OLD | NEW |
| (Empty) |
1 /* | |
2 * srtp.c | |
3 * | |
4 * the secure real-time transport protocol | |
5 * | |
6 * David A. McGrew | |
7 * Cisco Systems, Inc. | |
8 */ | |
9 /* | |
10 * | |
11 * Copyright (c) 2001-2006, Cisco Systems, Inc. | |
12 * All rights reserved. | |
13 * | |
14 * Redistribution and use in source and binary forms, with or without | |
15 * modification, are permitted provided that the following conditions | |
16 * are met: | |
17 * | |
18 * Redistributions of source code must retain the above copyright | |
19 * notice, this list of conditions and the following disclaimer. | |
20 * | |
21 * Redistributions in binary form must reproduce the above | |
22 * copyright notice, this list of conditions and the following | |
23 * disclaimer in the documentation and/or other materials provided | |
24 * with the distribution. | |
25 * | |
26 * Neither the name of the Cisco Systems, Inc. nor the names of its | |
27 * contributors may be used to endorse or promote products derived | |
28 * from this software without specific prior written permission. | |
29 * | |
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | |
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE | |
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, | |
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
41 * OF THE POSSIBILITY OF SUCH DAMAGE. | |
42 * | |
43 */ | |
44 | |
45 | |
46 #include "srtp_priv.h" | |
47 #include "ekt.h" /* for SRTP Encrypted Key Transport */ | |
48 #include "alloc.h" /* for crypto_alloc() */ | |
49 #ifdef OPENSSL | |
50 #include "aes_gcm_ossl.h" /* for AES GCM mode */ | |
51 #endif | |
52 | |
53 #ifndef SRTP_KERNEL | |
54 # include <limits.h> | |
55 # ifdef HAVE_NETINET_IN_H | |
56 # include <netinet/in.h> | |
57 # elif defined(HAVE_WINSOCK2_H) | |
58 # include <winsock2.h> | |
59 # endif | |
60 #endif /* ! SRTP_KERNEL */ | |
61 | |
62 | |
63 /* the debug module for srtp */ | |
64 | |
65 debug_module_t mod_srtp = { | |
66 0, /* debugging is off by default */ | |
67 "srtp" /* printable name for module */ | |
68 }; | |
69 | |
70 #define octets_in_rtp_header 12 | |
71 #define uint32s_in_rtp_header 3 | |
72 #define octets_in_rtcp_header 8 | |
73 #define uint32s_in_rtcp_header 2 | |
74 #define octets_in_rtp_extn_hdr 4 | |
75 | |
76 static err_status_t | |
77 srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) { | |
78 if (*pkt_octet_len < octets_in_rtp_header) | |
79 return err_status_bad_param; | |
80 | |
81 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; | |
82 | |
83 /* Check RTP header length */ | |
84 int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc; | |
85 if (hdr->x == 1) | |
86 rtp_header_len += octets_in_rtp_extn_hdr; | |
87 | |
88 if (*pkt_octet_len < rtp_header_len) | |
89 return err_status_bad_param; | |
90 | |
91 /* Verifing profile length. */ | |
92 if (hdr->x == 1) { | |
93 srtp_hdr_xtnd_t *xtn_hdr = | |
94 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc); | |
95 int profile_len = ntohs(xtn_hdr->length); | |
96 rtp_header_len += profile_len * 4; | |
97 /* profile length counts the number of 32-bit words */ | |
98 if (*pkt_octet_len < rtp_header_len) | |
99 return err_status_bad_param; | |
100 } | |
101 return err_status_ok; | |
102 } | |
103 | |
104 const char *srtp_get_version_string () | |
105 { | |
106 /* | |
107 * Simply return the autotools generated string | |
108 */ | |
109 return SRTP_VER_STRING; | |
110 } | |
111 | |
112 unsigned int srtp_get_version () | |
113 { | |
114 unsigned int major = 0, minor = 0, micro = 0; | |
115 unsigned int rv = 0; | |
116 int parse_rv; | |
117 | |
118 /* | |
119 * Parse the autotools generated version | |
120 */ | |
121 parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, µ); | |
122 if (parse_rv != 3) { | |
123 /* | |
124 * We're expected to parse all 3 version levels. | |
125 * If not, then this must not be an official release. | |
126 * Return all zeros on the version | |
127 */ | |
128 return (0); | |
129 } | |
130 | |
131 /* | |
132 * We allow 8 bits for the major and minor, while | |
133 * allowing 16 bits for the micro. 16 bits for the micro | |
134 * may be beneficial for a continuous delivery model | |
135 * in the future. | |
136 */ | |
137 rv |= (major & 0xFF) << 24; | |
138 rv |= (minor & 0xFF) << 16; | |
139 rv |= micro & 0xFF; | |
140 return rv; | |
141 } | |
142 | |
143 err_status_t | |
144 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, | |
145 const srtp_policy_t *p) { | |
146 srtp_stream_ctx_t *str; | |
147 err_status_t stat; | |
148 | |
149 /* | |
150 * This function allocates the stream context, rtp and rtcp ciphers | |
151 * and auth functions, and key limit structure. If there is a | |
152 * failure during allocation, we free all previously allocated | |
153 * memory and return a failure code. The code could probably | |
154 * be improved, but it works and should be clear. | |
155 */ | |
156 | |
157 /* allocate srtp stream and set str_ptr */ | |
158 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t)); | |
159 if (str == NULL) | |
160 return err_status_alloc_fail; | |
161 *str_ptr = str; | |
162 | |
163 /* allocate cipher */ | |
164 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type, | |
165 &str->rtp_cipher, | |
166 p->rtp.cipher_key_len, | |
167 p->rtp.auth_tag_len); | |
168 if (stat) { | |
169 crypto_free(str); | |
170 return stat; | |
171 } | |
172 | |
173 /* allocate auth function */ | |
174 stat = crypto_kernel_alloc_auth(p->rtp.auth_type, | |
175 &str->rtp_auth, | |
176 p->rtp.auth_key_len, | |
177 p->rtp.auth_tag_len); | |
178 if (stat) { | |
179 cipher_dealloc(str->rtp_cipher); | |
180 crypto_free(str); | |
181 return stat; | |
182 } | |
183 | |
184 /* allocate key limit structure */ | |
185 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t)); | |
186 if (str->limit == NULL) { | |
187 auth_dealloc(str->rtp_auth); | |
188 cipher_dealloc(str->rtp_cipher); | |
189 crypto_free(str); | |
190 return err_status_alloc_fail; | |
191 } | |
192 | |
193 /* | |
194 * ...and now the RTCP-specific initialization - first, allocate | |
195 * the cipher | |
196 */ | |
197 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type, | |
198 &str->rtcp_cipher, | |
199 p->rtcp.cipher_key_len, | |
200 p->rtcp.auth_tag_len); | |
201 if (stat) { | |
202 auth_dealloc(str->rtp_auth); | |
203 cipher_dealloc(str->rtp_cipher); | |
204 crypto_free(str->limit); | |
205 crypto_free(str); | |
206 return stat; | |
207 } | |
208 | |
209 /* allocate auth function */ | |
210 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type, | |
211 &str->rtcp_auth, | |
212 p->rtcp.auth_key_len, | |
213 p->rtcp.auth_tag_len); | |
214 if (stat) { | |
215 cipher_dealloc(str->rtcp_cipher); | |
216 auth_dealloc(str->rtp_auth); | |
217 cipher_dealloc(str->rtp_cipher); | |
218 crypto_free(str->limit); | |
219 crypto_free(str); | |
220 return stat; | |
221 } | |
222 | |
223 /* allocate ekt data associated with stream */ | |
224 stat = ekt_alloc(&str->ekt, p->ekt); | |
225 if (stat) { | |
226 auth_dealloc(str->rtcp_auth); | |
227 cipher_dealloc(str->rtcp_cipher); | |
228 auth_dealloc(str->rtp_auth); | |
229 cipher_dealloc(str->rtp_cipher); | |
230 crypto_free(str->limit); | |
231 crypto_free(str); | |
232 return stat; | |
233 } | |
234 | |
235 if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) { | |
236 cipher_type_id_t enc_xtn_hdr_cipher_type; | |
237 int enc_xtn_hdr_cipher_key_len; | |
238 | |
239 str->enc_xtn_hdr = (int*) crypto_alloc(p->enc_xtn_hdr_count * sizeof(p->enc_
xtn_hdr[0])); | |
240 if (!str->enc_xtn_hdr) { | |
241 auth_dealloc(str->rtcp_auth); | |
242 cipher_dealloc(str->rtcp_cipher); | |
243 auth_dealloc(str->rtp_auth); | |
244 cipher_dealloc(str->rtp_cipher); | |
245 crypto_free(str->limit); | |
246 crypto_free(str); | |
247 return err_status_alloc_fail; | |
248 } | |
249 memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr, p->enc_xtn_hdr_count * sizeof(p->en
c_xtn_hdr[0])); | |
250 str->enc_xtn_hdr_count = p->enc_xtn_hdr_count; | |
251 | |
252 /* For GCM ciphers, the corresponding ICM cipher is used for header extensio
ns encryption. */ | |
253 switch (p->rtp.cipher_type) { | |
254 case AES_128_GCM: | |
255 enc_xtn_hdr_cipher_type = AES_128_ICM; | |
256 enc_xtn_hdr_cipher_key_len = 30; | |
257 break; | |
258 case AES_256_GCM: | |
259 enc_xtn_hdr_cipher_type = AES_256_ICM; | |
260 enc_xtn_hdr_cipher_key_len = 46; | |
261 break; | |
262 default: | |
263 enc_xtn_hdr_cipher_type = p->rtp.cipher_type; | |
264 enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len; | |
265 break; | |
266 } | |
267 | |
268 /* allocate cipher for extensions header encryption */ | |
269 stat = crypto_kernel_alloc_cipher(enc_xtn_hdr_cipher_type, | |
270 &str->rtp_xtn_hdr_cipher, | |
271 enc_xtn_hdr_cipher_key_len, | |
272 0); | |
273 | |
274 if (stat) { | |
275 crypto_free(str->enc_xtn_hdr); | |
276 auth_dealloc(str->rtcp_auth); | |
277 cipher_dealloc(str->rtcp_cipher); | |
278 auth_dealloc(str->rtp_auth); | |
279 cipher_dealloc(str->rtp_cipher); | |
280 crypto_free(str->limit); | |
281 crypto_free(str); | |
282 return stat; | |
283 } | |
284 } else { | |
285 str->rtp_xtn_hdr_cipher = NULL; | |
286 str->enc_xtn_hdr = NULL; | |
287 str->enc_xtn_hdr_count = 0; | |
288 } | |
289 | |
290 return err_status_ok; | |
291 } | |
292 | |
293 err_status_t | |
294 srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) { | |
295 err_status_t status; | |
296 | |
297 /* | |
298 * we use a conservative deallocation strategy - if any deallocation | |
299 * fails, then we report that fact without trying to deallocate | |
300 * anything else | |
301 */ | |
302 | |
303 /* deallocate cipher, if it is not the same as that in template */ | |
304 if (session->stream_template | |
305 && stream->rtp_cipher == session->stream_template->rtp_cipher) { | |
306 /* do nothing */ | |
307 } else { | |
308 status = cipher_dealloc(stream->rtp_cipher); | |
309 if (status) | |
310 return status; | |
311 } | |
312 | |
313 /* deallocate auth function, if it is not the same as that in template */ | |
314 if (session->stream_template | |
315 && stream->rtp_auth == session->stream_template->rtp_auth) { | |
316 /* do nothing */ | |
317 } else { | |
318 status = auth_dealloc(stream->rtp_auth); | |
319 if (status) | |
320 return status; | |
321 } | |
322 | |
323 /* deallocate key usage limit, if it is not the same as that in template */ | |
324 if (session->stream_template | |
325 && stream->limit == session->stream_template->limit) { | |
326 /* do nothing */ | |
327 } else { | |
328 crypto_free(stream->limit); | |
329 } | |
330 | |
331 if (session->stream_template | |
332 && stream->rtp_xtn_hdr_cipher == session->stream_template->rtp_xtn_hdr_cip
her) { | |
333 /* do nothing */ | |
334 } else if (stream->rtp_xtn_hdr_cipher) { | |
335 status = cipher_dealloc(stream->rtp_xtn_hdr_cipher); | |
336 if (status) | |
337 return status; | |
338 } | |
339 | |
340 /* | |
341 * deallocate rtcp cipher, if it is not the same as that in | |
342 * template | |
343 */ | |
344 if (session->stream_template | |
345 && stream->rtcp_cipher == session->stream_template->rtcp_cipher) { | |
346 /* do nothing */ | |
347 } else { | |
348 status = cipher_dealloc(stream->rtcp_cipher); | |
349 if (status) | |
350 return status; | |
351 } | |
352 | |
353 /* | |
354 * deallocate rtcp auth function, if it is not the same as that in | |
355 * template | |
356 */ | |
357 if (session->stream_template | |
358 && stream->rtcp_auth == session->stream_template->rtcp_auth) { | |
359 /* do nothing */ | |
360 } else { | |
361 status = auth_dealloc(stream->rtcp_auth); | |
362 if (status) | |
363 return status; | |
364 } | |
365 | |
366 status = rdbx_dealloc(&stream->rtp_rdbx); | |
367 if (status) | |
368 return status; | |
369 | |
370 /* DAM - need to deallocate EKT here */ | |
371 | |
372 if (session->stream_template | |
373 && stream->enc_xtn_hdr == session->stream_template->enc_xtn_hdr) { | |
374 /* do nothing */ | |
375 } else if (stream->enc_xtn_hdr) { | |
376 crypto_free(stream->enc_xtn_hdr); | |
377 } | |
378 | |
379 /* | |
380 * zeroize the salt value | |
381 */ | |
382 memset(stream->salt, 0, SRTP_AEAD_SALT_LEN); | |
383 memset(stream->c_salt, 0, SRTP_AEAD_SALT_LEN); | |
384 | |
385 | |
386 /* deallocate srtp stream context */ | |
387 crypto_free(stream); | |
388 | |
389 return err_status_ok; | |
390 } | |
391 | |
392 | |
393 /* | |
394 * srtp_stream_clone(stream_template, new) allocates a new stream and | |
395 * initializes it using the cipher and auth of the stream_template | |
396 * | |
397 * the only unique data in a cloned stream is the replay database and | |
398 * the SSRC | |
399 */ | |
400 | |
401 err_status_t | |
402 srtp_stream_clone(const srtp_stream_ctx_t *stream_template, | |
403 uint32_t ssrc, | |
404 srtp_stream_ctx_t **str_ptr) { | |
405 err_status_t status; | |
406 srtp_stream_ctx_t *str; | |
407 | |
408 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc); | |
409 | |
410 /* allocate srtp stream and set str_ptr */ | |
411 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t)); | |
412 if (str == NULL) | |
413 return err_status_alloc_fail; | |
414 *str_ptr = str; | |
415 | |
416 /* set cipher and auth pointers to those of the template */ | |
417 str->rtp_cipher = stream_template->rtp_cipher; | |
418 str->rtp_auth = stream_template->rtp_auth; | |
419 str->rtp_xtn_hdr_cipher = stream_template->rtp_xtn_hdr_cipher; | |
420 str->rtcp_cipher = stream_template->rtcp_cipher; | |
421 str->rtcp_auth = stream_template->rtcp_auth; | |
422 | |
423 /* set key limit to point to that of the template */ | |
424 status = key_limit_clone(stream_template->limit, &str->limit); | |
425 if (status) { | |
426 crypto_free(*str_ptr); | |
427 *str_ptr = NULL; | |
428 return status; | |
429 } | |
430 | |
431 /* initialize replay databases */ | |
432 status = rdbx_init(&str->rtp_rdbx, | |
433 rdbx_get_window_size(&stream_template->rtp_rdbx)); | |
434 if (status) { | |
435 crypto_free(*str_ptr); | |
436 *str_ptr = NULL; | |
437 return status; | |
438 } | |
439 rdb_init(&str->rtcp_rdb); | |
440 str->allow_repeat_tx = stream_template->allow_repeat_tx; | |
441 | |
442 /* set ssrc to that provided */ | |
443 str->ssrc = ssrc; | |
444 | |
445 /* set direction and security services */ | |
446 str->direction = stream_template->direction; | |
447 str->rtp_services = stream_template->rtp_services; | |
448 str->rtcp_services = stream_template->rtcp_services; | |
449 | |
450 /* set pointer to EKT data associated with stream */ | |
451 str->ekt = stream_template->ekt; | |
452 | |
453 /* copy information about extensions header encryption */ | |
454 str->enc_xtn_hdr = stream_template->enc_xtn_hdr; | |
455 str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count; | |
456 | |
457 /* Copy the salt values */ | |
458 memcpy(str->salt, stream_template->salt, SRTP_AEAD_SALT_LEN); | |
459 memcpy(str->c_salt, stream_template->c_salt, SRTP_AEAD_SALT_LEN); | |
460 | |
461 /* defensive coding */ | |
462 str->next = NULL; | |
463 | |
464 return err_status_ok; | |
465 } | |
466 | |
467 | |
468 /* | |
469 * key derivation functions, internal to libSRTP | |
470 * | |
471 * srtp_kdf_t is a key derivation context | |
472 * | |
473 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher | |
474 * described by cipher_id, with the master key k with length in octets keylen. | |
475 * | |
476 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key | |
477 * corresponding to label l and puts it into kl; the length | |
478 * of the key in octets is provided as keylen. this function | |
