Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: srtp/srtp/srtp.c

Issue 889083003: Update libsrtp to upstream 1.5.0 (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/libsrtp@master
Patch Set: Updated to libsrtp 1.5.1 Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « srtp/srtp/ekt.c ('k') | srtp/tables/aes_tables.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * srtp.c 2 * srtp.c
3 * 3 *
4 * the secure real-time transport protocol 4 * the secure real-time transport protocol
5 * 5 *
6 * David A. McGrew 6 * David A. McGrew
7 * Cisco Systems, Inc. 7 * Cisco Systems, Inc.
8 */ 8 */
9 /* 9 /*
10 * 10 *
(...skipping 25 matching lines...) Expand all
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE. 41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 * 42 *
43 */ 43 */
44 44
45 45
46 #include "srtp.h" 46 #include "srtp_priv.h"
47 #include "ekt.h" /* for SRTP Encrypted Key Transport */ 47 #include "ekt.h" /* for SRTP Encrypted Key Transport */
48 #include "alloc.h" /* for crypto_alloc() */ 48 #include "alloc.h" /* for crypto_alloc() */
49 #ifdef OPENSSL
50 #include "aes_gcm_ossl.h" /* for AES GCM mode */
51 #endif
49 52
50 #ifndef SRTP_KERNEL 53 #ifndef SRTP_KERNEL
51 # include <limits.h> 54 # include <limits.h>
52 # ifdef HAVE_NETINET_IN_H 55 # ifdef HAVE_NETINET_IN_H
53 # include <netinet/in.h> 56 # include <netinet/in.h>
54 # elif defined(HAVE_WINSOCK2_H) 57 # elif defined(HAVE_WINSOCK2_H)
55 # include <winsock2.h> 58 # include <winsock2.h>
56 # endif 59 # endif
57 #endif /* ! SRTP_KERNEL */ 60 #endif /* ! SRTP_KERNEL */
58 61
(...skipping 29 matching lines...) Expand all
88 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc); 91 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc);
89 int profile_len = ntohs(xtn_hdr->length); 92 int profile_len = ntohs(xtn_hdr->length);
90 rtp_header_len += profile_len * 4; 93 rtp_header_len += profile_len * 4;
91 /* profile length counts the number of 32-bit words */ 94 /* profile length counts the number of 32-bit words */
92 if (*pkt_octet_len < rtp_header_len) 95 if (*pkt_octet_len < rtp_header_len)
93 return err_status_bad_param; 96 return err_status_bad_param;
94 } 97 }
95 return err_status_ok; 98 return err_status_ok;
96 } 99 }
97 100
101 const char *srtp_get_version_string ()
102 {
103 /*
104 * Simply return the autotools generated string
105 */
106 return SRTP_VER_STRING;
107 }
108
109 unsigned int srtp_get_version ()
110 {
111 unsigned int major = 0, minor = 0, micro = 0;
112 unsigned int rv = 0;
113 int parse_rv;
114
115 /*
116 * Parse the autotools generated version
117 */
118 parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, &micro);
119 if (parse_rv != 3) {
120 /*
121 * We're expected to parse all 3 version levels.
122 * If not, then this must not be an official release.
123 * Return all zeros on the version
124 */
125 return (0);
126 }
127
128 /*
129 * We allow 8 bits for the major and minor, while
130 * allowing 16 bits for the micro. 16 bits for the micro
131 * may be beneficial for a continuous delivery model
132 * in the future.
133 */
134 rv |= (major & 0xFF) << 24;
135 rv |= (minor & 0xFF) << 16;
136 rv |= micro & 0xFF;
137 return rv;
138 }
139
98 err_status_t 140 err_status_t
99 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, 141 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
100 const srtp_policy_t *p) { 142 const srtp_policy_t *p) {
101 srtp_stream_ctx_t *str; 143 srtp_stream_ctx_t *str;
102 err_status_t stat; 144 err_status_t stat;
103 145
104 /* 146 /*
105 * This function allocates the stream context, rtp and rtcp ciphers 147 * This function allocates the stream context, rtp and rtcp ciphers
106 * and auth functions, and key limit structure. If there is a 148 * and auth functions, and key limit structure. If there is a
107 * failure during allocation, we free all previously allocated 149 * failure during allocation, we free all previously allocated
108 * memory and return a failure code. The code could probably 150 * memory and return a failure code. The code could probably
109 * be improved, but it works and should be clear. 151 * be improved, but it works and should be clear.
110 */ 152 */
111 153
112 /* allocate srtp stream and set str_ptr */ 154 /* allocate srtp stream and set str_ptr */
113 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t)); 155 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
114 if (str == NULL) 156 if (str == NULL)
115 return err_status_alloc_fail; 157 return err_status_alloc_fail;
116 *str_ptr = str; 158 *str_ptr = str;
117 159
118 /* allocate cipher */ 160 /* allocate cipher */
119 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type, 161 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
120 &str->rtp_cipher, 162 &str->rtp_cipher,
121 » » » » p->rtp.cipher_key_len); 163 » » » » p->rtp.cipher_key_len,
164 » » » » p->rtp.auth_tag_len);
122 if (stat) { 165 if (stat) {
123 crypto_free(str); 166 crypto_free(str);
124 return stat; 167 return stat;
125 } 168 }
126 169
127 /* allocate auth function */ 170 /* allocate auth function */
128 stat = crypto_kernel_alloc_auth(p->rtp.auth_type, 171 stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
129 &str->rtp_auth, 172 &str->rtp_auth,
130 p->rtp.auth_key_len, 173 p->rtp.auth_key_len,
131 p->rtp.auth_tag_len); 174 p->rtp.auth_tag_len);
(...skipping 11 matching lines...) Expand all
143 crypto_free(str); 186 crypto_free(str);
144 return err_status_alloc_fail; 187 return err_status_alloc_fail;
145 } 188 }
146 189
147 /* 190 /*
148 * ...and now the RTCP-specific initialization - first, allocate 191 * ...and now the RTCP-specific initialization - first, allocate
149 * the cipher 192 * the cipher
150 */ 193 */
151 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type, 194 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
152 &str->rtcp_cipher, 195 &str->rtcp_cipher,
153 » » » » p->rtcp.cipher_key_len); 196 » » » » p->rtcp.cipher_key_len,
197 » » » » p->rtcp.auth_tag_len);
154 if (stat) { 198 if (stat) {
155 auth_dealloc(str->rtp_auth); 199 auth_dealloc(str->rtp_auth);
156 cipher_dealloc(str->rtp_cipher); 200 cipher_dealloc(str->rtp_cipher);
157 crypto_free(str->limit); 201 crypto_free(str->limit);
158 crypto_free(str); 202 crypto_free(str);
159 return stat; 203 return stat;
160 } 204 }
161 205
162 /* allocate auth function */ 206 /* allocate auth function */
163 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type, 207 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after
250 status = auth_dealloc(stream->rtcp_auth); 294 status = auth_dealloc(stream->rtcp_auth);
251 if (status) 295 if (status)
252 return status; 296 return status;
253 } 297 }
254 298
255 status = rdbx_dealloc(&stream->rtp_rdbx); 299 status = rdbx_dealloc(&stream->rtp_rdbx);
256 if (status) 300 if (status)
257 return status; 301 return status;
258 302
259 /* DAM - need to deallocate EKT here */ 303 /* DAM - need to deallocate EKT here */
304
305 /*
306 * zeroize the salt value
307 */
308 memset(stream->salt, 0, SRTP_AEAD_SALT_LEN);
309 memset(stream->c_salt, 0, SRTP_AEAD_SALT_LEN);
310
260 311
261 /* deallocate srtp stream context */ 312 /* deallocate srtp stream context */
262 crypto_free(stream); 313 crypto_free(stream);
263 314
264 return err_status_ok; 315 return err_status_ok;
265 } 316 }
266 317
267 318
268 /* 319 /*
269 * srtp_stream_clone(stream_template, new) allocates a new stream and 320 * srtp_stream_clone(stream_template, new) allocates a new stream and
(...skipping 19 matching lines...) Expand all
289 *str_ptr = str; 340 *str_ptr = str;
290 341
291 /* set cipher and auth pointers to those of the template */ 342 /* set cipher and auth pointers to those of the template */
292 str->rtp_cipher = stream_template->rtp_cipher; 343 str->rtp_cipher = stream_template->rtp_cipher;
293 str->rtp_auth = stream_template->rtp_auth; 344 str->rtp_auth = stream_template->rtp_auth;
294 str->rtcp_cipher = stream_template->rtcp_cipher; 345 str->rtcp_cipher = stream_template->rtcp_cipher;
295 str->rtcp_auth = stream_template->rtcp_auth; 346 str->rtcp_auth = stream_template->rtcp_auth;
296 347
297 /* set key limit to point to that of the template */ 348 /* set key limit to point to that of the template */
298 status = key_limit_clone(stream_template->limit, &str->limit); 349 status = key_limit_clone(stream_template->limit, &str->limit);
299 if (status) 350 if (status) {
351 crypto_free(*str_ptr);
352 *str_ptr = NULL;
300 return status; 353 return status;
354 }
301 355
302 /* initialize replay databases */ 356 /* initialize replay databases */
303 status = rdbx_init(&str->rtp_rdbx, 357 status = rdbx_init(&str->rtp_rdbx,
304 rdbx_get_window_size(&stream_template->rtp_rdbx)); 358 rdbx_get_window_size(&stream_template->rtp_rdbx));
305 if (status) 359 if (status) {
360 crypto_free(*str_ptr);
361 *str_ptr = NULL;
306 return status; 362 return status;
363 }
307 rdb_init(&str->rtcp_rdb); 364 rdb_init(&str->rtcp_rdb);
308 str->allow_repeat_tx = stream_template->allow_repeat_tx; 365 str->allow_repeat_tx = stream_template->allow_repeat_tx;
309 366
310 /* set ssrc to that provided */ 367 /* set ssrc to that provided */
311 str->ssrc = ssrc; 368 str->ssrc = ssrc;
312 369
313 /* set direction and security services */ 370 /* set direction and security services */
314 str->direction = stream_template->direction; 371 str->direction = stream_template->direction;
315 str->rtp_services = stream_template->rtp_services; 372 str->rtp_services = stream_template->rtp_services;
316 str->rtcp_services = stream_template->rtcp_services; 373 str->rtcp_services = stream_template->rtcp_services;
317 374
318 /* set pointer to EKT data associated with stream */ 375 /* set pointer to EKT data associated with stream */
319 str->ekt = stream_template->ekt; 376 str->ekt = stream_template->ekt;
320 377
378 /* Copy the salt values */
379 memcpy(str->salt, stream_template->salt, SRTP_AEAD_SALT_LEN);
380 memcpy(str->c_salt, stream_template->c_salt, SRTP_AEAD_SALT_LEN);
381
321 /* defensive coding */ 382 /* defensive coding */
322 str->next = NULL; 383 str->next = NULL;
323 384
324 return err_status_ok; 385 return err_status_ok;
325 } 386 }
326 387
327 388
328 /* 389 /*
329 * key derivation functions, internal to libSRTP 390 * key derivation functions, internal to libSRTP
330 * 391 *
(...skipping 26 matching lines...) Expand all
357 */ 418 */
358 419
359 typedef struct { 420 typedef struct {
360 cipher_t *cipher; /* cipher used for key derivation */ 421 cipher_t *cipher; /* cipher used for key derivation */
361 } srtp_kdf_t; 422 } srtp_kdf_t;
362 423
363 err_status_t 424 err_status_t
364 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, i nt length) { 425 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, i nt length) {
365 426
366 err_status_t stat; 427 err_status_t stat;
367 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length); 428 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length, 0);
368 if (stat) 429 if (stat)
369 return stat; 430 return stat;
370 431
371 stat = cipher_init(kdf->cipher, key, direction_encrypt); 432 stat = cipher_init(kdf->cipher, key);
372 if (stat) { 433 if (stat) {
373 cipher_dealloc(kdf->cipher); 434 cipher_dealloc(kdf->cipher);
374 return stat; 435 return stat;
375 } 436 }
376 437
377 return err_status_ok; 438 return err_status_ok;
378 } 439 }
379 440
380 err_status_t 441 err_status_t
381 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, 442 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
382 » » uint8_t *key, unsigned length) { 443 » » uint8_t *key, unsigned int length) {
383 444
384 v128_t nonce; 445 v128_t nonce;
385 err_status_t status; 446 err_status_t status;
386 447
387 /* set eigth octet of nonce to <label>, set the rest of it to zero */ 448 /* set eigth octet of nonce to <label>, set the rest of it to zero */
388 v128_set_to_zero(&nonce); 449 v128_set_to_zero(&nonce);
389 nonce.v8[7] = label; 450 nonce.v8[7] = label;
390 451
391 status = cipher_set_iv(kdf->cipher, &nonce); 452 status = cipher_set_iv(kdf->cipher, &nonce, direction_encrypt);
392 if (status) 453 if (status)
393 return status; 454 return status;
394 455
395 /* generate keystream output */ 456 /* generate keystream output */
396 octet_string_set_to_zero(key, length); 457 octet_string_set_to_zero(key, length);
397 status = cipher_encrypt(kdf->cipher, key, &length); 458 status = cipher_encrypt(kdf->cipher, key, &length);
398 if (status) 459 if (status)
399 return status; 460 return status;
400 461
401 return err_status_ok; 462 return err_status_ok;
(...skipping 15 matching lines...) Expand all
417 */ 478 */
418 479
419 #define MAX_SRTP_KEY_LEN 256 480 #define MAX_SRTP_KEY_LEN 256
420 481
421 482
422 /* Get the base key length corresponding to a given combined key+salt 483 /* Get the base key length corresponding to a given combined key+salt
423 * length for the given cipher. 484 * length for the given cipher.
