypted flag
3229 and 31-bit index value */
3230 if (*pkt_octet_len < (int) (octets_in_rtcp_header + tag_len + sizeof(srtcp_tra iler_t))) {
3231 return err_status_bad_param;
3232 }
3233
3234 /*
3235 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
3236 * the request to our AEAD handler.
3237 */
3238 if (stream->rtp_cipher->algorithm == AES_128_GCM ||
3239 stream->rtp_cipher->algorithm == AES_256_GCM) {
3240 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, (unsigned int*)pkt _octet_len);
3241 }
3242
3243 sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
3244 stream->rtcp_services == sec_serv_conf_and_auth;
3245
3246 /*
3247 * set encryption start, encryption length, and trailer
3248 */
3249 enc_octet_len = *pkt_octet_len -
3250 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
3251 /* index & E (encryption) bit follow normal data. hdr->len
3252 is the number of words (32-bit) in the normal packet minus 1 */
3253 /* This should point trailer to the word past the end of the
3254 normal data. */
3255 /* This would need to be modified for optional mikey data */
3256 /*
3257 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
3258 * multiples of 32-bits (RFC 3550 6.1)
3259 */
3260 trailer = (uint32_t *) ((char *) hdr +
3261 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
3262 e_bit_in_packet =
3263 (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
3264 if (e_bit_in_packet != sec_serv_confidentiality) {
3265 return err_status_cant_check;
3266 }
3267 if (sec_serv_confidentiality) {
3268 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
3269 } else {
3270 enc_octet_len = 0;
3271 enc_start = NULL; /* this indicates that there's no encryption */
3272 }
3273
3274 /*
3275 * set the auth_start and auth_tag pointers to the proper locations
3276 * (note that srtcp *always* uses authentication, unlike srtp)
3277 */
3278 auth_start = (uint32_t *)hdr;
3279 auth_len = *pkt_octet_len - tag_len;
3280 auth_tag = (uint8_t *)hdr + auth_len;
3281
3282 /*
3283 * if EKT is in use, then we make a copy of the tag from the packet,
3284 * and then zeroize the location of the base tag
3285 *
3286 * we first re-position the auth_tag pointer so that it points to
3287 * the base tag
3288 */
3289 if (stream->ekt) {
3290 auth_tag -= ekt_octets_after_base_tag(stream->ekt);
3291 memcpy(tag_copy, auth_tag, tag_len);
3292 octet_string_set_to_zero(auth_tag, tag_len);
3293 auth_tag = tag_copy;
3294 auth_len += tag_len;
3295 }
3296
3297 /*
3298 * check the sequence number for replays
3299 */
3300 /* this is easier than dealing with bitfield access */
3301 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
3302 debug_print(mod_srtp, "srtcp index: %x", seq_num);
3303 status = rdb_check(&stream->rtcp_rdb, seq_num);
3304 if (status)
3305 return status;
3306
3307 /*
3308 * if we're using aes counter mode, set nonce and seq
3309 */
3310 if (stream->rtcp_cipher->type->id == AES_ICM) {
3311 v128_t iv;
3312
3313 iv.v32[0] = 0;
3314 iv.v32[1] = hdr->ssrc; /* still in network order! */
3315 iv.v32[2] = htonl(seq_num >> 16);
3316 iv.v32[3] = htonl(seq_num << 16);
3317 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
3318
3319 } else {
3320 v128_t iv;
3321
3322 /* otherwise, just set the index to seq_num */
3323 iv.v32[0] = 0;
3324 iv.v32[1] = 0;
3325 iv.v32[2] = 0;
3326 iv.v32[3] = htonl(seq_num);
3327 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
3328
3329 }
3330 if (status)
3331 return err_status_cipher_fail;
3332
3333 /* initialize auth func context */
3334 auth_start(stream->rtcp_auth);
3335
3336 /* run auth func over packet, put result into tmp_tag */
3337 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
3338 auth_len, tmp_tag);
3339 debug_print(mod_srtp, "srtcp computed tag: %s",
3340 octet_string_hex_string(tmp_tag, tag_len));
3341 if (status)
3342 return err_status_auth_fail;
3343
3344 /* compare the tag just computed with the one in the packet */
3345 debug_print(mod_srtp, "srtcp tag from packet: %s",
3346 octet_string_hex_string(auth_tag, tag_len));
3347 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
3348 return err_status_auth_fail;
3349
3350 /*
3351 * if we're authenticating using a universal hash, put the keystream
3352 * prefix into the authentication tag
3353 */
3354 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
3355 if (prefix_len) {
3356 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
3357 debug_print(mod_srtp, "keystream prefix: %s",
3358 octet_string_hex_string(auth_tag, prefix_len));
3359 if (status)
3360 return err_status_cipher_fail;
3361 }
3362
3363 /* if we're decrypting, exor keystream into the message */
3364 if (enc_start) {
3365 status = cipher_decrypt(stream->rtcp_cipher,
3366 (uint8_t *)enc_start, &enc_octet_len);
3367 if (status)
3368 return err_status_cipher_fail;
3369 }
3370
3371 /* decrease the packet length by the length of the auth tag and seq_num */
3372 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
3373
3374 /*
3375 * if EKT is in effect, subtract the EKT data out of the packet
3376 * length
3377 */
3378 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt);
3379
3380 /*
3381 * verify that stream is for received traffic - this check will
3382 * detect SSRC collisions, since a stream that appears in both
3383 * srtp_protect() and srtp_unprotect() will fail this test in one of
3384 * those functions.
