OLD | NEW |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <assert.h> | 5 #include <assert.h> |
6 #include <netinet/in.h> | |
7 #include <stddef.h> | 6 #include <stddef.h> |
8 #include <stdint.h> | 7 #include <stdint.h> |
9 | 8 |
10 #include <algorithm> | 9 #include <algorithm> |
11 #include <vector> | 10 #include <vector> |
12 | 11 |
13 #include "third_party/libsrtp/include/rtp.h" | 12 #include "third_party/libsrtp/srtp/include/rtp.h" |
14 #include "third_party/libsrtp/include/rtp_priv.h" | 13 #include "third_party/libsrtp/srtp/include/rtp_priv.h" |
15 #include "third_party/libsrtp/include/srtp.h" | 14 #include "third_party/libsrtp/srtp/include/srtp.h" |
16 | 15 |
17 // TODO(katrielc) Also test the authenticated path, which is what | 16 // TODO(katrielc) Also test the authenticated path, which is what |
18 // WebRTC uses. This is nontrivial because you need to bypass the MAC | 17 // WebRTC uses. This is nontrivial because you need to bypass the MAC |
19 // check. Two options: add a UNSAFE_FUZZER_MODE flag to libsrtp (or | 18 // check. Two options: add a UNSAFE_FUZZER_MODE flag to libsrtp (or |
20 // the chromium fork of it), or compute the HMAC of whatever gibberish | 19 // the chromium fork of it), or compute the HMAC of whatever gibberish |
21 // the fuzzer produces and write it into the packet manually. | 20 // the fuzzer produces and write it into the packet manually. |
22 | 21 |
23 namespace LibSrtpFuzzer { | 22 namespace LibSrtpFuzzer { |
24 enum CryptoPolicy { | 23 enum CryptoPolicy { |
25 NONE, | 24 NONE, |
26 LIKE_WEBRTC, | 25 LIKE_WEBRTC, |
27 LIKE_WEBRTC_WITHOUT_AUTH, | 26 LIKE_WEBRTC_WITHOUT_AUTH, |
28 AES_GCM, | 27 AES_GCM, |
29 NUMBER_OF_POLICIES, | 28 NUMBER_OF_POLICIES, |
30 }; | 29 }; |
31 } | 30 } |
32 | 31 |
33 struct Environment { | 32 struct Environment { |
34 srtp_policy_t GetCryptoPolicy(LibSrtpFuzzer::CryptoPolicy crypto_policy, | 33 srtp_policy_t GetCryptoPolicy(LibSrtpFuzzer::CryptoPolicy crypto_policy, |
35 const unsigned char* replacement_key) { | 34 const unsigned char* replacement_key) { |
36 switch (crypto_policy) { | 35 switch (crypto_policy) { |
37 case LibSrtpFuzzer::NUMBER_OF_POLICIES: | 36 case LibSrtpFuzzer::NUMBER_OF_POLICIES: |
38 case LibSrtpFuzzer::NONE: | 37 case LibSrtpFuzzer::NONE: |
39 srtp_crypto_policy_set_null_cipher_null_auth(&policy.rtp); | 38 crypto_policy_set_null_cipher_null_auth(&policy.rtp); |
40 srtp_crypto_policy_set_null_cipher_null_auth(&policy.rtcp); | 39 crypto_policy_set_null_cipher_null_auth(&policy.rtcp); |
41 break; | 40 break; |
42 case LibSrtpFuzzer::LIKE_WEBRTC: | 41 case LibSrtpFuzzer::LIKE_WEBRTC: |
43 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp); | 42 crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp); |
44 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp); | 43 crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp); |
45 break; | 44 break; |
46 case LibSrtpFuzzer::LIKE_WEBRTC_WITHOUT_AUTH: | 45 case LibSrtpFuzzer::LIKE_WEBRTC_WITHOUT_AUTH: |
47 srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); | 46 crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); |
48 srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtcp); | 47 crypto_policy_set_aes_cm_128_null_auth(&policy.rtcp); |
49 break; | 48 break; |
50 case LibSrtpFuzzer::AES_GCM: | 49 case LibSrtpFuzzer::AES_GCM: |
51 // There was a security bug in the GCM mode in libsrtp 1.5.2. | 50 // There was a security bug in the GCM mode in libsrtp 1.5.2. |
52 srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); | 51 crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); |
53 srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); | 52 crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); |
54 break; | 53 break; |
55 } | 54 } |
56 | 55 |
57 memcpy(key, replacement_key, SRTP_MASTER_KEY_LEN); | 56 memcpy(key, replacement_key, SRTP_MASTER_KEY_LEN); |
58 return policy; | 57 return policy; |
59 }; | 58 }; |
60 | 59 |
