OLD | NEW |
1 /* | 1 /* |
2 * srtp.c | 2 * srtp.c |
3 * | 3 * |
4 * the secure real-time transport protocol | 4 * the secure real-time transport protocol |
5 * | 5 * |
6 * David A. McGrew | 6 * David A. McGrew |
7 * Cisco Systems, Inc. | 7 * Cisco Systems, Inc. |
8 */ | 8 */ |
9 /* | 9 /* |
10 * | 10 * |
(...skipping 25 matching lines...) Expand all Loading... |
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | 36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | 37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | 38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | 39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | 40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
41 * OF THE POSSIBILITY OF SUCH DAMAGE. | 41 * OF THE POSSIBILITY OF SUCH DAMAGE. |
42 * | 42 * |
43 */ | 43 */ |
44 | 44 |
45 | 45 |
46 #include "srtp.h" | 46 #include "srtp_priv.h" |
47 #include "ekt.h" /* for SRTP Encrypted Key Transport */ | 47 #include "ekt.h" /* for SRTP Encrypted Key Transport */ |
48 #include "alloc.h" /* for crypto_alloc() */ | 48 #include "alloc.h" /* for crypto_alloc() */ |
| 49 #ifdef OPENSSL |
| 50 #include "aes_gcm_ossl.h" /* for AES GCM mode */ |
| 51 #endif |
49 | 52 |
50 #ifndef SRTP_KERNEL | 53 #ifndef SRTP_KERNEL |
51 # include <limits.h> | 54 # include <limits.h> |
52 # ifdef HAVE_NETINET_IN_H | 55 # ifdef HAVE_NETINET_IN_H |
53 # include <netinet/in.h> | 56 # include <netinet/in.h> |
54 # elif defined(HAVE_WINSOCK2_H) | 57 # elif defined(HAVE_WINSOCK2_H) |
55 # include <winsock2.h> | 58 # include <winsock2.h> |
56 # endif | 59 # endif |
57 #endif /* ! SRTP_KERNEL */ | 60 #endif /* ! SRTP_KERNEL */ |
58 | 61 |
(...skipping 29 matching lines...) Expand all Loading... |
88 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc); | 91 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc); |
89 int profile_len = ntohs(xtn_hdr->length); | 92 int profile_len = ntohs(xtn_hdr->length); |
90 rtp_header_len += profile_len * 4; | 93 rtp_header_len += profile_len * 4; |
91 /* profile length counts the number of 32-bit words */ | 94 /* profile length counts the number of 32-bit words */ |
92 if (*pkt_octet_len < rtp_header_len) | 95 if (*pkt_octet_len < rtp_header_len) |
93 return err_status_bad_param; | 96 return err_status_bad_param; |
94 } | 97 } |
95 return err_status_ok; | 98 return err_status_ok; |
96 } | 99 } |
97 | 100 |
| 101 const char *srtp_get_version_string () |
| 102 { |
| 103 /* |
| 104 * Simply return the autotools generated string |
| 105 */ |
| 106 return SRTP_VER_STRING; |
| 107 } |
| 108 |
| 109 unsigned int srtp_get_version () |
| 110 { |
| 111 unsigned int major = 0, minor = 0, micro = 0; |
| 112 unsigned int rv = 0; |
| 113 int parse_rv; |
| 114 |
| 115 /* |
| 116 * Parse the autotools generated version |
| 117 */ |
| 118 parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, µ); |
| 119 if (parse_rv != 3) { |
| 120 /* |
| 121 * We're expected to parse all 3 version levels. |
| 122 * If not, then this must not be an official release. |
| 123 * Return all zeros on the version |
| 124 */ |
| 125 return (0); |
| 126 } |
| 127 |
| 128 /* |
| 129 * We allow 8 bits for the major and minor, while |
| 130 * allowing 16 bits for the micro. 16 bits for the micro |
| 131 * may be beneficial for a continuous delivery model |
| 132 * in the future. |
| 133 */ |
| 134 rv |= (major & 0xFF) << 24; |
| 135 rv |= (minor & 0xFF) << 16; |
| 136 rv |= micro & 0xFF; |
| 137 return rv; |
| 138 } |
| 139 |
98 err_status_t | 140 err_status_t |
99 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, | 141 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, |
100 const srtp_policy_t *p) { | 142 const srtp_policy_t *p) { |
101 srtp_stream_ctx_t *str; | 143 srtp_stream_ctx_t *str; |
102 err_status_t stat; | 144 err_status_t stat; |
103 | 145 |
104 /* | 146 /* |
105 * This function allocates the stream context, rtp and rtcp ciphers | 147 * This function allocates the stream context, rtp and rtcp ciphers |
106 * and auth functions, and key limit structure. If there is a | 148 * and auth functions, and key limit structure. If there is a |
107 * failure during allocation, we free all previously allocated | 149 * failure during allocation, we free all previously allocated |
108 * memory and return a failure code. The code could probably | 150 * memory and return a failure code. The code could probably |
109 * be improved, but it works and should be clear. | 151 * be improved, but it works and should be clear. |
110 */ | 152 */ |
111 | 153 |
112 /* allocate srtp stream and set str_ptr */ | 154 /* allocate srtp stream and set str_ptr */ |
113 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t)); | 155 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t)); |
114 if (str == NULL) | 156 if (str == NULL) |
115 return err_status_alloc_fail; | 157 return err_status_alloc_fail; |
116 *str_ptr = str; | 158 *str_ptr = str; |
117 | 159 |
118 /* allocate cipher */ | 160 /* allocate cipher */ |
119 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type, | 161 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type, |
120 &str->rtp_cipher, | 162 &str->rtp_cipher, |
121 » » » » p->rtp.cipher_key_len); | 163 » » » » p->rtp.cipher_key_len, |
| 164 » » » » p->rtp.auth_tag_len); |
122 if (stat) { | 165 if (stat) { |
123 crypto_free(str); | 166 crypto_free(str); |
124 return stat; | 167 return stat; |
125 } | 168 } |
126 | 169 |
127 /* allocate auth function */ | 170 /* allocate auth function */ |
128 stat = crypto_kernel_alloc_auth(p->rtp.auth_type, | 171 stat = crypto_kernel_alloc_auth(p->rtp.auth_type, |
129 &str->rtp_auth, | 172 &str->rtp_auth, |
130 p->rtp.auth_key_len, | 173 p->rtp.auth_key_len, |
131 p->rtp.auth_tag_len); | 174 p->rtp.auth_tag_len); |
(...skipping 11 matching lines...) Expand all Loading... |
143 crypto_free(str); | 186 crypto_free(str); |
144 return err_status_alloc_fail; | 187 return err_status_alloc_fail; |
145 } | 188 } |
146 | 189 |
147 /* | 190 /* |
148 * ...and now the RTCP-specific initialization - first, allocate | 191 * ...and now the RTCP-specific initialization - first, allocate |
149 * the cipher | 192 * the cipher |
150 */ | 193 */ |
151 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type, | 194 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type, |
152 &str->rtcp_cipher, | 195 &str->rtcp_cipher, |
153 » » » » p->rtcp.cipher_key_len); | 196 » » » » p->rtcp.cipher_key_len, |
| 197 » » » » p->rtcp.auth_tag_len); |
154 if (stat) { | 198 if (stat) { |
155 auth_dealloc(str->rtp_auth); | 199 auth_dealloc(str->rtp_auth); |
156 cipher_dealloc(str->rtp_cipher); | 200 cipher_dealloc(str->rtp_cipher); |
157 crypto_free(str->limit); | 201 crypto_free(str->limit); |
158 crypto_free(str); | 202 crypto_free(str); |
159 return stat; | 203 return stat; |
160 } | 204 } |
161 | 205 |
162 /* allocate auth function */ | 206 /* allocate auth function */ |
163 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type, | 207 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type, |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
250 status = auth_dealloc(stream->rtcp_auth); | 294 status = auth_dealloc(stream->rtcp_auth); |
251 if (status) | 295 if (status) |
252 return status; | 296 return status; |
253 } | 297 } |
254 | 298 |
255 status = rdbx_dealloc(&stream->rtp_rdbx); | 299 status = rdbx_dealloc(&stream->rtp_rdbx); |
256 if (status) | 300 if (status) |
257 return status; | 301 return status; |
258 | 302 |
259 /* DAM - need to deallocate EKT here */ | 303 /* DAM - need to deallocate EKT here */ |
| 304 |
| 305 /* |
| 306 * zeroize the salt value |
| 307 */ |
| 308 memset(stream->salt, 0, SRTP_AEAD_SALT_LEN); |
| 309 memset(stream->c_salt, 0, SRTP_AEAD_SALT_LEN); |
| 310 |
260 | 311 |
261 /* deallocate srtp stream context */ | 312 /* deallocate srtp stream context */ |
262 crypto_free(stream); | 313 crypto_free(stream); |
263 | 314 |
264 return err_status_ok; | 315 return err_status_ok; |
265 } | 316 } |
266 | 317 |
267 | 318 |
268 /* | 319 /* |
269 * srtp_stream_clone(stream_template, new) allocates a new stream and | 320 * srtp_stream_clone(stream_template, new) allocates a new stream and |
(...skipping 19 matching lines...) Expand all Loading... |
289 *str_ptr = str; | 340 *str_ptr = str; |
290 | 341 |
291 /* set cipher and auth pointers to those of the template */ | 342 /* set cipher and auth pointers to those of the template */ |
292 str->rtp_cipher = stream_template->rtp_cipher; | 343 str->rtp_cipher = stream_template->rtp_cipher; |
293 str->rtp_auth = stream_template->rtp_auth; | 344 str->rtp_auth = stream_template->rtp_auth; |
294 str->rtcp_cipher = stream_template->rtcp_cipher; | 345 str->rtcp_cipher = stream_template->rtcp_cipher; |
295 str->rtcp_auth = stream_template->rtcp_auth; | 346 str->rtcp_auth = stream_template->rtcp_auth; |
296 | 347 |
297 /* set key limit to point to that of the template */ | 348 /* set key limit to point to that of the template */ |
298 status = key_limit_clone(stream_template->limit, &str->limit); | 349 status = key_limit_clone(stream_template->limit, &str->limit); |
299 if (status) | 350 if (status) { |
| 351 crypto_free(*str_ptr); |
| 352 *str_ptr = NULL; |
300 return status; | 353 return status; |
| 354 } |
301 | 355 |
302 /* initialize replay databases */ | 356 /* initialize replay databases */ |
303 status = rdbx_init(&str->rtp_rdbx, | 357 status = rdbx_init(&str->rtp_rdbx, |
304 rdbx_get_window_size(&stream_template->rtp_rdbx)); | 358 rdbx_get_window_size(&stream_template->rtp_rdbx)); |
305 if (status) | 359 if (status) { |
| 360 crypto_free(*str_ptr); |
| 361 *str_ptr = NULL; |
306 return status; | 362 return status; |
| 363 } |
307 rdb_init(&str->rtcp_rdb); | 364 rdb_init(&str->rtcp_rdb); |
308 str->allow_repeat_tx = stream_template->allow_repeat_tx; | 365 str->allow_repeat_tx = stream_template->allow_repeat_tx; |
309 | 366 |
310 /* set ssrc to that provided */ | 367 /* set ssrc to that provided */ |
311 str->ssrc = ssrc; | 368 str->ssrc = ssrc; |
312 | 369 |
313 /* set direction and security services */ | 370 /* set direction and security services */ |
314 str->direction = stream_template->direction; | 371 str->direction = stream_template->direction; |
315 str->rtp_services = stream_template->rtp_services; | 372 str->rtp_services = stream_template->rtp_services; |
316 str->rtcp_services = stream_template->rtcp_services; | 373 str->rtcp_services = stream_template->rtcp_services; |
317 | 374 |
318 /* set pointer to EKT data associated with stream */ | 375 /* set pointer to EKT data associated with stream */ |
319 str->ekt = stream_template->ekt; | 376 str->ekt = stream_template->ekt; |
320 | 377 |
| 378 /* Copy the salt values */ |
| 379 memcpy(str->salt, stream_template->salt, SRTP_AEAD_SALT_LEN); |
| 380 memcpy(str->c_salt, stream_template->c_salt, SRTP_AEAD_SALT_LEN); |
| 381 |
321 /* defensive coding */ | 382 /* defensive coding */ |
322 str->next = NULL; | 383 str->next = NULL; |
323 | 384 |
324 return err_status_ok; | 385 return err_status_ok; |
325 } | 386 } |
326 | 387 |
327 | 388 |
328 /* | 389 /* |
329 * key derivation functions, internal to libSRTP | 390 * key derivation functions, internal to libSRTP |
330 * | 391 * |
(...skipping 26 matching lines...) Expand all Loading... |
357 */ | 418 */ |
358 | 419 |
359 typedef struct { | 420 typedef struct { |
360 cipher_t *cipher; /* cipher used for key derivation */ | 421 cipher_t *cipher; /* cipher used for key derivation */ |
361 } srtp_kdf_t; | 422 } srtp_kdf_t; |
362 | 423 |
363 err_status_t | 424 err_status_t |
364 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, i
nt length) { | 425 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, i
nt length) { |
365 | 426 |
366 err_status_t stat; | 427 err_status_t stat; |
367 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length); | 428 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length, 0); |
368 if (stat) | 429 if (stat) |
369 return stat; | 430 return stat; |
370 | 431 |
371 stat = cipher_init(kdf->cipher, key, direction_encrypt); | 432 stat = cipher_init(kdf->cipher, key); |
372 if (stat) { | 433 if (stat) { |
373 cipher_dealloc(kdf->cipher); | 434 cipher_dealloc(kdf->cipher); |
374 return stat; | 435 return stat; |
375 } | 436 } |
