| Index: srtp/srtp/srtp.c
|
| ===================================================================
|
| --- srtp/srtp/srtp.c (revision 294174)
|
| +++ srtp/srtp/srtp.c (working copy)
|
| @@ -43,9 +43,12 @@
|
| */
|
|
|
|
|
| -#include "srtp.h"
|
| +#include "srtp_priv.h"
|
| #include "ekt.h" /* for SRTP Encrypted Key Transport */
|
| #include "alloc.h" /* for crypto_alloc() */
|
| +#ifdef OPENSSL
|
| +#include "aes_gcm_ossl.h" /* for AES GCM mode */
|
| +#endif
|
|
|
| #ifndef SRTP_KERNEL
|
| # include <limits.h>
|
| @@ -95,6 +98,45 @@
|
| return err_status_ok;
|
| }
|
|
|
| +const char *srtp_get_version_string ()
|
| +{
|
| + /*
|
| + * Simply return the autotools generated string
|
| + */
|
| + return SRTP_VER_STRING;
|
| +}
|
| +
|
| +unsigned int srtp_get_version ()
|
| +{
|
| + unsigned int major = 0, minor = 0, micro = 0;
|
| + unsigned int rv = 0;
|
| + int parse_rv;
|
| +
|
| + /*
|
| + * Parse the autotools generated version
|
| + */
|
| + parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, µ);
|
| + if (parse_rv != 3) {
|
| + /*
|
| + * We're expected to parse all 3 version levels.
|
| + * If not, then this must not be an official release.
|
| + * Return all zeros on the version
|
| + */
|
| + return (0);
|
| + }
|
| +
|
| + /*
|
| + * We allow 8 bits for the major and minor, while
|
| + * allowing 16 bits for the micro. 16 bits for the micro
|
| + * may be beneficial for a continuous delivery model
|
| + * in the future.
|
| + */
|
| + rv |= (major & 0xFF) << 24;
|
| + rv |= (minor & 0xFF) << 16;
|
| + rv |= micro & 0xFF;
|
| + return rv;
|
| +}
|
| +
|
| err_status_t
|
| srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
|
| const srtp_policy_t *p) {
|
| @@ -118,7 +160,8 @@
|
| /* allocate cipher */
|
| stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
|
| &str->rtp_cipher,
|
| - p->rtp.cipher_key_len);
|
| + p->rtp.cipher_key_len,
|
| + p->rtp.auth_tag_len);
|
| if (stat) {
|
| crypto_free(str);
|
| return stat;
|
| @@ -150,7 +193,8 @@
|
| */
|
| stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
|
| &str->rtcp_cipher,
|
| - p->rtcp.cipher_key_len);
|
| + p->rtcp.cipher_key_len,
|
| + p->rtcp.auth_tag_len);
|
| if (stat) {
|
| auth_dealloc(str->rtp_auth);
|
| cipher_dealloc(str->rtp_cipher);
|
| @@ -257,6 +301,13 @@
|
| return status;
|
|
|
| /* DAM - need to deallocate EKT here */
|
| +
|
| + /*
|
| + * zeroize the salt value
|
| + */
|
| + memset(stream->salt, 0, SRTP_AEAD_SALT_LEN);
|
| + memset(stream->c_salt, 0, SRTP_AEAD_SALT_LEN);
|
| +
|
|
|
| /* deallocate srtp stream context */
|
| crypto_free(stream);
|
| @@ -296,14 +347,20 @@
|
|
|
| /* set key limit to point to that of the template */
|
| status = key_limit_clone(stream_template->limit, &str->limit);
|
| - if (status)
|
| + if (status) {
|
| + crypto_free(*str_ptr);
|
| + *str_ptr = NULL;
|
| return status;
|
| + }
|
|
|
| /* initialize replay databases */
|
| status = rdbx_init(&str->rtp_rdbx,
|
| rdbx_get_window_size(&stream_template->rtp_rdbx));
|
| - if (status)
|
| + if (status) {
|
| + crypto_free(*str_ptr);
|
| + *str_ptr = NULL;
|
| return status;
|
| + }
|
| rdb_init(&str->rtcp_rdb);
|
| str->allow_repeat_tx = stream_template->allow_repeat_tx;
|
|
|
| @@ -318,6 +375,10 @@
|
| /* set pointer to EKT data associated with stream */
|
| str->ekt = stream_template->ekt;
|
|
|
| + /* Copy the salt values */
|