479 * should be called once for each subkey that is derived. | |
480 * | |
481 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state | |
482 */ | |
483 | |
484 typedef enum { | |
485 label_rtp_encryption = 0x00, | |
486 label_rtp_msg_auth = 0x01, | |
487 label_rtp_salt = 0x02, | |
488 label_rtcp_encryption = 0x03, | |
489 label_rtcp_msg_auth = 0x04, | |
490 label_rtcp_salt = 0x05, | |
491 label_rtp_header_encryption = 0x06, | |
492 label_rtp_header_salt = 0x07 | |
493 } srtp_prf_label; | |
494 | |
495 | |
496 /* | |
497 * srtp_kdf_t represents a key derivation function. The SRTP | |
498 * default KDF is the only one implemented at present. | |
499 */ | |
500 | |
501 typedef struct { | |
502 cipher_t *cipher; /* cipher used for key derivation */ | |
503 } srtp_kdf_t; | |
504 | |
505 err_status_t | |
506 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, i
nt length) { | |
507 | |
508 err_status_t stat; | |
509 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length, 0); | |
510 if (stat) | |
511 return stat; | |
512 | |
513 stat = cipher_init(kdf->cipher, key); | |
514 if (stat) { | |
515 cipher_dealloc(kdf->cipher); | |
516 return stat; | |
517 } | |
518 | |
519 return err_status_ok; | |
520 } | |
521 | |
522 err_status_t | |
523 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, | |
524 uint8_t *key, unsigned int length) { | |
525 | |
526 v128_t nonce; | |
527 err_status_t status; | |
528 | |
529 /* set eigth octet of nonce to <label>, set the rest of it to zero */ | |
530 v128_set_to_zero(&nonce); | |
531 nonce.v8[7] = label; | |
532 | |
533 status = cipher_set_iv(kdf->cipher, &nonce, direction_encrypt); | |
534 if (status) | |
535 return status; | |
536 | |
537 /* generate keystream output */ | |
538 octet_string_set_to_zero(key, length); | |
539 status = cipher_encrypt(kdf->cipher, key, &length); | |
540 if (status) | |
541 return status; | |
542 | |
543 return err_status_ok; | |
544 } | |
545 | |
546 err_status_t | |
547 srtp_kdf_clear(srtp_kdf_t *kdf) { | |
548 err_status_t status; | |
549 status = cipher_dealloc(kdf->cipher); | |
550 if (status) | |
551 return status; | |
552 kdf->cipher = NULL; | |
553 | |
554 return err_status_ok; | |
555 } | |
556 | |
557 /* | |
558 * end of key derivation functions | |
559 */ | |
560 | |
561 #define MAX_SRTP_KEY_LEN 256 | |
562 | |
563 | |
564 /* Get the base key length corresponding to a given combined key+salt | |
565 * length for the given cipher. | |
566 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using | |
567 * AES-128 and short salts; everything else uses a salt length of 14. | |
568 * TODO: key and salt lengths should be separate fields in the policy. */ | |
569 static inline int base_key_length(const cipher_type_t *cipher, int key_length) | |
570 { | |
571 switch (cipher->id) { | |
572 case AES_128_ICM: | |
573 case AES_192_ICM: | |
574 case AES_256_ICM: | |
575 /* The legacy modes are derived from | |
576 * the configured key length on the policy */ | |
577 return key_length - 14; | |
578 break; | |
579 case AES_128_GCM: | |
580 return 16; | |
581 break; | |
582 case AES_256_GCM: | |
583 return 32; | |
584 break; | |
585 default: | |
586 return key_length; | |
587 break; | |
588 } | |
589 } | |
590 | |
591 err_status_t | |
592 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) { | |
593 err_status_t stat; | |
594 srtp_kdf_t kdf; | |
595 uint8_t tmp_key[MAX_SRTP_KEY_LEN]; | |
596 int kdf_keylen = 30, rtp_keylen, rtcp_keylen; | |
597 int rtp_base_key_len, rtp_salt_len; | |
598 int rtcp_base_key_len, rtcp_salt_len; | |
599 | |
600 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ | |
601 /* TODO: kdf algorithm, master key length, and master salt length should | |
602 * be part of srtp_policy_t. */ | |
603 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher); | |
604 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher); | |
605 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen); | |
606 rtp_salt_len = rtp_keylen - rtp_base_key_len; | |
607 | |
608 if (rtp_keylen > kdf_keylen) { | |
609 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ | |
610 } | |
611 | |
612 if (rtcp_keylen > kdf_keylen) { | |
613 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ | |
614 } | |
615 | |
616 debug_print(mod_srtp, "srtp key len: %d", rtp_keylen); | |
617 debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen); | |
618 debug_print(mod_srtp, "base key len: %d", rtp_base_key_len); | |
619 debug_print(mod_srtp, "kdf key len: %d", kdf_keylen); | |
620 debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len); | |
621 | |
622 /* | |
623 * Make sure the key given to us is 'zero' appended. GCM | |
624 * mode uses a shorter master SALT (96 bits), but still relies on | |
625 * the legacy CTR mode KDF, which uses a 112 bit master SALT. | |
626 */ | |
627 memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN); | |
628 memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len)); | |
629 | |
630 /* initialize KDF state */ | |
631 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)tmp_key, kdf_keylen); | |
632 if (stat) { | |
633 return err_status_init_fail; | |
634 } | |
635 | |
636 /* generate encryption key */ | |
637 stat = srtp_kdf_generate(&kdf, label_rtp_encryption, | |
638 tmp_key, rtp_base_key_len); | |
639 if (stat) { | |
640 /* zeroize temp buffer */ | |
641 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
642 return err_status_init_fail; | |
643 } | |
644 debug_print(mod_srtp, "cipher key: %s", | |
645 octet_string_hex_string(tmp_key, rtp_base_key_len)); | |
646 | |
647 /* | |
648 * if the cipher in the srtp context uses a salt, then we need | |
649 * to generate the salt value | |
650 */ | |
651 if (rtp_salt_len > 0) { | |
652 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); | |
653 | |
654 /* generate encryption salt, put after encryption key */ | |
655 stat = srtp_kdf_generate(&kdf, label_rtp_salt, | |
656 tmp_key + rtp_base_key_len, rtp_salt_len); | |
657 if (stat) { | |
658 /* zeroize temp buffer */ | |
659 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
660 return err_status_init_fail; | |
661 } | |
662 memcpy(srtp->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN); | |
663 } | |
664 if (rtp_salt_len > 0) { | |
665 debug_print(mod_srtp, "cipher salt: %s", | |
666 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len
)); | |
667 } | |
668 | |
669 /* initialize cipher */ | |
670 stat = cipher_init(srtp->rtp_cipher, tmp_key); | |
671 if (stat) { | |
672 /* zeroize temp buffer */ | |
673 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
674 return err_status_init_fail; | |
675 } | |
676 | |
677 if (srtp->rtp_xtn_hdr_cipher) { | |
678 /* generate extensions header encryption key */ | |
679 int rtp_xtn_hdr_keylen; | |
680 int rtp_xtn_hdr_base_key_len; | |
681 int rtp_xtn_hdr_salt_len; | |
682 srtp_kdf_t tmp_kdf; | |
683 srtp_kdf_t *xtn_hdr_kdf; | |
684 | |
685 if (srtp->rtp_xtn_hdr_cipher->type != srtp->rtp_cipher->type) { | |
686 /* With GCM ciphers, the header extensions are still encrypted using the c
orresponding ICM cipher. */ | |
687 /* See https://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-17#sect
ion-8.3 */ | |
688 uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN]; | |
689 rtp_xtn_hdr_keylen = cipher_get_key_length(srtp->rtp_xtn_hdr_cipher); | |
690 rtp_xtn_hdr_base_key_len = base_key_length(srtp->rtp_xtn_hdr_cipher->type,
rtp_xtn_hdr_keylen); | |
691 rtp_xtn_hdr_salt_len = rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len; | |
692 memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN); | |
693 memcpy(tmp_xtn_hdr_key, key, (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_
len)); | |
694 xtn_hdr_kdf = &tmp_kdf; | |
695 | |
696 /* initialize KDF state */ | |
697 stat = srtp_kdf_init(xtn_hdr_kdf, AES_ICM, (const uint8_t *)tmp_xtn_hdr_ke
y, kdf_keylen); | |
698 octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN); | |
699 if (stat) { | |
700 return err_status_init_fail; | |
701 } | |
702 } else { | |
703 /* Reuse main KDF. */ | |
704 rtp_xtn_hdr_keylen = rtp_keylen; | |
705 rtp_xtn_hdr_base_key_len = rtp_base_key_len; | |
706 rtp_xtn_hdr_salt_len = rtp_salt_len; | |
707 xtn_hdr_kdf = &kdf; | |
708 } | |
709 | |
710 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption, | |
711 tmp_key, rtp_xtn_hdr_base_key_len); | |
712 if (stat) { | |
713 /* zeroize temp buffer */ | |
714 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
715 return err_status_init_fail; | |
716 } | |
717 debug_print(mod_srtp, "extensions cipher key: %s", | |
718 octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len)); | |
719 | |
720 /* | |
721 * if the cipher in the srtp context uses a salt, then we need | |
722 * to generate the salt value | |
723 */ | |
724 if (rtp_xtn_hdr_salt_len > 0) { | |
725 debug_print(mod_srtp, "found rtp_xtn_hdr_salt_len > 0, generating salt", N
ULL); | |
726 | |
727 /* generate encryption salt, put after encryption key */ | |
728 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt, | |
729 tmp_key + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len); | |
730 if (stat) { | |
731 /* zeroize temp buffer */ | |
732 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
733 return err_status_init_fail; | |
734 } | |
735 } | |
736 if (rtp_xtn_hdr_salt_len > 0) { | |
737 debug_print(mod_srtp, "extensions cipher salt: %s", | |
738 octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_sa
lt_len)); | |
739 } | |
740 | |
741 /* initialize extensions header cipher */ | |
742 stat = cipher_init(srtp->rtp_xtn_hdr_cipher, tmp_key); | |
743 if (stat) { | |
744 /* zeroize temp buffer */ | |
745 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
746 return err_status_init_fail; | |
747 } | |
748 | |
749 if (xtn_hdr_kdf != &kdf) { | |
750 /* release memory for custom header extension encryption kdf */ | |
751 stat = srtp_kdf_clear(xtn_hdr_kdf); | |
752 if (stat) { | |
753 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
754 return err_status_init_fail; | |
755 } | |
756 } | |
757 } | |
758 | |
759 /* generate authentication key */ | |
760 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, | |
761 tmp_key, auth_get_key_length(srtp->rtp_auth)); | |
762 if (stat) { | |
763 /* zeroize temp buffer */ | |
764 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
765 return err_status_init_fail; | |
766 } | |
767 debug_print(mod_srtp, "auth key: %s", | |
768 octet_string_hex_string(tmp_key, | |
769 auth_get_key_length(srtp->rtp_auth))); | |
770 | |
771 /* initialize auth function */ | |
772 stat = auth_init(srtp->rtp_auth, tmp_key); | |
773 if (stat) { | |
774 /* zeroize temp buffer */ | |
775 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
776 return err_status_init_fail; | |
777 } | |
778 | |
779 /* | |
780 * ...now initialize SRTCP keys | |
781 */ | |
782 | |
783 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen); | |
784 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; | |
785 debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len); | |
786 | |
787 /* generate encryption key */ | |
788 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, | |
789 tmp_key, rtcp_base_key_len); | |
790 if (stat) { | |
791 /* zeroize temp buffer */ | |
792 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
793 return err_status_init_fail; | |
794 } | |
795 | |
796 /* | |
797 * if the cipher in the srtp context uses a salt, then we need | |
798 * to generate the salt value | |
799 */ | |
800 if (rtcp_salt_len > 0) { | |
801 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", | |
802 NULL); | |
803 | |
804 /* generate encryption salt, put after encryption key */ | |
805 stat = srtp_kdf_generate(&kdf, label_rtcp_salt, | |
806 tmp_key + rtcp_base_key_len, rtcp_salt_len); | |
807 if (stat) { | |
808 /* zeroize temp buffer */ | |
809 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
810 return err_status_init_fail; | |
811 } | |
812 memcpy(srtp->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN); | |
813 } | |
814 debug_print(mod_srtp, "rtcp cipher key: %s", | |
815 octet_string_hex_string(tmp_key, rtcp_base_key_len)); | |
816 if (rtcp_salt_len > 0) { | |
817 debug_print(mod_srtp, "rtcp cipher salt: %s", | |
818 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_l
en)); | |
819 } | |
820 | |
821 /* initialize cipher */ | |
822 stat = cipher_init(srtp->rtcp_cipher, tmp_key); | |
823 if (stat) { | |
824 /* zeroize temp buffer */ | |
825 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
826 return err_status_init_fail; | |
827 } | |
828 | |
829 /* generate authentication key */ | |
830 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, | |
831 tmp_key, auth_get_key_length(srtp->rtcp_auth)); | |
832 if (stat) { | |
833 /* zeroize temp buffer */ | |
834 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
835 return err_status_init_fail; | |
836 } | |
837 | |
838 debug_print(mod_srtp, "rtcp auth key: %s", | |
839 octet_string_hex_string(tmp_key, | |
840 auth_get_key_length(srtp->rtcp_auth))); | |
841 | |
842 /* initialize auth function */ | |
843 stat = auth_init(srtp->rtcp_auth, tmp_key); | |
844 if (stat) { | |
845 /* zeroize temp buffer */ | |
846 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
847 return err_status_init_fail; | |
848 } | |
849 | |
850 /* clear memory then return */ | |
851 stat = srtp_kdf_clear(&kdf); | |
852 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | |
853 if (stat) | |
854 return err_status_init_fail; | |
855 | |
856 return err_status_ok; | |
857 } | |
858 | |
859 err_status_t | |
860 srtp_stream_init(srtp_stream_ctx_t *srtp, | |
861 const srtp_policy_t *p) { | |
862 err_status_t err; | |
863 | |
864 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", | |
865 p->ssrc.value); | |
866 | |
867 /* initialize replay database */ | |
868 /* window size MUST be at least 64. MAY be larger. Values more than | |
869 * 2^15 aren't meaningful due to how extended sequence numbers are | |
870 * calculated. Let a window size of 0 imply the default value. */ | |
871 | |
872 if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000)) | |
873 return err_status_bad_param; | |
874 | |
875 if (p->window_size != 0) | |
876 err = rdbx_init(&srtp->rtp_rdbx, p->window_size); | |
877 else | |
878 err = rdbx_init(&srtp->rtp_rdbx, 128); | |
879 if (err) return err; | |
880 | |
881 /* initialize key limit to maximum value */ | |
882 #ifdef NO_64BIT_MATH | |
883 { | |
884 uint64_t temp; | |
885 temp = make64(UINT_MAX,UINT_MAX); | |
886 key_limit_set(srtp->limit, temp); | |
887 } | |
888 #else | |
889 key_limit_set(srtp->limit, 0xffffffffffffLL); | |
890 #endif | |
891 | |
892 /* set the SSRC value */ | |
893 srtp->ssrc = htonl(p->ssrc.value); | |
894 | |
895 /* set the security service flags */ | |
896 srtp->rtp_services = p->rtp.sec_serv; | |
897 srtp->rtcp_services = p->rtcp.sec_serv; | |
898 | |
899 /* | |
900 * set direction to unknown - this flag gets checked in srtp_protect(), | |
901 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and | |
902 * gets set appropriately if it is set to unknown. | |
903 */ | |
904 srtp->direction = dir_unknown; | |
905 | |
906 /* initialize SRTCP replay database */ | |
907 rdb_init(&srtp->rtcp_rdb); | |
908 | |
909 /* initialize allow_repeat_tx */ | |
910 /* guard against uninitialized memory: allow only 0 or 1 here */ | |
911 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) { | |
912 rdbx_dealloc(&srtp->rtp_rdbx); | |
913 return err_status_bad_param; | |