3385 *
3386 * we do this check *after* the authentication check, so that the
3387 * latter check will catch any attempts to fool us into thinking
3388 * that we've got a collision
3389 */
3390 if (stream->direction != dir_srtp_receiver) {
3391 if (stream->direction == dir_unknown) {
3392 stream->direction = dir_srtp_receiver;
3393 } else {
3394 srtp_handle_event(ctx, stream, event_ssrc_collision);
3395 }
3396 }
3397
3398 /*
3399 * if the stream is a 'provisional' one, in which the template context
3400 * is used, then we need to allocate a new stream at this point, since
3401 * the authentication passed
3402 */
3403 if (stream == ctx->stream_template) {
3404 srtp_stream_ctx_t *new_stream;
3405
3406 /*
3407 * allocate and initialize a new stream
3408 *
3409 * note that we indicate failure if we can't allocate the new
3410 * stream, and some implementations will want to not return
3411 * failure here
3412 */
3413 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
3414 if (status)
3415 return status;
3416
3417 /* add new stream to the head of the stream_list */
3418 new_stream->next = ctx->stream_list;
3419 ctx->stream_list = new_stream;
3420
3421 /* set stream (the pointer used in this function) */
3422 stream = new_stream;
3423 }
3424
3425 /* we've passed the authentication check, so add seq_num to the rdb */
3426 rdb_add_index(&stream->rtcp_rdb, seq_num);
3427
3428
3429 return err_status_ok;
3430 }
3431
3432
3433 /*
3434 * user data within srtp_t context
3435 */
3436
3437 void
3438 srtp_set_user_data(srtp_t ctx, void *data) {
3439 ctx->user_data = data;
3440 }
3441
3442 void*
3443 srtp_get_user_data(srtp_t ctx) {
3444 return ctx->user_data;
3445 }
3446
3447
3448 /*
3449 * dtls keying for srtp
3450 */
3451
3452 err_status_t
3453 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
3454 srtp_profile_t profile) {
3455
3456 /* set SRTP policy from the SRTP profile in the key set */
3457 switch(profile) {
3458 case srtp_profile_aes128_cm_sha1_80:
3459 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
3460 break;
3461 case srtp_profile_aes128_cm_sha1_32:
3462 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
3463 break;
3464 case srtp_profile_null_sha1_80:
3465 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
3466 break;
3467 case srtp_profile_aes256_cm_sha1_80:
3468 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
3469 break;
3470 case srtp_profile_aes256_cm_sha1_32:
3471 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
3472 break;
3473 /* the following profiles are not (yet) supported */
3474 case srtp_profile_null_sha1_32:
3475 default:
3476 return err_status_bad_param;
3477 }
3478
3479 return err_status_ok;
3480 }
3481
3482 err_status_t
3483 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
3484 srtp_profile_t profile) {
3485
3486 /* set SRTP policy from the SRTP profile in the key set */
3487 switch(profile) {
3488 case srtp_profile_aes128_cm_sha1_80:
3489 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
3490 break;
3491 case srtp_profile_aes128_cm_sha1_32:
3492 /* We do not honor the 32-bit auth tag request since
3493 * this is not compliant with RFC 3711 */
3494 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
3495 break;
3496 case srtp_profile_null_sha1_80:
3497 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
3498 break;
3499 case srtp_profile_aes256_cm_sha1_80:
3500 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
3501 break;
3502 case srtp_profile_aes256_cm_sha1_32:
3503 /* We do not honor the 32-bit auth tag request since
3504 * this is not compliant with RFC 3711 */
3505 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
3506 break;
3507 /* the following profiles are not (yet) supported */
3508 case srtp_profile_null_sha1_32:
3509 default:
3510 return err_status_bad_param;
3511 }
3512
3513 return err_status_ok;
3514 }
3515
3516 void
3517 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key,
3518 uint8_t *salt, unsigned int bytes_in_salt) {
3519
3520 memcpy(key + bytes_in_key, salt, bytes_in_salt);
3521
3522 }
3523
3524 unsigned int
3525 srtp_profile_get_master_key_length(srtp_profile_t profile) {
3526
3527 switch(profile) {
3528 case srtp_profile_aes128_cm_sha1_80:
3529 return 16;
3530 break;
3531 case srtp_profile_aes128_cm_sha1_32:
3532 return 16;
3533 break;
3534 case srtp_profile_null_sha1_80:
3535 return 16;
3536 break;
3537 case srtp_profile_aes256_cm_sha1_80:
3538 return 32;
3539 break;
3540 case srtp_profile_aes256_cm_sha1_32:
3541 return 32;
3542 break;
3543 /* the following profiles are not (yet) supported */
3544 case srtp_profile_null_sha1_32:
3545 default:
3546 return 0; /* indicate error by returning a zero */
3547 }
3548 }
3549
3550 unsigned int
3551 srtp_profile_get_master_salt_length(srtp_profile_t profile) {
3552
3553 switch(profile) {
3554 case srtp_profile_aes128_cm_sha1_80:
3555 return 14;
3556 break;
3557 case srtp_profile_aes128_cm_sha1_32:
3558 return 14;
3559 break;
3560 case srtp_profile_null_sha1_80:
3561 return 14;
3562 break;
3563 case srtp_profile_aes256_cm_sha1_80:
3564 return 14;
3565 break;
3566 case srtp_profile_aes256_cm_sha1_32:
3567 return 14;
3568 break;
3569 /* the following profiles are not (yet) supported */
3570 case srtp_profile_null_sha1_32:
3571 default:
3572 return 0; /* indicate error by returning a zero */
3573 }
3574 }
OLDNEW
« no previous file with comments | « srtp/srtp/ekt.c ('k') | srtp/tables/aes_tables.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698