424 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using 485 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using
425 * AES-128 and short salts; everything else uses a salt length of 14. 486 * AES-128 and short salts; everything else uses a salt length of 14.
426 * TODO: key and salt lengths should be separate fields in the policy. */ 487 * TODO: key and salt lengths should be separate fields in the policy. */
427 static INLINE int base_key_length(const cipher_type_t *cipher, int key_length) 488 static inline int base_key_length(const cipher_type_t *cipher, int key_length)
428 { 489 {
429 if (cipher->id != AES_ICM) 490 switch (cipher->id) {
491 case AES_128_ICM:
492 case AES_192_ICM:
493 case AES_256_ICM:
494 /* The legacy modes are derived from
495 * the configured key length on the policy */
496 return key_length - 14;
497 break;
498 case AES_128_GCM:
499 return 16;
500 break;
501 case AES_256_GCM:
502 return 32;
503 break;
504 default:
430 return key_length; 505 return key_length;
431 else if (key_length > 16 && key_length < 30) 506 break;
432 return 16; 507 }
433 return key_length - 14;
434 } 508 }
435 509
436 err_status_t 510 err_status_t
437 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) { 511 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
438 err_status_t stat; 512 err_status_t stat;
439 srtp_kdf_t kdf; 513 srtp_kdf_t kdf;
440 uint8_t tmp_key[MAX_SRTP_KEY_LEN]; 514 uint8_t tmp_key[MAX_SRTP_KEY_LEN];
441 int kdf_keylen = 30, rtp_keylen, rtcp_keylen; 515 int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
442 int rtp_base_key_len, rtp_salt_len; 516 int rtp_base_key_len, rtp_salt_len;
443 int rtcp_base_key_len, rtcp_salt_len; 517 int rtcp_base_key_len, rtcp_salt_len;
444 518
445 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ 519 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
446 /* TODO: kdf algorithm, master key length, and master salt length should 520 /* TODO: kdf algorithm, master key length, and master salt length should
447 * be part of srtp_policy_t. */ 521 * be part of srtp_policy_t. */
448 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher); 522 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher);
449 if (rtp_keylen > kdf_keylen) 523 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher);
450 kdf_keylen = rtp_keylen; 524 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
525 rtp_salt_len = rtp_keylen - rtp_base_key_len;
451 526
452 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher); 527 if (rtp_keylen > kdf_keylen) {
453 if (rtcp_keylen > kdf_keylen) 528 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
454 kdf_keylen = rtcp_keylen; 529 }
530
531 if (rtcp_keylen > kdf_keylen) {
532 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
533 }
534
535 debug_print(mod_srtp, "srtp key len: %d", rtp_keylen);
536 debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen);
537 debug_print(mod_srtp, "base key len: %d", rtp_base_key_len);
538 debug_print(mod_srtp, "kdf key len: %d", kdf_keylen);
539 debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len);
540
541 /*
542 * Make sure the key given to us is 'zero' appended. GCM
543 * mode uses a shorter master SALT (96 bits), but still relies on
544 * the legacy CTR mode KDF, which uses a 112 bit master SALT.
545 */
546 memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN);
547 memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len));
455 548
456 /* initialize KDF state */ 549 /* initialize KDF state */
457 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)key, kdf_keylen); 550 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)tmp_key, kdf_keylen);
458 if (stat) { 551 if (stat) {
459 return err_status_init_fail; 552 return err_status_init_fail;
460 } 553 }
461
462 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
463 rtp_salt_len = rtp_keylen - rtp_base_key_len;
464 554
465 /* generate encryption key */ 555 /* generate encryption key */
466 stat = srtp_kdf_generate(&kdf, label_rtp_encryption, 556 stat = srtp_kdf_generate(&kdf, label_rtp_encryption,
467 tmp_key, rtp_base_key_len); 557 tmp_key, rtp_base_key_len);
468 if (stat) { 558 if (stat) {
469 /* zeroize temp buffer */ 559 /* zeroize temp buffer */
470 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 560 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
471 return err_status_init_fail; 561 return err_status_init_fail;
472 } 562 }
563 debug_print(mod_srtp, "cipher key: %s",
564 octet_string_hex_string(tmp_key, rtp_base_key_len));
473 565
474 /* 566 /*
475 * if the cipher in the srtp context uses a salt, then we need 567 * if the cipher in the srtp context uses a salt, then we need
476 * to generate the salt value 568 * to generate the salt value
477 */ 569 */
478 if (rtp_salt_len > 0) { 570 if (rtp_salt_len > 0) {
479 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); 571 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
480 572
481 /* generate encryption salt, put after encryption key */ 573 /* generate encryption salt, put after encryption key */
482 stat = srtp_kdf_generate(&kdf, label_rtp_salt, 574 stat = srtp_kdf_generate(&kdf, label_rtp_salt,
483 tmp_key + rtp_base_key_len, rtp_salt_len); 575 tmp_key + rtp_base_key_len, rtp_salt_len);
484 if (stat) { 576 if (stat) {
485 /* zeroize temp buffer */ 577 /* zeroize temp buffer */
486 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 578 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
487 return err_status_init_fail; 579 return err_status_init_fail;
488 } 580 }
581 memcpy(srtp->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN);
489 } 582 }
490 debug_print(mod_srtp, "cipher key: %s",
491 octet_string_hex_string(tmp_key, rtp_base_key_len));
492 if (rtp_salt_len > 0) { 583 if (rtp_salt_len > 0) {
493 debug_print(mod_srtp, "cipher salt: %s", 584 debug_print(mod_srtp, "cipher salt: %s",
494 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len )); 585 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len ));
495 } 586 }
496 587
497 /* initialize cipher */ 588 /* initialize cipher */
498 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any); 589 stat = cipher_init(srtp->rtp_cipher, tmp_key);
499 if (stat) { 590 if (stat) {
500 /* zeroize temp buffer */ 591 /* zeroize temp buffer */
501 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 592 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
502 return err_status_init_fail; 593 return err_status_init_fail;
503 } 594 }
504 595
505 /* generate authentication key */ 596 /* generate authentication key */
506 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, 597 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth,
507 tmp_key, auth_get_key_length(srtp->rtp_auth)); 598 tmp_key, auth_get_key_length(srtp->rtp_auth));
508 if (stat) { 599 if (stat) {
(...skipping 12 matching lines...) Expand all
521 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 612 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
522 return err_status_init_fail; 613 return err_status_init_fail;
523 } 614 }
524 615
525 /* 616 /*
526 * ...now initialize SRTCP keys 617 * ...now initialize SRTCP keys
527 */ 618 */
528 619
529 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen); 620 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen);
530 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; 621 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
622 debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len);
531 623
532 /* generate encryption key */ 624 /* generate encryption key */
533 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, 625 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption,
534 tmp_key, rtcp_base_key_len); 626 tmp_key, rtcp_base_key_len);
535 if (stat) { 627 if (stat) {
536 /* zeroize temp buffer */ 628 /* zeroize temp buffer */
537 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 629 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
538 return err_status_init_fail; 630 return err_status_init_fail;
539 } 631 }
540 632
541 /* 633 /*
542 * if the cipher in the srtp context uses a salt, then we need 634 * if the cipher in the srtp context uses a salt, then we need
543 * to generate the salt value 635 * to generate the salt value
544 */ 636 */
545 if (rtcp_salt_len > 0) { 637 if (rtcp_salt_len > 0) {
546 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", 638 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
547 NULL); 639 NULL);
548 640
549 /* generate encryption salt, put after encryption key */ 641 /* generate encryption salt, put after encryption key */
550 stat = srtp_kdf_generate(&kdf, label_rtcp_salt, 642 stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
551 tmp_key + rtcp_base_key_len, rtcp_salt_len); 643 tmp_key + rtcp_base_key_len, rtcp_salt_len);
552 if (stat) { 644 if (stat) {
553 /* zeroize temp buffer */ 645 /* zeroize temp buffer */
554 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 646 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
555 return err_status_init_fail; 647 return err_status_init_fail;
556 } 648 }
649 memcpy(srtp->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN);
557 } 650 }
558 debug_print(mod_srtp, "rtcp cipher key: %s", 651 debug_print(mod_srtp, "rtcp cipher key: %s",
559 octet_string_hex_string(tmp_key, rtcp_base_key_len)); 652 octet_string_hex_string(tmp_key, rtcp_base_key_len));
560 if (rtcp_salt_len > 0) { 653 if (rtcp_salt_len > 0) {
561 debug_print(mod_srtp, "rtcp cipher salt: %s", 654 debug_print(mod_srtp, "rtcp cipher salt: %s",
562 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_l en)); 655 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_l en));
563 } 656 }
564 657
565 /* initialize cipher */ 658 /* initialize cipher */
566 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any); 659 stat = cipher_init(srtp->rtcp_cipher, tmp_key);
567 if (stat) { 660 if (stat) {
568 /* zeroize temp buffer */ 661 /* zeroize temp buffer */
569 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 662 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
570 return err_status_init_fail; 663 return err_status_init_fail;
571 } 664 }
572 665
573 /* generate authentication key */ 666 /* generate authentication key */
574 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, 667 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
575 tmp_key, auth_get_key_length(srtp->rtcp_auth)); 668 tmp_key, auth_get_key_length(srtp->rtcp_auth));
576 if (stat) { 669 if (stat) {
(...skipping 152 matching lines...) Expand 10 before | Expand all | Expand 10 after
729 * note that we accept NULL arguments intentionally - calling this 822 * note that we accept NULL arguments intentionally - calling this
730 * function with a NULL arguments removes an event handler that's 823 * function with a NULL arguments removes an event handler that's
731 * been previously installed 824 * been previously installed
732 */ 825 */
733 826
734 /* set global event handling function */ 827 /* set global event handling function */
735 srtp_event_handler = func; 828 srtp_event_handler = func;
736 return err_status_ok; 829 return err_status_ok;
737 } 830 }
738 831
832 /*
833 * AEAD uses a new IV formation method. This function implements
834 * section 9.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The
835 * calculation is defined as, where (+) is the xor operation:
836 *
837 *
838 * 0 0 0 0 0 0 0 0 0 0 1 1
839 * 0 1 2 3 4 5 6 7 8 9 0 1
840 * +--+--+--+--+--+--+--+--+--+--+--+--+
841 * |00|00| SSRC | ROC | SEQ |---+
842 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
843 * |
844 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
845 * | Encryption Salt |->(+)
846 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
847 * |
848 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
849 * | Initialization Vector |<--+
850 * +--+--+--+--+--+--+--+--+--+--+--+--+*
851 *
852 * Input: *stream - pointer to SRTP stream context, used to retrieve
853 * the SALT
854 * *iv - Pointer to receive the calculated IV
855 * *seq - The ROC and SEQ value to use for the
856 * IV calculation.