| + memcpy(str->salt, stream_template->salt, SRTP_AEAD_SALT_LEN);
|
| + memcpy(str->c_salt, stream_template->c_salt, SRTP_AEAD_SALT_LEN);
|
| +
|
| /* defensive coding */
|
| str->next = NULL;
|
|
|
| @@ -364,11 +425,11 @@
|
| srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, int length) {
|
|
|
| err_status_t stat;
|
| - stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length);
|
| + stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length, 0);
|
| if (stat)
|
| return stat;
|
|
|
| - stat = cipher_init(kdf->cipher, key, direction_encrypt);
|
| + stat = cipher_init(kdf->cipher, key);
|
| if (stat) {
|
| cipher_dealloc(kdf->cipher);
|
| return stat;
|
| @@ -379,7 +440,7 @@
|
|
|
| err_status_t
|
| srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
|
| - uint8_t *key, unsigned length) {
|
| + uint8_t *key, unsigned int length) {
|
|
|
| v128_t nonce;
|
| err_status_t status;
|
| @@ -388,7 +449,7 @@
|
| v128_set_to_zero(&nonce);
|
| nonce.v8[7] = label;
|
|
|
| - status = cipher_set_iv(kdf->cipher, &nonce);
|
| + status = cipher_set_iv(kdf->cipher, &nonce, direction_encrypt);
|
| if (status)
|
| return status;
|
|
|
| @@ -424,13 +485,26 @@
|
| * Assumption is that for AES-ICM a key length < 30 is Ismacryp using
|
| * AES-128 and short salts; everything else uses a salt length of 14.
|
| * TODO: key and salt lengths should be separate fields in the policy. */
|
| -static INLINE int base_key_length(const cipher_type_t *cipher, int key_length)
|
| +static inline int base_key_length(const cipher_type_t *cipher, int key_length)
|
| {
|
| - if (cipher->id != AES_ICM)
|
| + switch (cipher->id) {
|
| + case AES_128_ICM:
|
| + case AES_192_ICM:
|
| + case AES_256_ICM:
|
| + /* The legacy modes are derived from
|
| + * the configured key length on the policy */
|
| + return key_length - 14;
|
| + break;
|
| + case AES_128_GCM:
|
| + return 16;
|
| + break;
|
| + case AES_256_GCM:
|
| + return 32;
|
| + break;
|
| + default:
|
| return key_length;
|
| - else if (key_length > 16 && key_length < 30)
|
| - return 16;
|
| - return key_length - 14;
|
| + break;
|
| + }
|
| }
|
|
|
| err_status_t
|
| @@ -446,21 +520,37 @@
|
| /* TODO: kdf algorithm, master key length, and master salt length should
|
| * be part of srtp_policy_t. */
|
| rtp_keylen = cipher_get_key_length(srtp->rtp_cipher);
|
| - if (rtp_keylen > kdf_keylen)
|
| - kdf_keylen = rtp_keylen;
|
| -
|
| rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher);
|
| - if (rtcp_keylen > kdf_keylen)
|
| - kdf_keylen = rtcp_keylen;
|
| + rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
|
| + rtp_salt_len = rtp_keylen - rtp_base_key_len;
|
|
|
| + if (rtp_keylen > kdf_keylen) {
|
| + kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
|
| + }
|
| +
|
| + if (rtcp_keylen > kdf_keylen) {
|
| + kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
|
| + }
|
| +
|
| + debug_print(mod_srtp, "srtp key len: %d", rtp_keylen);
|
| + debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen);
|
| + debug_print(mod_srtp, "base key len: %d", rtp_base_key_len);
|
| + debug_print(mod_srtp, "kdf key len: %d", kdf_keylen);
|
| + debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len);
|
| +
|
| + /*
|
| + * Make sure the key given to us is 'zero' appended. GCM
|
| + * mode uses a shorter master SALT (96 bits), but still relies on
|
| + * the legacy CTR mode KDF, which uses a 112 bit master SALT.