376 | 437 |
377 return err_status_ok; | 438 return err_status_ok; |
378 } | 439 } |
379 | 440 |
380 err_status_t | 441 err_status_t |
381 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, | 442 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, |
382 » » uint8_t *key, unsigned length) { | 443 » » uint8_t *key, unsigned int length) { |
383 | 444 |
384 v128_t nonce; | 445 v128_t nonce; |
385 err_status_t status; | 446 err_status_t status; |
386 | 447 |
387 /* set eigth octet of nonce to <label>, set the rest of it to zero */ | 448 /* set eigth octet of nonce to <label>, set the rest of it to zero */ |
388 v128_set_to_zero(&nonce); | 449 v128_set_to_zero(&nonce); |
389 nonce.v8[7] = label; | 450 nonce.v8[7] = label; |
390 | 451 |
391 status = cipher_set_iv(kdf->cipher, &nonce); | 452 status = cipher_set_iv(kdf->cipher, &nonce, direction_encrypt); |
392 if (status) | 453 if (status) |
393 return status; | 454 return status; |
394 | 455 |
395 /* generate keystream output */ | 456 /* generate keystream output */ |
396 octet_string_set_to_zero(key, length); | 457 octet_string_set_to_zero(key, length); |
397 status = cipher_encrypt(kdf->cipher, key, &length); | 458 status = cipher_encrypt(kdf->cipher, key, &length); |
398 if (status) | 459 if (status) |
399 return status; | 460 return status; |
400 | 461 |
401 return err_status_ok; | 462 return err_status_ok; |
(...skipping 15 matching lines...) Expand all Loading... |
417 */ | 478 */ |
418 | 479 |
419 #define MAX_SRTP_KEY_LEN 256 | 480 #define MAX_SRTP_KEY_LEN 256 |
420 | 481 |
421 | 482 |
422 /* Get the base key length corresponding to a given combined key+salt | 483 /* Get the base key length corresponding to a given combined key+salt |
423 * length for the given cipher. | 484 * length for the given cipher. |
424 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using | 485 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using |
425 * AES-128 and short salts; everything else uses a salt length of 14. | 486 * AES-128 and short salts; everything else uses a salt length of 14. |
426 * TODO: key and salt lengths should be separate fields in the policy. */ | 487 * TODO: key and salt lengths should be separate fields in the policy. */ |
427 static INLINE int base_key_length(const cipher_type_t *cipher, int key_length) | 488 static inline int base_key_length(const cipher_type_t *cipher, int key_length) |
428 { | 489 { |
429 if (cipher->id != AES_ICM) | 490 switch (cipher->id) { |
| 491 case AES_128_ICM: |
| 492 case AES_192_ICM: |
| 493 case AES_256_ICM: |
| 494 /* The legacy modes are derived from |
| 495 * the configured key length on the policy */ |
| 496 return key_length - 14; |
| 497 break; |
| 498 case AES_128_GCM: |
| 499 return 16; |
| 500 break; |
| 501 case AES_256_GCM: |
| 502 return 32; |
| 503 break; |
| 504 default: |
430 return key_length; | 505 return key_length; |
431 else if (key_length > 16 && key_length < 30) | 506 break; |
432 return 16; | 507 } |
433 return key_length - 14; | |
434 } | 508 } |
435 | 509 |
436 err_status_t | 510 err_status_t |
437 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) { | 511 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) { |
438 err_status_t stat; | 512 err_status_t stat; |
439 srtp_kdf_t kdf; | 513 srtp_kdf_t kdf; |
440 uint8_t tmp_key[MAX_SRTP_KEY_LEN]; | 514 uint8_t tmp_key[MAX_SRTP_KEY_LEN]; |
441 int kdf_keylen = 30, rtp_keylen, rtcp_keylen; | 515 int kdf_keylen = 30, rtp_keylen, rtcp_keylen; |
442 int rtp_base_key_len, rtp_salt_len; | 516 int rtp_base_key_len, rtp_salt_len; |
443 int rtcp_base_key_len, rtcp_salt_len; | 517 int rtcp_base_key_len, rtcp_salt_len; |
444 | 518 |
445 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ | 519 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ |
446 /* TODO: kdf algorithm, master key length, and master salt length should | 520 /* TODO: kdf algorithm, master key length, and master salt length should |
447 * be part of srtp_policy_t. */ | 521 * be part of srtp_policy_t. */ |
448 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher); | 522 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher); |
449 if (rtp_keylen > kdf_keylen) | 523 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher); |
450 kdf_keylen = rtp_keylen; | 524 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen); |
| 525 rtp_salt_len = rtp_keylen - rtp_base_key_len; |
451 | 526 |
452 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher); | 527 if (rtp_keylen > kdf_keylen) { |
453 if (rtcp_keylen > kdf_keylen) | 528 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ |
454 kdf_keylen = rtcp_keylen; | 529 } |
| 530 |
| 531 if (rtcp_keylen > kdf_keylen) { |
| 532 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ |
| 533 } |
| 534 |
| 535 debug_print(mod_srtp, "srtp key len: %d", rtp_keylen); |
| 536 debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen); |
| 537 debug_print(mod_srtp, "base key len: %d", rtp_base_key_len); |
| 538 debug_print(mod_srtp, "kdf key len: %d", kdf_keylen); |
| 539 debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len); |
| 540 |
| 541 /* |
| 542 * Make sure the key given to us is 'zero' appended. GCM |
| 543 * mode uses a shorter master SALT (96 bits), but still relies on |
| 544 * the legacy CTR mode KDF, which uses a 112 bit master SALT. |
| 545 */ |
| 546 memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN); |
| 547 memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len)); |
455 | 548 |
456 /* initialize KDF state */ | 549 /* initialize KDF state */ |
457 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)key, kdf_keylen); | 550 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)tmp_key, kdf_keylen); |
458 if (stat) { | 551 if (stat) { |
459 return err_status_init_fail; | 552 return err_status_init_fail; |
460 } | 553 } |
461 | |
462 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen); | |
463 rtp_salt_len = rtp_keylen - rtp_base_key_len; | |
464 | 554 |
465 /* generate encryption key */ | 555 /* generate encryption key */ |
466 stat = srtp_kdf_generate(&kdf, label_rtp_encryption, | 556 stat = srtp_kdf_generate(&kdf, label_rtp_encryption, |
467 tmp_key, rtp_base_key_len); | 557 tmp_key, rtp_base_key_len); |
468 if (stat) { | 558 if (stat) { |
469 /* zeroize temp buffer */ | 559 /* zeroize temp buffer */ |
470 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | 560 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); |
471 return err_status_init_fail; | 561 return err_status_init_fail; |
472 } | 562 } |
| 563 debug_print(mod_srtp, "cipher key: %s", |
| 564 octet_string_hex_string(tmp_key, rtp_base_key_len)); |
473 | 565 |
474 /* | 566 /* |
475 * if the cipher in the srtp context uses a salt, then we need | 567 * if the cipher in the srtp context uses a salt, then we need |
476 * to generate the salt value | 568 * to generate the salt value |
477 */ | 569 */ |
478 if (rtp_salt_len > 0) { | 570 if (rtp_salt_len > 0) { |
479 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); | 571 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); |
480 | 572 |
481 /* generate encryption salt, put after encryption key */ | 573 /* generate encryption salt, put after encryption key */ |
482 stat = srtp_kdf_generate(&kdf, label_rtp_salt, | 574 stat = srtp_kdf_generate(&kdf, label_rtp_salt, |
483 tmp_key + rtp_base_key_len, rtp_salt_len); | 575 tmp_key + rtp_base_key_len, rtp_salt_len); |
484 if (stat) { | 576 if (stat) { |
485 /* zeroize temp buffer */ | 577 /* zeroize temp buffer */ |
486 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | 578 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); |
487 return err_status_init_fail; | 579 return err_status_init_fail; |
488 } | 580 } |
| 581 memcpy(srtp->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN); |
489 } | 582 } |
490 debug_print(mod_srtp, "cipher key: %s", | |
491 octet_string_hex_string(tmp_key, rtp_base_key_len)); | |
492 if (rtp_salt_len > 0) { | 583 if (rtp_salt_len > 0) { |
493 debug_print(mod_srtp, "cipher salt: %s", | 584 debug_print(mod_srtp, "cipher salt: %s", |
494 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len
)); | 585 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len
)); |
495 } | 586 } |
496 | 587 |
497 /* initialize cipher */ | 588 /* initialize cipher */ |
498 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any); | 589 stat = cipher_init(srtp->rtp_cipher, tmp_key); |
499 if (stat) { | 590 if (stat) { |
500 /* zeroize temp buffer */ | 591 /* zeroize temp buffer */ |
501 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | 592 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); |
502 return err_status_init_fail; | 593 return err_status_init_fail; |
503 } | 594 } |
504 | 595 |
505 /* generate authentication key */ | 596 /* generate authentication key */ |
506 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, | 597 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, |
507 tmp_key, auth_get_key_length(srtp->rtp_auth)); | 598 tmp_key, auth_get_key_length(srtp->rtp_auth)); |
508 if (stat) { | 599 if (stat) { |
(...skipping 12 matching lines...) Expand all Loading... |
521 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | 612 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); |
522 return err_status_init_fail; | 613 return err_status_init_fail; |
523 } | 614 } |
524 | 615 |
525 /* | 616 /* |
526 * ...now initialize SRTCP keys | 617 * ...now initialize SRTCP keys |
527 */ | 618 */ |
528 | 619 |
529 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen); | 620 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen); |
530 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; | 621 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; |
| 622 debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len); |
531 | 623 |
532 /* generate encryption key */ | 624 /* generate encryption key */ |
533 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, | 625 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, |
534 tmp_key, rtcp_base_key_len); | 626 tmp_key, rtcp_base_key_len); |
535 if (stat) { | 627 if (stat) { |
536 /* zeroize temp buffer */ | 628 /* zeroize temp buffer */ |
537 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | 629 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); |
538 return err_status_init_fail; | 630 return err_status_init_fail; |
539 } | 631 } |
540 | 632 |
541 /* | 633 /* |
542 * if the cipher in the srtp context uses a salt, then we need | 634 * if the cipher in the srtp context uses a salt, then we need |
543 * to generate the salt value | 635 * to generate the salt value |
544 */ | 636 */ |
545 if (rtcp_salt_len > 0) { | 637 if (rtcp_salt_len > 0) { |
546 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", | 638 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", |
547 NULL); | 639 NULL); |
548 | 640 |
549 /* generate encryption salt, put after encryption key */ | 641 /* generate encryption salt, put after encryption key */ |
550 stat = srtp_kdf_generate(&kdf, label_rtcp_salt, | 642 stat = srtp_kdf_generate(&kdf, label_rtcp_salt, |
551 tmp_key + rtcp_base_key_len, rtcp_salt_len); | 643 tmp_key + rtcp_base_key_len, rtcp_salt_len); |
552 if (stat) { | 644 if (stat) { |
553 /* zeroize temp buffer */ | 645 /* zeroize temp buffer */ |
554 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | 646 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); |
555 return err_status_init_fail; | 647 return err_status_init_fail; |
556 } | 648 } |
| 649 memcpy(srtp->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN); |
557 } | 650 } |
558 debug_print(mod_srtp, "rtcp cipher key: %s", | 651 debug_print(mod_srtp, "rtcp cipher key: %s", |
559 octet_string_hex_string(tmp_key, rtcp_base_key_len)); | 652 octet_string_hex_string(tmp_key, rtcp_base_key_len)); |
560 if (rtcp_salt_len > 0) { | 653 if (rtcp_salt_len > 0) { |
561 debug_print(mod_srtp, "rtcp cipher salt: %s", | 654 debug_print(mod_srtp, "rtcp cipher salt: %s", |
562 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_l
en)); | 655 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_l
en)); |
563 } | 656 } |
564 | 657 |
565 /* initialize cipher */ | 658 /* initialize cipher */ |