857 * *hdr - The RTP header, used to get the SSRC value
858 *
859 */
860 static void srtp_calc_aead_iv(srtp_stream_ctx_t *stream, v128_t *iv,
861 xtd_seq_num_t *seq, srtp_hdr_t *hdr)
862 {
863 v128_t in;
864 v128_t salt;
865
866 #ifdef NO_64BIT_MATH
867 uint32_t local_roc = ((high32(*seq) << 16) |
868 (low32(*seq) >> 16));
869 uint16_t local_seq = (uint16_t) (low32(*seq));
870 #else
871 uint32_t local_roc = (uint32_t)(*seq >> 16);
872 uint16_t local_seq = (uint16_t) *seq;
873 #endif
874
875 memset(&in, 0, sizeof(v128_t));
876 memset(&salt, 0, sizeof(v128_t));
877
878 in.v16[5] = htons(local_seq);
879 local_roc = htonl(local_roc);
880 memcpy(&in.v16[3], &local_roc, sizeof(local_roc));
881
882 /*
883 * Copy in the RTP SSRC value
884 */
885 memcpy(&in.v8[2], &hdr->ssrc, 4);
886 debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in));
887
888 /*
889 * Get the SALT value from the context
890 */
891 memcpy(salt.v8, stream->salt, SRTP_AEAD_SALT_LEN);
892 debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt));
893
894 /*
895 * Finally, apply tyhe SALT to the input
896 */
897 v128_xor(iv, &in, &salt);
898 }
899
900
901 /*
902 * This function handles outgoing SRTP packets while in AEAD mode,
903 * which currently supports AES-GCM encryption. All packets are
904 * encrypted and authenticated.
905 */
906 static err_status_t
907 srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream,
908 void *rtp_hdr, unsigned int *pkt_octet_len)
909 {
910 srtp_hdr_t *hdr = (srtp_hdr_t*)rtp_hdr;
911 uint32_t *enc_start; /* pointer to start of encrypted portion */
912 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
913 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
914 int delta; /* delta of local pkt idx and that in hdr */
915 err_status_t status;
916 int tag_len;
917 v128_t iv;
918 unsigned int aad_len;
919
920 debug_print(mod_srtp, "function srtp_protect_aead", NULL);
921
922 /*
923 * update the key usage limit, and check it to make sure that we
924 * didn't just hit either the soft limit or the hard limit, and call
925 * the event handler if we hit either.
926 */
927 switch (key_limit_update(stream->limit)) {
928 case key_event_normal:
929 break;
930 case key_event_hard_limit:
931 srtp_handle_event(ctx, stream, event_key_hard_limit);
932 return err_status_key_expired;
933 case key_event_soft_limit:
934 default:
935 srtp_handle_event(ctx, stream, event_key_soft_limit);
936 break;
937 }
938
939 /* get tag length from stream */
940 tag_len = auth_get_tag_length(stream->rtp_auth);
941
942 /*
943 * find starting point for encryption and length of data to be
944 * encrypted - the encrypted portion starts after the rtp header
945 * extension, if present; otherwise, it starts after the last csrc,
946 * if any are present
947 */
948 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc;
949 if (hdr->x == 1) {
950 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
951 enc_start += (ntohs(xtn_hdr->length) + 1);
952 }
953 if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
954 return err_status_parse_err;
955 enc_octet_len = (unsigned int)(*pkt_octet_len -
956 ((uint8_t*)enc_start - (uint8_t*)hdr));
957
958 /*
959 * estimate the packet index using the start of the replay window
960 * and the sequence number from the header
961 */
962 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
963 status = rdbx_check(&stream->rtp_rdbx, delta);
964 if (status) {
965 if (status != err_status_replay_fail || !stream->allow_repeat_tx) {
966 return status; /* we've been asked to reuse an index */
967 }
968 } else {
969 rdbx_add_index(&stream->rtp_rdbx, delta);
970 }
971
972 #ifdef NO_64BIT_MATH
973 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
974 high32(est), low32(est));
975 #else
976 debug_print(mod_srtp, "estimated packet index: %016llx", est);
977 #endif
978
979 /*
980 * AEAD uses a new IV formation method
981 */
982 srtp_calc_aead_iv(stream, &iv, &est, hdr);
983 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
984 if (status) {
985 return err_status_cipher_fail;
986 }
987
988 /* shift est, put into network byte order */
989 #ifdef NO_64BIT_MATH
990 est = be64_to_cpu(make64((high32(est) << 16) |
991 (low32(est) >> 16),
992 low32(est) << 16));
993 #else
994 est = be64_to_cpu(est << 16);
995 #endif
996
997 /*
998 * Set the AAD over the RTP header
999 */
1000 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
1001 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len);
1002 if (status) {
1003 return ( err_status_cipher_fail);
1004 }
1005
1006 /* Encrypt the payload */
1007 status = cipher_encrypt(stream->rtp_cipher,
1008 (uint8_t*)enc_start, &enc_octet_len);
1009 if (status) {
1010 return err_status_cipher_fail;
1011 }
1012 /*
1013 * If we're doing GCM, we need to get the tag
1014 * and append that to the output
1015 */
1016 status = cipher_get_tag(stream->rtp_cipher,
1017 (uint8_t*)enc_start+enc_octet_len, &tag_len);
1018 if (status) {
1019 return ( err_status_cipher_fail);
1020 }
1021 enc_octet_len += tag_len;
1022
1023 /* increase the packet length by the length of the auth tag */
1024 *pkt_octet_len += tag_len;
1025
1026 return err_status_ok;
1027 }
1028
1029
1030 /*
1031 * This function handles incoming SRTP packets while in AEAD mode,
1032 * which currently supports AES-GCM encryption. All packets are
1033 * encrypted and authenticated. Note, the auth tag is at the end
1034 * of the packet stream and is automatically checked by GCM
1035 * when decrypting the payload.
1036 */
1037 static err_status_t
1038 srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta,
1039 xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_ len)
1040 {
1041 srtp_hdr_t *hdr = (srtp_hdr_t*)srtp_hdr;
1042 uint32_t *enc_start; /* pointer to start of encrypted portion */
1043 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
1044 v128_t iv;
1045 err_status_t status;
1046 int tag_len;
1047 unsigned int aad_len;
1048
1049 debug_print(mod_srtp, "function srtp_unprotect_aead", NULL);
1050
1051 #ifdef NO_64BIT_MATH
1052 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), lo w32(est));
1053 #else
1054 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1055 #endif
1056
1057 /* get tag length from stream */
1058 tag_len = auth_get_tag_length(stream->rtp_auth);
1059
1060 /*
1061 * AEAD uses a new IV formation method
1062 */
1063 srtp_calc_aead_iv(stream, &iv, &est, hdr);
1064 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
1065 if (status) {
1066 return err_status_cipher_fail;
1067 }
1068
1069 /*
1070 * find starting point for decryption and length of data to be
1071 * decrypted - the encrypted portion starts after the rtp header
1072 * extension, if present; otherwise, it starts after the last csrc,
1073 * if any are present
1074 */
1075 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc;
1076 if (hdr->x == 1) {
1077 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
1078 enc_start += (ntohs(xtn_hdr->length) + 1);
1079 }
1080 if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
1081 return err_status_parse_err;
1082 /*
1083 * We pass the tag down to the cipher when doing GCM mode
1084 */
1085 enc_octet_len = (unsigned int)(*pkt_octet_len -
1086 ((uint8_t*)enc_start - (uint8_t*)hdr));
1087
1088 /*
1089 * Sanity check the encrypted payload length against
1090 * the tag size. It must always be at least as large
1091 * as the tag length.
1092 */
1093 if (enc_octet_len < tag_len) {
1094 return err_status_cipher_fail;
1095 }
1096
1097 /*
1098 * update the key usage limit, and check it to make sure that we
1099 * didn't just hit either the soft limit or the hard limit, and call
1100 * the event handler if we hit either.
1101 */
1102 switch (key_limit_update(stream->limit)) {
1103 case key_event_normal:
1104 break;
1105 case key_event_soft_limit:
1106 srtp_handle_event(ctx, stream, event_key_soft_limit);
1107 break;
1108 case key_event_hard_limit:
1109 srtp_handle_event(ctx, stream, event_key_hard_limit);
1110 return err_status_key_expired;
1111 default:
1112 break;
1113 }
1114
1115 /*
1116 * Set the AAD for AES-GCM, which is the RTP header
1117 */
1118 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
1119 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len);
1120 if (status) {
1121 return ( err_status_cipher_fail);
1122 }
1123
1124 /* Decrypt the ciphertext. This also checks the auth tag based
1125 * on the AAD we just specified above */
1126 status = cipher_decrypt(stream->rtp_cipher,
1127 (uint8_t*)enc_start, &enc_octet_len);
1128 if (status) {
1129 return status;
1130 }
1131
1132 /*
1133 * verify that stream is for received traffic - this check will
1134 * detect SSRC collisions, since a stream that appears in both
1135 * srtp_protect() and srtp_unprotect() will fail this test in one of
1136 * those functions.