914 } | |
915 srtp->allow_repeat_tx = p->allow_repeat_tx; | |
916 | |
917 /* DAM - no RTCP key limit at present */ | |
918 | |
919 /* initialize keys */ | |
920 err = srtp_stream_init_keys(srtp, p->key); | |
921 if (err) { | |
922 rdbx_dealloc(&srtp->rtp_rdbx); | |
923 return err; | |
924 } | |
925 | |
926 /* | |
927 * if EKT is in use, then initialize the EKT data associated with | |
928 * the stream | |
929 */ | |
930 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt); | |
931 if (err) { | |
932 rdbx_dealloc(&srtp->rtp_rdbx); | |
933 return err; | |
934 } | |
935 | |
936 return err_status_ok; | |
937 } | |
938 | |
939 | |
940 /* | |
941 * srtp_event_reporter is an event handler function that merely | |
942 * reports the events that are reported by the callbacks | |
943 */ | |
944 | |
945 void | |
946 srtp_event_reporter(srtp_event_data_t *data) { | |
947 | |
948 err_report(err_level_warning, "srtp: in stream 0x%x: ", | |
949 data->stream->ssrc); | |
950 | |
951 switch(data->event) { | |
952 case event_ssrc_collision: | |
953 err_report(err_level_warning, "\tSSRC collision\n"); | |
954 break; | |
955 case event_key_soft_limit: | |
956 err_report(err_level_warning, "\tkey usage soft limit reached\n"); | |
957 break; | |
958 case event_key_hard_limit: | |
959 err_report(err_level_warning, "\tkey usage hard limit reached\n"); | |
960 break; | |
961 case event_packet_index_limit: | |
962 err_report(err_level_warning, "\tpacket index limit reached\n"); | |
963 break; | |
964 default: | |
965 err_report(err_level_warning, "\tunknown event reported to handler\n"); | |
966 } | |
967 } | |
968 | |
969 /* | |
970 * srtp_event_handler is a global variable holding a pointer to the | |
971 * event handler function; this function is called for any unexpected | |
972 * event that needs to be handled out of the SRTP data path. see | |
973 * srtp_event_t in srtp.h for more info | |
974 * | |
975 * it is okay to set srtp_event_handler to NULL, but we set | |
976 * it to the srtp_event_reporter. | |
977 */ | |
978 | |
979 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter; | |
980 | |
981 err_status_t | |
982 srtp_install_event_handler(srtp_event_handler_func_t func) { | |
983 | |
984 /* | |
985 * note that we accept NULL arguments intentionally - calling this | |
986 * function with a NULL arguments removes an event handler that's | |
987 * been previously installed | |
988 */ | |
989 | |
990 /* set global event handling function */ | |
991 srtp_event_handler = func; | |
992 return err_status_ok; | |
993 } | |
994 | |
995 | |
996 /* | |
997 * Check if the given extension header id is / should be encrypted. | |
998 * Returns 1 if yes, otherwise 0. | |
999 */ | |
1000 static int | |
1001 srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id) { | |
1002 int* enc_xtn_hdr = stream->enc_xtn_hdr; | |
1003 int count = stream->enc_xtn_hdr_count; | |
1004 | |
1005 if (!enc_xtn_hdr || count <= 0) { | |
1006 return 0; | |
1007 } | |
1008 | |
1009 while (count > 0) { | |
1010 if (*enc_xtn_hdr == id) { | |
1011 return 1; | |
1012 } | |
1013 | |
1014 enc_xtn_hdr++; | |
1015 count--; | |
1016 } | |
1017 return 0; | |
1018 } | |
1019 | |
1020 | |
1021 /* | |
1022 + * extensions header encryption RFC 6904 | |
1023 */ | |
1024 static err_status_t | |
1025 srtp_process_header_encryption(srtp_stream_ctx_t *stream, srtp_hdr_xtnd_t *xtn_h
dr) { | |
1026 err_status_t status; | |
1027 uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */ | |
1028 int keystream_pos; | |
1029 uint8_t* xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr; | |
1030 uint8_t* xtn_hdr_end = xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_
t)); | |
1031 | |
1032 if (ntohs(xtn_hdr->profile_specific) == 0xbede) { | |
1033 /* RFC 5285, section 4.2. One-Byte Header */ | |
1034 while (xtn_hdr_data < xtn_hdr_end) { | |
1035 uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4; | |
1036 unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1; | |
1037 uint32_t xlen_with_header = 1+xlen; | |
1038 xtn_hdr_data++; | |
1039 | |
1040 if (xtn_hdr_data + xlen > xtn_hdr_end) | |
1041 return err_status_parse_err; | |
1042 | |
1043 if (xid == 15) { | |
1044 /* found header 15, stop further processing. */ | |
1045 break; | |
1046 } | |
1047 | |
1048 status = cipher_output(stream->rtp_xtn_hdr_cipher, keystream, xlen_with_he
ader); | |
1049 if (status) | |
1050 return err_status_cipher_fail; | |
1051 | |
1052 if (srtp_protect_extension_header(stream, xid)) { | |
1053 keystream_pos = 1; | |
1054 while (xlen > 0) { | |
1055 *xtn_hdr_data ^= keystream[keystream_pos++]; | |
1056 xtn_hdr_data++; | |
1057 xlen--; | |
1058 } | |
1059 } else { | |
1060 xtn_hdr_data += xlen; | |
1061 } | |
1062 | |
1063 /* skip padding bytes. */ | |
1064 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { | |
1065 xtn_hdr_data++; | |
1066 } | |
1067 } | |
1068 } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) { | |
1069 /* RFC 5285, section 4.3. Two-Byte Header */ | |
1070 while (xtn_hdr_data + 1 < xtn_hdr_end) { | |
1071 uint8_t xid = *xtn_hdr_data; | |
1072 unsigned int xlen = *(xtn_hdr_data+1); | |
1073 uint32_t xlen_with_header = 2+xlen; | |
1074 xtn_hdr_data += 2; | |
1075 | |
1076 if (xtn_hdr_data + xlen > xtn_hdr_end) | |
1077 return err_status_parse_err; | |
1078 | |
1079 status = cipher_output(stream->rtp_xtn_hdr_cipher, keystream, xlen_with_he
ader); | |
1080 if (status) | |
1081 return err_status_cipher_fail; | |
1082 | |
1083 if (xlen > 0 && srtp_protect_extension_header(stream, xid)) { | |
1084 keystream_pos = 2; | |
1085 while (xlen > 0) { | |
1086 *xtn_hdr_data ^= keystream[keystream_pos++]; | |
1087 xtn_hdr_data++; | |
1088 xlen--; | |
1089 } | |
1090 } else { | |
1091 xtn_hdr_data += xlen; | |
1092 } | |
1093 | |
1094 /* skip padding bytes. */ | |
1095 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { | |
1096 xtn_hdr_data++; | |
1097 } | |
1098 } | |
1099 } else { | |
1100 /* unsupported extension header format. */ | |
1101 return err_status_parse_err; | |
1102 } | |
1103 | |
1104 return err_status_ok; | |
1105 } | |
1106 | |
1107 | |
1108 /* | |
1109 * AEAD uses a new IV formation method. This function implements | |
1110 * section 9.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The | |
1111 * calculation is defined as, where (+) is the xor operation: | |
1112 * | |
1113 * | |
1114 * 0 0 0 0 0 0 0 0 0 0 1 1 | |
1115 * 0 1 2 3 4 5 6 7 8 9 0 1 | |
1116 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
1117 * |00|00| SSRC | ROC | SEQ |---+ | |
1118 * +--+--+--+--+--+--+--+--+--+--+--+--+ | | |
1119 * | | |
1120 * +--+--+--+--+--+--+--+--+--+--+--+--+ | | |
1121 * | Encryption Salt |->(+) | |
1122 * +--+--+--+--+--+--+--+--+--+--+--+--+ | | |
1123 * | | |
1124 * +--+--+--+--+--+--+--+--+--+--+--+--+ | | |
1125 * | Initialization Vector |<--+ | |
1126 * +--+--+--+--+--+--+--+--+--+--+--+--+* | |
1127 * | |
1128 * Input: *stream - pointer to SRTP stream context, used to retrieve | |
1129 * the SALT | |
1130 * *iv - Pointer to receive the calculated IV | |
1131 * *seq - The ROC and SEQ value to use for the | |
1132 * IV calculation. | |
1133 * *hdr - The RTP header, used to get the SSRC value | |
1134 * | |
1135 */ | |
1136 static void srtp_calc_aead_iv(srtp_stream_ctx_t *stream, v128_t *iv, | |
1137 xtd_seq_num_t *seq, srtp_hdr_t *hdr) | |
1138 { | |
1139 v128_t in; | |
1140 v128_t salt; | |
1141 | |
1142 #ifdef NO_64BIT_MATH | |
1143 uint32_t local_roc = ((high32(*seq) << 16) | | |
1144 (low32(*seq) >> 16)); | |
1145 uint16_t local_seq = (uint16_t) (low32(*seq)); | |
1146 #else | |
1147 uint32_t local_roc = (uint32_t)(*seq >> 16); | |
1148 uint16_t local_seq = (uint16_t) *seq; | |
1149 #endif | |
1150 | |
1151 memset(&in, 0, sizeof(v128_t)); | |
1152 memset(&salt, 0, sizeof(v128_t)); | |
1153 | |
1154 in.v16[5] = htons(local_seq); | |
1155 local_roc = htonl(local_roc); | |
1156 memcpy(&in.v16[3], &local_roc, sizeof(local_roc)); | |
1157 | |
1158 /* | |
1159 * Copy in the RTP SSRC value | |
1160 */ | |
1161 memcpy(&in.v8[2], &hdr->ssrc, 4); | |
1162 debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in)); | |
1163 | |
1164 /* | |
1165 * Get the SALT value from the context | |
1166 */ | |
1167 memcpy(salt.v8, stream->salt, SRTP_AEAD_SALT_LEN); | |
1168 debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt)); | |
1169 | |
1170 /* | |
1171 * Finally, apply tyhe SALT to the input | |
1172 */ | |
1173 v128_xor(iv, &in, &salt); | |
1174 } | |
1175 | |
1176 | |
1177 /* | |
1178 * This function handles outgoing SRTP packets while in AEAD mode, | |
1179 * which currently supports AES-GCM encryption. All packets are | |
1180 * encrypted and authenticated. | |
1181 */ | |
1182 static err_status_t | |
1183 srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, | |
1184 void *rtp_hdr, unsigned int *pkt_octet_len) | |
1185 { | |
1186 srtp_hdr_t *hdr = (srtp_hdr_t*)rtp_hdr; | |
1187 uint32_t *enc_start; /* pointer to start of encrypted portion */ | |
1188 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ | |
1189 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ | |
1190 int delta; /* delta of local pkt idx and that in hdr */ | |
1191 err_status_t status; | |
1192 int tag_len; | |
1193 v128_t iv; | |
1194 unsigned int aad_len; | |
1195 srtp_hdr_xtnd_t *xtn_hdr = NULL; | |
1196 | |
1197 debug_print(mod_srtp, "function srtp_protect_aead", NULL); | |
1198 | |
1199 /* | |
1200 * update the key usage limit, and check it to make sure that we | |
1201 * didn't just hit either the soft limit or the hard limit, and call | |
1202 * the event handler if we hit either. | |
1203 */ | |
1204 switch (key_limit_update(stream->limit)) { | |
1205 case key_event_normal: | |
1206 break; | |
1207 case key_event_hard_limit: | |
1208 srtp_handle_event(ctx, stream, event_key_hard_limit); | |
1209 return err_status_key_expired; | |
1210 case key_event_soft_limit: | |
1211 default: | |
1212 srtp_handle_event(ctx, stream, event_key_soft_limit); | |
1213 break; | |
1214 } | |
1215 | |
1216 /* get tag length from stream */ | |
1217 tag_len = auth_get_tag_length(stream->rtp_auth); | |
1218 | |
1219 /* | |
1220 * find starting point for encryption and length of data to be | |
1221 * encrypted - the encrypted portion starts after the rtp header | |
1222 * extension, if present; otherwise, it starts after the last csrc, | |
1223 * if any are present | |
1224 */ | |
1225 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; | |
1226 if (hdr->x == 1) { | |
1227 xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; | |
1228 enc_start += (ntohs(xtn_hdr->length) + 1); | |
1229 } | |
1230 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len)) | |
1231 return err_status_parse_err; | |
1232 enc_octet_len = (unsigned int)(*pkt_octet_len - | |
1233 ((uint8_t*)enc_start - (uint8_t*)hdr)); | |
1234 | |
1235 /* | |
1236 * estimate the packet index using the start of the replay window | |
1237 * and the sequence number from the header | |
1238 */ | |
1239 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); | |
1240 status = rdbx_check(&stream->rtp_rdbx, delta); | |
1241 if (status) { | |
1242 if (status != err_status_replay_fail || !stream->allow_repeat_tx) { | |
1243 return status; /* we've been asked to reuse an index */ | |
1244 } | |
1245 } else { | |
1246 rdbx_add_index(&stream->rtp_rdbx, delta); | |
1247 } | |
1248 | |
1249 #ifdef NO_64BIT_MATH | |
1250 debug_print2(mod_srtp, "estimated packet index: %08x%08x", | |
1251 high32(est), low32(est)); | |
1252 #else | |
1253 debug_print(mod_srtp, "estimated packet index: %016llx", est); | |
1254 #endif | |
1255 | |
1256 /* | |
1257 * AEAD uses a new IV formation method | |
1258 */ | |
1259 srtp_calc_aead_iv(stream, &iv, &est, hdr); | |
1260 | |
1261 /* shift est, put into network byte order */ | |
1262 #ifdef NO_64BIT_MATH | |
1263 est = be64_to_cpu(make64((high32(est) << 16) | | |
1264 (low32(est) >> 16), | |
1265 low32(est) << 16)); | |
1266 #else | |
1267 est = be64_to_cpu(est << 16); | |
1268 #endif | |
1269 | |
1270 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); | |
1271 if (!status && stream->rtp_xtn_hdr_cipher) { | |
1272 iv.v32[0] = 0; | |
1273 iv.v32[1] = hdr->ssrc; | |
1274 iv.v64[1] = est; | |
1275 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directio
n_encrypt); | |
1276 } | |
1277 if (status) { | |
1278 return err_status_cipher_fail; | |
1279 } | |
1280 | |
1281 if (xtn_hdr && stream->rtp_xtn_hdr_cipher) { | |
1282 /* | |
1283 * extensions header encryption RFC 6904 | |
1284 */ | |
1285 status = srtp_process_header_encryption(stream, xtn_hdr); | |
1286 if (status) { | |
1287 return status; | |
1288 } | |
1289 } | |
1290 | |
1291 /* | |
1292 * Set the AAD over the RTP header | |
1293 */ | |
1294 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; | |
1295 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len); | |
1296 if (status) { | |
1297 return ( err_status_cipher_fail); | |
1298 } | |
1299 | |
1300 /* Encrypt the payload */ | |
1301 status = cipher_encrypt(stream->rtp_cipher, | |
1302 (uint8_t*)enc_start, &enc_octet_len); | |
1303 if (status) { | |
1304 return err_status_cipher_fail; | |
1305 } | |
1306 /* | |
1307 * If we're doing GCM, we need to get the tag | |
1308 * and append that to the output | |
1309 */ | |
1310 status = cipher_get_tag(stream->rtp_cipher, | |
1311 (uint8_t*)enc_start+enc_octet_len, &tag_len); | |
1312 if (status) { | |
1313 return ( err_status_cipher_fail); | |
1314 } | |
1315 enc_octet_len += tag_len; | |
1316 | |
1317 /* increase the packet length by the length of the auth tag */ | |
1318 *pkt_octet_len += tag_len; | |
1319 | |
1320 return err_status_ok; | |
1321 } | |
1322 | |
1323 | |
1324 /* | |
1325 * This function handles incoming SRTP packets while in AEAD mode, | |
1326 * which currently supports AES-GCM encryption. All packets are | |
1327 * encrypted and authenticated. Note, the auth tag is at the end | |
1328 * of the packet stream and is automatically checked by GCM | |
1329 * when decrypting the payload. | |
1330 */ | |
1331 static err_status_t | |
1332 srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, | |
1333 xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_
len) | |
1334 { | |
1335 srtp_hdr_t *hdr = (srtp_hdr_t*)srtp_hdr; | |
1336 uint32_t *enc_start; /* pointer to start of encrypted portion */ | |
1337 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ | |
1338 v128_t iv; | |
1339 err_status_t status; | |
1340 int tag_len; | |
1341 unsigned int aad_len; | |
1342 srtp_hdr_xtnd_t *xtn_hdr = NULL; | |
1343 | |
1344 debug_print(mod_srtp, "function srtp_unprotect_aead", NULL); | |
1345 | |
1346 #ifdef NO_64BIT_MATH | |
1347 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), lo
w32(est)); | |
1348 #else | |
1349 debug_print(mod_srtp, "estimated u_packet index: %016llx", est); | |
1350 #endif | |
1351 | |
1352 /* get tag length from stream */ | |
1353 tag_len = auth_get_tag_length(stream->rtp_auth); | |
1354 | |
1355 /* | |
1356 * AEAD uses a new IV formation method | |
1357 */ | |
1358 srtp_calc_aead_iv(stream, &iv, &est, hdr); | |
1359 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); | |
1360 if (status) { | |
1361 return err_status_cipher_fail; | |
1362 } | |
1363 | |
1364 /* | |
1365 * find starting point for decryption and length of data to be | |
1366 * decrypted - the encrypted portion starts after the rtp header | |
1367 * extension, if present; otherwise, it starts after the last csrc, | |
1368 * if any are present | |
1369 */ | |