566 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any); | 659 stat = cipher_init(srtp->rtcp_cipher, tmp_key); |
567 if (stat) { | 660 if (stat) { |
568 /* zeroize temp buffer */ | 661 /* zeroize temp buffer */ |
569 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); | 662 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); |
570 return err_status_init_fail; | 663 return err_status_init_fail; |
571 } | 664 } |
572 | 665 |
573 /* generate authentication key */ | 666 /* generate authentication key */ |
574 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, | 667 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, |
575 tmp_key, auth_get_key_length(srtp->rtcp_auth)); | 668 tmp_key, auth_get_key_length(srtp->rtcp_auth)); |
576 if (stat) { | 669 if (stat) { |
(...skipping 152 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
729 * note that we accept NULL arguments intentionally - calling this | 822 * note that we accept NULL arguments intentionally - calling this |
730 * function with a NULL arguments removes an event handler that's | 823 * function with a NULL arguments removes an event handler that's |
731 * been previously installed | 824 * been previously installed |
732 */ | 825 */ |
733 | 826 |
734 /* set global event handling function */ | 827 /* set global event handling function */ |
735 srtp_event_handler = func; | 828 srtp_event_handler = func; |
736 return err_status_ok; | 829 return err_status_ok; |
737 } | 830 } |
738 | 831 |
| 832 /* |
| 833 * AEAD uses a new IV formation method. This function implements |
| 834 * section 9.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The |
| 835 * calculation is defined as, where (+) is the xor operation: |
| 836 * |
| 837 * |
| 838 * 0 0 0 0 0 0 0 0 0 0 1 1 |
| 839 * 0 1 2 3 4 5 6 7 8 9 0 1 |
| 840 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
| 841 * |00|00| SSRC | ROC | SEQ |---+ |
| 842 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
| 843 * | |
| 844 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
| 845 * | Encryption Salt |->(+) |
| 846 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
| 847 * | |
| 848 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
| 849 * | Initialization Vector |<--+ |
| 850 * +--+--+--+--+--+--+--+--+--+--+--+--+* |
| 851 * |
| 852 * Input: *stream - pointer to SRTP stream context, used to retrieve |
| 853 * the SALT |
| 854 * *iv - Pointer to receive the calculated IV |
| 855 * *seq - The ROC and SEQ value to use for the |
| 856 * IV calculation. |
| 857 * *hdr - The RTP header, used to get the SSRC value |
| 858 * |
| 859 */ |
| 860 static void srtp_calc_aead_iv(srtp_stream_ctx_t *stream, v128_t *iv, |
| 861 xtd_seq_num_t *seq, srtp_hdr_t *hdr) |
| 862 { |
| 863 v128_t in; |
| 864 v128_t salt; |
| 865 |
| 866 #ifdef NO_64BIT_MATH |
| 867 uint32_t local_roc = ((high32(*seq) << 16) | |
| 868 (low32(*seq) >> 16)); |
| 869 uint16_t local_seq = (uint16_t) (low32(*seq)); |
| 870 #else |
| 871 uint32_t local_roc = (uint32_t)(*seq >> 16); |
| 872 uint16_t local_seq = (uint16_t) *seq; |
| 873 #endif |
| 874 |
| 875 memset(&in, 0, sizeof(v128_t)); |
| 876 memset(&salt, 0, sizeof(v128_t)); |
| 877 |
| 878 in.v16[5] = htons(local_seq); |
| 879 local_roc = htonl(local_roc); |
| 880 memcpy(&in.v16[3], &local_roc, sizeof(local_roc)); |
| 881 |
| 882 /* |
| 883 * Copy in the RTP SSRC value |
| 884 */ |
| 885 memcpy(&in.v8[2], &hdr->ssrc, 4); |
| 886 debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in)); |
| 887 |
| 888 /* |
| 889 * Get the SALT value from the context |
| 890 */ |
| 891 memcpy(salt.v8, stream->salt, SRTP_AEAD_SALT_LEN); |
| 892 debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt)); |
| 893 |
| 894 /* |
| 895 * Finally, apply tyhe SALT to the input |
| 896 */ |
| 897 v128_xor(iv, &in, &salt); |
| 898 } |
| 899 |
| 900 |
| 901 /* |
| 902 * This function handles outgoing SRTP packets while in AEAD mode, |
| 903 * which currently supports AES-GCM encryption. All packets are |
| 904 * encrypted and authenticated. |
| 905 */ |
| 906 static err_status_t |
| 907 srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, |
| 908 void *rtp_hdr, unsigned int *pkt_octet_len) |
| 909 { |
| 910 srtp_hdr_t *hdr = (srtp_hdr_t*)rtp_hdr; |
| 911 uint32_t *enc_start; /* pointer to start of encrypted portion */ |
| 912 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ |
| 913 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ |
| 914 int delta; /* delta of local pkt idx and that in hdr */ |
| 915 err_status_t status; |
| 916 int tag_len; |
| 917 v128_t iv; |
| 918 unsigned int aad_len; |
| 919 |
| 920 debug_print(mod_srtp, "function srtp_protect_aead", NULL); |
| 921 |
| 922 /* |
| 923 * update the key usage limit, and check it to make sure that we |
| 924 * didn't just hit either the soft limit or the hard limit, and call |
| 925 * the event handler if we hit either. |
| 926 */ |
| 927 switch (key_limit_update(stream->limit)) { |
| 928 case key_event_normal: |
| 929 break; |
| 930 case key_event_hard_limit: |
| 931 srtp_handle_event(ctx, stream, event_key_hard_limit); |
| 932 return err_status_key_expired; |
| 933 case key_event_soft_limit: |
| 934 default: |
| 935 srtp_handle_event(ctx, stream, event_key_soft_limit); |
| 936 break; |
| 937 } |
| 938 |
| 939 /* get tag length from stream */ |
| 940 tag_len = auth_get_tag_length(stream->rtp_auth); |
| 941 |
| 942 /* |
| 943 * find starting point for encryption and length of data to be |
| 944 * encrypted - the encrypted portion starts after the rtp header |
| 945 * extension, if present; otherwise, it starts after the last csrc, |
| 946 * if any are present |
| 947 */ |
| 948 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; |
| 949 if (hdr->x == 1) { |
| 950 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; |
| 951 enc_start += (ntohs(xtn_hdr->length) + 1); |
| 952 } |
| 953 if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len)) |
| 954 return err_status_parse_err; |
| 955 enc_octet_len = (unsigned int)(*pkt_octet_len - |
| 956 ((uint8_t*)enc_start - (uint8_t*)hdr)); |
| 957 |
| 958 /* |
| 959 * estimate the packet index using the start of the replay window |
| 960 * and the sequence number from the header |
| 961 */ |
| 962 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); |
| 963 status = rdbx_check(&stream->rtp_rdbx, delta); |
| 964 if (status) { |
| 965 if (status != err_status_replay_fail || !stream->allow_repeat_tx) { |
| 966 return status; /* we've been asked to reuse an index */ |
| 967 } |
| 968 } else { |
| 969 rdbx_add_index(&stream->rtp_rdbx, delta); |
| 970 } |
| 971 |
| 972 #ifdef NO_64BIT_MATH |
| 973 debug_print2(mod_srtp, "estimated packet index: %08x%08x", |
| 974 high32(est), low32(est)); |
| 975 #else |
| 976 debug_print(mod_srtp, "estimated packet index: %016llx", est); |
| 977 #endif |
| 978 |
| 979 /* |
| 980 * AEAD uses a new IV formation method |
| 981 */ |
| 982 srtp_calc_aead_iv(stream, &iv, &est, hdr); |
| 983 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); |
| 984 if (status) { |
| 985 return err_status_cipher_fail; |
| 986 } |
| 987 |
| 988 /* shift est, put into network byte order */ |
| 989 #ifdef NO_64BIT_MATH |
| 990 est = be64_to_cpu(make64((high32(est) << 16) | |
| 991 (low32(est) >> 16), |
| 992 low32(est) << 16)); |
| 993 #else |
| 994 est = be64_to_cpu(est << 16); |
| 995 #endif |
| 996 |
| 997 /* |
| 998 * Set the AAD over the RTP header |
| 999 */ |
| 1000 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; |
| 1001 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len); |
| 1002 if (status) { |
| 1003 return ( err_status_cipher_fail); |
| 1004 } |
| 1005 |
| 1006 /* Encrypt the payload */ |
| 1007 status = cipher_encrypt(stream->rtp_cipher, |
| 1008 (uint8_t*)enc_start, &enc_octet_len); |
| 1009 if (status) { |
| 1010 return err_status_cipher_fail; |
| 1011 } |
| 1012 /* |
| 1013 * If we're doing GCM, we need to get the tag |
| 1014 * and append that to the output |
| 1015 */ |
| 1016 status = cipher_get_tag(stream->rtp_cipher, |
| 1017 (uint8_t*)enc_start+enc_octet_len, &tag_len); |
| 1018 if (status) { |
| 1019 return ( err_status_cipher_fail); |
| 1020 } |
| 1021 enc_octet_len += tag_len; |
| 1022 |
| 1023 /* increase the packet length by the length of the auth tag */ |
| 1024 *pkt_octet_len += tag_len; |
| 1025 |
| 1026 return err_status_ok; |
| 1027 } |
| 1028 |
| 1029 |
| 1030 /* |
| 1031 * This function handles incoming SRTP packets while in AEAD mode, |
| 1032 * which currently supports AES-GCM encryption. All packets are |
| 1033 * encrypted and authenticated. Note, the auth tag is at the end |
| 1034 * of the packet stream and is automatically checked by GCM |
| 1035 * when decrypting the payload. |
| 1036 */ |
| 1037 static err_status_t |
| 1038 srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, |
| 1039 xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_
len) |
| 1040 { |
| 1041 srtp_hdr_t *hdr = (srtp_hdr_t*)srtp_hdr; |
| 1042 uint32_t *enc_start; /* pointer to start of encrypted portion */ |
| 1043 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ |
| 1044 v128_t iv; |
| 1045 err_status_t status; |
| 1046 int tag_len; |
| 1047 unsigned int aad_len; |
| 1048 |
| 1049 debug_print(mod_srtp, "function srtp_unprotect_aead", NULL); |
| 1050 |
| 1051 #ifdef NO_64BIT_MATH |
| 1052 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), lo
w32(est)); |
| 1053 #else |
| 1054 debug_print(mod_srtp, "estimated u_packet index: %016llx", est); |
| 1055 #endif |
| 1056 |
| 1057 /* get tag length from stream */ |
| 1058 tag_len = auth_get_tag_length(stream->rtp_auth); |
| 1059 |
| 1060 /* |
| 1061 * AEAD uses a new IV formation method |
| 1062 */ |
| 1063 srtp_calc_aead_iv(stream, &iv, &est, hdr); |
| 1064 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); |
| 1065 if (status) { |
| 1066 return err_status_cipher_fail; |
| 1067 } |
| 1068 |
| 1069 /* |
| 1070 * find starting point for decryption and length of data to be |
| 1071 * decrypted - the encrypted portion starts after the rtp header |
| 1072 * extension, if present; otherwise, it starts after the last csrc, |
| 1073 * if any are present |
| 1074 */ |
| 1075 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; |
| 1076 if (hdr->x == 1) { |
| 1077 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; |
| 1078 enc_start += (ntohs(xtn_hdr->length) + 1); |
| 1079 } |
| 1080 if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len)) |
| 1081 return err_status_parse_err; |
| 1082 /* |
| 1083 * We pass the tag down to the cipher when doing GCM mode |
| 1084 */ |
| 1085 enc_octet_len = (unsigned int)(*pkt_octet_len - |
| 1086 ((uint8_t*)enc_start - (uint8_t*)hdr)); |
| 1087 |
| 1088 /* |
| 1089 * Sanity check the encrypted payload length against |
| 1090 * the tag size. It must always be at least as large |
| 1091 * as the tag length. |
| 1092 */ |
| 1093 if (enc_octet_len < tag_len) { |
| 1094 return err_status_cipher_fail; |
| 1095 } |
| 1096 |
| 1097 /* |
| 1098 * update the key usage limit, and check it to make sure that we |
| 1099 * didn't just hit either the soft limit or the hard limit, and call |
| 1100 * the event handler if we hit either. |
| 1101 */ |
| 1102 switch (key_limit_update(stream->limit)) { |
| 1103 case key_event_normal: |
| 1104 break; |
| 1105 case key_event_soft_limit: |
| 1106 srtp_handle_event(ctx, stream, event_key_soft_limit); |
| 1107 break; |
| 1108 case key_event_hard_limit: |
| 1109 srtp_handle_event(ctx, stream, event_key_hard_limit); |
| 1110 return err_status_key_expired; |
| 1111 default: |
| 1112 break; |
| 1113 } |
| 1114 |
| 1115 /* |
| 1116 * Set the AAD for AES-GCM, which is the RTP header |
| 1117 */ |
| 1118 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; |
| 1119 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len); |
| 1120 if (status) { |
| 1121 return ( err_status_cipher_fail); |
| 1122 } |
| 1123 |
| 1124 /* Decrypt the ciphertext. This also checks the auth tag based |
| 1125 * on the AAD we just specified above */ |
| 1126 status = cipher_decrypt(stream->rtp_cipher, |
| 1127 (uint8_t*)enc_start, &enc_octet_len); |
| 1128 if (status) { |
| 1129 return status; |
| 1130 } |
| 1131 |
| 1132 /* |
| 1133 * verify that stream is for received traffic - this check will |
| 1134 * detect SSRC collisions, since a stream that appears in both |