1137 *
1138 * we do this check *after* the authentication check, so that the
1139 * latter check will catch any attempts to fool us into thinking
1140 * that we've got a collision
1141 */
1142 if (stream->direction != dir_srtp_receiver) {
1143 if (stream->direction == dir_unknown) {
1144 stream->direction = dir_srtp_receiver;
1145 } else {
1146 srtp_handle_event(ctx, stream, event_ssrc_collision);
1147 }
1148 }
1149
1150 /*
1151 * if the stream is a 'provisional' one, in which the template context
1152 * is used, then we need to allocate a new stream at this point, since
1153 * the authentication passed
1154 */
1155 if (stream == ctx->stream_template) {
1156 srtp_stream_ctx_t *new_stream;
1157
1158 /*
1159 * allocate and initialize a new stream
1160 *
1161 * note that we indicate failure if we can't allocate the new
1162 * stream, and some implementations will want to not return
1163 * failure here
1164 */
1165 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream) ;
1166 if (status) {
1167 return status;
1168 }
1169
1170 /* add new stream to the head of the stream_list */
1171 new_stream->next = ctx->stream_list;
1172 ctx->stream_list = new_stream;
1173
1174 /* set stream (the pointer used in this function) */
1175 stream = new_stream;
1176 }
1177
1178 /*
1179 * the message authentication function passed, so add the packet
1180 * index into the replay database
1181 */
1182 rdbx_add_index(&stream->rtp_rdbx, delta);
1183
1184 /* decrease the packet length by the length of the auth tag */
1185 *pkt_octet_len -= tag_len;
1186
1187 return err_status_ok;
1188 }
1189
1190
1191
1192
739 err_status_t 1193 err_status_t
740 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { 1194 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
741 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; 1195 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
742 uint32_t *enc_start; /* pointer to start of encrypted portion */ 1196 uint32_t *enc_start; /* pointer to start of encrypted portion */
743 uint32_t *auth_start; /* pointer to start of auth. portion */ 1197 uint32_t *auth_start; /* pointer to start of auth. portion */
744 unsigned enc_octet_len = 0; /* number of octets in encrypted portion */ 1198 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
745 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 1199 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
746 int delta; /* delta of local pkt idx and that in hdr */ 1200 int delta; /* delta of local pkt idx and that in hdr */
747 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 1201 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
748 err_status_t status; 1202 err_status_t status;
749 int tag_len; 1203 int tag_len;
750 srtp_stream_ctx_t *stream; 1204 srtp_stream_ctx_t *stream;
751 int prefix_len; 1205 int prefix_len;
752 1206
753 debug_print(mod_srtp, "function srtp_protect", NULL); 1207 debug_print(mod_srtp, "function srtp_protect", NULL);
754 1208
755 /* we assume the hdr is 32-bit aligned to start */ 1209 /* we assume the hdr is 32-bit aligned to start */
756 1210
757 /* Verify RTP header */ 1211 /* Verify RTP header */
758 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); 1212 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len);
759 if (status) 1213 if (status)
760 return status; 1214 return status;
761 1215
1216 /* check the packet length - it must at least contain a full header */
1217 if (*pkt_octet_len < octets_in_rtp_header)
1218 return err_status_bad_param;
1219
762 /* 1220 /*
763 * look up ssrc in srtp_stream list, and process the packet with 1221 * look up ssrc in srtp_stream list, and process the packet with
764 * the appropriate stream. if we haven't seen this stream before, 1222 * the appropriate stream. if we haven't seen this stream before,
765 * there's a template key for this srtp_session, and the cipher 1223 * there's a template key for this srtp_session, and the cipher
766 * supports key-sharing, then we assume that a new stream using 1224 * supports key-sharing, then we assume that a new stream using
767 * that key has just started up 1225 * that key has just started up
768 */ 1226 */
769 stream = srtp_get_stream(ctx, hdr->ssrc); 1227 stream = srtp_get_stream(ctx, hdr->ssrc);
770 if (stream == NULL) { 1228 if (stream == NULL) {
771 if (ctx->stream_template != NULL) { 1229 if (ctx->stream_template != NULL) {
(...skipping 19 matching lines...) Expand all
791 return err_status_no_ctx; 1249 return err_status_no_ctx;
792 } 1250 }
793 } 1251 }
794 1252
795 /* 1253 /*
796 * verify that stream is for sending traffic - this check will 1254 * verify that stream is for sending traffic - this check will
797 * detect SSRC collisions, since a stream that appears in both 1255 * detect SSRC collisions, since a stream that appears in both
798 * srtp_protect() and srtp_unprotect() will fail this test in one of 1256 * srtp_protect() and srtp_unprotect() will fail this test in one of
799 * those functions. 1257 * those functions.
800 */ 1258 */
801 if (stream->direction != dir_srtp_sender) { 1259 if (stream->direction != dir_srtp_sender) {
802 if (stream->direction == dir_unknown) { 1260 if (stream->direction == dir_unknown) {
803 stream->direction = dir_srtp_sender; 1261 stream->direction = dir_srtp_sender;
804 } else { 1262 } else {
805 srtp_handle_event(ctx, stream, event_ssrc_collision); 1263 srtp_handle_event(ctx, stream, event_ssrc_collision);
806 } 1264 }
807 } 1265 }
1266
1267 /*
1268 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
1269 * the request to our AEAD handler.
1270 */
1271 if (stream->rtp_cipher->algorithm == AES_128_GCM ||
1272 stream->rtp_cipher->algorithm == AES_256_GCM) {
1273 return srtp_protect_aead(ctx, stream, rtp_hdr, (unsigned int*)pkt_octet_le n);
1274 }
808 1275
809 /* 1276 /*
810 * update the key usage limit, and check it to make sure that we 1277 * update the key usage limit, and check it to make sure that we
811 * didn't just hit either the soft limit or the hard limit, and call 1278 * didn't just hit either the soft limit or the hard limit, and call
812 * the event handler if we hit either. 1279 * the event handler if we hit either.
813 */ 1280 */
814 switch(key_limit_update(stream->limit)) { 1281 switch(key_limit_update(stream->limit)) {
815 case key_event_normal: 1282 case key_event_normal:
816 break; 1283 break;
817 case key_event_soft_limit: 1284 case key_event_soft_limit:
(...skipping 15 matching lines...) Expand all
833 * extension, if present; otherwise, it starts after the last csrc, 1300 * extension, if present; otherwise, it starts after the last csrc,
834 * if any are present 1301 * if any are present
835 * 1302 *
836 * if we're not providing confidentiality, set enc_start to NULL 1303 * if we're not providing confidentiality, set enc_start to NULL
837 */ 1304 */
838 if (stream->rtp_services & sec_serv_conf) { 1305 if (stream->rtp_services & sec_serv_conf) {
839 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; 1306 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
840 if (hdr->x == 1) { 1307 if (hdr->x == 1) {
841 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; 1308 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
842 enc_start += (ntohs(xtn_hdr->length) + 1); 1309 enc_start += (ntohs(xtn_hdr->length) + 1);
1310 if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
1311 return err_status_parse_err;
843 } 1312 }
844 enc_octet_len = (unsigned int)(*pkt_octet_len 1313 enc_octet_len = (unsigned int)(*pkt_octet_len -
845 » » » » - ((enc_start - (uint32_t *)hdr) << 2)); 1314 ((uint8_t*)enc_start - (uint8_t*)hdr));
846 } else { 1315 } else {
847 enc_start = NULL; 1316 enc_start = NULL;
848 } 1317 }
849 1318
850 /* 1319 /*
851 * if we're providing authentication, set the auth_start and auth_tag 1320 * if we're providing authentication, set the auth_start and auth_tag
852 * pointers to the proper locations; otherwise, set auth_start to NULL 1321 * pointers to the proper locations; otherwise, set auth_start to NULL
853 * to indicate that no authentication is needed 1322 * to indicate that no authentication is needed
854 */ 1323 */
855 if (stream->rtp_services & sec_serv_auth) { 1324 if (stream->rtp_services & sec_serv_auth) {
(...skipping 20 matching lines...) Expand all
876 #ifdef NO_64BIT_MATH 1345 #ifdef NO_64BIT_MATH
877 debug_print2(mod_srtp, "estimated packet index: %08x%08x", 1346 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
878 high32(est),low32(est)); 1347 high32(est),low32(est));
879 #else 1348 #else
880 debug_print(mod_srtp, "estimated packet index: %016llx", est); 1349 debug_print(mod_srtp, "estimated packet index: %016llx", est);
881 #endif 1350 #endif
882 1351
883 /* 1352 /*
884 * if we're using rindael counter mode, set nonce and seq 1353 * if we're using rindael counter mode, set nonce and seq
885 */ 1354 */
886 if (stream->rtp_cipher->type->id == AES_ICM) { 1355 if (stream->rtp_cipher->type->id == AES_ICM ||
1356 stream->rtp_cipher->type->id == AES_256_ICM) {
887 v128_t iv; 1357 v128_t iv;
888 1358
889 iv.v32[0] = 0; 1359 iv.v32[0] = 0;
890 iv.v32[1] = hdr->ssrc; 1360 iv.v32[1] = hdr->ssrc;
891 #ifdef NO_64BIT_MATH 1361 #ifdef NO_64BIT_MATH
892 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), 1362 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
893 low32(est) << 1 6)); 1363 low32(est) << 1 6));
894 #else 1364 #else
895 iv.v64[1] = be64_to_cpu(est << 16); 1365 iv.v64[1] = be64_to_cpu(est << 16);
896 #endif 1366 #endif
897 status = cipher_set_iv(stream->rtp_cipher, &iv); 1367 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
898 1368
899 } else { 1369 } else {
900 v128_t iv; 1370 v128_t iv;
901 1371
902 /* otherwise, set the index to est */ 1372 /* otherwise, set the index to est */
903 #ifdef NO_64BIT_MATH 1373 #ifdef NO_64BIT_MATH
904 iv.v32[0] = 0; 1374 iv.v32[0] = 0;
905 iv.v32[1] = 0; 1375 iv.v32[1] = 0;
906 #else 1376 #else
907 iv.v64[0] = 0; 1377 iv.v64[0] = 0;
908 #endif 1378 #endif
909 iv.v64[1] = be64_to_cpu(est); 1379 iv.v64[1] = be64_to_cpu(est);
910 status = cipher_set_iv(stream->rtp_cipher, &iv); 1380 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
911 } 1381 }
912 if (status) 1382 if (status)
913 return err_status_cipher_fail; 1383 return err_status_cipher_fail;
914 1384
915 /* shift est, put into network byte order */ 1385 /* shift est, put into network byte order */
916 #ifdef NO_64BIT_MATH 1386 #ifdef NO_64BIT_MATH
917 est = be64_to_cpu(make64((high32(est) << 16) | 1387 est = be64_to_cpu(make64((high32(est) << 16) |
918 (low32(est) >> 16), 1388 (low32(est) >> 16),
919 low32(est) << 16)); 1389 low32(est) << 16));
920 #else 1390 #else
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after
978 1448
979 return err_status_ok; 1449 return err_status_ok;
980 } 1450 }
981 1451
982 1452
983 err_status_t 1453 err_status_t
984 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { 1454 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
985 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; 1455 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
986 uint32_t *enc_start; /* pointer to start of encrypted portion */ 1456 uint32_t *enc_start; /* pointer to start of encrypted portion */
987 uint32_t *auth_start; /* pointer to start of auth. portion */ 1457 uint32_t *auth_start; /* pointer to start of auth. portion */
988 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ 1458 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
989 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 1459 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
990 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 1460 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
991 int delta; /* delta of local pkt idx and that in hdr */ 1461 int delta; /* delta of local pkt idx and that in hdr */
992 v128_t iv; 1462 v128_t iv;
993 err_status_t status; 1463 err_status_t status;
994 srtp_stream_ctx_t *stream; 1464 srtp_stream_ctx_t *stream;
995 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 1465 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
996 int tag_len, prefix_len; 1466 int tag_len, prefix_len;
997 1467
998 debug_print(mod_srtp, "function srtp_unprotect", NULL); 1468 debug_print(mod_srtp, "function srtp_unprotect", NULL);
999 1469
1000 /* we assume the hdr is 32-bit aligned to start */ 1470 /* we assume the hdr is 32-bit aligned to start */
1001 1471
1002 /* Verify RTP header */ 1472 /* Verify RTP header */
1003 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); 1473 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len);
1004 if (status) 1474 if (status)
1005 return status; 1475 return status;
1006 1476
1477 /* check the packet length - it must at least contain a full header */
1478 if (*pkt_octet_len < octets_in_rtp_header)
1479 return err_status_bad_param;
1480
1007 /* 1481 /*
1008 * look up ssrc in srtp_stream list, and process the packet with 1482 * look up ssrc in srtp_stream list, and process the packet with
1009 * the appropriate stream. if we haven't seen this stream before, 1483 * the appropriate stream. if we haven't seen this stream before,
1010 * there's only one key for this srtp_session, and the cipher 1484 * there's only one key for this srtp_session, and the cipher
1011 * supports key-sharing, then we assume that a new stream using 1485 * supports key-sharing, then we assume that a new stream using
1012 * that key has just started up 1486 * that key has just started up
1013 */ 1487 */
1014 stream = srtp_get_stream(ctx, hdr->ssrc); 1488 stream = srtp_get_stream(ctx, hdr->ssrc);
1015 if (stream == NULL) { 1489 if (stream == NULL) {
1016 if (ctx->stream_template != NULL) { 1490 if (ctx->stream_template != NULL) {
(...skipping 30 matching lines...) Expand all
1047 if (status) 1521 if (status)
1048 return status; 1522 return status;
1049 } 1523 }
1050 1524
1051 #ifdef NO_64BIT_MATH 1525 #ifdef NO_64BIT_MATH
1052 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32 (est)); 1526 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32 (est));
1053 #else 1527 #else
1054 debug_print(mod_srtp, "estimated u_packet index: %016llx", est); 1528 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1055 #endif 1529 #endif
1056 1530
1531 /*
1532 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
1533 * the request to our AEAD handler.