61 Environment() { | 60 Environment() { |
62 srtp_init(); | 61 srtp_init(); |
63 | 62 |
64 memset(&policy, 0, sizeof(policy)); | 63 memset(&policy, 0, sizeof(policy)); |
65 policy.allow_repeat_tx = 1; | 64 policy.allow_repeat_tx = 1; |
66 policy.ekt = nullptr; | 65 policy.ekt = nullptr; |
67 policy.key = key; | 66 policy.key = key; |
68 policy.next = nullptr; | 67 policy.next = nullptr; |
69 policy.ssrc.type = ssrc_any_inbound; | 68 policy.ssrc.type = ssrc_any_inbound; |
70 policy.ssrc.value = 0xdeadbeef; | 69 policy.ssrc.value = 0xdeadbeef; |
71 policy.window_size = 1024; | 70 policy.window_size = 1024; |
72 } | 71 } |
73 | 72 |
74 private: | 73 private: |
75 srtp_policy_t policy; | 74 srtp_policy_t policy; |
76 unsigned char key[SRTP_MASTER_KEY_LEN] = {0}; | 75 unsigned char key[SRTP_MASTER_KEY_LEN] = {0}; |
77 | 76 |
78 static void srtp_crypto_policy_set_null_cipher_null_auth( | 77 static void crypto_policy_set_null_cipher_null_auth(crypto_policy_t* p) { |
79 srtp_crypto_policy_t* p) { | 78 p->cipher_type = NULL_CIPHER; |
80 p->cipher_type = SRTP_NULL_CIPHER; | |
81 p->cipher_key_len = 0; | 79 p->cipher_key_len = 0; |
82 p->auth_type = SRTP_NULL_AUTH; | 80 p->auth_type = NULL_AUTH; |
83 p->auth_key_len = 0; | 81 p->auth_key_len = 0; |
84 p->auth_tag_len = 0; | 82 p->auth_tag_len = 0; |
85 p->sec_serv = sec_serv_none; | 83 p->sec_serv = sec_serv_none; |
86 }; | 84 }; |
87 }; | 85 }; |
88 | 86 |
89 size_t ReadLength(const uint8_t* data, size_t size) { | 87 size_t ReadLength(const uint8_t* data, size_t size) { |
90 // Read one byte of input and interpret it as a length to read from | 88 // Read one byte of input and interpret it as a length to read from |
91 // data. Don't return more bytes than are available. | 89 // data. Don't return more bytes than are available. |
92 size_t n = static_cast<size_t>(data[0]); | 90 size_t n = static_cast<size_t>(data[0]); |
(...skipping 12 matching lines...) Expand all Loading... |
105 size -= 1; | 103 size -= 1; |
106 | 104 |
107 // Read some more bytes to use as a key. | 105 // Read some more bytes to use as a key. |
108 if (size <= SRTP_MASTER_KEY_LEN) | 106 if (size <= SRTP_MASTER_KEY_LEN) |
109 return 0; | 107 return 0; |
110 srtp_policy_t srtp_policy = env->GetCryptoPolicy(policy, data); | 108 srtp_policy_t srtp_policy = env->GetCryptoPolicy(policy, data); |
111 data += SRTP_MASTER_KEY_LEN; | 109 data += SRTP_MASTER_KEY_LEN; |
112 size -= SRTP_MASTER_KEY_LEN; | 110 size -= SRTP_MASTER_KEY_LEN; |
113 | 111 |
114 srtp_t session; | 112 srtp_t session; |
115 srtp_err_status_t error = srtp_create(&session, &srtp_policy); | 113 err_status_t error = srtp_create(&session, &srtp_policy); |
116 if (error != srtp_err_status_ok) { | 114 if (error != err_status_ok) { |
117 assert(false); | 115 assert(false); |
118 return 0; | 116 return 0; |
119 } | 117 } |
120 | 118 |
121 // Read one byte as a packet length N, then feed the next N bytes | 119 // Read one byte as a packet length N, then feed the next N bytes |
122 // into srtp_unprotect. Keep going until we run out of data. | 120 // into srtp_unprotect. Keep going until we run out of data. |
123 size_t packet_size; | 121 size_t packet_size; |
124 while (size > 0 && (packet_size = ReadLength(data, size)) > 0) { | 122 while (size > 0 && (packet_size = ReadLength(data, size)) > 0) { |
125 // One byte was used by ReadLength. | 123 // One byte was used by ReadLength. |
126 data++; | 124 data++; |
(...skipping 12 matching lines...) Expand all Loading... |
139 srtp_unprotect(session, &message, &out_len); | 137 srtp_unprotect(session, &message, &out_len); |
140 | 138 |
141 // |packet_size| bytes were used above. | 139 // |packet_size| bytes were used above. |
142 data += packet_size; | 140 data += packet_size; |
143 size -= packet_size; | 141 size -= packet_size; |
144 } | 142 } |
145 | 143 |
146 srtp_dealloc(session); | 144 srtp_dealloc(session); |
147 return 0; | 145 return 0; |
148 } | 146 } |
OLD | NEW |