| 1135 * srtp_protect() and srtp_unprotect() will fail this test in one of |
| 1136 * those functions. |
| 1137 * |
| 1138 * we do this check *after* the authentication check, so that the |
| 1139 * latter check will catch any attempts to fool us into thinking |
| 1140 * that we've got a collision |
| 1141 */ |
| 1142 if (stream->direction != dir_srtp_receiver) { |
| 1143 if (stream->direction == dir_unknown) { |
| 1144 stream->direction = dir_srtp_receiver; |
| 1145 } else { |
| 1146 srtp_handle_event(ctx, stream, event_ssrc_collision); |
| 1147 } |
| 1148 } |
| 1149 |
| 1150 /* |
| 1151 * if the stream is a 'provisional' one, in which the template context |
| 1152 * is used, then we need to allocate a new stream at this point, since |
| 1153 * the authentication passed |
| 1154 */ |
| 1155 if (stream == ctx->stream_template) { |
| 1156 srtp_stream_ctx_t *new_stream; |
| 1157 |
| 1158 /* |
| 1159 * allocate and initialize a new stream |
| 1160 * |
| 1161 * note that we indicate failure if we can't allocate the new |
| 1162 * stream, and some implementations will want to not return |
| 1163 * failure here |
| 1164 */ |
| 1165 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream)
; |
| 1166 if (status) { |
| 1167 return status; |
| 1168 } |
| 1169 |
| 1170 /* add new stream to the head of the stream_list */ |
| 1171 new_stream->next = ctx->stream_list; |
| 1172 ctx->stream_list = new_stream; |
| 1173 |
| 1174 /* set stream (the pointer used in this function) */ |
| 1175 stream = new_stream; |
| 1176 } |
| 1177 |
| 1178 /* |
| 1179 * the message authentication function passed, so add the packet |
| 1180 * index into the replay database |
| 1181 */ |
| 1182 rdbx_add_index(&stream->rtp_rdbx, delta); |
| 1183 |
| 1184 /* decrease the packet length by the length of the auth tag */ |
| 1185 *pkt_octet_len -= tag_len; |
| 1186 |
| 1187 return err_status_ok; |
| 1188 } |
| 1189 |
| 1190 |
| 1191 |
| 1192 |
739 err_status_t | 1193 err_status_t |
740 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { | 1194 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { |
741 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; | 1195 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; |
742 uint32_t *enc_start; /* pointer to start of encrypted portion */ | 1196 uint32_t *enc_start; /* pointer to start of encrypted portion */ |
743 uint32_t *auth_start; /* pointer to start of auth. portion */ | 1197 uint32_t *auth_start; /* pointer to start of auth. portion */ |
744 unsigned enc_octet_len = 0; /* number of octets in encrypted portion */ | 1198 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ |
745 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ | 1199 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ |
746 int delta; /* delta of local pkt idx and that in hdr */ | 1200 int delta; /* delta of local pkt idx and that in hdr */ |
747 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | 1201 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ |
748 err_status_t status; | 1202 err_status_t status; |
749 int tag_len; | 1203 int tag_len; |
750 srtp_stream_ctx_t *stream; | 1204 srtp_stream_ctx_t *stream; |
751 int prefix_len; | 1205 int prefix_len; |
752 | 1206 |
753 debug_print(mod_srtp, "function srtp_protect", NULL); | 1207 debug_print(mod_srtp, "function srtp_protect", NULL); |
754 | 1208 |
755 /* we assume the hdr is 32-bit aligned to start */ | 1209 /* we assume the hdr is 32-bit aligned to start */ |
756 | 1210 |
757 /* Verify RTP header */ | 1211 /* Verify RTP header */ |
758 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); | 1212 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); |
759 if (status) | 1213 if (status) |
760 return status; | 1214 return status; |
761 | 1215 |
| 1216 /* check the packet length - it must at least contain a full header */ |
| 1217 if (*pkt_octet_len < octets_in_rtp_header) |
| 1218 return err_status_bad_param; |
| 1219 |
762 /* | 1220 /* |
763 * look up ssrc in srtp_stream list, and process the packet with | 1221 * look up ssrc in srtp_stream list, and process the packet with |
764 * the appropriate stream. if we haven't seen this stream before, | 1222 * the appropriate stream. if we haven't seen this stream before, |
765 * there's a template key for this srtp_session, and the cipher | 1223 * there's a template key for this srtp_session, and the cipher |
766 * supports key-sharing, then we assume that a new stream using | 1224 * supports key-sharing, then we assume that a new stream using |
767 * that key has just started up | 1225 * that key has just started up |
768 */ | 1226 */ |
769 stream = srtp_get_stream(ctx, hdr->ssrc); | 1227 stream = srtp_get_stream(ctx, hdr->ssrc); |
770 if (stream == NULL) { | 1228 if (stream == NULL) { |
771 if (ctx->stream_template != NULL) { | 1229 if (ctx->stream_template != NULL) { |
(...skipping 19 matching lines...) Expand all Loading... |
791 return err_status_no_ctx; | 1249 return err_status_no_ctx; |
792 } | 1250 } |
793 } | 1251 } |
794 | 1252 |
795 /* | 1253 /* |
796 * verify that stream is for sending traffic - this check will | 1254 * verify that stream is for sending traffic - this check will |
797 * detect SSRC collisions, since a stream that appears in both | 1255 * detect SSRC collisions, since a stream that appears in both |
798 * srtp_protect() and srtp_unprotect() will fail this test in one of | 1256 * srtp_protect() and srtp_unprotect() will fail this test in one of |
799 * those functions. | 1257 * those functions. |
800 */ | 1258 */ |
801 if (stream->direction != dir_srtp_sender) { | 1259 if (stream->direction != dir_srtp_sender) { |
802 if (stream->direction == dir_unknown) { | 1260 if (stream->direction == dir_unknown) { |
803 stream->direction = dir_srtp_sender; | 1261 stream->direction = dir_srtp_sender; |
804 } else { | 1262 } else { |
805 srtp_handle_event(ctx, stream, event_ssrc_collision); | 1263 srtp_handle_event(ctx, stream, event_ssrc_collision); |
806 } | 1264 } |
807 } | 1265 } |
| 1266 |
| 1267 /* |
| 1268 * Check if this is an AEAD stream (GCM mode). If so, then dispatch |
| 1269 * the request to our AEAD handler. |
| 1270 */ |
| 1271 if (stream->rtp_cipher->algorithm == AES_128_GCM || |
| 1272 stream->rtp_cipher->algorithm == AES_256_GCM) { |
| 1273 return srtp_protect_aead(ctx, stream, rtp_hdr, (unsigned int*)pkt_octet_le
n); |
| 1274 } |
808 | 1275 |
809 /* | 1276 /* |
810 * update the key usage limit, and check it to make sure that we | 1277 * update the key usage limit, and check it to make sure that we |
811 * didn't just hit either the soft limit or the hard limit, and call | 1278 * didn't just hit either the soft limit or the hard limit, and call |
812 * the event handler if we hit either. | 1279 * the event handler if we hit either. |
813 */ | 1280 */ |
814 switch(key_limit_update(stream->limit)) { | 1281 switch(key_limit_update(stream->limit)) { |
815 case key_event_normal: | 1282 case key_event_normal: |
816 break; | 1283 break; |
817 case key_event_soft_limit: | 1284 case key_event_soft_limit: |
(...skipping 15 matching lines...) Expand all Loading... |
833 * extension, if present; otherwise, it starts after the last csrc, | 1300 * extension, if present; otherwise, it starts after the last csrc, |
834 * if any are present | 1301 * if any are present |
835 * | 1302 * |
836 * if we're not providing confidentiality, set enc_start to NULL | 1303 * if we're not providing confidentiality, set enc_start to NULL |
837 */ | 1304 */ |
838 if (stream->rtp_services & sec_serv_conf) { | 1305 if (stream->rtp_services & sec_serv_conf) { |
839 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; | 1306 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; |
840 if (hdr->x == 1) { | 1307 if (hdr->x == 1) { |
841 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; | 1308 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; |
842 enc_start += (ntohs(xtn_hdr->length) + 1); | 1309 enc_start += (ntohs(xtn_hdr->length) + 1); |
| 1310 if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len)) |
| 1311 return err_status_parse_err; |
843 } | 1312 } |
844 enc_octet_len = (unsigned int)(*pkt_octet_len | 1313 enc_octet_len = (unsigned int)(*pkt_octet_len - |
845 » » » » - ((enc_start - (uint32_t *)hdr) << 2)); | 1314 ((uint8_t*)enc_start - (uint8_t*)hdr)); |
846 } else { | 1315 } else { |
847 enc_start = NULL; | 1316 enc_start = NULL; |
848 } | 1317 } |
849 | 1318 |
850 /* | 1319 /* |
851 * if we're providing authentication, set the auth_start and auth_tag | 1320 * if we're providing authentication, set the auth_start and auth_tag |
852 * pointers to the proper locations; otherwise, set auth_start to NULL | 1321 * pointers to the proper locations; otherwise, set auth_start to NULL |
853 * to indicate that no authentication is needed | 1322 * to indicate that no authentication is needed |
854 */ | 1323 */ |
855 if (stream->rtp_services & sec_serv_auth) { | 1324 if (stream->rtp_services & sec_serv_auth) { |
(...skipping 20 matching lines...) Expand all Loading... |
876 #ifdef NO_64BIT_MATH | 1345 #ifdef NO_64BIT_MATH |
877 debug_print2(mod_srtp, "estimated packet index: %08x%08x", | 1346 debug_print2(mod_srtp, "estimated packet index: %08x%08x", |
878 high32(est),low32(est)); | 1347 high32(est),low32(est)); |
879 #else | 1348 #else |
880 debug_print(mod_srtp, "estimated packet index: %016llx", est); | 1349 debug_print(mod_srtp, "estimated packet index: %016llx", est); |
881 #endif | 1350 #endif |
882 | 1351 |
883 /* | 1352 /* |
884 * if we're using rindael counter mode, set nonce and seq | 1353 * if we're using rindael counter mode, set nonce and seq |
885 */ | 1354 */ |
886 if (stream->rtp_cipher->type->id == AES_ICM) { | 1355 if (stream->rtp_cipher->type->id == AES_ICM || |
| 1356 stream->rtp_cipher->type->id == AES_256_ICM) { |
887 v128_t iv; | 1357 v128_t iv; |
888 | 1358 |
889 iv.v32[0] = 0; | 1359 iv.v32[0] = 0; |
890 iv.v32[1] = hdr->ssrc; | 1360 iv.v32[1] = hdr->ssrc; |
891 #ifdef NO_64BIT_MATH | 1361 #ifdef NO_64BIT_MATH |
892 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), | 1362 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), |
893 low32(est) << 1
6)); | 1363 low32(est) << 1
6)); |
894 #else | 1364 #else |
895 iv.v64[1] = be64_to_cpu(est << 16); | 1365 iv.v64[1] = be64_to_cpu(est << 16); |
896 #endif | 1366 #endif |
897 status = cipher_set_iv(stream->rtp_cipher, &iv); | 1367 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); |
898 | 1368 |
899 } else { | 1369 } else { |
900 v128_t iv; | 1370 v128_t iv; |
901 | 1371 |
902 /* otherwise, set the index to est */ | 1372 /* otherwise, set the index to est */ |
903 #ifdef NO_64BIT_MATH | 1373 #ifdef NO_64BIT_MATH |
904 iv.v32[0] = 0; | 1374 iv.v32[0] = 0; |
905 iv.v32[1] = 0; | 1375 iv.v32[1] = 0; |
906 #else | 1376 #else |
907 iv.v64[0] = 0; | 1377 iv.v64[0] = 0; |
908 #endif | 1378 #endif |
909 iv.v64[1] = be64_to_cpu(est); | 1379 iv.v64[1] = be64_to_cpu(est); |
910 status = cipher_set_iv(stream->rtp_cipher, &iv); | 1380 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); |
911 } | 1381 } |
912 if (status) | 1382 if (status) |
913 return err_status_cipher_fail; | 1383 return err_status_cipher_fail; |
914 | 1384 |
915 /* shift est, put into network byte order */ | 1385 /* shift est, put into network byte order */ |
916 #ifdef NO_64BIT_MATH | 1386 #ifdef NO_64BIT_MATH |
917 est = be64_to_cpu(make64((high32(est) << 16) | | 1387 est = be64_to_cpu(make64((high32(est) << 16) | |
918 (low32(est) >> 16), | 1388 (low32(est) >> 16), |
919 low32(est) << 16)); | 1389 low32(est) << 16)); |
920 #else | 1390 #else |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
978 | 1448 |
979 return err_status_ok; | 1449 return err_status_ok; |
980 } | 1450 } |
981 | 1451 |
982 | 1452 |
983 err_status_t | 1453 err_status_t |
984 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { | 1454 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { |
985 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; | 1455 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; |
986 uint32_t *enc_start; /* pointer to start of encrypted portion */ | 1456 uint32_t *enc_start; /* pointer to start of encrypted portion */ |