1370 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; | |
1371 if (hdr->x == 1) { | |
1372 xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; | |
1373 enc_start += (ntohs(xtn_hdr->length) + 1); | |
1374 } | |
1375 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len))) | |
1376 return err_status_parse_err; | |
1377 /* | |
1378 * We pass the tag down to the cipher when doing GCM mode | |
1379 */ | |
1380 enc_octet_len = (unsigned int)(*pkt_octet_len - | |
1381 ((uint8_t*)enc_start - (uint8_t*)hdr)); | |
1382 | |
1383 /* | |
1384 * Sanity check the encrypted payload length against | |
1385 * the tag size. It must always be at least as large | |
1386 * as the tag length. | |
1387 */ | |
1388 if (enc_octet_len < (unsigned int) tag_len) { | |
1389 return err_status_cipher_fail; | |
1390 } | |
1391 | |
1392 /* | |
1393 * update the key usage limit, and check it to make sure that we | |
1394 * didn't just hit either the soft limit or the hard limit, and call | |
1395 * the event handler if we hit either. | |
1396 */ | |
1397 switch (key_limit_update(stream->limit)) { | |
1398 case key_event_normal: | |
1399 break; | |
1400 case key_event_soft_limit: | |
1401 srtp_handle_event(ctx, stream, event_key_soft_limit); | |
1402 break; | |
1403 case key_event_hard_limit: | |
1404 srtp_handle_event(ctx, stream, event_key_hard_limit); | |
1405 return err_status_key_expired; | |
1406 default: | |
1407 break; | |
1408 } | |
1409 | |
1410 /* | |
1411 * Set the AAD for AES-GCM, which is the RTP header | |
1412 */ | |
1413 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; | |
1414 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len); | |
1415 if (!status && stream->rtp_xtn_hdr_cipher) { | |
1416 iv.v32[0] = 0; | |
1417 iv.v32[1] = hdr->ssrc; | |
1418 #ifdef NO_64BIT_MATH | |
1419 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), | |
1420 low32(est) << 16)); | |
1421 #else | |
1422 iv.v64[1] = be64_to_cpu(est << 16); | |
1423 #endif | |
1424 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directio
n_encrypt); | |
1425 } | |
1426 if (status) { | |
1427 return ( err_status_cipher_fail); | |
1428 } | |
1429 | |
1430 /* Decrypt the ciphertext. This also checks the auth tag based | |
1431 * on the AAD we just specified above */ | |
1432 status = cipher_decrypt(stream->rtp_cipher, | |
1433 (uint8_t*)enc_start, &enc_octet_len); | |
1434 if (status) { | |
1435 return status; | |
1436 } | |
1437 | |
1438 if (xtn_hdr && stream->rtp_xtn_hdr_cipher) { | |
1439 /* | |
1440 * extensions header encryption RFC 6904 | |
1441 */ | |
1442 status = srtp_process_header_encryption(stream, xtn_hdr); | |
1443 if (status) { | |
1444 return status; | |
1445 } | |
1446 } | |
1447 | |
1448 /* | |
1449 * verify that stream is for received traffic - this check will | |
1450 * detect SSRC collisions, since a stream that appears in both | |
1451 * srtp_protect() and srtp_unprotect() will fail this test in one of | |
1452 * those functions. | |
1453 * | |
1454 * we do this check *after* the authentication check, so that the | |
1455 * latter check will catch any attempts to fool us into thinking | |
1456 * that we've got a collision | |
1457 */ | |
1458 if (stream->direction != dir_srtp_receiver) { | |
1459 if (stream->direction == dir_unknown) { | |
1460 stream->direction = dir_srtp_receiver; | |
1461 } else { | |
1462 srtp_handle_event(ctx, stream, event_ssrc_collision); | |
1463 } | |
1464 } | |
1465 | |
1466 /* | |
1467 * if the stream is a 'provisional' one, in which the template context | |
1468 * is used, then we need to allocate a new stream at this point, since | |
1469 * the authentication passed | |
1470 */ | |
1471 if (stream == ctx->stream_template) { | |
1472 srtp_stream_ctx_t *new_stream; | |
1473 | |
1474 /* | |
1475 * allocate and initialize a new stream | |
1476 * | |
1477 * note that we indicate failure if we can't allocate the new | |
1478 * stream, and some implementations will want to not return | |
1479 * failure here | |
1480 */ | |
1481 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream)
; | |
1482 if (status) { | |
1483 return status; | |
1484 } | |
1485 | |
1486 /* add new stream to the head of the stream_list */ | |
1487 new_stream->next = ctx->stream_list; | |
1488 ctx->stream_list = new_stream; | |
1489 | |
1490 /* set stream (the pointer used in this function) */ | |
1491 stream = new_stream; | |
1492 } | |
1493 | |
1494 /* | |
1495 * the message authentication function passed, so add the packet | |
1496 * index into the replay database | |
1497 */ | |
1498 rdbx_add_index(&stream->rtp_rdbx, delta); | |
1499 | |
1500 /* decrease the packet length by the length of the auth tag */ | |
1501 *pkt_octet_len -= tag_len; | |
1502 | |
1503 return err_status_ok; | |
1504 } | |
1505 | |
1506 | |
1507 | |
1508 | |
1509 err_status_t | |
1510 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { | |
1511 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; | |
1512 uint32_t *enc_start; /* pointer to start of encrypted portion */ | |
1513 uint32_t *auth_start; /* pointer to start of auth. portion */ | |
1514 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ | |
1515 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ | |
1516 int delta; /* delta of local pkt idx and that in hdr */ | |
1517 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | |
1518 err_status_t status; | |
1519 int tag_len; | |
1520 srtp_stream_ctx_t *stream; | |
1521 int prefix_len; | |
1522 srtp_hdr_xtnd_t *xtn_hdr = NULL; | |
1523 | |
1524 debug_print(mod_srtp, "function srtp_protect", NULL); | |
1525 | |
1526 /* we assume the hdr is 32-bit aligned to start */ | |
1527 | |
1528 /* Verify RTP header */ | |
1529 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); | |
1530 if (status) | |
1531 return status; | |
1532 | |
1533 /* check the packet length - it must at least contain a full header */ | |
1534 if (*pkt_octet_len < octets_in_rtp_header) | |
1535 return err_status_bad_param; | |
1536 | |
1537 /* | |
1538 * look up ssrc in srtp_stream list, and process the packet with | |
1539 * the appropriate stream. if we haven't seen this stream before, | |
1540 * there's a template key for this srtp_session, and the cipher | |
1541 * supports key-sharing, then we assume that a new stream using | |
1542 * that key has just started up | |
1543 */ | |
1544 stream = srtp_get_stream(ctx, hdr->ssrc); | |
1545 if (stream == NULL) { | |
1546 if (ctx->stream_template != NULL) { | |
1547 srtp_stream_ctx_t *new_stream; | |
1548 | |
1549 /* allocate and initialize a new stream */ | |
1550 status = srtp_stream_clone(ctx->stream_template, | |
1551 hdr->ssrc, &new_stream); | |
1552 if (status) | |
1553 return status; | |
1554 | |
1555 /* add new stream to the head of the stream_list */ | |
1556 new_stream->next = ctx->stream_list; | |
1557 ctx->stream_list = new_stream; | |
1558 | |
1559 /* set direction to outbound */ | |
1560 new_stream->direction = dir_srtp_sender; | |
1561 | |
1562 /* set stream (the pointer used in this function) */ | |
1563 stream = new_stream; | |
1564 } else { | |
1565 /* no template stream, so we return an error */ | |
1566 return err_status_no_ctx; | |
1567 } | |
1568 } | |
1569 | |
1570 /* | |
1571 * verify that stream is for sending traffic - this check will | |
1572 * detect SSRC collisions, since a stream that appears in both | |
1573 * srtp_protect() and srtp_unprotect() will fail this test in one of | |
1574 * those functions. | |
1575 */ | |
1576 if (stream->direction != dir_srtp_sender) { | |
1577 if (stream->direction == dir_unknown) { | |
1578 stream->direction = dir_srtp_sender; | |
1579 } else { | |
1580 srtp_handle_event(ctx, stream, event_ssrc_collision); | |
1581 } | |
1582 } | |
1583 | |
1584 /* | |
1585 * Check if this is an AEAD stream (GCM mode). If so, then dispatch | |
1586 * the request to our AEAD handler. | |
1587 */ | |
1588 if (stream->rtp_cipher->algorithm == AES_128_GCM || | |
1589 stream->rtp_cipher->algorithm == AES_256_GCM) { | |
1590 return srtp_protect_aead(ctx, stream, rtp_hdr, (unsigned int*)pkt_octet_le
n); | |
1591 } | |
1592 | |
1593 /* | |
1594 * update the key usage limit, and check it to make sure that we | |
1595 * didn't just hit either the soft limit or the hard limit, and call | |
1596 * the event handler if we hit either. | |
1597 */ | |
1598 switch(key_limit_update(stream->limit)) { | |
1599 case key_event_normal: | |
1600 break; | |
1601 case key_event_soft_limit: | |
1602 srtp_handle_event(ctx, stream, event_key_soft_limit); | |
1603 break; | |
1604 case key_event_hard_limit: | |
1605 srtp_handle_event(ctx, stream, event_key_hard_limit); | |
1606 return err_status_key_expired; | |
1607 default: | |
1608 break; | |
1609 } | |
1610 | |
1611 /* get tag length from stream */ | |
1612 tag_len = auth_get_tag_length(stream->rtp_auth); | |
1613 | |
1614 /* | |
1615 * find starting point for encryption and length of data to be | |
1616 * encrypted - the encrypted portion starts after the rtp header | |
1617 * extension, if present; otherwise, it starts after the last csrc, | |
1618 * if any are present | |
1619 * | |
1620 * if we're not providing confidentiality, set enc_start to NULL | |
1621 */ | |
1622 if (stream->rtp_services & sec_serv_conf) { | |
1623 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; | |
1624 if (hdr->x == 1) { | |
1625 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; | |
1626 enc_start += (ntohs(xtn_hdr->length) + 1); | |
1627 } | |
1628 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len)) | |
1629 return err_status_parse_err; | |
1630 enc_octet_len = (unsigned int)(*pkt_octet_len - | |
1631 ((uint8_t*)enc_start - (uint8_t*)hdr)); | |
1632 } else { | |
1633 enc_start = NULL; | |
1634 } | |
1635 | |
1636 /* | |
1637 * if we're providing authentication, set the auth_start and auth_tag | |
1638 * pointers to the proper locations; otherwise, set auth_start to NULL | |
1639 * to indicate that no authentication is needed | |
1640 */ | |
1641 if (stream->rtp_services & sec_serv_auth) { | |
1642 auth_start = (uint32_t *)hdr; | |
1643 auth_tag = (uint8_t *)hdr + *pkt_octet_len; | |
1644 } else { | |
1645 auth_start = NULL; | |
1646 auth_tag = NULL; | |
1647 } | |
1648 | |
1649 /* | |
1650 * estimate the packet index using the start of the replay window | |
1651 * and the sequence number from the header | |
1652 */ | |
1653 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); | |
1654 status = rdbx_check(&stream->rtp_rdbx, delta); | |
1655 if (status) { | |
1656 if (status != err_status_replay_fail || !stream->allow_repeat_tx) | |
1657 return status; /* we've been asked to reuse an index */ | |
1658 } | |
1659 else | |
1660 rdbx_add_index(&stream->rtp_rdbx, delta); | |
1661 | |
1662 #ifdef NO_64BIT_MATH | |
1663 debug_print2(mod_srtp, "estimated packet index: %08x%08x", | |
1664 high32(est),low32(est)); | |
1665 #else | |
1666 debug_print(mod_srtp, "estimated packet index: %016llx", est); | |
1667 #endif | |
1668 | |
1669 /* | |
1670 * if we're using rindael counter mode, set nonce and seq | |
1671 */ | |
1672 if (stream->rtp_cipher->type->id == AES_ICM || | |
1673 stream->rtp_cipher->type->id == AES_256_ICM) { | |
1674 v128_t iv; | |
1675 | |
1676 iv.v32[0] = 0; | |
1677 iv.v32[1] = hdr->ssrc; | |
1678 #ifdef NO_64BIT_MATH | |
1679 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), | |
1680 low32(est) << 1
6)); | |
1681 #else | |
1682 iv.v64[1] = be64_to_cpu(est << 16); | |
1683 #endif | |
1684 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); | |
1685 if (!status && stream->rtp_xtn_hdr_cipher) { | |
1686 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directi
on_encrypt); | |
1687 } | |
1688 } else { | |
1689 v128_t iv; | |
1690 | |
1691 /* otherwise, set the index to est */ | |
1692 #ifdef NO_64BIT_MATH | |
1693 iv.v32[0] = 0; | |
1694 iv.v32[1] = 0; | |
1695 #else | |
1696 iv.v64[0] = 0; | |
1697 #endif | |
1698 iv.v64[1] = be64_to_cpu(est); | |
1699 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); | |
1700 if (!status && stream->rtp_xtn_hdr_cipher) { | |
1701 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directi
on_encrypt); | |
1702 } | |
1703 } | |
1704 if (status) | |
1705 return err_status_cipher_fail; | |
1706 | |
1707 /* shift est, put into network byte order */ | |
1708 #ifdef NO_64BIT_MATH | |
1709 est = be64_to_cpu(make64((high32(est) << 16) | | |
1710 (low32(est) >> 16), | |
1711 low32(est) << 16)); | |
1712 #else | |
1713 est = be64_to_cpu(est << 16); | |
1714 #endif | |
1715 | |
1716 /* | |
1717 * if we're authenticating using a universal hash, put the keystream | |
1718 * prefix into the authentication tag | |
1719 */ | |
1720 if (auth_start) { | |
1721 | |
1722 prefix_len = auth_get_prefix_length(stream->rtp_auth); | |
1723 if (prefix_len) { | |
1724 status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len); | |
1725 if (status) | |
1726 return err_status_cipher_fail; | |
1727 debug_print(mod_srtp, "keystream prefix: %s", | |
1728 octet_string_hex_string(auth_tag, prefix_len)); | |
1729 } | |
1730 } | |
1731 | |
1732 if (xtn_hdr && stream->rtp_xtn_hdr_cipher) { | |
1733 /* | |
1734 * extensions header encryption RFC 6904 | |
1735 */ | |
1736 status = srtp_process_header_encryption(stream, xtn_hdr); | |
1737 if (status) { | |
1738 return status; | |
1739 } | |
1740 } | |
1741 | |
1742 /* if we're encrypting, exor keystream into the message */ | |
1743 if (enc_start) { | |
1744 status = cipher_encrypt(stream->rtp_cipher, | |
1745 (uint8_t *)enc_start, &enc_octet_len); | |
1746 if (status) | |
1747 return err_status_cipher_fail; | |
1748 } | |
1749 | |
1750 /* | |
1751 * if we're authenticating, run authentication function and put result | |
1752 * into the auth_tag | |
1753 */ | |
1754 if (auth_start) { | |
1755 | |
1756 /* initialize auth func context */ | |
1757 status = auth_start(stream->rtp_auth); | |
1758 if (status) return status; | |
1759 | |
1760 /* run auth func over packet */ | |
1761 status = auth_update(stream->rtp_auth, | |
1762 (uint8_t *)auth_start, *pkt_octet_len); | |
1763 if (status) return status; | |
1764 | |
1765 /* run auth func over ROC, put result into auth_tag */ | |
1766 debug_print(mod_srtp, "estimated packet index: %016llx", est); | |
1767 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag); | |
1768 debug_print(mod_srtp, "srtp auth tag: %s", | |
1769 octet_string_hex_string(auth_tag, tag_len)); | |
1770 if (status) | |
1771 return err_status_auth_fail; | |
1772 | |
1773 } | |
1774 | |
1775 if (auth_tag) { | |
1776 | |
1777 /* increase the packet length by the length of the auth tag */ | |
1778 *pkt_octet_len += tag_len; | |
1779 } | |
1780 | |
1781 return err_status_ok; | |
1782 } | |
1783 | |
1784 | |
1785 err_status_t | |
1786 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { | |
1787 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; | |
1788 uint32_t *enc_start; /* pointer to start of encrypted portion */ | |
1789 uint32_t *auth_start; /* pointer to start of auth. portion */ | |
1790 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ | |
1791 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | |
1792 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ | |
1793 int delta; /* delta of local pkt idx and that in hdr */ | |
1794 v128_t iv; | |
1795 err_status_t status; | |
1796 srtp_stream_ctx_t *stream; | |
1797 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; | |
1798 int tag_len, prefix_len; | |
1799 srtp_hdr_xtnd_t *xtn_hdr = NULL; | |
1800 | |
1801 debug_print(mod_srtp, "function srtp_unprotect", NULL); | |