1534 */
1535 if (stream->rtp_cipher->algorithm == AES_128_GCM ||
1536 stream->rtp_cipher->algorithm == AES_256_GCM) {
1537 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, (unsigned in t*)pkt_octet_len);
1538 }
1539
1057 /* get tag length from stream */ 1540 /* get tag length from stream */
1058 tag_len = auth_get_tag_length(stream->rtp_auth); 1541 tag_len = auth_get_tag_length(stream->rtp_auth);
1059 1542
1060 /* 1543 /*
1061 * set the cipher's IV properly, depending on whatever cipher we 1544 * set the cipher's IV properly, depending on whatever cipher we
1062 * happen to be using 1545 * happen to be using
1063 */ 1546 */
1064 if (stream->rtp_cipher->type->id == AES_ICM) { 1547 if (stream->rtp_cipher->type->id == AES_ICM ||
1548 stream->rtp_cipher->type->id == AES_256_ICM) {
1065 1549
1066 /* aes counter mode */ 1550 /* aes counter mode */
1067 iv.v32[0] = 0; 1551 iv.v32[0] = 0;
1068 iv.v32[1] = hdr->ssrc; /* still in network order */ 1552 iv.v32[1] = hdr->ssrc; /* still in network order */
1069 #ifdef NO_64BIT_MATH 1553 #ifdef NO_64BIT_MATH
1070 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), 1554 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
1071 low32(est) << 16)); 1555 low32(est) << 16));
1072 #else 1556 #else
1073 iv.v64[1] = be64_to_cpu(est << 16); 1557 iv.v64[1] = be64_to_cpu(est << 16);
1074 #endif 1558 #endif
1075 status = cipher_set_iv(stream->rtp_cipher, &iv); 1559 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
1076 } else { 1560 } else {
1077 1561
1078 /* no particular format - set the iv to the pakcet index */ 1562 /* no particular format - set the iv to the pakcet index */
1079 #ifdef NO_64BIT_MATH 1563 #ifdef NO_64BIT_MATH
1080 iv.v32[0] = 0; 1564 iv.v32[0] = 0;
1081 iv.v32[1] = 0; 1565 iv.v32[1] = 0;
1082 #else 1566 #else
1083 iv.v64[0] = 0; 1567 iv.v64[0] = 0;
1084 #endif 1568 #endif
1085 iv.v64[1] = be64_to_cpu(est); 1569 iv.v64[1] = be64_to_cpu(est);
1086 status = cipher_set_iv(stream->rtp_cipher, &iv); 1570 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
1087 } 1571 }
1088 if (status) 1572 if (status)
1089 return err_status_cipher_fail; 1573 return err_status_cipher_fail;
1090 1574
1091 /* shift est, put into network byte order */ 1575 /* shift est, put into network byte order */
1092 #ifdef NO_64BIT_MATH 1576 #ifdef NO_64BIT_MATH
1093 est = be64_to_cpu(make64((high32(est) << 16) | 1577 est = be64_to_cpu(make64((high32(est) << 16) |
1094 (low32(est) >> 16), 1578 (low32(est) >> 16),
1095 low32(est) << 16)); 1579 low32(est) << 16));
1096 #else 1580 #else
1097 est = be64_to_cpu(est << 16); 1581 est = be64_to_cpu(est << 16);
1098 #endif 1582 #endif
1099 1583
1100 /* 1584 /*
1101 * find starting point for decryption and length of data to be 1585 * find starting point for decryption and length of data to be
1102 * decrypted - the encrypted portion starts after the rtp header 1586 * decrypted - the encrypted portion starts after the rtp header
1103 * extension, if present; otherwise, it starts after the last csrc, 1587 * extension, if present; otherwise, it starts after the last csrc,
1104 * if any are present 1588 * if any are present
1105 * 1589 *
1106 * if we're not providing confidentiality, set enc_start to NULL 1590 * if we're not providing confidentiality, set enc_start to NULL
1107 */ 1591 */
1108 if (stream->rtp_services & sec_serv_conf) { 1592 if (stream->rtp_services & sec_serv_conf) {
1109 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; 1593 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1110 if (hdr->x == 1) { 1594 if (hdr->x == 1) {
1111 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; 1595 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1112 enc_start += (ntohs(xtn_hdr->length) + 1); 1596 enc_start += (ntohs(xtn_hdr->length) + 1);
1113 } 1597 }
1114 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 1598 if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
1115 » » » - ((enc_start - (uint32_t *)hdr) << 2)); 1599 return err_status_parse_err;
1600 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len -
1601 ((uint8_t*)enc_start - (uint8_t*)hdr));
1116 } else { 1602 } else {
1117 enc_start = NULL; 1603 enc_start = NULL;
1118 } 1604 }
1119 1605
1120 /* 1606 /*
1121 * if we're providing authentication, set the auth_start and auth_tag 1607 * if we're providing authentication, set the auth_start and auth_tag
1122 * pointers to the proper locations; otherwise, set auth_start to NULL 1608 * pointers to the proper locations; otherwise, set auth_start to NULL
1123 * to indicate that no authentication is needed 1609 * to indicate that no authentication is needed
1124 */ 1610 */
1125 if (stream->rtp_services & sec_serv_auth) { 1611 if (stream->rtp_services & sec_serv_auth) {
(...skipping 330 matching lines...) Expand 10 before | Expand all | Expand 10 after
1456 if (ctx == NULL) 1942 if (ctx == NULL)
1457 return err_status_alloc_fail; 1943 return err_status_alloc_fail;
1458 *session = ctx; 1944 *session = ctx;
1459 1945
1460 /* 1946 /*
1461 * loop over elements in the policy list, allocating and 1947 * loop over elements in the policy list, allocating and
1462 * initializing a stream for each element 1948 * initializing a stream for each element
1463 */ 1949 */
1464 ctx->stream_template = NULL; 1950 ctx->stream_template = NULL;
1465 ctx->stream_list = NULL; 1951 ctx->stream_list = NULL;
1952 ctx->user_data = NULL;
1466 while (policy != NULL) { 1953 while (policy != NULL) {
1467 1954
1468 stat = srtp_add_stream(ctx, policy); 1955 stat = srtp_add_stream(ctx, policy);
1469 if (stat) { 1956 if (stat) {
1470 /* clean up everything */ 1957 /* clean up everything */
1471 srtp_dealloc(*session); 1958 srtp_dealloc(*session);
1472 return stat; 1959 return stat;
1473 } 1960 }
1474 1961
1475 /* set policy to next item in list */ 1962 /* set policy to next item in list */
(...skipping 157 matching lines...) Expand 10 before | Expand all | Expand 10 after
1633 */ 2120 */
1634 2121
1635 p->cipher_type = AES_ICM; 2122 p->cipher_type = AES_ICM;
1636 p->cipher_key_len = 46; 2123 p->cipher_key_len = 46;
1637 p->auth_type = HMAC_SHA1; 2124 p->auth_type = HMAC_SHA1;
1638 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 2125 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1639 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ 2126 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */
1640 p->sec_serv = sec_serv_conf_and_auth; 2127 p->sec_serv = sec_serv_conf_and_auth;
1641 } 2128 }
1642 2129
2130 /*
2131 * AES-256 with no authentication.
2132 */
2133 void
2134 crypto_policy_set_aes_cm_256_null_auth (crypto_policy_t *p)
2135 {
2136 p->cipher_type = AES_ICM;
2137 p->cipher_key_len = 46;
2138 p->auth_type = NULL_AUTH;
2139 p->auth_key_len = 0;
2140 p->auth_tag_len = 0;
2141 p->sec_serv = sec_serv_conf;
2142 }
2143
2144 #ifdef OPENSSL
2145 /*
2146 * AES-128 GCM mode with 8 octet auth tag.
2147 */
2148 void
2149 crypto_policy_set_aes_gcm_128_8_auth(crypto_policy_t *p) {
2150 p->cipher_type = AES_128_GCM;
2151 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
2152 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2153 p->auth_key_len = 0;
2154 p->auth_tag_len = 8; /* 8 octet tag length */
2155 p->sec_serv = sec_serv_conf_and_auth;
2156 }
2157
2158 /*
2159 * AES-256 GCM mode with 8 octet auth tag.
2160 */
2161 void
2162 crypto_policy_set_aes_gcm_256_8_auth(crypto_policy_t *p) {
2163 p->cipher_type = AES_256_GCM;
2164 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
2165 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2166 p->auth_key_len = 0;
2167 p->auth_tag_len = 8; /* 8 octet tag length */
2168 p->sec_serv = sec_serv_conf_and_auth;
2169 }
2170
2171 /*
2172 * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption.