987 uint32_t *auth_start; /* pointer to start of auth. portion */ | 1457 uint32_t *auth_start; /* pointer to start of auth. portion */ |
988 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ | 1458 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ |
989 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | 1459 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ |
990 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ | 1460 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ |
991 int delta; /* delta of local pkt idx and that in hdr */ | 1461 int delta; /* delta of local pkt idx and that in hdr */ |
992 v128_t iv; | 1462 v128_t iv; |
993 err_status_t status; | 1463 err_status_t status; |
994 srtp_stream_ctx_t *stream; | 1464 srtp_stream_ctx_t *stream; |
995 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; | 1465 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; |
996 int tag_len, prefix_len; | 1466 int tag_len, prefix_len; |
997 | 1467 |
998 debug_print(mod_srtp, "function srtp_unprotect", NULL); | 1468 debug_print(mod_srtp, "function srtp_unprotect", NULL); |
999 | 1469 |
1000 /* we assume the hdr is 32-bit aligned to start */ | 1470 /* we assume the hdr is 32-bit aligned to start */ |
1001 | 1471 |
1002 /* Verify RTP header */ | 1472 /* Verify RTP header */ |
1003 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); | 1473 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); |
1004 if (status) | 1474 if (status) |
1005 return status; | 1475 return status; |
1006 | 1476 |
| 1477 /* check the packet length - it must at least contain a full header */ |
| 1478 if (*pkt_octet_len < octets_in_rtp_header) |
| 1479 return err_status_bad_param; |
| 1480 |
1007 /* | 1481 /* |
1008 * look up ssrc in srtp_stream list, and process the packet with | 1482 * look up ssrc in srtp_stream list, and process the packet with |
1009 * the appropriate stream. if we haven't seen this stream before, | 1483 * the appropriate stream. if we haven't seen this stream before, |
1010 * there's only one key for this srtp_session, and the cipher | 1484 * there's only one key for this srtp_session, and the cipher |
1011 * supports key-sharing, then we assume that a new stream using | 1485 * supports key-sharing, then we assume that a new stream using |
1012 * that key has just started up | 1486 * that key has just started up |
1013 */ | 1487 */ |
1014 stream = srtp_get_stream(ctx, hdr->ssrc); | 1488 stream = srtp_get_stream(ctx, hdr->ssrc); |
1015 if (stream == NULL) { | 1489 if (stream == NULL) { |
1016 if (ctx->stream_template != NULL) { | 1490 if (ctx->stream_template != NULL) { |
(...skipping 30 matching lines...) Expand all Loading... |
1047 if (status) | 1521 if (status) |
1048 return status; | 1522 return status; |
1049 } | 1523 } |
1050 | 1524 |
1051 #ifdef NO_64BIT_MATH | 1525 #ifdef NO_64BIT_MATH |
1052 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32
(est)); | 1526 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32
(est)); |
1053 #else | 1527 #else |
1054 debug_print(mod_srtp, "estimated u_packet index: %016llx", est); | 1528 debug_print(mod_srtp, "estimated u_packet index: %016llx", est); |
1055 #endif | 1529 #endif |
1056 | 1530 |
| 1531 /* |
| 1532 * Check if this is an AEAD stream (GCM mode). If so, then dispatch |
| 1533 * the request to our AEAD handler. |
| 1534 */ |
| 1535 if (stream->rtp_cipher->algorithm == AES_128_GCM || |
| 1536 stream->rtp_cipher->algorithm == AES_256_GCM) { |
| 1537 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, (unsigned in
t*)pkt_octet_len); |
| 1538 } |
| 1539 |
1057 /* get tag length from stream */ | 1540 /* get tag length from stream */ |
1058 tag_len = auth_get_tag_length(stream->rtp_auth); | 1541 tag_len = auth_get_tag_length(stream->rtp_auth); |
1059 | 1542 |
1060 /* | 1543 /* |
1061 * set the cipher's IV properly, depending on whatever cipher we | 1544 * set the cipher's IV properly, depending on whatever cipher we |
1062 * happen to be using | 1545 * happen to be using |
1063 */ | 1546 */ |
1064 if (stream->rtp_cipher->type->id == AES_ICM) { | 1547 if (stream->rtp_cipher->type->id == AES_ICM || |
| 1548 stream->rtp_cipher->type->id == AES_256_ICM) { |
1065 | 1549 |
1066 /* aes counter mode */ | 1550 /* aes counter mode */ |
1067 iv.v32[0] = 0; | 1551 iv.v32[0] = 0; |
1068 iv.v32[1] = hdr->ssrc; /* still in network order */ | 1552 iv.v32[1] = hdr->ssrc; /* still in network order */ |
1069 #ifdef NO_64BIT_MATH | 1553 #ifdef NO_64BIT_MATH |
1070 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), | 1554 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), |
1071 low32(est) << 16)); | 1555 low32(est) << 16)); |
1072 #else | 1556 #else |
1073 iv.v64[1] = be64_to_cpu(est << 16); | 1557 iv.v64[1] = be64_to_cpu(est << 16); |
1074 #endif | 1558 #endif |
1075 status = cipher_set_iv(stream->rtp_cipher, &iv); | 1559 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); |
1076 } else { | 1560 } else { |
1077 | 1561 |
1078 /* no particular format - set the iv to the pakcet index */ | 1562 /* no particular format - set the iv to the pakcet index */ |
1079 #ifdef NO_64BIT_MATH | 1563 #ifdef NO_64BIT_MATH |
1080 iv.v32[0] = 0; | 1564 iv.v32[0] = 0; |
1081 iv.v32[1] = 0; | 1565 iv.v32[1] = 0; |
1082 #else | 1566 #else |
1083 iv.v64[0] = 0; | 1567 iv.v64[0] = 0; |
1084 #endif | 1568 #endif |
1085 iv.v64[1] = be64_to_cpu(est); | 1569 iv.v64[1] = be64_to_cpu(est); |
1086 status = cipher_set_iv(stream->rtp_cipher, &iv); | 1570 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); |
1087 } | 1571 } |
1088 if (status) | 1572 if (status) |
1089 return err_status_cipher_fail; | 1573 return err_status_cipher_fail; |
1090 | 1574 |
1091 /* shift est, put into network byte order */ | 1575 /* shift est, put into network byte order */ |
1092 #ifdef NO_64BIT_MATH | 1576 #ifdef NO_64BIT_MATH |
1093 est = be64_to_cpu(make64((high32(est) << 16) | | 1577 est = be64_to_cpu(make64((high32(est) << 16) | |
1094 (low32(est) >> 16), | 1578 (low32(est) >> 16), |
1095 low32(est) << 16)); | 1579 low32(est) << 16)); |
1096 #else | 1580 #else |
1097 est = be64_to_cpu(est << 16); | 1581 est = be64_to_cpu(est << 16); |
1098 #endif | 1582 #endif |
1099 | 1583 |
1100 /* | 1584 /* |
1101 * find starting point for decryption and length of data to be | 1585 * find starting point for decryption and length of data to be |
1102 * decrypted - the encrypted portion starts after the rtp header | 1586 * decrypted - the encrypted portion starts after the rtp header |
1103 * extension, if present; otherwise, it starts after the last csrc, | 1587 * extension, if present; otherwise, it starts after the last csrc, |
1104 * if any are present | 1588 * if any are present |
1105 * | 1589 * |
1106 * if we're not providing confidentiality, set enc_start to NULL | 1590 * if we're not providing confidentiality, set enc_start to NULL |
1107 */ | 1591 */ |
1108 if (stream->rtp_services & sec_serv_conf) { | 1592 if (stream->rtp_services & sec_serv_conf) { |
1109 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; | 1593 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; |
1110 if (hdr->x == 1) { | 1594 if (hdr->x == 1) { |
1111 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; | 1595 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; |
1112 enc_start += (ntohs(xtn_hdr->length) + 1); | 1596 enc_start += (ntohs(xtn_hdr->length) + 1); |
1113 } | 1597 } |
1114 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len | 1598 if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len)) |
1115 » » » - ((enc_start - (uint32_t *)hdr) << 2)); | 1599 return err_status_parse_err; |
| 1600 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - |
| 1601 ((uint8_t*)enc_start - (uint8_t*)hdr)); |
1116 } else { | 1602 } else { |
1117 enc_start = NULL; | 1603 enc_start = NULL; |
1118 } | 1604 } |
1119 | 1605 |
1120 /* | 1606 /* |
1121 * if we're providing authentication, set the auth_start and auth_tag | 1607 * if we're providing authentication, set the auth_start and auth_tag |
1122 * pointers to the proper locations; otherwise, set auth_start to NULL | 1608 * pointers to the proper locations; otherwise, set auth_start to NULL |
1123 * to indicate that no authentication is needed | 1609 * to indicate that no authentication is needed |
1124 */ | 1610 */ |
1125 if (stream->rtp_services & sec_serv_auth) { | 1611 if (stream->rtp_services & sec_serv_auth) { |
(...skipping 330 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1456 if (ctx == NULL) | 1942 if (ctx == NULL) |
1457 return err_status_alloc_fail; | 1943 return err_status_alloc_fail; |
1458 *session = ctx; | 1944 *session = ctx; |
1459 | 1945 |
1460 /* | 1946 /* |
1461 * loop over elements in the policy list, allocating and | 1947 * loop over elements in the policy list, allocating and |
1462 * initializing a stream for each element | 1948 * initializing a stream for each element |
1463 */ | 1949 */ |
1464 ctx->stream_template = NULL; | 1950 ctx->stream_template = NULL; |
1465 ctx->stream_list = NULL; | 1951 ctx->stream_list = NULL; |
| 1952 ctx->user_data = NULL; |
1466 while (policy != NULL) { | 1953 while (policy != NULL) { |
1467 | 1954 |
1468 stat = srtp_add_stream(ctx, policy); | 1955 stat = srtp_add_stream(ctx, policy); |
1469 if (stat) { | 1956 if (stat) { |
1470 /* clean up everything */ | 1957 /* clean up everything */ |
1471 srtp_dealloc(*session); | 1958 srtp_dealloc(*session); |
1472 return stat; | 1959 return stat; |
1473 } | 1960 } |
1474 | 1961 |
1475 /* set policy to next item in list */ | 1962 /* set policy to next item in list */ |
(...skipping 157 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1633 */ | 2120 */ |
1634 | 2121 |
1635 p->cipher_type = AES_ICM; | 2122 p->cipher_type = AES_ICM; |
1636 p->cipher_key_len = 46; | 2123 p->cipher_key_len = 46; |
1637 p->auth_type = HMAC_SHA1; | 2124 p->auth_type = HMAC_SHA1; |
1638 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ | 2125 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ |
1639 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ | 2126 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ |
1640 p->sec_serv = sec_serv_conf_and_auth; | 2127 p->sec_serv = sec_serv_conf_and_auth; |
1641 } | 2128 } |
1642 | 2129 |
| 2130 /* |
| 2131 * AES-256 with no authentication. |
| 2132 */ |
| 2133 void |
| 2134 crypto_policy_set_aes_cm_256_null_auth (crypto_policy_t *p) |
| 2135 { |
| 2136 p->cipher_type = AES_ICM; |
| 2137 p->cipher_key_len = 46; |
| 2138 p->auth_type = NULL_AUTH; |
| 2139 p->auth_key_len = 0; |
| 2140 p->auth_tag_len = 0; |
| 2141 p->sec_serv = sec_serv_conf; |
| 2142 } |
| 2143 |
| 2144 #ifdef OPENSSL |
| 2145 /* |
| 2146 * AES-128 GCM mode with 8 octet auth tag. |
| 2147 */ |
| 2148 void |
| 2149 crypto_policy_set_aes_gcm_128_8_auth(crypto_policy_t *p) { |
| 2150 p->cipher_type = AES_128_GCM; |
| 2151 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; |
| 2152 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ |
| 2153 p->auth_key_len = 0; |
| 2154 p->auth_tag_len = 8; /* 8 octet tag length */ |
| 2155 p->sec_serv = sec_serv_conf_and_auth; |
| 2156 } |
| 2157 |
| 2158 /* |
| 2159 * AES-256 GCM mode with 8 octet auth tag. |
| 2160 */ |
| 2161 void |
| 2162 crypto_policy_set_aes_gcm_256_8_auth(crypto_policy_t *p) { |
| 2163 p->cipher_type = AES_256_GCM; |
| 2164 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; |
| 2165 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ |
| 2166 p->auth_key_len = 0; |
| 2167 p->auth_tag_len = 8; /* 8 octet tag length */ |
| 2168 p->sec_serv = sec_serv_conf_and_auth; |
| 2169 } |
| 2170 |
| 2171 /* |
| 2172 * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption. |
| 2173 */ |
| 2174 void |
| 2175 crypto_policy_set_aes_gcm_128_8_only_auth(crypto_policy_t *p) { |
| 2176 p->cipher_type = AES_128_GCM; |
| 2177 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; |
| 2178 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ |
| 2179 p->auth_key_len = 0; |
| 2180 p->auth_tag_len = 8; /* 8 octet tag length */ |
| 2181 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ |
| 2182 } |
| 2183 |
| 2184 /* |
| 2185 * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption. |
| 2186 */ |
| 2187 void |
| 2188 crypto_policy_set_aes_gcm_256_8_only_auth(crypto_policy_t *p) { |
| 2189 p->cipher_type = AES_256_GCM; |