1802 | |
1803 /* we assume the hdr is 32-bit aligned to start */ | |
1804 | |
1805 /* Verify RTP header */ | |
1806 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); | |
1807 if (status) | |
1808 return status; | |
1809 | |
1810 /* check the packet length - it must at least contain a full header */ | |
1811 if (*pkt_octet_len < octets_in_rtp_header) | |
1812 return err_status_bad_param; | |
1813 | |
1814 /* | |
1815 * look up ssrc in srtp_stream list, and process the packet with | |
1816 * the appropriate stream. if we haven't seen this stream before, | |
1817 * there's only one key for this srtp_session, and the cipher | |
1818 * supports key-sharing, then we assume that a new stream using | |
1819 * that key has just started up | |
1820 */ | |
1821 stream = srtp_get_stream(ctx, hdr->ssrc); | |
1822 if (stream == NULL) { | |
1823 if (ctx->stream_template != NULL) { | |
1824 stream = ctx->stream_template; | |
1825 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)", | |
1826 hdr->ssrc); | |
1827 | |
1828 /* | |
1829 * set estimated packet index to sequence number from header, | |
1830 * and set delta equal to the same value | |
1831 */ | |
1832 #ifdef NO_64BIT_MATH | |
1833 est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq)); | |
1834 delta = low32(est); | |
1835 #else | |
1836 est = (xtd_seq_num_t) ntohs(hdr->seq); | |
1837 delta = (int)est; | |
1838 #endif | |
1839 } else { | |
1840 | |
1841 /* | |
1842 * no stream corresponding to SSRC found, and we don't do | |
1843 * key-sharing, so return an error | |
1844 */ | |
1845 return err_status_no_ctx; | |
1846 } | |
1847 } else { | |
1848 | |
1849 /* estimate packet index from seq. num. in header */ | |
1850 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); | |
1851 | |
1852 /* check replay database */ | |
1853 status = rdbx_check(&stream->rtp_rdbx, delta); | |
1854 if (status) | |
1855 return status; | |
1856 } | |
1857 | |
1858 #ifdef NO_64BIT_MATH | |
1859 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32
(est)); | |
1860 #else | |
1861 debug_print(mod_srtp, "estimated u_packet index: %016llx", est); | |
1862 #endif | |
1863 | |
1864 /* | |
1865 * Check if this is an AEAD stream (GCM mode). If so, then dispatch | |
1866 * the request to our AEAD handler. | |
1867 */ | |
1868 if (stream->rtp_cipher->algorithm == AES_128_GCM || | |
1869 stream->rtp_cipher->algorithm == AES_256_GCM) { | |
1870 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, (unsigned in
t*)pkt_octet_len); | |
1871 } | |
1872 | |
1873 /* get tag length from stream */ | |
1874 tag_len = auth_get_tag_length(stream->rtp_auth); | |
1875 | |
1876 /* | |
1877 * set the cipher's IV properly, depending on whatever cipher we | |
1878 * happen to be using | |
1879 */ | |
1880 if (stream->rtp_cipher->type->id == AES_ICM || | |
1881 stream->rtp_cipher->type->id == AES_256_ICM) { | |
1882 | |
1883 /* aes counter mode */ | |
1884 iv.v32[0] = 0; | |
1885 iv.v32[1] = hdr->ssrc; /* still in network order */ | |
1886 #ifdef NO_64BIT_MATH | |
1887 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), | |
1888 low32(est) << 16)); | |
1889 #else | |
1890 iv.v64[1] = be64_to_cpu(est << 16); | |
1891 #endif | |
1892 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); | |
1893 if (!status && stream->rtp_xtn_hdr_cipher) { | |
1894 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directio
n_decrypt); | |
1895 } | |
1896 } else { | |
1897 | |
1898 /* no particular format - set the iv to the pakcet index */ | |
1899 #ifdef NO_64BIT_MATH | |
1900 iv.v32[0] = 0; | |
1901 iv.v32[1] = 0; | |
1902 #else | |
1903 iv.v64[0] = 0; | |
1904 #endif | |
1905 iv.v64[1] = be64_to_cpu(est); | |
1906 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); | |
1907 if (!status && stream->rtp_xtn_hdr_cipher) { | |
1908 status = cipher_set_iv(stream->rtp_xtn_hdr_cipher, (uint8_t*)&iv, directio
n_decrypt); | |
1909 } | |
1910 } | |
1911 if (status) | |
1912 return err_status_cipher_fail; | |
1913 | |
1914 /* shift est, put into network byte order */ | |
1915 #ifdef NO_64BIT_MATH | |
1916 est = be64_to_cpu(make64((high32(est) << 16) | | |
1917 (low32(est) >> 16), | |
1918 low32(est) << 16)); | |
1919 #else | |
1920 est = be64_to_cpu(est << 16); | |
1921 #endif | |
1922 | |
1923 /* | |
1924 * find starting point for decryption and length of data to be | |
1925 * decrypted - the encrypted portion starts after the rtp header | |
1926 * extension, if present; otherwise, it starts after the last csrc, | |
1927 * if any are present | |
1928 * | |
1929 * if we're not providing confidentiality, set enc_start to NULL | |
1930 */ | |
1931 if (stream->rtp_services & sec_serv_conf) { | |
1932 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; | |
1933 if (hdr->x == 1) { | |
1934 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; | |
1935 enc_start += (ntohs(xtn_hdr->length) + 1); | |
1936 } | |
1937 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len))) | |
1938 return err_status_parse_err; | |
1939 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - | |
1940 ((uint8_t*)enc_start - (uint8_t*)hdr)); | |
1941 } else { | |
1942 enc_start = NULL; | |
1943 } | |
1944 | |
1945 /* | |
1946 * if we're providing authentication, set the auth_start and auth_tag | |
1947 * pointers to the proper locations; otherwise, set auth_start to NULL | |
1948 * to indicate that no authentication is needed | |
1949 */ | |
1950 if (stream->rtp_services & sec_serv_auth) { | |
1951 auth_start = (uint32_t *)hdr; | |
1952 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len; | |
1953 } else { | |
1954 auth_start = NULL; | |
1955 auth_tag = NULL; | |
1956 } | |
1957 | |
1958 /* | |
1959 * if we expect message authentication, run the authentication | |
1960 * function and compare the result with the value of the auth_tag | |
1961 */ | |
1962 if (auth_start) { | |
1963 | |
1964 /* | |
1965 * if we're using a universal hash, then we need to compute the | |
1966 * keystream prefix for encrypting the universal hash output | |
1967 * | |
1968 * if the keystream prefix length is zero, then we know that | |
1969 * the authenticator isn't using a universal hash function | |
1970 */ | |
1971 if (stream->rtp_auth->prefix_len != 0) { | |
1972 | |
1973 prefix_len = auth_get_prefix_length(stream->rtp_auth); | |
1974 status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len); | |
1975 debug_print(mod_srtp, "keystream prefix: %s", | |
1976 octet_string_hex_string(tmp_tag, prefix_len)); | |
1977 if (status) | |
1978 return err_status_cipher_fail; | |
1979 } | |
1980 | |
1981 /* initialize auth func context */ | |
1982 status = auth_start(stream->rtp_auth); | |
1983 if (status) return status; | |
1984 | |
1985 /* now compute auth function over packet */ | |
1986 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start, | |
1987 *pkt_octet_len - tag_len); | |
1988 | |
1989 /* run auth func over ROC, then write tmp tag */ | |
1990 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag); | |
1991 | |
1992 debug_print(mod_srtp, "computed auth tag: %s", | |
1993 octet_string_hex_string(tmp_tag, tag_len)); | |
1994 debug_print(mod_srtp, "packet auth tag: %s", | |
1995 octet_string_hex_string(auth_tag, tag_len)); | |
1996 if (status) | |
1997 return err_status_auth_fail; | |
1998 | |
1999 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) | |
2000 return err_status_auth_fail; | |
2001 } | |
2002 | |
2003 /* | |
2004 * update the key usage limit, and check it to make sure that we | |
2005 * didn't just hit either the soft limit or the hard limit, and call | |
2006 * the event handler if we hit either. | |
2007 */ | |
2008 switch(key_limit_update(stream->limit)) { | |
2009 case key_event_normal: | |
2010 break; | |
2011 case key_event_soft_limit: | |
2012 srtp_handle_event(ctx, stream, event_key_soft_limit); | |
2013 break; | |
2014 case key_event_hard_limit: | |
2015 srtp_handle_event(ctx, stream, event_key_hard_limit); | |
2016 return err_status_key_expired; | |
2017 default: | |
2018 break; | |
2019 } | |
2020 | |
2021 if (xtn_hdr && stream->rtp_xtn_hdr_cipher) { | |
2022 /* | |
2023 * extensions header encryption RFC 6904 | |
2024 */ | |
2025 status = srtp_process_header_encryption(stream, xtn_hdr); | |
2026 if (status) { | |
2027 return status; | |
2028 } | |
2029 } | |
2030 | |
2031 /* if we're decrypting, add keystream into ciphertext */ | |
2032 if (enc_start) { | |
2033 status = cipher_decrypt(stream->rtp_cipher, | |
2034 (uint8_t *)enc_start, &enc_octet_len); | |
2035 if (status) | |
2036 return err_status_cipher_fail; | |
2037 } | |
2038 | |
2039 /* | |
2040 * verify that stream is for received traffic - this check will | |
2041 * detect SSRC collisions, since a stream that appears in both | |
2042 * srtp_protect() and srtp_unprotect() will fail this test in one of | |
2043 * those functions. | |
2044 * | |
2045 * we do this check *after* the authentication check, so that the | |
2046 * latter check will catch any attempts to fool us into thinking | |
2047 * that we've got a collision | |
2048 */ | |
2049 if (stream->direction != dir_srtp_receiver) { | |
2050 if (stream->direction == dir_unknown) { | |
2051 stream->direction = dir_srtp_receiver; | |
2052 } else { | |
2053 srtp_handle_event(ctx, stream, event_ssrc_collision); | |
2054 } | |
2055 } | |
2056 | |
2057 /* | |
2058 * if the stream is a 'provisional' one, in which the template context | |
2059 * is used, then we need to allocate a new stream at this point, since | |
2060 * the authentication passed | |
2061 */ | |
2062 if (stream == ctx->stream_template) { | |
2063 srtp_stream_ctx_t *new_stream; | |
2064 | |
2065 /* | |
2066 * allocate and initialize a new stream | |
2067 * | |
2068 * note that we indicate failure if we can't allocate the new | |
2069 * stream, and some implementations will want to not return | |
2070 * failure here | |
2071 */ | |
2072 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); | |
2073 if (status) | |
2074 return status; | |
2075 | |
2076 /* add new stream to the head of the stream_list */ | |
2077 new_stream->next = ctx->stream_list; | |
2078 ctx->stream_list = new_stream; | |
2079 | |
2080 /* set stream (the pointer used in this function) */ | |
2081 stream = new_stream; | |
2082 } | |
2083 | |
2084 /* | |
2085 * the message authentication function passed, so add the packet | |
2086 * index into the replay database | |
2087 */ | |
2088 rdbx_add_index(&stream->rtp_rdbx, delta); | |
2089 | |
2090 /* decrease the packet length by the length of the auth tag */ | |
2091 *pkt_octet_len -= tag_len; | |
2092 | |
2093 return err_status_ok; | |
2094 } | |
2095 | |
2096 err_status_t | |
2097 srtp_init() { | |
2098 err_status_t status; | |
2099 | |
2100 /* initialize crypto kernel */ | |
2101 status = crypto_kernel_init(); | |
2102 if (status) | |
2103 return status; | |
2104 | |
2105 /* load srtp debug module into the kernel */ | |
2106 status = crypto_kernel_load_debug_module(&mod_srtp); | |
2107 if (status) | |
2108 return status; | |
2109 | |
2110 return err_status_ok; | |
2111 } | |
2112 | |
2113 err_status_t | |
2114 srtp_shutdown() { | |
2115 err_status_t status; | |
2116 | |
2117 /* shut down crypto kernel */ | |
2118 status = crypto_kernel_shutdown(); | |
2119 if (status) | |
2120 return status; | |
2121 | |
2122 /* shutting down crypto kernel frees the srtp debug module as well */ | |
2123 | |
2124 return err_status_ok; | |
2125 } | |
2126 | |
2127 | |
2128 /* | |
2129 * The following code is under consideration for removal. See | |
2130 * SRTP_MAX_TRAILER_LEN | |
2131 */ | |
2132 #if 0 | |
2133 | |
2134 /* | |
2135 * srtp_get_trailer_length(&a) returns the number of octets that will | |
2136 * be added to an RTP packet by the SRTP processing. This value | |
2137 * is constant for a given srtp_stream_t (i.e. between initializations). | |
2138 */ | |
2139 | |
2140 int | |
2141 srtp_get_trailer_length(const srtp_stream_t s) { | |
2142 return auth_get_tag_length(s->rtp_auth); | |
2143 } | |
2144 | |
2145 #endif | |
2146 | |
2147 /* | |
2148 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding | |
2149 * to ssrc, or NULL if no stream exists for that ssrc | |
2150 * | |
2151 * this is an internal function | |
2152 */ | |
2153 | |
2154 srtp_stream_ctx_t * | |
2155 srtp_get_stream(srtp_t srtp, uint32_t ssrc) { | |
2156 srtp_stream_ctx_t *stream; | |
2157 | |
2158 /* walk down list until ssrc is found */ | |
2159 stream = srtp->stream_list; | |
2160 while (stream != NULL) { | |
2161 if (stream->ssrc == ssrc) | |
2162 return stream; | |
2163 stream = stream->next; | |
2164 } | |
2165 | |
2166 /* we haven't found our ssrc, so return a null */ | |
2167 return NULL; | |
2168 } | |
2169 | |
2170 err_status_t | |
2171 srtp_dealloc(srtp_t session) { | |
2172 srtp_stream_ctx_t *stream; | |
2173 err_status_t status; | |
2174 | |
2175 /* | |
2176 * we take a conservative deallocation strategy - if we encounter an | |
2177 * error deallocating a stream, then we stop trying to deallocate | |
2178 * memory and just return an error | |
2179 */ | |
2180 | |
2181 /* walk list of streams, deallocating as we go */ | |
2182 stream = session->stream_list; | |
2183 while (stream != NULL) { | |
2184 srtp_stream_t next = stream->next; | |
2185 status = srtp_stream_dealloc(session, stream); | |
2186 if (status) | |
2187 return status; | |
2188 stream = next; | |
2189 } | |
2190 | |
2191 /* deallocate stream template, if there is one */ | |
2192 if (session->stream_template != NULL) { | |
2193 status = auth_dealloc(session->stream_template->rtcp_auth); | |
2194 if (status) | |
2195 return status; | |
2196 status = cipher_dealloc(session->stream_template->rtcp_cipher); | |
2197 if (status) | |
2198 return status; | |
2199 crypto_free(session->stream_template->limit); | |
2200 status = cipher_dealloc(session->stream_template->rtp_cipher); | |
2201 if (status) | |
2202 return status; | |
2203 status = auth_dealloc(session->stream_template->rtp_auth); | |
2204 if (status) | |
2205 return status; | |
2206 status = rdbx_dealloc(&session->stream_template->rtp_rdbx); | |
2207 if (status) | |
2208 return status; | |
2209 crypto_free(session->stream_template); | |
2210 } | |
2211 | |
2212 /* deallocate session context */ | |
2213 crypto_free(session); | |
2214 | |
2215 return err_status_ok; | |
2216 } | |
2217 | |
2218 | |
2219 err_status_t | |
2220 srtp_add_stream(srtp_t session, | |
2221 const srtp_policy_t *policy) { | |
2222 err_status_t status; | |
2223 srtp_stream_t tmp; | |
2224 | |
2225 /* sanity check arguments */ | |
2226 if ((session == NULL) || (policy == NULL) || (policy->key == NULL)) | |
2227 return err_status_bad_param; | |
2228 | |
2229 /* allocate stream */ | |
2230 status = srtp_stream_alloc(&tmp, policy); | |
2231 if (status) { | |
2232 return status; | |
2233 } | |
2234 | |
2235 /* initialize stream */ | |
2236 status = srtp_stream_init(tmp, policy); | |
2237 if (status) { | |
2238 crypto_free(tmp); | |
2239 return status; | |
2240 } | |
2241 | |
2242 /* | |
2243 * set the head of the stream list or the template to point to the | |
2244 * stream that we've just alloced and init'ed, depending on whether | |
2245 * or not it has a wildcard SSRC value or not | |
2246 * | |
2247 * if the template stream has already been set, then the policy is | |
2248 * inconsistent, so we return a bad_param error code | |
2249 */ | |
2250 switch (policy->ssrc.type) { | |
2251 case (ssrc_any_outbound): | |
2252 if (session->stream_template) { | |
2253 return err_status_bad_param; | |