2173 */
2174 void
2175 crypto_policy_set_aes_gcm_128_8_only_auth(crypto_policy_t *p) {
2176 p->cipher_type = AES_128_GCM;
2177 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
2178 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2179 p->auth_key_len = 0;
2180 p->auth_tag_len = 8; /* 8 octet tag length */
2181 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
2182 }
2183
2184 /*
2185 * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption.
2186 */
2187 void
2188 crypto_policy_set_aes_gcm_256_8_only_auth(crypto_policy_t *p) {
2189 p->cipher_type = AES_256_GCM;
2190 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
2191 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2192 p->auth_key_len = 0;
2193 p->auth_tag_len = 8; /* 8 octet tag length */
2194 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
2195 }
2196
2197 /*
2198 * AES-128 GCM mode with 16 octet auth tag.
2199 */
2200 void
2201 crypto_policy_set_aes_gcm_128_16_auth(crypto_policy_t *p) {
2202 p->cipher_type = AES_128_GCM;
2203 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
2204 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2205 p->auth_key_len = 0;
2206 p->auth_tag_len = 16; /* 16 octet tag length */
2207 p->sec_serv = sec_serv_conf_and_auth;
2208 }
2209
2210 /*
2211 * AES-256 GCM mode with 16 octet auth tag.
2212 */
2213 void
2214 crypto_policy_set_aes_gcm_256_16_auth(crypto_policy_t *p) {
2215 p->cipher_type = AES_256_GCM;
2216 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
2217 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
2218 p->auth_key_len = 0;
2219 p->auth_tag_len = 16; /* 16 octet tag length */
2220 p->sec_serv = sec_serv_conf_and_auth;
2221 }
2222
2223 #endif
1643 2224
1644 /* 2225 /*
1645 * secure rtcp functions 2226 * secure rtcp functions
1646 */ 2227 */
1647 2228
2229 /*
2230 * AEAD uses a new IV formation method. This function implements
2231 * section 10.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The
2232 * calculation is defined as, where (+) is the xor operation:
2233 *
2234 * 0 1 2 3 4 5 6 7 8 9 10 11
2235 * +--+--+--+--+--+--+--+--+--+--+--+--+
2236 * |00|00| SSRC |00|00|0+SRTCP Idx|---+
2237 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
2238 * |
2239 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
2240 * | Encryption Salt |->(+)
2241 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
2242 * |
2243 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
2244 * | Initialization Vector |<--+
2245 * +--+--+--+--+--+--+--+--+--+--+--+--+*
2246 *
2247 * Input: *stream - pointer to SRTP stream context, used to retrieve
2248 * the SALT
2249 * *iv - Pointer to recieve the calculated IV
2250 * seq_num - The SEQ value to use for the IV calculation.
2251 * *hdr - The RTP header, used to get the SSRC value
2252 *
2253 */
2254 static void srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv,
2255 uint32_t seq_num, srtcp_hdr_t *hdr)
2256 {
2257 v128_t in;
2258 v128_t salt;
2259
2260 memset(&in, 0, sizeof(v128_t));
2261 memset(&salt, 0, sizeof(v128_t));
2262
2263 in.v16[0] = 0;
2264 memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */
2265 in.v16[3] = 0;
2266 in.v32[2] = 0x7FFFFFFF & htonl(seq_num); /* bit 32 is suppose to be zero */
2267
2268 debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in));
2269
2270 /*
2271 * Get the SALT value from the context
2272 */
2273 memcpy(salt.v8, stream->c_salt, 12);
2274 debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt));
2275
2276 /*
2277 * Finally, apply the SALT to the input
2278 */
2279 v128_xor(iv, &in, &salt);
2280 }
2281
2282 /*
2283 * This code handles AEAD ciphers for outgoing RTCP. We currently support
2284 * AES-GCM mode with 128 or 256 bit keys.
2285 */
2286 static err_status_t
2287 srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream,
2288 void *rtcp_hdr, unsigned int *pkt_octet_len)
2289 {
2290 srtcp_hdr_t *hdr = (srtcp_hdr_t*)rtcp_hdr;
2291 uint32_t *enc_start; /* pointer to start of encrypted portion */
2292 uint32_t *trailer; /* pointer to start of trailer */
2293 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
2294 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
2295 err_status_t status;
2296 int tag_len;
2297 uint32_t seq_num;
2298 v128_t iv;
2299 uint32_t tseq;
2300
2301 /* get tag length from stream context */
2302 tag_len = auth_get_tag_length(stream->rtcp_auth);
2303
2304 /*
2305 * set encryption start and encryption length - if we're not
2306 * providing confidentiality, set enc_start to NULL
2307 */
2308 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header;
2309 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
2310
2311 /* NOTE: hdr->length is not usable - it refers to only the first
2312 RTCP report in the compound packet! */
2313 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
2314 multiples of 32-bits (RFC 3550 6.1) */
2315 trailer = (uint32_t*)((char*)enc_start + enc_octet_len + tag_len);
2316
2317 if (stream->rtcp_services & sec_serv_conf) {
2318 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
2319 } else {
2320 enc_start = NULL;
2321 enc_octet_len = 0;
2322 /* 0 is network-order independant */
2323 *trailer = 0x00000000; /* set encrypt bit */
2324 }
2325
2326 /*
2327 * set the auth_tag pointer to the proper location, which is after
2328 * the payload, but before the trailer
2329 * (note that srtpc *always* provides authentication, unlike srtp)
2330 */
2331 /* Note: This would need to change for optional mikey data */
2332 auth_tag = (uint8_t*)hdr + *pkt_octet_len;
2333
2334 /*
2335 * check sequence number for overruns, and copy it into the packet
2336 * if its value isn't too big
2337 */
2338 status = rdb_increment(&stream->rtcp_rdb);
2339 if (status) {
2340 return status;
2341 }
2342 seq_num = rdb_get_value(&stream->rtcp_rdb);
2343 *trailer |= htonl(seq_num);
2344 debug_print(mod_srtp, "srtcp index: %x", seq_num);
2345
2346 /*
2347 * Calculating the IV and pass it down to the cipher
2348 */
2349 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
2350 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
2351 if (status) {
2352 return err_status_cipher_fail;
2353 }
2354
2355 /*
2356 * Set the AAD for GCM mode
2357 */
2358 if (enc_start) {
2359 /*
2360 * If payload encryption is enabled, then the AAD consist of
2361 * the RTCP header and the seq# at the end of the packet
2362 */
2363 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
2364 octets_in_rtcp_header);
2365 if (status) {
2366 return ( err_status_cipher_fail);
2367 }
2368 } else {
2369 /*
2370 * Since payload encryption is not enabled, we must authenticate
2371 * the entire packet as described in section 10.3 in revision 07
2372 * of the draft.
2373 */
2374 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
2375 *pkt_octet_len);
2376 if (status) {
2377 return ( err_status_cipher_fail);
2378 }
2379 }
2380 /*
2381 * put the idx# into network byte order and process it as AAD
2382 */
2383 tseq = htonl(*trailer);
2384 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq,
2385 sizeof(srtcp_trailer_t));
2386 if (status) {
2387 return ( err_status_cipher_fail);
2388 }
2389
2390 /* if we're encrypting, exor keystream into the message */
2391 if (enc_start) {
2392 status = cipher_encrypt(stream->rtcp_cipher,
2393 (uint8_t*)enc_start, &enc_octet_len);
2394 if (status) {
2395 return err_status_cipher_fail;
2396 }
2397 /*
2398 * Get the tag and append that to the output
2399 */
2400 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag,
2401 &tag_len);
2402 if (status) {
2403 return ( err_status_cipher_fail);
2404 }
2405 enc_octet_len += tag_len;
2406 } else {
2407 /*
2408 * Even though we're not encrypting the payload, we need
2409 * to run the cipher to get the auth tag.
2410 */
2411 unsigned int nolen = 0;
2412 status = cipher_encrypt(stream->rtcp_cipher, NULL, &nolen);
2413 if (status) {
2414 return err_status_cipher_fail;
2415 }
2416 /*
2417 * Get the tag and append that to the output
2418 */
2419 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag,
2420 &tag_len);
2421 if (status) {
2422 return ( err_status_cipher_fail);
2423 }
2424 enc_octet_len += tag_len;
2425 }
2426
2427 /* increase the packet length by the length of the auth tag and seq_num*/
2428 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
2429
2430 return err_status_ok;
2431 }
2432
2433 /*
2434 * This function handles incoming SRTCP packets while in AEAD mode,
2435 * which currently supports AES-GCM encryption. Note, the auth tag is
2436 * at the end of the packet stream and is automatically checked by GCM
2437 * when decrypting the payload.
2438 */
2439 static err_status_t
2440 srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream,
2441 void *srtcp_hdr, unsigned int *pkt_octet_len)
2442 {
2443 srtcp_hdr_t *hdr = (srtcp_hdr_t*)srtcp_hdr;
2444 uint32_t *enc_start; /* pointer to start of encrypted portion */
2445 uint32_t *trailer; /* pointer to start of trailer */
2446 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
2447 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
2448 err_status_t status;
2449 int tag_len;
2450 unsigned int tmp_len;
2451 uint32_t seq_num;
2452 v128_t iv;
2453 uint32_t tseq;
2454
2455 /* get tag length from stream context */
2456 tag_len = auth_get_tag_length(stream->rtcp_auth);
2457
2458 /*
2459 * set encryption start, encryption length, and trailer
2460 */
2461 /* index & E (encryption) bit follow normal data. hdr->len
2462 is the number of words (32-bit) in the normal packet minus 1 */
2463 /* This should point trailer to the word past the end of the
2464 normal data. */
2465 /* This would need to be modified for optional mikey data */
2466 /*
2467 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
2468 * multiples of 32-bits (RFC 3550 6.1)
2469 */
2470 trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t)) ;
2471 /*
2472 * We pass the tag down to the cipher when doing GCM mode
2473 */
2474 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header +
2475 sizeof(srtcp_trailer_t));
2476 auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - sizeof(srtcp_trailer_t );
2477
2478 if (*((unsigned char*)trailer) & SRTCP_E_BYTE_BIT) {
2479 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header;
2480 } else {
2481 enc_octet_len = 0;
2482 enc_start = NULL; /* this indicates that there's no encryption */
2483 }
2484
2485 /*
2486 * check the sequence number for replays
2487 */
2488 /* this is easier than dealing with bitfield access */
2489 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
2490 debug_print(mod_srtp, "srtcp index: %x", seq_num);
2491 status = rdb_check(&stream->rtcp_rdb, seq_num);
2492 if (status) {
2493 return status;
2494 }
2495
2496 /*
2497 * Calculate and set the IV
2498 */
2499 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
2500 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
2501 if (status) {
2502 return err_status_cipher_fail;
2503 }
2504
2505 /*
2506 * Set the AAD for GCM mode
2507 */
2508 if (enc_start) {
2509 /*
2510 * If payload encryption is enabled, then the AAD consist of
2511 * the RTCP header and the seq# at the end of the packet
2512 */
2513 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
2514 octets_in_rtcp_header);
2515 if (status) {
2516 return ( err_status_cipher_fail);
2517 }
2518 } else {
2519 /*
2520 * Since payload encryption is not enabled, we must authenticate
2521 * the entire packet as described in section 10.3 in revision 07
2522 * of the draft.