| 2190 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; |
| 2191 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ |
| 2192 p->auth_key_len = 0; |
| 2193 p->auth_tag_len = 8; /* 8 octet tag length */ |
| 2194 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ |
| 2195 } |
| 2196 |
| 2197 /* |
| 2198 * AES-128 GCM mode with 16 octet auth tag. |
| 2199 */ |
| 2200 void |
| 2201 crypto_policy_set_aes_gcm_128_16_auth(crypto_policy_t *p) { |
| 2202 p->cipher_type = AES_128_GCM; |
| 2203 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; |
| 2204 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ |
| 2205 p->auth_key_len = 0; |
| 2206 p->auth_tag_len = 16; /* 16 octet tag length */ |
| 2207 p->sec_serv = sec_serv_conf_and_auth; |
| 2208 } |
| 2209 |
| 2210 /* |
| 2211 * AES-256 GCM mode with 16 octet auth tag. |
| 2212 */ |
| 2213 void |
| 2214 crypto_policy_set_aes_gcm_256_16_auth(crypto_policy_t *p) { |
| 2215 p->cipher_type = AES_256_GCM; |
| 2216 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; |
| 2217 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ |
| 2218 p->auth_key_len = 0; |
| 2219 p->auth_tag_len = 16; /* 16 octet tag length */ |
| 2220 p->sec_serv = sec_serv_conf_and_auth; |
| 2221 } |
| 2222 |
| 2223 #endif |
1643 | 2224 |
1644 /* | 2225 /* |
1645 * secure rtcp functions | 2226 * secure rtcp functions |
1646 */ | 2227 */ |
1647 | 2228 |
| 2229 /* |
| 2230 * AEAD uses a new IV formation method. This function implements |
| 2231 * section 10.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The |
| 2232 * calculation is defined as, where (+) is the xor operation: |
| 2233 * |
| 2234 * 0 1 2 3 4 5 6 7 8 9 10 11 |
| 2235 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
| 2236 * |00|00| SSRC |00|00|0+SRTCP Idx|---+ |
| 2237 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
| 2238 * | |
| 2239 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
| 2240 * | Encryption Salt |->(+) |
| 2241 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
| 2242 * | |
| 2243 * +--+--+--+--+--+--+--+--+--+--+--+--+ | |
| 2244 * | Initialization Vector |<--+ |
| 2245 * +--+--+--+--+--+--+--+--+--+--+--+--+* |
| 2246 * |
| 2247 * Input: *stream - pointer to SRTP stream context, used to retrieve |
| 2248 * the SALT |
| 2249 * *iv - Pointer to recieve the calculated IV |
| 2250 * seq_num - The SEQ value to use for the IV calculation. |
| 2251 * *hdr - The RTP header, used to get the SSRC value |
| 2252 * |
| 2253 */ |
| 2254 static void srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv, |
| 2255 uint32_t seq_num, srtcp_hdr_t *hdr) |
| 2256 { |
| 2257 v128_t in; |
| 2258 v128_t salt; |
| 2259 |
| 2260 memset(&in, 0, sizeof(v128_t)); |
| 2261 memset(&salt, 0, sizeof(v128_t)); |
| 2262 |
| 2263 in.v16[0] = 0; |
| 2264 memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */ |
| 2265 in.v16[3] = 0; |
| 2266 in.v32[2] = 0x7FFFFFFF & htonl(seq_num); /* bit 32 is suppose to be zero */ |
| 2267 |
| 2268 debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in)); |
| 2269 |
| 2270 /* |
| 2271 * Get the SALT value from the context |
| 2272 */ |
| 2273 memcpy(salt.v8, stream->c_salt, 12); |
| 2274 debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt)); |
| 2275 |
| 2276 /* |
| 2277 * Finally, apply the SALT to the input |
| 2278 */ |
| 2279 v128_xor(iv, &in, &salt); |
| 2280 } |
| 2281 |
| 2282 /* |
| 2283 * This code handles AEAD ciphers for outgoing RTCP. We currently support |
| 2284 * AES-GCM mode with 128 or 256 bit keys. |
| 2285 */ |
| 2286 static err_status_t |
| 2287 srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, |
| 2288 void *rtcp_hdr, unsigned int *pkt_octet_len) |
| 2289 { |
| 2290 srtcp_hdr_t *hdr = (srtcp_hdr_t*)rtcp_hdr; |
| 2291 uint32_t *enc_start; /* pointer to start of encrypted portion */ |
| 2292 uint32_t *trailer; /* pointer to start of trailer */ |
| 2293 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ |
| 2294 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ |
| 2295 err_status_t status; |
| 2296 int tag_len; |
| 2297 uint32_t seq_num; |
| 2298 v128_t iv; |
| 2299 uint32_t tseq; |
| 2300 |
| 2301 /* get tag length from stream context */ |
| 2302 tag_len = auth_get_tag_length(stream->rtcp_auth); |
| 2303 |
| 2304 /* |
| 2305 * set encryption start and encryption length - if we're not |
| 2306 * providing confidentiality, set enc_start to NULL |
| 2307 */ |
| 2308 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header; |
| 2309 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; |
| 2310 |
| 2311 /* NOTE: hdr->length is not usable - it refers to only the first |
| 2312 RTCP report in the compound packet! */ |
| 2313 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always |
| 2314 multiples of 32-bits (RFC 3550 6.1) */ |
| 2315 trailer = (uint32_t*)((char*)enc_start + enc_octet_len + tag_len); |
| 2316 |
| 2317 if (stream->rtcp_services & sec_serv_conf) { |
| 2318 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ |
| 2319 } else { |
| 2320 enc_start = NULL; |
| 2321 enc_octet_len = 0; |
| 2322 /* 0 is network-order independant */ |
| 2323 *trailer = 0x00000000; /* set encrypt bit */ |
| 2324 } |
| 2325 |
| 2326 /* |
| 2327 * set the auth_tag pointer to the proper location, which is after |
| 2328 * the payload, but before the trailer |
| 2329 * (note that srtpc *always* provides authentication, unlike srtp) |
| 2330 */ |
| 2331 /* Note: This would need to change for optional mikey data */ |
| 2332 auth_tag = (uint8_t*)hdr + *pkt_octet_len; |
| 2333 |
| 2334 /* |
| 2335 * check sequence number for overruns, and copy it into the packet |
| 2336 * if its value isn't too big |
| 2337 */ |
| 2338 status = rdb_increment(&stream->rtcp_rdb); |
| 2339 if (status) { |
| 2340 return status; |
| 2341 } |
| 2342 seq_num = rdb_get_value(&stream->rtcp_rdb); |
| 2343 *trailer |= htonl(seq_num); |
| 2344 debug_print(mod_srtp, "srtcp index: %x", seq_num); |
| 2345 |
| 2346 /* |
| 2347 * Calculating the IV and pass it down to the cipher |
| 2348 */ |
| 2349 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr); |
| 2350 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); |
| 2351 if (status) { |
| 2352 return err_status_cipher_fail; |
| 2353 } |
| 2354 |
| 2355 /* |
| 2356 * Set the AAD for GCM mode |
| 2357 */ |
| 2358 if (enc_start) { |
| 2359 /* |
| 2360 * If payload encryption is enabled, then the AAD consist of |
| 2361 * the RTCP header and the seq# at the end of the packet |
| 2362 */ |
| 2363 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, |
| 2364 octets_in_rtcp_header); |
| 2365 if (status) { |
| 2366 return ( err_status_cipher_fail); |
| 2367 } |
| 2368 } else { |
| 2369 /* |
| 2370 * Since payload encryption is not enabled, we must authenticate |
| 2371 * the entire packet as described in section 10.3 in revision 07 |
| 2372 * of the draft. |
| 2373 */ |
| 2374 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, |
| 2375 *pkt_octet_len); |
| 2376 if (status) { |
| 2377 return ( err_status_cipher_fail); |
| 2378 } |
| 2379 } |
| 2380 /* |
| 2381 * put the idx# into network byte order and process it as AAD |
| 2382 */ |
| 2383 tseq = htonl(*trailer); |
| 2384 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq, |
| 2385 sizeof(srtcp_trailer_t)); |
| 2386 if (status) { |
| 2387 return ( err_status_cipher_fail); |
| 2388 } |
| 2389 |
| 2390 /* if we're encrypting, exor keystream into the message */ |
| 2391 if (enc_start) { |
| 2392 status = cipher_encrypt(stream->rtcp_cipher, |
| 2393 (uint8_t*)enc_start, &enc_octet_len); |
| 2394 if (status) { |
| 2395 return err_status_cipher_fail; |
| 2396 } |
| 2397 /* |
| 2398 * Get the tag and append that to the output |
| 2399 */ |
| 2400 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag, |
| 2401 &tag_len); |
| 2402 if (status) { |
| 2403 return ( err_status_cipher_fail); |
| 2404 } |
| 2405 enc_octet_len += tag_len; |
| 2406 } else { |
| 2407 /* |
| 2408 * Even though we're not encrypting the payload, we need |
| 2409 * to run the cipher to get the auth tag. |
| 2410 */ |
| 2411 unsigned int nolen = 0; |
| 2412 status = cipher_encrypt(stream->rtcp_cipher, NULL, &nolen); |
| 2413 if (status) { |
| 2414 return err_status_cipher_fail; |
| 2415 } |
| 2416 /* |
| 2417 * Get the tag and append that to the output |
| 2418 */ |
| 2419 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag, |
| 2420 &tag_len); |
| 2421 if (status) { |
| 2422 return ( err_status_cipher_fail); |
| 2423 } |
| 2424 enc_octet_len += tag_len; |
| 2425 } |
| 2426 |
| 2427 /* increase the packet length by the length of the auth tag and seq_num*/ |
| 2428 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); |
| 2429 |
| 2430 return err_status_ok; |
| 2431 } |
| 2432 |
| 2433 /* |
| 2434 * This function handles incoming SRTCP packets while in AEAD mode, |
| 2435 * which currently supports AES-GCM encryption. Note, the auth tag is |
| 2436 * at the end of the packet stream and is automatically checked by GCM |
| 2437 * when decrypting the payload. |
| 2438 */ |
| 2439 static err_status_t |
| 2440 srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, |
| 2441 void *srtcp_hdr, unsigned int *pkt_octet_len) |
| 2442 { |
| 2443 srtcp_hdr_t *hdr = (srtcp_hdr_t*)srtcp_hdr; |
| 2444 uint32_t *enc_start; /* pointer to start of encrypted portion */ |
| 2445 uint32_t *trailer; /* pointer to start of trailer */ |
| 2446 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ |
| 2447 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ |
| 2448 err_status_t status; |
| 2449 int tag_len; |
| 2450 unsigned int tmp_len; |
| 2451 uint32_t seq_num; |
| 2452 v128_t iv; |
| 2453 uint32_t tseq; |
| 2454 |
| 2455 /* get tag length from stream context */ |
| 2456 tag_len = auth_get_tag_length(stream->rtcp_auth); |
| 2457 |
| 2458 /* |
| 2459 * set encryption start, encryption length, and trailer |
| 2460 */ |
| 2461 /* index & E (encryption) bit follow normal data. hdr->len |
| 2462 is the number of words (32-bit) in the normal packet minus 1 */ |
| 2463 /* This should point trailer to the word past the end of the |
| 2464 normal data. */ |
| 2465 /* This would need to be modified for optional mikey data */ |
| 2466 /* |
| 2467 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always |
| 2468 * multiples of 32-bits (RFC 3550 6.1) |
| 2469 */ |
| 2470 trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t))
; |
| 2471 /* |
| 2472 * We pass the tag down to the cipher when doing GCM mode |
| 2473 */ |
| 2474 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + |
| 2475 sizeof(srtcp_trailer_t)); |
| 2476 auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - sizeof(srtcp_trailer_t
); |
| 2477 |
| 2478 if (*((unsigned char*)trailer) & SRTCP_E_BYTE_BIT) { |
| 2479 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header; |
| 2480 } else { |
| 2481 enc_octet_len = 0; |
| 2482 enc_start = NULL; /* this indicates that there's no encryption */ |
| 2483 } |
| 2484 |
| 2485 /* |
| 2486 * check the sequence number for replays |
| 2487 */ |
| 2488 /* this is easier than dealing with bitfield access */ |
| 2489 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; |
| 2490 debug_print(mod_srtp, "srtcp index: %x", seq_num); |
| 2491 status = rdb_check(&stream->rtcp_rdb, seq_num); |
| 2492 if (status) { |
| 2493 return status; |
| 2494 } |
| 2495 |
| 2496 /* |
| 2497 * Calculate and set the IV |
| 2498 */ |
| 2499 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr); |
| 2500 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); |
| 2501 if (status) { |
| 2502 return err_status_cipher_fail; |
| 2503 } |
| 2504 |
| 2505 /* |
| 2506 * Set the AAD for GCM mode |
| 2507 */ |
| 2508 if (enc_start) { |
| 2509 /* |
| 2510 * If payload encryption is enabled, then the AAD consist of |
| 2511 * the RTCP header and the seq# at the end of the packet |
| 2512 */ |
| 2513 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, |
| 2514 octets_in_rtcp_header); |
| 2515 if (status) { |
| 2516 return ( err_status_cipher_fail); |
| 2517 } |
| 2518 } else { |
| 2519 /* |
| 2520 * Since payload encryption is not enabled, we must authenticate |
| 2521 * the entire packet as described in section 10.3 in revision 07 |
| 2522 * of the draft. |
| 2523 */ |