2254 } | |
2255 session->stream_template = tmp; | |
2256 session->stream_template->direction = dir_srtp_sender; | |
2257 break; | |
2258 case (ssrc_any_inbound): | |
2259 if (session->stream_template) { | |
2260 return err_status_bad_param; | |
2261 } | |
2262 session->stream_template = tmp; | |
2263 session->stream_template->direction = dir_srtp_receiver; | |
2264 break; | |
2265 case (ssrc_specific): | |
2266 tmp->next = session->stream_list; | |
2267 session->stream_list = tmp; | |
2268 break; | |
2269 case (ssrc_undefined): | |
2270 default: | |
2271 crypto_free(tmp); | |
2272 return err_status_bad_param; | |
2273 } | |
2274 | |
2275 return err_status_ok; | |
2276 } | |
2277 | |
2278 | |
2279 err_status_t | |
2280 srtp_create(srtp_t *session, /* handle for session */ | |
2281 const srtp_policy_t *policy) { /* SRTP policy (list) */ | |
2282 err_status_t stat; | |
2283 srtp_ctx_t *ctx; | |
2284 | |
2285 /* sanity check arguments */ | |
2286 if (session == NULL) | |
2287 return err_status_bad_param; | |
2288 | |
2289 /* allocate srtp context and set ctx_ptr */ | |
2290 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t)); | |
2291 if (ctx == NULL) | |
2292 return err_status_alloc_fail; | |
2293 *session = ctx; | |
2294 | |
2295 /* | |
2296 * loop over elements in the policy list, allocating and | |
2297 * initializing a stream for each element | |
2298 */ | |
2299 ctx->stream_template = NULL; | |
2300 ctx->stream_list = NULL; | |
2301 ctx->user_data = NULL; | |
2302 while (policy != NULL) { | |
2303 | |
2304 stat = srtp_add_stream(ctx, policy); | |
2305 if (stat) { | |
2306 /* clean up everything */ | |
2307 srtp_dealloc(*session); | |
2308 return stat; | |
2309 } | |
2310 | |
2311 /* set policy to next item in list */ | |
2312 policy = policy->next; | |
2313 } | |
2314 | |
2315 return err_status_ok; | |
2316 } | |
2317 | |
2318 | |
2319 err_status_t | |
2320 srtp_remove_stream(srtp_t session, uint32_t ssrc) { | |
2321 srtp_stream_ctx_t *stream, *last_stream; | |
2322 err_status_t status; | |
2323 | |
2324 /* sanity check arguments */ | |
2325 if (session == NULL) | |
2326 return err_status_bad_param; | |
2327 | |
2328 /* find stream in list; complain if not found */ | |
2329 last_stream = stream = session->stream_list; | |
2330 while ((stream != NULL) && (ssrc != stream->ssrc)) { | |
2331 last_stream = stream; | |
2332 stream = stream->next; | |
2333 } | |
2334 if (stream == NULL) | |
2335 return err_status_no_ctx; | |
2336 | |
2337 /* remove stream from the list */ | |
2338 if (last_stream == stream) | |
2339 /* stream was first in list */ | |
2340 session->stream_list = stream->next; | |
2341 else | |
2342 last_stream->next = stream->next; | |
2343 | |
2344 /* deallocate the stream */ | |
2345 status = srtp_stream_dealloc(session, stream); | |
2346 if (status) | |
2347 return status; | |
2348 | |
2349 return err_status_ok; | |
2350 } | |
2351 | |
2352 | |
2353 /* | |
2354 * the default policy - provides a convenient way for callers to use | |
2355 * the default security policy | |
2356 * | |
2357 * this policy is that defined in the current SRTP internet draft. | |
2358 * | |
2359 */ | |
2360 | |
2361 /* | |
2362 * NOTE: cipher_key_len is really key len (128 bits) plus salt len | |
2363 * (112 bits) | |
2364 */ | |
2365 /* There are hard-coded 16's for base_key_len in the key generation code */ | |
2366 | |
2367 void | |
2368 crypto_policy_set_rtp_default(crypto_policy_t *p) { | |
2369 | |
2370 p->cipher_type = AES_ICM; | |
2371 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */ | |
2372 p->auth_type = HMAC_SHA1; | |
2373 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ | |
2374 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ | |
2375 p->sec_serv = sec_serv_conf_and_auth; | |
2376 | |
2377 } | |
2378 | |
2379 void | |
2380 crypto_policy_set_rtcp_default(crypto_policy_t *p) { | |
2381 | |
2382 p->cipher_type = AES_ICM; | |
2383 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */ | |
2384 p->auth_type = HMAC_SHA1; | |
2385 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ | |
2386 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ | |
2387 p->sec_serv = sec_serv_conf_and_auth; | |
2388 | |
2389 } | |
2390 | |
2391 void | |
2392 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) { | |
2393 | |
2394 /* | |
2395 * corresponds to RFC 4568 | |
2396 * | |
2397 * note that this crypto policy is intended for SRTP, but not SRTCP | |
2398 */ | |
2399 | |
2400 p->cipher_type = AES_ICM; | |
2401 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */ | |
2402 p->auth_type = HMAC_SHA1; | |
2403 p->auth_key_len = 20; /* 160 bit key */ | |
2404 p->auth_tag_len = 4; /* 32 bit tag */ | |
2405 p->sec_serv = sec_serv_conf_and_auth; | |
2406 | |
2407 } | |
2408 | |
2409 | |
2410 void | |
2411 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) { | |
2412 | |
2413 /* | |
2414 * corresponds to RFC 4568 | |
2415 * | |
2416 * note that this crypto policy is intended for SRTP, but not SRTCP | |
2417 */ | |
2418 | |
2419 p->cipher_type = AES_ICM; | |
2420 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */ | |
2421 p->auth_type = NULL_AUTH; | |
2422 p->auth_key_len = 0; | |
2423 p->auth_tag_len = 0; | |
2424 p->sec_serv = sec_serv_conf; | |
2425 | |
2426 } | |
2427 | |
2428 | |
2429 void | |
2430 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) { | |
2431 | |
2432 /* | |
2433 * corresponds to RFC 4568 | |
2434 */ | |
2435 | |
2436 p->cipher_type = NULL_CIPHER; | |
2437 p->cipher_key_len = 0; | |
2438 p->auth_type = HMAC_SHA1; | |
2439 p->auth_key_len = 20; | |
2440 p->auth_tag_len = 10; | |
2441 p->sec_serv = sec_serv_auth; | |
2442 | |
2443 } | |
2444 | |
2445 | |
2446 void | |
2447 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) { | |
2448 | |
2449 /* | |
2450 * corresponds to draft-ietf-avt-big-aes-03.txt | |
2451 */ | |
2452 | |
2453 p->cipher_type = AES_ICM; | |
2454 p->cipher_key_len = 46; | |
2455 p->auth_type = HMAC_SHA1; | |
2456 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ | |
2457 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ | |
2458 p->sec_serv = sec_serv_conf_and_auth; | |
2459 } | |
2460 | |
2461 | |
2462 void | |
2463 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) { | |
2464 | |
2465 /* | |
2466 * corresponds to draft-ietf-avt-big-aes-03.txt | |
2467 * | |
2468 * note that this crypto policy is intended for SRTP, but not SRTCP | |
2469 */ | |
2470 | |
2471 p->cipher_type = AES_ICM; | |
2472 p->cipher_key_len = 46; | |
2473 p->auth_type = HMAC_SHA1; | |
2474 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ | |
2475 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ | |
2476 p->sec_serv = sec_serv_conf_and_auth; | |
2477 } | |
2478 | |
2479 /* | |
2480 * AES-256 with no authentication. | |
2481 */ | |
2482 void | |
2483 crypto_policy_set_aes_cm_256_null_auth (crypto_policy_t *p) | |
2484 { | |
2485 p->cipher_type = AES_ICM; | |
2486 p->cipher_key_len = 46; | |
2487 p->auth_type = NULL_AUTH; | |
2488 p->auth_key_len = 0; | |
2489 p->auth_tag_len = 0; | |
2490 p->sec_serv = sec_serv_conf; | |
2491 } | |
2492 | |
2493 #ifdef OPENSSL | |
2494 /* | |
2495 * AES-128 GCM mode with 8 octet auth tag. | |
2496 */ | |
2497 void | |
2498 crypto_policy_set_aes_gcm_128_8_auth(crypto_policy_t *p) { | |
2499 p->cipher_type = AES_128_GCM; | |
2500 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; | |
2501 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ | |
2502 p->auth_key_len = 0; | |
2503 p->auth_tag_len = 8; /* 8 octet tag length */ | |
2504 p->sec_serv = sec_serv_conf_and_auth; | |
2505 } | |
2506 | |
2507 /* | |
2508 * AES-256 GCM mode with 8 octet auth tag. | |
2509 */ | |
2510 void | |
2511 crypto_policy_set_aes_gcm_256_8_auth(crypto_policy_t *p) { | |
2512 p->cipher_type = AES_256_GCM; | |
2513 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; | |
2514 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ | |
2515 p->auth_key_len = 0; | |
2516 p->auth_tag_len = 8; /* 8 octet tag length */ | |
2517 p->sec_serv = sec_serv_conf_and_auth; | |
2518 } | |
2519 | |
2520 /* | |
2521 * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption. | |
2522 */ | |
2523 void | |
2524 crypto_policy_set_aes_gcm_128_8_only_auth(crypto_policy_t *p) { | |
2525 p->cipher_type = AES_128_GCM; | |
2526 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; | |
2527 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ | |
2528 p->auth_key_len = 0; | |
2529 p->auth_tag_len = 8; /* 8 octet tag length */ | |
2530 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ | |
2531 } | |
2532 | |
2533 /* | |
2534 * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption. | |
2535 */ | |
2536 void | |
2537 crypto_policy_set_aes_gcm_256_8_only_auth(crypto_policy_t *p) { | |
2538 p->cipher_type = AES_256_GCM; | |
2539 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; | |
2540 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ | |
2541 p->auth_key_len = 0; | |
2542 p->auth_tag_len = 8; /* 8 octet tag length */ | |
2543 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ | |
2544 } | |
2545 | |
2546 /* | |
2547 * AES-128 GCM mode with 16 octet auth tag. | |
2548 */ | |
2549 void | |
2550 crypto_policy_set_aes_gcm_128_16_auth(crypto_policy_t *p) { | |
2551 p->cipher_type = AES_128_GCM; | |
2552 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; | |
2553 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ | |
2554 p->auth_key_len = 0; | |
2555 p->auth_tag_len = 16; /* 16 octet tag length */ | |
2556 p->sec_serv = sec_serv_conf_and_auth; | |
2557 } | |
2558 | |
2559 /* | |
2560 * AES-256 GCM mode with 16 octet auth tag. | |
2561 */ | |
2562 void | |
2563 crypto_policy_set_aes_gcm_256_16_auth(crypto_policy_t *p) { | |
2564 p->cipher_type = AES_256_GCM; | |
2565 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; | |
2566 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ | |
2567 p->auth_key_len = 0; | |
2568 p->auth_tag_len = 16; /* 16 octet tag length */ | |
2569 p->sec_serv = sec_serv_conf_and_auth; | |
2570 } | |
2571 | |
2572 #endif | |
2573 | |
2574 /* | |
2575 * secure rtcp functions | |
2576 */ | |
2577 | |
2578 /* | |
2579 * AEAD uses a new IV formation method. This function implements | |
2580 * section 10.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The | |
2581 * calculation is defined as, where (+) is the xor operation: | |
2582 * | |
2583 * 0 1 2 3 4 5 6 7 8 9 10 11 | |
2584 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
2585 * |00|00| SSRC |00|00|0+SRTCP Idx|---+ | |
2586 * +--+--+--+--+--+--+--+--+--+--+--+--+ | | |
2587 * | | |
2588 * +--+--+--+--+--+--+--+--+--+--+--+--+ | | |
2589 * | Encryption Salt |->(+) | |
2590 * +--+--+--+--+--+--+--+--+--+--+--+--+ | | |
2591 * | | |
2592 * +--+--+--+--+--+--+--+--+--+--+--+--+ | | |
2593 * | Initialization Vector |<--+ | |
2594 * +--+--+--+--+--+--+--+--+--+--+--+--+* | |
2595 * | |
2596 * Input: *stream - pointer to SRTP stream context, used to retrieve | |
2597 * the SALT | |
2598 * *iv - Pointer to recieve the calculated IV | |
2599 * seq_num - The SEQ value to use for the IV calculation. | |
2600 * *hdr - The RTP header, used to get the SSRC value | |
2601 * | |
2602 */ | |
2603 static void srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv, | |
2604 uint32_t seq_num, srtcp_hdr_t *hdr) | |
2605 { | |
2606 v128_t in; | |
2607 v128_t salt; | |
2608 | |
2609 memset(&in, 0, sizeof(v128_t)); | |
2610 memset(&salt, 0, sizeof(v128_t)); | |
2611 | |
2612 in.v16[0] = 0; | |
2613 memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */ | |
2614 in.v16[3] = 0; | |
2615 in.v32[2] = 0x7FFFFFFF & htonl(seq_num); /* bit 32 is suppose to be zero */ | |
2616 | |
2617 debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in)); | |
2618 | |
2619 /* | |
2620 * Get the SALT value from the context | |
2621 */ | |
2622 memcpy(salt.v8, stream->c_salt, 12); | |
2623 debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt)); | |
2624 | |
2625 /* | |
2626 * Finally, apply the SALT to the input | |
2627 */ | |
2628 v128_xor(iv, &in, &salt); | |
2629 } | |
2630 | |
2631 /* | |
2632 * This code handles AEAD ciphers for outgoing RTCP. We currently support | |
2633 * AES-GCM mode with 128 or 256 bit keys. | |
2634 */ | |
2635 static err_status_t | |
2636 srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, | |
2637 void *rtcp_hdr, unsigned int *pkt_octet_len) | |
2638 { | |
2639 srtcp_hdr_t *hdr = (srtcp_hdr_t*)rtcp_hdr; | |
2640 uint32_t *enc_start; /* pointer to start of encrypted portion */ | |
2641 uint32_t *trailer; /* pointer to start of trailer */ | |
2642 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ | |
2643 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | |
2644 err_status_t status; | |
2645 int tag_len; | |
2646 uint32_t seq_num; | |
2647 v128_t iv; | |
2648 uint32_t tseq; | |
2649 | |
2650 /* get tag length from stream context */ | |
2651 tag_len = auth_get_tag_length(stream->rtcp_auth); | |
2652 | |
2653 /* | |
2654 * set encryption start and encryption length - if we're not | |
2655 * providing confidentiality, set enc_start to NULL | |
2656 */ | |
2657 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header; | |
2658 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; | |
2659 | |
2660 /* NOTE: hdr->length is not usable - it refers to only the first | |
2661 RTCP report in the compound packet! */ | |
2662 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always | |
2663 multiples of 32-bits (RFC 3550 6.1) */ | |
2664 trailer = (uint32_t*)((char*)enc_start + enc_octet_len + tag_len); | |
2665 | |
2666 if (stream->rtcp_services & sec_serv_conf) { | |
2667 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ | |
2668 } else { | |
2669 enc_start = NULL; | |
2670 enc_octet_len = 0; | |
2671 /* 0 is network-order independant */ | |
2672 *trailer = 0x00000000; /* set encrypt bit */ | |
2673 } | |
2674 | |
2675 /* | |
2676 * set the auth_tag pointer to the proper location, which is after | |
2677 * the payload, but before the trailer | |
2678 * (note that srtpc *always* provides authentication, unlike srtp) | |
2679 */ | |
2680 /* Note: This would need to change for optional mikey data */ | |
2681 auth_tag = (uint8_t*)hdr + *pkt_octet_len; | |
2682 | |
2683 /* | |
2684 * check sequence number for overruns, and copy it into the packet | |
2685 * if its value isn't too big | |
2686 */ | |
2687 status = rdb_increment(&stream->rtcp_rdb); | |
2688 if (status) { | |
2689 return status; | |
2690 } | |
2691 seq_num = rdb_get_value(&stream->rtcp_rdb); | |
2692 *trailer |= htonl(seq_num); | |
2693 debug_print(mod_srtp, "srtcp index: %x", seq_num); | |
2694 | |
2695 /* | |
2696 * Calculating the IV and pass it down to the cipher | |
2697 */ | |
2698 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr); | |
2699 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); | |
2700 if (status) { | |
2701 return err_status_cipher_fail; | |
2702 } | |
2703 | |
2704 /* | |
2705 * Set the AAD for GCM mode | |
2706 */ | |
2707 if (enc_start) { | |
2708 /* | |
2709 * If payload encryption is enabled, then the AAD consist of | |
2710 * the RTCP header and the seq# at the end of the packet | |
2711 */ | |
2712 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, | |
2713 octets_in_rtcp_header); | |
2714 if (status) { | |
2715 return ( err_status_cipher_fail); | |
2716 } | |
2717 } else { | |
2718 /* | |
2719 * Since payload encryption is not enabled, we must authenticate | |