2523 */
2524 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
2525 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_ t)));
2526 if (status) {
2527 return ( err_status_cipher_fail);
2528 }
2529 }
2530
2531 /*
2532 * put the idx# into network byte order, and process it as AAD
2533 */
2534 tseq = htonl(*trailer);
2535 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq,
2536 sizeof(srtcp_trailer_t));
2537 if (status) {
2538 return ( err_status_cipher_fail);
2539 }
2540
2541 /* if we're decrypting, exor keystream into the message */
2542 if (enc_start) {
2543 status = cipher_decrypt(stream->rtcp_cipher,
2544 (uint8_t*)enc_start, &enc_octet_len);
2545 if (status) {
2546 return status;
2547 }
2548 } else {
2549 /*
2550 * Still need to run the cipher to check the tag
2551 */
2552 tmp_len = tag_len;
2553 status = cipher_decrypt(stream->rtcp_cipher, (uint8_t*)auth_tag,
2554 &tmp_len);
2555 if (status) {
2556 return status;
2557 }
2558 }
2559
2560 /* decrease the packet length by the length of the auth tag and seq_num*/
2561 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
2562
2563 /*
2564 * verify that stream is for received traffic - this check will
2565 * detect SSRC collisions, since a stream that appears in both
2566 * srtp_protect() and srtp_unprotect() will fail this test in one of
2567 * those functions.
2568 *
2569 * we do this check *after* the authentication check, so that the
2570 * latter check will catch any attempts to fool us into thinking
2571 * that we've got a collision
2572 */
2573 if (stream->direction != dir_srtp_receiver) {
2574 if (stream->direction == dir_unknown) {
2575 stream->direction = dir_srtp_receiver;
2576 } else {
2577 srtp_handle_event(ctx, stream, event_ssrc_collision);
2578 }
2579 }
2580
2581 /*
2582 * if the stream is a 'provisional' one, in which the template context
2583 * is used, then we need to allocate a new stream at this point, since
2584 * the authentication passed
2585 */
2586 if (stream == ctx->stream_template) {
2587 srtp_stream_ctx_t *new_stream;
2588
2589 /*
2590 * allocate and initialize a new stream
2591 *
2592 * note that we indicate failure if we can't allocate the new
2593 * stream, and some implementations will want to not return
2594 * failure here
2595 */
2596 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream) ;
2597 if (status) {
2598 return status;
2599 }
2600
2601 /* add new stream to the head of the stream_list */
2602 new_stream->next = ctx->stream_list;
2603 ctx->stream_list = new_stream;
2604
2605 /* set stream (the pointer used in this function) */
2606 stream = new_stream;
2607 }
2608
2609 /* we've passed the authentication check, so add seq_num to the rdb */
2610 rdb_add_index(&stream->rtcp_rdb, seq_num);
2611
2612 return err_status_ok;
2613 }
2614
1648 err_status_t 2615 err_status_t
1649 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) { 2616 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
1650 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; 2617 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
1651 uint32_t *enc_start; /* pointer to start of encrypted portion */ 2618 uint32_t *enc_start; /* pointer to start of encrypted portion */
1652 uint32_t *auth_start; /* pointer to start of auth. portion */ 2619 uint32_t *auth_start; /* pointer to start of auth. portion */
1653 uint32_t *trailer; /* pointer to start of trailer */ 2620 uint32_t *trailer; /* pointer to start of trailer */
1654 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ 2621 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
1655 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2622 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1656 err_status_t status; 2623 err_status_t status;
1657 int tag_len; 2624 int tag_len;
1658 srtp_stream_ctx_t *stream; 2625 srtp_stream_ctx_t *stream;
1659 int prefix_len; 2626 int prefix_len;
1660 uint32_t seq_num; 2627 uint32_t seq_num;
1661 2628
1662 /* we assume the hdr is 32-bit aligned to start */ 2629 /* we assume the hdr is 32-bit aligned to start */
2630
2631 /* check the packet length - it must at least contain a full header */
2632 if (*pkt_octet_len < octets_in_rtcp_header)
2633 return err_status_bad_param;
2634
1663 /* 2635 /*
1664 * look up ssrc in srtp_stream list, and process the packet with 2636 * look up ssrc in srtp_stream list, and process the packet with
1665 * the appropriate stream. if we haven't seen this stream before, 2637 * the appropriate stream. if we haven't seen this stream before,
1666 * there's only one key for this srtp_session, and the cipher 2638 * there's only one key for this srtp_session, and the cipher
1667 * supports key-sharing, then we assume that a new stream using 2639 * supports key-sharing, then we assume that a new stream using
1668 * that key has just started up 2640 * that key has just started up
1669 */ 2641 */
1670 stream = srtp_get_stream(ctx, hdr->ssrc); 2642 stream = srtp_get_stream(ctx, hdr->ssrc);
1671 if (stream == NULL) { 2643 if (stream == NULL) {
1672 if (ctx->stream_template != NULL) { 2644 if (ctx->stream_template != NULL) {
(...skipping 24 matching lines...) Expand all
1697 * those functions. 2669 * those functions.
1698 */ 2670 */
1699 if (stream->direction != dir_srtp_sender) { 2671 if (stream->direction != dir_srtp_sender) {
1700 if (stream->direction == dir_unknown) { 2672 if (stream->direction == dir_unknown) {
1701 stream->direction = dir_srtp_sender; 2673 stream->direction = dir_srtp_sender;
1702 } else { 2674 } else {
1703 srtp_handle_event(ctx, stream, event_ssrc_collision); 2675 srtp_handle_event(ctx, stream, event_ssrc_collision);
1704 } 2676 }
1705 } 2677 }
1706 2678
2679 /*
2680 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
2681 * the request to our AEAD handler.
2682 */
2683 if (stream->rtp_cipher->algorithm == AES_128_GCM ||
2684 stream->rtp_cipher->algorithm == AES_256_GCM) {
2685 return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, (unsigned int*)pkt_oc tet_len);
2686 }
2687
1707 /* get tag length from stream context */ 2688 /* get tag length from stream context */
1708 tag_len = auth_get_tag_length(stream->rtcp_auth); 2689 tag_len = auth_get_tag_length(stream->rtcp_auth);
1709 2690
1710 /* 2691 /*
1711 * set encryption start and encryption length - if we're not 2692 * set encryption start and encryption length - if we're not
1712 * providing confidentiality, set enc_start to NULL 2693 * providing confidentiality, set enc_start to NULL
1713 */ 2694 */
1714 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; 2695 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1715 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; 2696 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
1716 2697
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after
1756 /* 2737 /*
1757 * if we're using rindael counter mode, set nonce and seq 2738 * if we're using rindael counter mode, set nonce and seq
1758 */ 2739 */
1759 if (stream->rtcp_cipher->type->id == AES_ICM) { 2740 if (stream->rtcp_cipher->type->id == AES_ICM) {
1760 v128_t iv; 2741 v128_t iv;
1761 2742
1762 iv.v32[0] = 0; 2743 iv.v32[0] = 0;
1763 iv.v32[1] = hdr->ssrc; /* still in network order! */ 2744 iv.v32[1] = hdr->ssrc; /* still in network order! */
1764 iv.v32[2] = htonl(seq_num >> 16); 2745 iv.v32[2] = htonl(seq_num >> 16);
1765 iv.v32[3] = htonl(seq_num << 16); 2746 iv.v32[3] = htonl(seq_num << 16);
1766 status = cipher_set_iv(stream->rtcp_cipher, &iv); 2747 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
1767 2748
1768 } else { 2749 } else {
1769 v128_t iv; 2750 v128_t iv;
1770 2751
1771 /* otherwise, just set the index to seq_num */ 2752 /* otherwise, just set the index to seq_num */
1772 iv.v32[0] = 0; 2753 iv.v32[0] = 0;
1773 iv.v32[1] = 0; 2754 iv.v32[1] = 0;
1774 iv.v32[2] = 0; 2755 iv.v32[2] = 0;
1775 iv.v32[3] = htonl(seq_num); 2756 iv.v32[3] = htonl(seq_num);
1776 status = cipher_set_iv(stream->rtcp_cipher, &iv); 2757 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
1777 } 2758 }
1778 if (status) 2759 if (status)
1779 return err_status_cipher_fail; 2760 return err_status_cipher_fail;
1780 2761
1781 /* 2762 /*
1782 * if we're authenticating using a universal hash, put the keystream 2763 * if we're authenticating using a universal hash, put the keystream
1783 * prefix into the authentication tag 2764 * prefix into the authentication tag
1784 */ 2765 */
1785 2766
1786 /* if auth_start is non-null, then put keystream into tag */ 2767 /* if auth_start is non-null, then put keystream into tag */
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after
1827 return err_status_ok; 2808 return err_status_ok;
1828 } 2809 }
1829 2810
1830 2811
1831 err_status_t 2812 err_status_t
1832 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) { 2813 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
1833 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; 2814 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
1834 uint32_t *enc_start; /* pointer to start of encrypted portion */ 2815 uint32_t *enc_start; /* pointer to start of encrypted portion */
1835 uint32_t *auth_start; /* pointer to start of auth. portion */ 2816 uint32_t *auth_start; /* pointer to start of auth. portion */
1836 uint32_t *trailer; /* pointer to start of trailer */ 2817 uint32_t *trailer; /* pointer to start of trailer */
1837 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ 2818 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
1838 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2819 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1839 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 2820 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
1840 uint8_t tag_copy[SRTP_MAX_TAG_LEN]; 2821 uint8_t tag_copy[SRTP_MAX_TAG_LEN];
1841 err_status_t status; 2822 err_status_t status;
1842 unsigned auth_len; 2823 unsigned int auth_len;
1843 int tag_len; 2824 int tag_len;
1844 srtp_stream_ctx_t *stream; 2825 srtp_stream_ctx_t *stream;
1845 int prefix_len; 2826 int prefix_len;
1846 uint32_t seq_num; 2827 uint32_t seq_num;
2828 int e_bit_in_packet; /* whether the E-bit was found in the packet */
2829 int sec_serv_confidentiality; /* whether confidentiality was requested */
1847 2830
1848 /* we assume the hdr is 32-bit aligned to start */ 2831 /* we assume the hdr is 32-bit aligned to start */
2832
2833 /* check that the length value is sane; we'll check again once we
2834 know the tag length, but we at least want to know that it is
2835 a positive value */
2836 if (*pkt_octet_len < octets_in_rtcp_header + sizeof(srtcp_trailer_t))
2837 return err_status_bad_param;
2838
1849 /* 2839 /*
1850 * look up ssrc in srtp_stream list, and process the packet with 2840 * look up ssrc in srtp_stream list, and process the packet with
1851 * the appropriate stream. if we haven't seen this stream before, 2841 * the appropriate stream. if we haven't seen this stream before,
1852 * there's only one key for this srtp_session, and the cipher 2842 * there's only one key for this srtp_session, and the cipher
1853 * supports key-sharing, then we assume that a new stream using 2843 * supports key-sharing, then we assume that a new stream using
1854 * that key has just started up 2844 * that key has just started up
1855 */ 2845 */
1856 stream = srtp_get_stream(ctx, hdr->ssrc); 2846 stream = srtp_get_stream(ctx, hdr->ssrc);
1857 if (stream == NULL) { 2847 if (stream == NULL) {
1858 if (ctx->stream_template != NULL) { 2848 if (ctx->stream_template != NULL) {
(...skipping 17 matching lines...) Expand all
1876 2866
1877 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", 2867 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
1878 hdr->ssrc); 2868 hdr->ssrc);
1879 } else { 2869 } else {
1880 /* no template stream, so we return an error */ 2870 /* no template stream, so we return an error */
1881 return err_status_no_ctx; 2871 return err_status_no_ctx;
1882 } 2872 }
1883 } 2873 }
1884 2874
1885 /* get tag length from stream context */ 2875 /* get tag length from stream context */
1886 tag_len = auth_get_tag_length(stream->rtcp_auth); 2876 tag_len = auth_get_tag_length(stream->rtcp_auth);
2877
2878 /* check the packet length - it must contain at least a full RTCP
2879 header, an auth tag (if applicable), and the SRTCP encrypted flag
2880 and 31-bit index value */
2881 if (*pkt_octet_len < (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t ))) {
2882 return err_status_bad_param;
2883 }
2884
2885 /*
2886 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
2887 * the request to our AEAD handler.