| 2524 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, |
| 2525 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_
t))); |
| 2526 if (status) { |
| 2527 return ( err_status_cipher_fail); |
| 2528 } |
| 2529 } |
| 2530 |
| 2531 /* |
| 2532 * put the idx# into network byte order, and process it as AAD |
| 2533 */ |
| 2534 tseq = htonl(*trailer); |
| 2535 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq, |
| 2536 sizeof(srtcp_trailer_t)); |
| 2537 if (status) { |
| 2538 return ( err_status_cipher_fail); |
| 2539 } |
| 2540 |
| 2541 /* if we're decrypting, exor keystream into the message */ |
| 2542 if (enc_start) { |
| 2543 status = cipher_decrypt(stream->rtcp_cipher, |
| 2544 (uint8_t*)enc_start, &enc_octet_len); |
| 2545 if (status) { |
| 2546 return status; |
| 2547 } |
| 2548 } else { |
| 2549 /* |
| 2550 * Still need to run the cipher to check the tag |
| 2551 */ |
| 2552 tmp_len = tag_len; |
| 2553 status = cipher_decrypt(stream->rtcp_cipher, (uint8_t*)auth_tag, |
| 2554 &tmp_len); |
| 2555 if (status) { |
| 2556 return status; |
| 2557 } |
| 2558 } |
| 2559 |
| 2560 /* decrease the packet length by the length of the auth tag and seq_num*/ |
| 2561 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); |
| 2562 |
| 2563 /* |
| 2564 * verify that stream is for received traffic - this check will |
| 2565 * detect SSRC collisions, since a stream that appears in both |
| 2566 * srtp_protect() and srtp_unprotect() will fail this test in one of |
| 2567 * those functions. |
| 2568 * |
| 2569 * we do this check *after* the authentication check, so that the |
| 2570 * latter check will catch any attempts to fool us into thinking |
| 2571 * that we've got a collision |
| 2572 */ |
| 2573 if (stream->direction != dir_srtp_receiver) { |
| 2574 if (stream->direction == dir_unknown) { |
| 2575 stream->direction = dir_srtp_receiver; |
| 2576 } else { |
| 2577 srtp_handle_event(ctx, stream, event_ssrc_collision); |
| 2578 } |
| 2579 } |
| 2580 |
| 2581 /* |
| 2582 * if the stream is a 'provisional' one, in which the template context |
| 2583 * is used, then we need to allocate a new stream at this point, since |
| 2584 * the authentication passed |
| 2585 */ |
| 2586 if (stream == ctx->stream_template) { |
| 2587 srtp_stream_ctx_t *new_stream; |
| 2588 |
| 2589 /* |
| 2590 * allocate and initialize a new stream |
| 2591 * |
| 2592 * note that we indicate failure if we can't allocate the new |
| 2593 * stream, and some implementations will want to not return |
| 2594 * failure here |
| 2595 */ |
| 2596 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream)
; |
| 2597 if (status) { |
| 2598 return status; |
| 2599 } |
| 2600 |
| 2601 /* add new stream to the head of the stream_list */ |
| 2602 new_stream->next = ctx->stream_list; |
| 2603 ctx->stream_list = new_stream; |
| 2604 |
| 2605 /* set stream (the pointer used in this function) */ |
| 2606 stream = new_stream; |
| 2607 } |
| 2608 |
| 2609 /* we've passed the authentication check, so add seq_num to the rdb */ |
| 2610 rdb_add_index(&stream->rtcp_rdb, seq_num); |
| 2611 |
| 2612 return err_status_ok; |
| 2613 } |
| 2614 |
1648 err_status_t | 2615 err_status_t |
1649 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) { | 2616 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) { |
1650 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; | 2617 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; |
1651 uint32_t *enc_start; /* pointer to start of encrypted portion */ | 2618 uint32_t *enc_start; /* pointer to start of encrypted portion */ |
1652 uint32_t *auth_start; /* pointer to start of auth. portion */ | 2619 uint32_t *auth_start; /* pointer to start of auth. portion */ |
1653 uint32_t *trailer; /* pointer to start of trailer */ | 2620 uint32_t *trailer; /* pointer to start of trailer */ |
1654 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ | 2621 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ |
1655 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | 2622 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ |
1656 err_status_t status; | 2623 err_status_t status; |
1657 int tag_len; | 2624 int tag_len; |
1658 srtp_stream_ctx_t *stream; | 2625 srtp_stream_ctx_t *stream; |
1659 int prefix_len; | 2626 int prefix_len; |
1660 uint32_t seq_num; | 2627 uint32_t seq_num; |
1661 | 2628 |
1662 /* we assume the hdr is 32-bit aligned to start */ | 2629 /* we assume the hdr is 32-bit aligned to start */ |
| 2630 |
| 2631 /* check the packet length - it must at least contain a full header */ |
| 2632 if (*pkt_octet_len < octets_in_rtcp_header) |
| 2633 return err_status_bad_param; |
| 2634 |
1663 /* | 2635 /* |
1664 * look up ssrc in srtp_stream list, and process the packet with | 2636 * look up ssrc in srtp_stream list, and process the packet with |
1665 * the appropriate stream. if we haven't seen this stream before, | 2637 * the appropriate stream. if we haven't seen this stream before, |
1666 * there's only one key for this srtp_session, and the cipher | 2638 * there's only one key for this srtp_session, and the cipher |
1667 * supports key-sharing, then we assume that a new stream using | 2639 * supports key-sharing, then we assume that a new stream using |
1668 * that key has just started up | 2640 * that key has just started up |
1669 */ | 2641 */ |
1670 stream = srtp_get_stream(ctx, hdr->ssrc); | 2642 stream = srtp_get_stream(ctx, hdr->ssrc); |
1671 if (stream == NULL) { | 2643 if (stream == NULL) { |
1672 if (ctx->stream_template != NULL) { | 2644 if (ctx->stream_template != NULL) { |
(...skipping 24 matching lines...) Expand all Loading... |
1697 * those functions. | 2669 * those functions. |
1698 */ | 2670 */ |
1699 if (stream->direction != dir_srtp_sender) { | 2671 if (stream->direction != dir_srtp_sender) { |
1700 if (stream->direction == dir_unknown) { | 2672 if (stream->direction == dir_unknown) { |
1701 stream->direction = dir_srtp_sender; | 2673 stream->direction = dir_srtp_sender; |
1702 } else { | 2674 } else { |
1703 srtp_handle_event(ctx, stream, event_ssrc_collision); | 2675 srtp_handle_event(ctx, stream, event_ssrc_collision); |
1704 } | 2676 } |
1705 } | 2677 } |
1706 | 2678 |
| 2679 /* |
| 2680 * Check if this is an AEAD stream (GCM mode). If so, then dispatch |
| 2681 * the request to our AEAD handler. |
| 2682 */ |
| 2683 if (stream->rtp_cipher->algorithm == AES_128_GCM || |
| 2684 stream->rtp_cipher->algorithm == AES_256_GCM) { |
| 2685 return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, (unsigned int*)pkt_oc
tet_len); |
| 2686 } |
| 2687 |
1707 /* get tag length from stream context */ | 2688 /* get tag length from stream context */ |
1708 tag_len = auth_get_tag_length(stream->rtcp_auth); | 2689 tag_len = auth_get_tag_length(stream->rtcp_auth); |
1709 | 2690 |
1710 /* | 2691 /* |
1711 * set encryption start and encryption length - if we're not | 2692 * set encryption start and encryption length - if we're not |
1712 * providing confidentiality, set enc_start to NULL | 2693 * providing confidentiality, set enc_start to NULL |
1713 */ | 2694 */ |
1714 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; | 2695 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; |
1715 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; | 2696 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; |
1716 | 2697 |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1756 /* | 2737 /* |
1757 * if we're using rindael counter mode, set nonce and seq | 2738 * if we're using rindael counter mode, set nonce and seq |
1758 */ | 2739 */ |
1759 if (stream->rtcp_cipher->type->id == AES_ICM) { | 2740 if (stream->rtcp_cipher->type->id == AES_ICM) { |
1760 v128_t iv; | 2741 v128_t iv; |
1761 | 2742 |
1762 iv.v32[0] = 0; | 2743 iv.v32[0] = 0; |
1763 iv.v32[1] = hdr->ssrc; /* still in network order! */ | 2744 iv.v32[1] = hdr->ssrc; /* still in network order! */ |
1764 iv.v32[2] = htonl(seq_num >> 16); | 2745 iv.v32[2] = htonl(seq_num >> 16); |
1765 iv.v32[3] = htonl(seq_num << 16); | 2746 iv.v32[3] = htonl(seq_num << 16); |
1766 status = cipher_set_iv(stream->rtcp_cipher, &iv); | 2747 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); |
1767 | 2748 |
1768 } else { | 2749 } else { |
1769 v128_t iv; | 2750 v128_t iv; |
1770 | 2751 |
1771 /* otherwise, just set the index to seq_num */ | 2752 /* otherwise, just set the index to seq_num */ |
1772 iv.v32[0] = 0; | 2753 iv.v32[0] = 0; |
1773 iv.v32[1] = 0; | 2754 iv.v32[1] = 0; |
1774 iv.v32[2] = 0; | 2755 iv.v32[2] = 0; |
1775 iv.v32[3] = htonl(seq_num); | 2756 iv.v32[3] = htonl(seq_num); |
1776 status = cipher_set_iv(stream->rtcp_cipher, &iv); | 2757 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); |
1777 } | 2758 } |
1778 if (status) | 2759 if (status) |
1779 return err_status_cipher_fail; | 2760 return err_status_cipher_fail; |
1780 | 2761 |
1781 /* | 2762 /* |
1782 * if we're authenticating using a universal hash, put the keystream | 2763 * if we're authenticating using a universal hash, put the keystream |
1783 * prefix into the authentication tag | 2764 * prefix into the authentication tag |
1784 */ | 2765 */ |
1785 | 2766 |
1786 /* if auth_start is non-null, then put keystream into tag */ | 2767 /* if auth_start is non-null, then put keystream into tag */ |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1827 return err_status_ok; | 2808 return err_status_ok; |
1828 } | 2809 } |
1829 | 2810 |
1830 | 2811 |
1831 err_status_t | 2812 err_status_t |
1832 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) { | 2813 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) { |
1833 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; | 2814 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; |
1834 uint32_t *enc_start; /* pointer to start of encrypted portion */ | 2815 uint32_t *enc_start; /* pointer to start of encrypted portion */ |
1835 uint32_t *auth_start; /* pointer to start of auth. portion */ | 2816 uint32_t *auth_start; /* pointer to start of auth. portion */ |
1836 uint32_t *trailer; /* pointer to start of trailer */ | 2817 uint32_t *trailer; /* pointer to start of trailer */ |
1837 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ | 2818 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ |
1838 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ | 2819 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ |
1839 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; | 2820 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; |
1840 uint8_t tag_copy[SRTP_MAX_TAG_LEN]; | 2821 uint8_t tag_copy[SRTP_MAX_TAG_LEN]; |
1841 err_status_t status; | 2822 err_status_t status; |
1842 unsigned auth_len; | 2823 unsigned int auth_len; |
1843 int tag_len; | 2824 int tag_len; |
1844 srtp_stream_ctx_t *stream; | 2825 srtp_stream_ctx_t *stream; |
1845 int prefix_len; | 2826 int prefix_len; |
1846 uint32_t seq_num; | 2827 uint32_t seq_num; |
| 2828 int e_bit_in_packet; /* whether the E-bit was found in the packet */ |
| 2829 int sec_serv_confidentiality; /* whether confidentiality was requested */ |
1847 | 2830 |
1848 /* we assume the hdr is 32-bit aligned to start */ | 2831 /* we assume the hdr is 32-bit aligned to start */ |
| 2832 |
| 2833 /* check that the length value is sane; we'll check again once we |
| 2834 know the tag length, but we at least want to know that it is |
| 2835 a positive value */ |
| 2836 if (*pkt_octet_len < octets_in_rtcp_header + sizeof(srtcp_trailer_t)) |
| 2837 return err_status_bad_param; |
| 2838 |
1849 /* | 2839 /* |
1850 * look up ssrc in srtp_stream list, and process the packet with | 2840 * look up ssrc in srtp_stream list, and process the packet with |
1851 * the appropriate stream. if we haven't seen this stream before, | 2841 * the appropriate stream. if we haven't seen this stream before, |
1852 * there's only one key for this srtp_session, and the cipher | 2842 * there's only one key for this srtp_session, and the cipher |
1853 * supports key-sharing, then we assume that a new stream using | 2843 * supports key-sharing, then we assume that a new stream using |
1854 * that key has just started up | 2844 * that key has just started up |
1855 */ | 2845 */ |
1856 stream = srtp_get_stream(ctx, hdr->ssrc); | 2846 stream = srtp_get_stream(ctx, hdr->ssrc); |