2720 * the entire packet as described in section 10.3 in revision 07 | |
2721 * of the draft. | |
2722 */ | |
2723 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, | |
2724 *pkt_octet_len); | |
2725 if (status) { | |
2726 return ( err_status_cipher_fail); | |
2727 } | |
2728 } | |
2729 /* | |
2730 * Process the sequence# as AAD | |
2731 */ | |
2732 tseq = *trailer; | |
2733 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq, | |
2734 sizeof(srtcp_trailer_t)); | |
2735 if (status) { | |
2736 return ( err_status_cipher_fail); | |
2737 } | |
2738 | |
2739 /* if we're encrypting, exor keystream into the message */ | |
2740 if (enc_start) { | |
2741 status = cipher_encrypt(stream->rtcp_cipher, | |
2742 (uint8_t*)enc_start, &enc_octet_len); | |
2743 if (status) { | |
2744 return err_status_cipher_fail; | |
2745 } | |
2746 /* | |
2747 * Get the tag and append that to the output | |
2748 */ | |
2749 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag, | |
2750 &tag_len); | |
2751 if (status) { | |
2752 return ( err_status_cipher_fail); | |
2753 } | |
2754 enc_octet_len += tag_len; | |
2755 } else { | |
2756 /* | |
2757 * Even though we're not encrypting the payload, we need | |
2758 * to run the cipher to get the auth tag. | |
2759 */ | |
2760 unsigned int nolen = 0; | |
2761 status = cipher_encrypt(stream->rtcp_cipher, NULL, &nolen); | |
2762 if (status) { | |
2763 return err_status_cipher_fail; | |
2764 } | |
2765 /* | |
2766 * Get the tag and append that to the output | |
2767 */ | |
2768 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag, | |
2769 &tag_len); | |
2770 if (status) { | |
2771 return ( err_status_cipher_fail); | |
2772 } | |
2773 enc_octet_len += tag_len; | |
2774 } | |
2775 | |
2776 /* increase the packet length by the length of the auth tag and seq_num*/ | |
2777 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); | |
2778 | |
2779 return err_status_ok; | |
2780 } | |
2781 | |
2782 /* | |
2783 * This function handles incoming SRTCP packets while in AEAD mode, | |
2784 * which currently supports AES-GCM encryption. Note, the auth tag is | |
2785 * at the end of the packet stream and is automatically checked by GCM | |
2786 * when decrypting the payload. | |
2787 */ | |
2788 static err_status_t | |
2789 srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, | |
2790 void *srtcp_hdr, unsigned int *pkt_octet_len) | |
2791 { | |
2792 srtcp_hdr_t *hdr = (srtcp_hdr_t*)srtcp_hdr; | |
2793 uint32_t *enc_start; /* pointer to start of encrypted portion */ | |
2794 uint32_t *trailer; /* pointer to start of trailer */ | |
2795 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ | |
2796 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | |
2797 err_status_t status; | |
2798 int tag_len; | |
2799 unsigned int tmp_len; | |
2800 uint32_t seq_num; | |
2801 v128_t iv; | |
2802 uint32_t tseq; | |
2803 | |
2804 /* get tag length from stream context */ | |
2805 tag_len = auth_get_tag_length(stream->rtcp_auth); | |
2806 | |
2807 /* | |
2808 * set encryption start, encryption length, and trailer | |
2809 */ | |
2810 /* index & E (encryption) bit follow normal data. hdr->len | |
2811 is the number of words (32-bit) in the normal packet minus 1 */ | |
2812 /* This should point trailer to the word past the end of the | |
2813 normal data. */ | |
2814 /* This would need to be modified for optional mikey data */ | |
2815 /* | |
2816 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always | |
2817 * multiples of 32-bits (RFC 3550 6.1) | |
2818 */ | |
2819 trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t))
; | |
2820 /* | |
2821 * We pass the tag down to the cipher when doing GCM mode | |
2822 */ | |
2823 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + | |
2824 sizeof(srtcp_trailer_t)); | |
2825 auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - sizeof(srtcp_trailer_t
); | |
2826 | |
2827 if (*((unsigned char*)trailer) & SRTCP_E_BYTE_BIT) { | |
2828 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header; | |
2829 } else { | |
2830 enc_octet_len = 0; | |
2831 enc_start = NULL; /* this indicates that there's no encryption */ | |
2832 } | |
2833 | |
2834 /* | |
2835 * check the sequence number for replays | |
2836 */ | |
2837 /* this is easier than dealing with bitfield access */ | |
2838 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; | |
2839 debug_print(mod_srtp, "srtcp index: %x", seq_num); | |
2840 status = rdb_check(&stream->rtcp_rdb, seq_num); | |
2841 if (status) { | |
2842 return status; | |
2843 } | |
2844 | |
2845 /* | |
2846 * Calculate and set the IV | |
2847 */ | |
2848 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr); | |
2849 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); | |
2850 if (status) { | |
2851 return err_status_cipher_fail; | |
2852 } | |
2853 | |
2854 /* | |
2855 * Set the AAD for GCM mode | |
2856 */ | |
2857 if (enc_start) { | |
2858 /* | |
2859 * If payload encryption is enabled, then the AAD consist of | |
2860 * the RTCP header and the seq# at the end of the packet | |
2861 */ | |
2862 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, | |
2863 octets_in_rtcp_header); | |
2864 if (status) { | |
2865 return ( err_status_cipher_fail); | |
2866 } | |
2867 } else { | |
2868 /* | |
2869 * Since payload encryption is not enabled, we must authenticate | |
2870 * the entire packet as described in section 10.3 in revision 07 | |
2871 * of the draft. | |
2872 */ | |
2873 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, | |
2874 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_
t))); | |
2875 if (status) { | |
2876 return ( err_status_cipher_fail); | |
2877 } | |
2878 } | |
2879 | |
2880 /* | |
2881 * Process the sequence# as AAD | |
2882 */ | |
2883 tseq = *trailer; | |
2884 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq, | |
2885 sizeof(srtcp_trailer_t)); | |
2886 if (status) { | |
2887 return ( err_status_cipher_fail); | |
2888 } | |
2889 | |
2890 /* if we're decrypting, exor keystream into the message */ | |
2891 if (enc_start) { | |
2892 status = cipher_decrypt(stream->rtcp_cipher, | |
2893 (uint8_t*)enc_start, &enc_octet_len); | |
2894 if (status) { | |
2895 return status; | |
2896 } | |
2897 } else { | |
2898 /* | |
2899 * Still need to run the cipher to check the tag | |
2900 */ | |
2901 tmp_len = tag_len; | |
2902 status = cipher_decrypt(stream->rtcp_cipher, (uint8_t*)auth_tag, | |
2903 &tmp_len); | |
2904 if (status) { | |
2905 return status; | |
2906 } | |
2907 } | |
2908 | |
2909 /* decrease the packet length by the length of the auth tag and seq_num*/ | |
2910 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); | |
2911 | |
2912 /* | |
2913 * verify that stream is for received traffic - this check will | |
2914 * detect SSRC collisions, since a stream that appears in both | |
2915 * srtp_protect() and srtp_unprotect() will fail this test in one of | |
2916 * those functions. | |
2917 * | |
2918 * we do this check *after* the authentication check, so that the | |
2919 * latter check will catch any attempts to fool us into thinking | |
2920 * that we've got a collision | |
2921 */ | |
2922 if (stream->direction != dir_srtp_receiver) { | |
2923 if (stream->direction == dir_unknown) { | |
2924 stream->direction = dir_srtp_receiver; | |
2925 } else { | |
2926 srtp_handle_event(ctx, stream, event_ssrc_collision); | |
2927 } | |
2928 } | |
2929 | |
2930 /* | |
2931 * if the stream is a 'provisional' one, in which the template context | |
2932 * is used, then we need to allocate a new stream at this point, since | |
2933 * the authentication passed | |
2934 */ | |
2935 if (stream == ctx->stream_template) { | |
2936 srtp_stream_ctx_t *new_stream; | |
2937 | |
2938 /* | |
2939 * allocate and initialize a new stream | |
2940 * | |
2941 * note that we indicate failure if we can't allocate the new | |
2942 * stream, and some implementations will want to not return | |
2943 * failure here | |
2944 */ | |
2945 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream)
; | |
2946 if (status) { | |
2947 return status; | |
2948 } | |
2949 | |
2950 /* add new stream to the head of the stream_list */ | |
2951 new_stream->next = ctx->stream_list; | |
2952 ctx->stream_list = new_stream; | |
2953 | |
2954 /* set stream (the pointer used in this function) */ | |
2955 stream = new_stream; | |
2956 } | |
2957 | |
2958 /* we've passed the authentication check, so add seq_num to the rdb */ | |
2959 rdb_add_index(&stream->rtcp_rdb, seq_num); | |
2960 | |
2961 return err_status_ok; | |
2962 } | |
2963 | |
2964 err_status_t | |
2965 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) { | |
2966 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; | |
2967 uint32_t *enc_start; /* pointer to start of encrypted portion */ | |
2968 uint32_t *auth_start; /* pointer to start of auth. portion */ | |
2969 uint32_t *trailer; /* pointer to start of trailer */ | |
2970 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ | |
2971 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | |
2972 err_status_t status; | |
2973 int tag_len; | |
2974 srtp_stream_ctx_t *stream; | |
2975 int prefix_len; | |
2976 uint32_t seq_num; | |
2977 | |
2978 /* we assume the hdr is 32-bit aligned to start */ | |
2979 | |
2980 /* check the packet length - it must at least contain a full header */ | |
2981 if (*pkt_octet_len < octets_in_rtcp_header) | |
2982 return err_status_bad_param; | |
2983 | |
2984 /* | |
2985 * look up ssrc in srtp_stream list, and process the packet with | |
2986 * the appropriate stream. if we haven't seen this stream before, | |
2987 * there's only one key for this srtp_session, and the cipher | |
2988 * supports key-sharing, then we assume that a new stream using | |
2989 * that key has just started up | |
2990 */ | |
2991 stream = srtp_get_stream(ctx, hdr->ssrc); | |
2992 if (stream == NULL) { | |
2993 if (ctx->stream_template != NULL) { | |
2994 srtp_stream_ctx_t *new_stream; | |
2995 | |
2996 /* allocate and initialize a new stream */ | |
2997 status = srtp_stream_clone(ctx->stream_template, | |
2998 hdr->ssrc, &new_stream); | |
2999 if (status) | |
3000 return status; | |
3001 | |
3002 /* add new stream to the head of the stream_list */ | |
3003 new_stream->next = ctx->stream_list; | |
3004 ctx->stream_list = new_stream; | |
3005 | |
3006 /* set stream (the pointer used in this function) */ | |
3007 stream = new_stream; | |
3008 } else { | |
3009 /* no template stream, so we return an error */ | |
3010 return err_status_no_ctx; | |
3011 } | |
3012 } | |
3013 | |
3014 /* | |
3015 * verify that stream is for sending traffic - this check will | |
3016 * detect SSRC collisions, since a stream that appears in both | |
3017 * srtp_protect() and srtp_unprotect() will fail this test in one of | |
3018 * those functions. | |
3019 */ | |
3020 if (stream->direction != dir_srtp_sender) { | |
3021 if (stream->direction == dir_unknown) { | |
3022 stream->direction = dir_srtp_sender; | |
3023 } else { | |
3024 srtp_handle_event(ctx, stream, event_ssrc_collision); | |
3025 } | |
3026 } | |
3027 | |
3028 /* | |
3029 * Check if this is an AEAD stream (GCM mode). If so, then dispatch | |
3030 * the request to our AEAD handler. | |
3031 */ | |
3032 if (stream->rtp_cipher->algorithm == AES_128_GCM || | |
3033 stream->rtp_cipher->algorithm == AES_256_GCM) { | |
3034 return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, (unsigned int*)pkt_oc
tet_len); | |
3035 } | |
3036 | |
3037 /* get tag length from stream context */ | |
3038 tag_len = auth_get_tag_length(stream->rtcp_auth); | |
3039 | |
3040 /* | |
3041 * set encryption start and encryption length - if we're not | |
3042 * providing confidentiality, set enc_start to NULL | |
3043 */ | |
3044 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; | |
3045 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; | |
3046 | |
3047 /* all of the packet, except the header, gets encrypted */ | |
3048 /* NOTE: hdr->length is not usable - it refers to only the first | |
3049 RTCP report in the compound packet! */ | |
3050 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always | |
3051 multiples of 32-bits (RFC 3550 6.1) */ | |
3052 trailer = (uint32_t *) ((char *)enc_start + enc_octet_len); | |
3053 | |
3054 if (stream->rtcp_services & sec_serv_conf) { | |
3055 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ | |
3056 } else { | |
3057 enc_start = NULL; | |
3058 enc_octet_len = 0; | |
3059 /* 0 is network-order independant */ | |
3060 *trailer = 0x00000000; /* set encrypt bit */ | |
3061 } | |
3062 | |
3063 /* | |
3064 * set the auth_start and auth_tag pointers to the proper locations | |
3065 * (note that srtpc *always* provides authentication, unlike srtp) | |
3066 */ | |
3067 /* Note: This would need to change for optional mikey data */ | |
3068 auth_start = (uint32_t *)hdr; | |
3069 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t); | |
3070 | |
3071 /* perform EKT processing if needed */ | |
3072 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len, | |
3073 rdbx_get_packet_index(&stream->rtp_rdbx)); | |
3074 | |
3075 /* | |
3076 * check sequence number for overruns, and copy it into the packet | |
3077 * if its value isn't too big | |
3078 */ | |
3079 status = rdb_increment(&stream->rtcp_rdb); | |
3080 if (status) | |
3081 return status; | |
3082 seq_num = rdb_get_value(&stream->rtcp_rdb); | |
3083 *trailer |= htonl(seq_num); | |
3084 debug_print(mod_srtp, "srtcp index: %x", seq_num); | |
3085 | |
3086 /* | |
3087 * if we're using rindael counter mode, set nonce and seq | |
3088 */ | |
3089 if (stream->rtcp_cipher->type->id == AES_ICM) { | |
3090 v128_t iv; | |
3091 | |
3092 iv.v32[0] = 0; | |
3093 iv.v32[1] = hdr->ssrc; /* still in network order! */ | |
3094 iv.v32[2] = htonl(seq_num >> 16); | |
3095 iv.v32[3] = htonl(seq_num << 16); | |
3096 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); | |
3097 | |
3098 } else { | |
3099 v128_t iv; | |
3100 | |
3101 /* otherwise, just set the index to seq_num */ | |
3102 iv.v32[0] = 0; | |
3103 iv.v32[1] = 0; | |
3104 iv.v32[2] = 0; | |
3105 iv.v32[3] = htonl(seq_num); | |
3106 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); | |
3107 } | |
3108 if (status) | |
3109 return err_status_cipher_fail; | |
3110 | |
3111 /* | |
3112 * if we're authenticating using a universal hash, put the keystream | |
3113 * prefix into the authentication tag | |
3114 */ | |
3115 | |
3116 /* if auth_start is non-null, then put keystream into tag */ | |
3117 if (auth_start) { | |
3118 | |
3119 /* put keystream prefix into auth_tag */ | |
3120 prefix_len = auth_get_prefix_length(stream->rtcp_auth); | |
3121 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len); | |
3122 | |
3123 debug_print(mod_srtp, "keystream prefix: %s", | |
3124 octet_string_hex_string(auth_tag, prefix_len)); | |
3125 | |
3126 if (status) | |
3127 return err_status_cipher_fail; | |
3128 } | |
3129 | |
3130 /* if we're encrypting, exor keystream into the message */ | |
3131 if (enc_start) { | |
3132 status = cipher_encrypt(stream->rtcp_cipher, | |
3133 (uint8_t *)enc_start, &enc_octet_len); | |
3134 if (status) | |
3135 return err_status_cipher_fail; | |
3136 } | |
3137 | |
3138 /* initialize auth func context */ | |
3139 auth_start(stream->rtcp_auth); | |
3140 | |
3141 /* | |
3142 * run auth func over packet (including trailer), and write the | |
3143 * result at auth_tag | |
3144 */ | |
3145 status = auth_compute(stream->rtcp_auth, | |
3146 (uint8_t *)auth_start, | |
3147 (*pkt_octet_len) + sizeof(srtcp_trailer_t), | |