2888 */
2889 if (stream->rtp_cipher->algorithm == AES_128_GCM ||
2890 stream->rtp_cipher->algorithm == AES_256_GCM) {
2891 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, (unsigned int*)pkt _octet_len);
2892 }
2893
2894 sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
2895 stream->rtcp_services == sec_serv_conf_and_auth;
1887 2896
1888 /* 2897 /*
1889 * set encryption start, encryption length, and trailer 2898 * set encryption start, encryption length, and trailer
1890 */ 2899 */
1891 enc_octet_len = *pkt_octet_len - 2900 enc_octet_len = *pkt_octet_len -
1892 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t)); 2901 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
1893 /* index & E (encryption) bit follow normal data. hdr->len 2902 /* index & E (encryption) bit follow normal data. hdr->len
1894 is the number of words (32-bit) in the normal packet minus 1 */ 2903 is the number of words (32-bit) in the normal packet minus 1 */
1895 /* This should point trailer to the word past the end of the 2904 /* This should point trailer to the word past the end of the
1896 normal data. */ 2905 normal data. */
1897 /* This would need to be modified for optional mikey data */ 2906 /* This would need to be modified for optional mikey data */
1898 /* 2907 /*
1899 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always 2908 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1900 * multiples of 32-bits (RFC 3550 6.1) 2909 * multiples of 32-bits (RFC 3550 6.1)
1901 */ 2910 */
1902 trailer = (uint32_t *) ((char *) hdr + 2911 trailer = (uint32_t *) ((char *) hdr +
1903 » » *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t))); 2912 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
1904 if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) { 2913 e_bit_in_packet =
2914 (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
2915 if (e_bit_in_packet != sec_serv_confidentiality) {
2916 return err_status_cant_check;
2917 }
2918 if (sec_serv_confidentiality) {
1905 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; 2919 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1906 } else { 2920 } else {
1907 enc_octet_len = 0; 2921 enc_octet_len = 0;
1908 enc_start = NULL; /* this indicates that there's no encryption */ 2922 enc_start = NULL; /* this indicates that there's no encryption */
1909 } 2923 }
1910 2924
1911 /* 2925 /*
1912 * set the auth_start and auth_tag pointers to the proper locations 2926 * set the auth_start and auth_tag pointers to the proper locations
1913 * (note that srtcp *always* uses authentication, unlike srtp) 2927 * (note that srtcp *always* uses authentication, unlike srtp)
1914 */ 2928 */
(...skipping 29 matching lines...) Expand all
1944 /* 2958 /*
1945 * if we're using aes counter mode, set nonce and seq 2959 * if we're using aes counter mode, set nonce and seq
1946 */ 2960 */
1947 if (stream->rtcp_cipher->type->id == AES_ICM) { 2961 if (stream->rtcp_cipher->type->id == AES_ICM) {
1948 v128_t iv; 2962 v128_t iv;
1949 2963
1950 iv.v32[0] = 0; 2964 iv.v32[0] = 0;
1951 iv.v32[1] = hdr->ssrc; /* still in network order! */ 2965 iv.v32[1] = hdr->ssrc; /* still in network order! */
1952 iv.v32[2] = htonl(seq_num >> 16); 2966 iv.v32[2] = htonl(seq_num >> 16);
1953 iv.v32[3] = htonl(seq_num << 16); 2967 iv.v32[3] = htonl(seq_num << 16);
1954 status = cipher_set_iv(stream->rtcp_cipher, &iv); 2968 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
1955 2969
1956 } else { 2970 } else {
1957 v128_t iv; 2971 v128_t iv;
1958 2972
1959 /* otherwise, just set the index to seq_num */ 2973 /* otherwise, just set the index to seq_num */
1960 iv.v32[0] = 0; 2974 iv.v32[0] = 0;
1961 iv.v32[1] = 0; 2975 iv.v32[1] = 0;
1962 iv.v32[2] = 0; 2976 iv.v32[2] = 0;
1963 iv.v32[3] = htonl(seq_num); 2977 iv.v32[3] = htonl(seq_num);
1964 status = cipher_set_iv(stream->rtcp_cipher, &iv); 2978 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
1965 2979
1966 } 2980 }
1967 if (status) 2981 if (status)
1968 return err_status_cipher_fail; 2982 return err_status_cipher_fail;
1969 2983
1970 /* initialize auth func context */ 2984 /* initialize auth func context */
1971 auth_start(stream->rtcp_auth); 2985 auth_start(stream->rtcp_auth);
1972 2986
1973 /* run auth func over packet, put result into tmp_tag */ 2987 /* run auth func over packet, put result into tmp_tag */
1974 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start, 2988 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
(...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after
2060 } 3074 }
2061 3075
2062 /* we've passed the authentication check, so add seq_num to the rdb */ 3076 /* we've passed the authentication check, so add seq_num to the rdb */
2063 rdb_add_index(&stream->rtcp_rdb, seq_num); 3077 rdb_add_index(&stream->rtcp_rdb, seq_num);
2064 3078
2065 3079
2066 return err_status_ok; 3080 return err_status_ok;
2067 } 3081 }
2068 3082
2069 3083
3084 /*
3085 * user data within srtp_t context
3086 */
3087
3088 void
3089 srtp_set_user_data(srtp_t ctx, void *data) {
3090 ctx->user_data = data;
3091 }
3092
3093 void*
3094 srtp_get_user_data(srtp_t ctx) {
3095 return ctx->user_data;
3096 }
3097
2070 3098
2071 /* 3099 /*
2072 * dtls keying for srtp 3100 * dtls keying for srtp
2073 */ 3101 */
2074 3102
2075 err_status_t 3103 err_status_t
2076 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy, 3104 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
2077 srtp_profile_t profile) { 3105 srtp_profile_t profile) {
2078 3106
2079 /* set SRTP policy from the SRTP profile in the key set */ 3107 /* set SRTP policy from the SRTP profile in the key set */
2080 switch(profile) { 3108 switch(profile) {
2081 case srtp_profile_aes128_cm_sha1_80: 3109 case srtp_profile_aes128_cm_sha1_80:
2082 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 3110 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2083 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2084 break; 3111 break;
2085 case srtp_profile_aes128_cm_sha1_32: 3112 case srtp_profile_aes128_cm_sha1_32:
2086 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); 3113 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
2087 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2088 break; 3114 break;
2089 case srtp_profile_null_sha1_80: 3115 case srtp_profile_null_sha1_80:
2090 crypto_policy_set_null_cipher_hmac_sha1_80(policy); 3116 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2091 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2092 break; 3117 break;
2093 case srtp_profile_aes256_cm_sha1_80: 3118 case srtp_profile_aes256_cm_sha1_80:
2094 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 3119 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2095 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2096 break; 3120 break;
2097 case srtp_profile_aes256_cm_sha1_32: 3121 case srtp_profile_aes256_cm_sha1_32:
2098 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy); 3122 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
2099 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2100 break; 3123 break;
2101 /* the following profiles are not (yet) supported */ 3124 /* the following profiles are not (yet) supported */
2102 case srtp_profile_null_sha1_32: 3125 case srtp_profile_null_sha1_32:
2103 default: 3126 default:
2104 return err_status_bad_param; 3127 return err_status_bad_param;
2105 } 3128 }
2106 3129
2107 return err_status_ok; 3130 return err_status_ok;
2108 } 3131 }
2109 3132
2110 err_status_t 3133 err_status_t
2111 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy, 3134 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
2112 srtp_profile_t profile) { 3135 srtp_profile_t profile) {
2113 3136
2114 /* set SRTP policy from the SRTP profile in the key set */ 3137 /* set SRTP policy from the SRTP profile in the key set */
2115 switch(profile) { 3138 switch(profile) {
2116 case srtp_profile_aes128_cm_sha1_80: 3139 case srtp_profile_aes128_cm_sha1_80:
2117 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 3140 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2118 break; 3141 break;
2119 case srtp_profile_aes128_cm_sha1_32: 3142 case srtp_profile_aes128_cm_sha1_32:
3143 /* We do not honor the 32-bit auth tag request since
3144 * this is not compliant with RFC 3711 */
2120 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 3145 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2121 break; 3146 break;
2122 case srtp_profile_null_sha1_80: 3147 case srtp_profile_null_sha1_80:
2123 crypto_policy_set_null_cipher_hmac_sha1_80(policy); 3148 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2124 break; 3149 break;
2125 case srtp_profile_aes256_cm_sha1_80: 3150 case srtp_profile_aes256_cm_sha1_80:
2126 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 3151 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2127 break; 3152 break;
2128 case srtp_profile_aes256_cm_sha1_32: 3153 case srtp_profile_aes256_cm_sha1_32:
3154 /* We do not honor the 32-bit auth tag request since
3155 * this is not compliant with RFC 3711 */
2129 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 3156 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2130 break; 3157 break;
2131 /* the following profiles are not (yet) supported */ 3158 /* the following profiles are not (yet) supported */
2132 case srtp_profile_null_sha1_32: 3159 case srtp_profile_null_sha1_32:
2133 default: 3160 default:
2134 return err_status_bad_param; 3161 return err_status_bad_param;
2135 } 3162 }
2136 3163
2137 return err_status_ok; 3164 return err_status_ok;
2138 } 3165 }
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after
2189 break; 3216 break;
2190 case srtp_profile_aes256_cm_sha1_32: 3217 case srtp_profile_aes256_cm_sha1_32:
2191 return 14; 3218 return 14;
2192 break; 3219 break;
2193 /* the following profiles are not (yet) supported */ 3220 /* the following profiles are not (yet) supported */
2194 case srtp_profile_null_sha1_32: 3221 case srtp_profile_null_sha1_32:
2195 default: 3222 default:
2196 return 0; /* indicate error by returning a zero */ 3223 return 0; /* indicate error by returning a zero */
2197 } 3224 }
2198 } 3225 }
OLDNEW
« no previous file with comments | « srtp/srtp/ekt.c ('k') | srtp/tables/aes_tables.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698