1857 if (stream == NULL) { | 2847 if (stream == NULL) { |
1858 if (ctx->stream_template != NULL) { | 2848 if (ctx->stream_template != NULL) { |
(...skipping 17 matching lines...) Expand all Loading... |
1876 | 2866 |
1877 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", | 2867 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", |
1878 hdr->ssrc); | 2868 hdr->ssrc); |
1879 } else { | 2869 } else { |
1880 /* no template stream, so we return an error */ | 2870 /* no template stream, so we return an error */ |
1881 return err_status_no_ctx; | 2871 return err_status_no_ctx; |
1882 } | 2872 } |
1883 } | 2873 } |
1884 | 2874 |
1885 /* get tag length from stream context */ | 2875 /* get tag length from stream context */ |
1886 tag_len = auth_get_tag_length(stream->rtcp_auth); | 2876 tag_len = auth_get_tag_length(stream->rtcp_auth); |
| 2877 |
| 2878 /* check the packet length - it must contain at least a full RTCP |
| 2879 header, an auth tag (if applicable), and the SRTCP encrypted flag |
| 2880 and 31-bit index value */ |
| 2881 if (*pkt_octet_len < (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t
))) { |
| 2882 return err_status_bad_param; |
| 2883 } |
| 2884 |
| 2885 /* |
| 2886 * Check if this is an AEAD stream (GCM mode). If so, then dispatch |
| 2887 * the request to our AEAD handler. |
| 2888 */ |
| 2889 if (stream->rtp_cipher->algorithm == AES_128_GCM || |
| 2890 stream->rtp_cipher->algorithm == AES_256_GCM) { |
| 2891 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, (unsigned int*)pkt
_octet_len); |
| 2892 } |
| 2893 |
| 2894 sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf || |
| 2895 stream->rtcp_services == sec_serv_conf_and_auth; |
1887 | 2896 |
1888 /* | 2897 /* |
1889 * set encryption start, encryption length, and trailer | 2898 * set encryption start, encryption length, and trailer |
1890 */ | 2899 */ |
1891 enc_octet_len = *pkt_octet_len - | 2900 enc_octet_len = *pkt_octet_len - |
1892 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t)); | 2901 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t)); |
1893 /* index & E (encryption) bit follow normal data. hdr->len | 2902 /* index & E (encryption) bit follow normal data. hdr->len |
1894 is the number of words (32-bit) in the normal packet minus 1 */ | 2903 is the number of words (32-bit) in the normal packet minus 1 */ |
1895 /* This should point trailer to the word past the end of the | 2904 /* This should point trailer to the word past the end of the |
1896 normal data. */ | 2905 normal data. */ |
1897 /* This would need to be modified for optional mikey data */ | 2906 /* This would need to be modified for optional mikey data */ |
1898 /* | 2907 /* |
1899 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always | 2908 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always |
1900 * multiples of 32-bits (RFC 3550 6.1) | 2909 * multiples of 32-bits (RFC 3550 6.1) |
1901 */ | 2910 */ |
1902 trailer = (uint32_t *) ((char *) hdr + | 2911 trailer = (uint32_t *) ((char *) hdr + |
1903 » » *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t))); | 2912 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t))); |
1904 if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) { | 2913 e_bit_in_packet = |
| 2914 (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT; |
| 2915 if (e_bit_in_packet != sec_serv_confidentiality) { |
| 2916 return err_status_cant_check; |
| 2917 } |
| 2918 if (sec_serv_confidentiality) { |
1905 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; | 2919 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; |
1906 } else { | 2920 } else { |
1907 enc_octet_len = 0; | 2921 enc_octet_len = 0; |
1908 enc_start = NULL; /* this indicates that there's no encryption */ | 2922 enc_start = NULL; /* this indicates that there's no encryption */ |
1909 } | 2923 } |
1910 | 2924 |
1911 /* | 2925 /* |
1912 * set the auth_start and auth_tag pointers to the proper locations | 2926 * set the auth_start and auth_tag pointers to the proper locations |
1913 * (note that srtcp *always* uses authentication, unlike srtp) | 2927 * (note that srtcp *always* uses authentication, unlike srtp) |
1914 */ | 2928 */ |
(...skipping 29 matching lines...) Expand all Loading... |
1944 /* | 2958 /* |
1945 * if we're using aes counter mode, set nonce and seq | 2959 * if we're using aes counter mode, set nonce and seq |
1946 */ | 2960 */ |
1947 if (stream->rtcp_cipher->type->id == AES_ICM) { | 2961 if (stream->rtcp_cipher->type->id == AES_ICM) { |
1948 v128_t iv; | 2962 v128_t iv; |
1949 | 2963 |
1950 iv.v32[0] = 0; | 2964 iv.v32[0] = 0; |
1951 iv.v32[1] = hdr->ssrc; /* still in network order! */ | 2965 iv.v32[1] = hdr->ssrc; /* still in network order! */ |
1952 iv.v32[2] = htonl(seq_num >> 16); | 2966 iv.v32[2] = htonl(seq_num >> 16); |
1953 iv.v32[3] = htonl(seq_num << 16); | 2967 iv.v32[3] = htonl(seq_num << 16); |
1954 status = cipher_set_iv(stream->rtcp_cipher, &iv); | 2968 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); |
1955 | 2969 |
1956 } else { | 2970 } else { |
1957 v128_t iv; | 2971 v128_t iv; |
1958 | 2972 |
1959 /* otherwise, just set the index to seq_num */ | 2973 /* otherwise, just set the index to seq_num */ |
1960 iv.v32[0] = 0; | 2974 iv.v32[0] = 0; |
1961 iv.v32[1] = 0; | 2975 iv.v32[1] = 0; |
1962 iv.v32[2] = 0; | 2976 iv.v32[2] = 0; |
1963 iv.v32[3] = htonl(seq_num); | 2977 iv.v32[3] = htonl(seq_num); |
1964 status = cipher_set_iv(stream->rtcp_cipher, &iv); | 2978 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); |
1965 | 2979 |
1966 } | 2980 } |
1967 if (status) | 2981 if (status) |
1968 return err_status_cipher_fail; | 2982 return err_status_cipher_fail; |
1969 | 2983 |
1970 /* initialize auth func context */ | 2984 /* initialize auth func context */ |
1971 auth_start(stream->rtcp_auth); | 2985 auth_start(stream->rtcp_auth); |
1972 | 2986 |
1973 /* run auth func over packet, put result into tmp_tag */ | 2987 /* run auth func over packet, put result into tmp_tag */ |
1974 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start, | 2988 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start, |
(...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2060 } | 3074 } |
2061 | 3075 |
2062 /* we've passed the authentication check, so add seq_num to the rdb */ | 3076 /* we've passed the authentication check, so add seq_num to the rdb */ |
2063 rdb_add_index(&stream->rtcp_rdb, seq_num); | 3077 rdb_add_index(&stream->rtcp_rdb, seq_num); |
2064 | 3078 |
2065 | 3079 |
2066 return err_status_ok; | 3080 return err_status_ok; |
2067 } | 3081 } |
2068 | 3082 |
2069 | 3083 |
| 3084 /* |
| 3085 * user data within srtp_t context |
| 3086 */ |
| 3087 |
| 3088 void |
| 3089 srtp_set_user_data(srtp_t ctx, void *data) { |
| 3090 ctx->user_data = data; |
| 3091 } |
| 3092 |
| 3093 void* |
| 3094 srtp_get_user_data(srtp_t ctx) { |
| 3095 return ctx->user_data; |
| 3096 } |
| 3097 |
2070 | 3098 |
2071 /* | 3099 /* |
2072 * dtls keying for srtp | 3100 * dtls keying for srtp |
2073 */ | 3101 */ |
2074 | 3102 |
2075 err_status_t | 3103 err_status_t |
2076 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy, | 3104 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy, |
2077 srtp_profile_t profile) { | 3105 srtp_profile_t profile) { |
2078 | 3106 |
2079 /* set SRTP policy from the SRTP profile in the key set */ | 3107 /* set SRTP policy from the SRTP profile in the key set */ |
2080 switch(profile) { | 3108 switch(profile) { |
2081 case srtp_profile_aes128_cm_sha1_80: | 3109 case srtp_profile_aes128_cm_sha1_80: |
2082 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); | 3110 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); |
2083 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); | |
2084 break; | 3111 break; |
2085 case srtp_profile_aes128_cm_sha1_32: | 3112 case srtp_profile_aes128_cm_sha1_32: |
2086 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); | 3113 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); |
2087 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); | |
2088 break; | 3114 break; |
2089 case srtp_profile_null_sha1_80: | 3115 case srtp_profile_null_sha1_80: |
2090 crypto_policy_set_null_cipher_hmac_sha1_80(policy); | 3116 crypto_policy_set_null_cipher_hmac_sha1_80(policy); |
2091 crypto_policy_set_null_cipher_hmac_sha1_80(policy); | |
2092 break; | 3117 break; |
2093 case srtp_profile_aes256_cm_sha1_80: | 3118 case srtp_profile_aes256_cm_sha1_80: |
2094 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); | 3119 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); |
2095 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); | |
2096 break; | 3120 break; |
2097 case srtp_profile_aes256_cm_sha1_32: | 3121 case srtp_profile_aes256_cm_sha1_32: |
2098 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy); | 3122 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy); |
2099 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); | |
2100 break; | 3123 break; |
2101 /* the following profiles are not (yet) supported */ | 3124 /* the following profiles are not (yet) supported */ |
2102 case srtp_profile_null_sha1_32: | 3125 case srtp_profile_null_sha1_32: |
2103 default: | 3126 default: |
2104 return err_status_bad_param; | 3127 return err_status_bad_param; |
2105 } | 3128 } |
2106 | 3129 |
2107 return err_status_ok; | 3130 return err_status_ok; |
2108 } | 3131 } |
2109 | 3132 |
2110 err_status_t | 3133 err_status_t |
2111 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy, | 3134 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy, |
2112 srtp_profile_t profile) { | 3135 srtp_profile_t profile) { |
2113 | 3136 |
2114 /* set SRTP policy from the SRTP profile in the key set */ | 3137 /* set SRTP policy from the SRTP profile in the key set */ |
2115 switch(profile) { | 3138 switch(profile) { |
2116 case srtp_profile_aes128_cm_sha1_80: | 3139 case srtp_profile_aes128_cm_sha1_80: |
2117 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); | 3140 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); |
2118 break; | 3141 break; |
2119 case srtp_profile_aes128_cm_sha1_32: | 3142 case srtp_profile_aes128_cm_sha1_32: |
| 3143 /* We do not honor the 32-bit auth tag request since |
| 3144 * this is not compliant with RFC 3711 */ |
2120 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); | 3145 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); |
2121 break; | 3146 break; |
2122 case srtp_profile_null_sha1_80: | 3147 case srtp_profile_null_sha1_80: |
2123 crypto_policy_set_null_cipher_hmac_sha1_80(policy); | 3148 crypto_policy_set_null_cipher_hmac_sha1_80(policy); |
2124 break; | 3149 break; |
2125 case srtp_profile_aes256_cm_sha1_80: | 3150 case srtp_profile_aes256_cm_sha1_80: |
2126 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); | 3151 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); |
2127 break; | 3152 break; |
2128 case srtp_profile_aes256_cm_sha1_32: | 3153 case srtp_profile_aes256_cm_sha1_32: |
| 3154 /* We do not honor the 32-bit auth tag request since |
| 3155 * this is not compliant with RFC 3711 */ |
2129 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); | 3156 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); |
2130 break; | 3157 break; |
2131 /* the following profiles are not (yet) supported */ | 3158 /* the following profiles are not (yet) supported */ |
2132 case srtp_profile_null_sha1_32: | 3159 case srtp_profile_null_sha1_32: |
2133 default: | 3160 default: |
2134 return err_status_bad_param; | 3161 return err_status_bad_param; |
2135 } | 3162 } |
2136 | 3163 |
2137 return err_status_ok; | 3164 return err_status_ok; |
2138 } | 3165 } |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2189 break; | 3216 break; |
2190 case srtp_profile_aes256_cm_sha1_32: | 3217 case srtp_profile_aes256_cm_sha1_32: |
2191 return 14; | 3218 return 14; |
2192 break; | 3219 break; |
2193 /* the following profiles are not (yet) supported */ | 3220 /* the following profiles are not (yet) supported */ |
2194 case srtp_profile_null_sha1_32: | 3221 case srtp_profile_null_sha1_32: |
2195 default: | 3222 default: |
2196 return 0; /* indicate error by returning a zero */ | 3223 return 0; /* indicate error by returning a zero */ |
2197 } | 3224 } |
2198 } | 3225 } |
OLD | NEW |