3148 auth_tag); | |
3149 debug_print(mod_srtp, "srtcp auth tag: %s", | |
3150 octet_string_hex_string(auth_tag, tag_len)); | |
3151 if (status) | |
3152 return err_status_auth_fail; | |
3153 | |
3154 /* increase the packet length by the length of the auth tag and seq_num*/ | |
3155 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); | |
3156 | |
3157 return err_status_ok; | |
3158 } | |
3159 | |
3160 | |
3161 err_status_t | |
3162 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) { | |
3163 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; | |
3164 uint32_t *enc_start; /* pointer to start of encrypted portion */ | |
3165 uint32_t *auth_start; /* pointer to start of auth. portion */ | |
3166 uint32_t *trailer; /* pointer to start of trailer */ | |
3167 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ | |
3168 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | |
3169 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; | |
3170 uint8_t tag_copy[SRTP_MAX_TAG_LEN]; | |
3171 err_status_t status; | |
3172 unsigned int auth_len; | |
3173 int tag_len; | |
3174 srtp_stream_ctx_t *stream; | |
3175 int prefix_len; | |
3176 uint32_t seq_num; | |
3177 int e_bit_in_packet; /* whether the E-bit was found in the packet */ | |
3178 int sec_serv_confidentiality; /* whether confidentiality was requested */ | |
3179 | |
3180 /* we assume the hdr is 32-bit aligned to start */ | |
3181 | |
3182 /* check that the length value is sane; we'll check again once we | |
3183 know the tag length, but we at least want to know that it is | |
3184 a positive value */ | |
3185 if (*pkt_octet_len < octets_in_rtcp_header + sizeof(srtcp_trailer_t)) | |
3186 return err_status_bad_param; | |
3187 | |
3188 /* | |
3189 * look up ssrc in srtp_stream list, and process the packet with | |
3190 * the appropriate stream. if we haven't seen this stream before, | |
3191 * there's only one key for this srtp_session, and the cipher | |
3192 * supports key-sharing, then we assume that a new stream using | |
3193 * that key has just started up | |
3194 */ | |
3195 stream = srtp_get_stream(ctx, hdr->ssrc); | |
3196 if (stream == NULL) { | |
3197 if (ctx->stream_template != NULL) { | |
3198 stream = ctx->stream_template; | |
3199 | |
3200 /* | |
3201 * check to see if stream_template has an EKT data structure, in | |
3202 * which case we initialize the template using the EKT policy | |
3203 * referenced by that data (which consists of decrypting the | |
3204 * master key from the EKT field) | |
3205 * | |
3206 * this function initializes a *provisional* stream, and this | |
3207 * stream should not be accepted until and unless the packet | |
3208 * passes its authentication check | |
3209 */ | |
3210 if (stream->ekt != NULL) { | |
3211 status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len); | |
3212 if (status) | |
3213 return status; | |
3214 } | |
3215 | |
3216 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", | |
3217 hdr->ssrc); | |
3218 } else { | |
3219 /* no template stream, so we return an error */ | |
3220 return err_status_no_ctx; | |
3221 } | |
3222 } | |
3223 | |
3224 /* get tag length from stream context */ | |
3225 tag_len = auth_get_tag_length(stream->rtcp_auth); | |
3226 | |
3227 /* check the packet length - it must contain at least a full RTCP | |
3228 header, an auth tag (if applicable), and the SRTCP encrypted flag | |
3229 and 31-bit index value */ | |
3230 if (*pkt_octet_len < (int) (octets_in_rtcp_header + tag_len + sizeof(srtcp_tra
iler_t))) { | |
3231 return err_status_bad_param; | |
3232 } | |
3233 | |
3234 /* | |
3235 * Check if this is an AEAD stream (GCM mode). If so, then dispatch | |
3236 * the request to our AEAD handler. | |
3237 */ | |
3238 if (stream->rtp_cipher->algorithm == AES_128_GCM || | |
3239 stream->rtp_cipher->algorithm == AES_256_GCM) { | |
3240 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, (unsigned int*)pkt
_octet_len); | |
3241 } | |
3242 | |
3243 sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf || | |
3244 stream->rtcp_services == sec_serv_conf_and_auth; | |
3245 | |
3246 /* | |
3247 * set encryption start, encryption length, and trailer | |
3248 */ | |
3249 enc_octet_len = *pkt_octet_len - | |
3250 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t)); | |
3251 /* index & E (encryption) bit follow normal data. hdr->len | |
3252 is the number of words (32-bit) in the normal packet minus 1 */ | |
3253 /* This should point trailer to the word past the end of the | |
3254 normal data. */ | |
3255 /* This would need to be modified for optional mikey data */ | |
3256 /* | |
3257 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always | |
3258 * multiples of 32-bits (RFC 3550 6.1) | |
3259 */ | |
3260 trailer = (uint32_t *) ((char *) hdr + | |
3261 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t))); | |
3262 e_bit_in_packet = | |
3263 (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT; | |
3264 if (e_bit_in_packet != sec_serv_confidentiality) { | |
3265 return err_status_cant_check; | |
3266 } | |
3267 if (sec_serv_confidentiality) { | |
3268 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; | |
3269 } else { | |
3270 enc_octet_len = 0; | |
3271 enc_start = NULL; /* this indicates that there's no encryption */ | |
3272 } | |
3273 | |
3274 /* | |
3275 * set the auth_start and auth_tag pointers to the proper locations | |
3276 * (note that srtcp *always* uses authentication, unlike srtp) | |
3277 */ | |
3278 auth_start = (uint32_t *)hdr; | |
3279 auth_len = *pkt_octet_len - tag_len; | |
3280 auth_tag = (uint8_t *)hdr + auth_len; | |
3281 | |
3282 /* | |
3283 * if EKT is in use, then we make a copy of the tag from the packet, | |
3284 * and then zeroize the location of the base tag | |
3285 * | |
3286 * we first re-position the auth_tag pointer so that it points to | |
3287 * the base tag | |
3288 */ | |
3289 if (stream->ekt) { | |
3290 auth_tag -= ekt_octets_after_base_tag(stream->ekt); | |
3291 memcpy(tag_copy, auth_tag, tag_len); | |
3292 octet_string_set_to_zero(auth_tag, tag_len); | |
3293 auth_tag = tag_copy; | |
3294 auth_len += tag_len; | |
3295 } | |
3296 | |
3297 /* | |
3298 * check the sequence number for replays | |
3299 */ | |
3300 /* this is easier than dealing with bitfield access */ | |
3301 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; | |
3302 debug_print(mod_srtp, "srtcp index: %x", seq_num); | |
3303 status = rdb_check(&stream->rtcp_rdb, seq_num); | |
3304 if (status) | |
3305 return status; | |
3306 | |
3307 /* | |
3308 * if we're using aes counter mode, set nonce and seq | |
3309 */ | |
3310 if (stream->rtcp_cipher->type->id == AES_ICM) { | |
3311 v128_t iv; | |
3312 | |
3313 iv.v32[0] = 0; | |
3314 iv.v32[1] = hdr->ssrc; /* still in network order! */ | |
3315 iv.v32[2] = htonl(seq_num >> 16); | |
3316 iv.v32[3] = htonl(seq_num << 16); | |
3317 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); | |
3318 | |
3319 } else { | |
3320 v128_t iv; | |
3321 | |
3322 /* otherwise, just set the index to seq_num */ | |
3323 iv.v32[0] = 0; | |
3324 iv.v32[1] = 0; | |
3325 iv.v32[2] = 0; | |
3326 iv.v32[3] = htonl(seq_num); | |
3327 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); | |
3328 | |
3329 } | |
3330 if (status) | |
3331 return err_status_cipher_fail; | |
3332 | |
3333 /* initialize auth func context */ | |
3334 auth_start(stream->rtcp_auth); | |
3335 | |
3336 /* run auth func over packet, put result into tmp_tag */ | |
3337 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start, | |
3338 auth_len, tmp_tag); | |
3339 debug_print(mod_srtp, "srtcp computed tag: %s", | |
3340 octet_string_hex_string(tmp_tag, tag_len)); | |
3341 if (status) | |
3342 return err_status_auth_fail; | |
3343 | |
3344 /* compare the tag just computed with the one in the packet */ | |
3345 debug_print(mod_srtp, "srtcp tag from packet: %s", | |
3346 octet_string_hex_string(auth_tag, tag_len)); | |
3347 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) | |
3348 return err_status_auth_fail; | |
3349 | |
3350 /* | |
3351 * if we're authenticating using a universal hash, put the keystream | |
3352 * prefix into the authentication tag | |
3353 */ | |
3354 prefix_len = auth_get_prefix_length(stream->rtcp_auth); | |
3355 if (prefix_len) { | |
3356 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len); | |
3357 debug_print(mod_srtp, "keystream prefix: %s", | |
3358 octet_string_hex_string(auth_tag, prefix_len)); | |
3359 if (status) | |
3360 return err_status_cipher_fail; | |
3361 } | |
3362 | |
3363 /* if we're decrypting, exor keystream into the message */ | |
3364 if (enc_start) { | |
3365 status = cipher_decrypt(stream->rtcp_cipher, | |
3366 (uint8_t *)enc_start, &enc_octet_len); | |
3367 if (status) | |
3368 return err_status_cipher_fail; | |
3369 } | |
3370 | |
3371 /* decrease the packet length by the length of the auth tag and seq_num */ | |
3372 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); | |
3373 | |
3374 /* | |
3375 * if EKT is in effect, subtract the EKT data out of the packet | |
3376 * length | |
3377 */ | |
3378 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt); | |
3379 | |
3380 /* | |
3381 * verify that stream is for received traffic - this check will | |
3382 * detect SSRC collisions, since a stream that appears in both | |
3383 * srtp_protect() and srtp_unprotect() will fail this test in one of | |
3384 * those functions. | |
3385 * | |
3386 * we do this check *after* the authentication check, so that the | |
3387 * latter check will catch any attempts to fool us into thinking | |
3388 * that we've got a collision | |
3389 */ | |
3390 if (stream->direction != dir_srtp_receiver) { | |
3391 if (stream->direction == dir_unknown) { | |
3392 stream->direction = dir_srtp_receiver; | |
3393 } else { | |
3394 srtp_handle_event(ctx, stream, event_ssrc_collision); | |
3395 } | |
3396 } | |
3397 | |
3398 /* | |
3399 * if the stream is a 'provisional' one, in which the template context | |
3400 * is used, then we need to allocate a new stream at this point, since | |
3401 * the authentication passed | |
3402 */ | |
3403 if (stream == ctx->stream_template) { | |
3404 srtp_stream_ctx_t *new_stream; | |
3405 | |
3406 /* | |
3407 * allocate and initialize a new stream | |
3408 * | |
3409 * note that we indicate failure if we can't allocate the new | |
3410 * stream, and some implementations will want to not return | |
3411 * failure here | |
3412 */ | |
3413 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); | |
3414 if (status) | |
3415 return status; | |
3416 | |
3417 /* add new stream to the head of the stream_list */ | |
3418 new_stream->next = ctx->stream_list; | |
3419 ctx->stream_list = new_stream; | |
3420 | |
3421 /* set stream (the pointer used in this function) */ | |
3422 stream = new_stream; | |
3423 } | |
3424 | |
3425 /* we've passed the authentication check, so add seq_num to the rdb */ | |
3426 rdb_add_index(&stream->rtcp_rdb, seq_num); | |
3427 | |
3428 | |
3429 return err_status_ok; | |
3430 } | |
3431 | |
3432 | |
3433 /* | |
3434 * user data within srtp_t context | |
3435 */ | |
3436 | |
3437 void | |
3438 srtp_set_user_data(srtp_t ctx, void *data) { | |
3439 ctx->user_data = data; | |
3440 } | |
3441 | |
3442 void* | |
3443 srtp_get_user_data(srtp_t ctx) { | |
3444 return ctx->user_data; | |
3445 } | |
3446 | |
3447 | |
3448 /* | |
3449 * dtls keying for srtp | |
3450 */ | |
3451 | |
3452 err_status_t | |
3453 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy, | |
3454 srtp_profile_t profile) { | |
3455 | |
3456 /* set SRTP policy from the SRTP profile in the key set */ | |
3457 switch(profile) { | |
3458 case srtp_profile_aes128_cm_sha1_80: | |
3459 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); | |
3460 break; | |
3461 case srtp_profile_aes128_cm_sha1_32: | |
3462 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); | |
3463 break; | |
3464 case srtp_profile_null_sha1_80: | |
3465 crypto_policy_set_null_cipher_hmac_sha1_80(policy); | |
3466 break; | |
3467 case srtp_profile_aes256_cm_sha1_80: | |
3468 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); | |
3469 break; | |
3470 case srtp_profile_aes256_cm_sha1_32: | |
3471 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy); | |
3472 break; | |
3473 /* the following profiles are not (yet) supported */ | |
3474 case srtp_profile_null_sha1_32: | |
3475 default: | |
3476 return err_status_bad_param; | |
3477 } | |
3478 | |
3479 return err_status_ok; | |
3480 } | |
3481 | |
3482 err_status_t | |
3483 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy, | |
3484 srtp_profile_t profile) { | |
3485 | |
3486 /* set SRTP policy from the SRTP profile in the key set */ | |
3487 switch(profile) { | |
3488 case srtp_profile_aes128_cm_sha1_80: | |
3489 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); | |
3490 break; | |
3491 case srtp_profile_aes128_cm_sha1_32: | |
3492 /* We do not honor the 32-bit auth tag request since | |
3493 * this is not compliant with RFC 3711 */ | |
3494 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); | |
3495 break; | |
3496 case srtp_profile_null_sha1_80: | |
3497 crypto_policy_set_null_cipher_hmac_sha1_80(policy); | |
3498 break; | |
3499 case srtp_profile_aes256_cm_sha1_80: | |
3500 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); | |
3501 break; | |
3502 case srtp_profile_aes256_cm_sha1_32: | |
3503 /* We do not honor the 32-bit auth tag request since | |
3504 * this is not compliant with RFC 3711 */ | |
3505 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); | |
3506 break; | |
3507 /* the following profiles are not (yet) supported */ | |
3508 case srtp_profile_null_sha1_32: | |
3509 default: | |
3510 return err_status_bad_param; | |
3511 } | |
3512 | |
3513 return err_status_ok; | |
3514 } | |
3515 | |
3516 void | |
3517 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key, | |
3518 uint8_t *salt, unsigned int bytes_in_salt) { | |
3519 | |
3520 memcpy(key + bytes_in_key, salt, bytes_in_salt); | |
3521 | |
3522 } | |
3523 | |
3524 unsigned int | |
3525 srtp_profile_get_master_key_length(srtp_profile_t profile) { | |
3526 | |
3527 switch(profile) { | |
3528 case srtp_profile_aes128_cm_sha1_80: | |
3529 return 16; | |
3530 break; | |
3531 case srtp_profile_aes128_cm_sha1_32: | |
3532 return 16; | |
3533 break; | |
3534 case srtp_profile_null_sha1_80: | |
3535 return 16; | |
3536 break; | |
3537 case srtp_profile_aes256_cm_sha1_80: | |
3538 return 32; | |
3539 break; | |
3540 case srtp_profile_aes256_cm_sha1_32: | |
3541 return 32; | |
3542 break; | |
3543 /* the following profiles are not (yet) supported */ | |
3544 case srtp_profile_null_sha1_32: | |
3545 default: | |
3546 return 0; /* indicate error by returning a zero */ | |
3547 } | |
3548 } | |
3549 | |
3550 unsigned int | |
3551 srtp_profile_get_master_salt_length(srtp_profile_t profile) { | |
3552 | |
3553 switch(profile) { | |
3554 case srtp_profile_aes128_cm_sha1_80: | |
3555 return 14; | |
3556 break; | |
3557 case srtp_profile_aes128_cm_sha1_32: | |
3558 return 14; | |
3559 break; | |
3560 case srtp_profile_null_sha1_80: | |
3561 return 14; | |
3562 break; | |
3563 case srtp_profile_aes256_cm_sha1_80: | |
3564 return 14; | |
3565 break; | |
3566 case srtp_profile_aes256_cm_sha1_32: | |
3567 return 14; | |
3568 break; | |
3569 /* the following profiles are not (yet) supported */ | |
3570 case srtp_profile_null_sha1_32: | |
3571 default: | |
3572 return 0; /* indicate error by returning a zero */ | |
3573 } | |
3574 } | |
OLD | NEW |