|
| + */
|
| + memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN);
|
| + memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len));
|
| +
|
| /* initialize KDF state */
|
| - stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)key, kdf_keylen);
|
| + stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)tmp_key, kdf_keylen);
|
| if (stat) {
|
| return err_status_init_fail;
|
| }
|
| -
|
| - rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
|
| - rtp_salt_len = rtp_keylen - rtp_base_key_len;
|
|
|
| /* generate encryption key */
|
| stat = srtp_kdf_generate(&kdf, label_rtp_encryption,
|
| @@ -470,6 +560,8 @@
|
| octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
|
| return err_status_init_fail;
|
| }
|
| + debug_print(mod_srtp, "cipher key: %s",
|
| + octet_string_hex_string(tmp_key, rtp_base_key_len));
|
|
|
| /*
|
| * if the cipher in the srtp context uses a salt, then we need
|
| @@ -486,9 +578,8 @@
|
| octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
|
| return err_status_init_fail;
|
| }
|
| + memcpy(srtp->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN);
|
| }
|
| - debug_print(mod_srtp, "cipher key: %s",
|
| - octet_string_hex_string(tmp_key, rtp_base_key_len));
|
| if (rtp_salt_len > 0) {
|
| debug_print(mod_srtp, "cipher salt: %s",
|
| octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len));
|
| @@ -495,7 +586,7 @@
|
| }
|
|
|
| /* initialize cipher */
|
| - stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any);
|
| + stat = cipher_init(srtp->rtp_cipher, tmp_key);
|
| if (stat) {
|
| /* zeroize temp buffer */
|
| octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
|
| @@ -528,6 +619,7 @@
|
|
|
| rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen);
|
| rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
|
| + debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len);
|
|
|
| /* generate encryption key */
|
| stat = srtp_kdf_generate(&kdf, label_rtcp_encryption,
|
| @@ -554,6 +646,7 @@
|
| octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
|
| return err_status_init_fail;
|
| }
|
| + memcpy(srtp->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN);
|
| }
|
| debug_print(mod_srtp, "rtcp cipher key: %s",
|
| octet_string_hex_string(tmp_key, rtcp_base_key_len));
|
| @@ -563,7 +656,7 @@
|
| }
|
|
|
| /* initialize cipher */
|
| - stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any);
|
| + stat = cipher_init(srtp->rtcp_cipher, tmp_key);
|
| if (stat) {
|
| /* zeroize temp buffer */
|
| octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
|
| @@ -736,12 +829,373 @@
|
| return err_status_ok;
|
| }
|
|
|
| +/*
|
| + * AEAD uses a new IV formation method. This function implements
|
| + * section 9.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The
|
| + * calculation is defined as, where (+) is the xor operation:
|
| + *
|
| + *
|
| + * 0 0 0 0 0 0 0 0 0 0 1 1
|
| + * 0 1 2 3 4 5 6 7 8 9 0 1
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+
|
| + * |00|00| SSRC | ROC | SEQ |---+
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+ |
|
| + * |
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+ |
|
| + * | Encryption Salt |->(+)
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+ |
|
| + * |
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+ |
|
| + * | Initialization Vector |<--+
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+*
|
| + *
|
| + * Input: *stream - pointer to SRTP stream context, used to retrieve
|
| + * the SALT
|
| + * *iv - Pointer to receive the calculated IV
|
| + * *seq - The ROC and SEQ value to use for the
|
| + * IV calculation.
|
| + * *hdr - The RTP header, used to get the SSRC value
|
| + *
|
| + */
|
| +static void srtp_calc_aead_iv(srtp_stream_ctx_t *stream, v128_t *iv,
|
| + xtd_seq_num_t *seq, srtp_hdr_t *hdr)
|
| +{
|
| + v128_t in;
|
| + v128_t salt;
|
| +
|
| +#ifdef NO_64BIT_MATH
|
| + uint32_t local_roc = ((high32(*seq) << 16) |
|
| + (low32(*seq) >> 16));
|
| + uint16_t local_seq = (uint16_t) (low32(*seq));
|
| +#else
|
| + uint32_t local_roc = (uint32_t)(*seq >> 16);
|
| + uint16_t local_seq = (uint16_t) *seq;
|
| +#endif
|
| +
|
| + memset(&in, 0, sizeof(v128_t));
|
| + memset(&salt, 0, sizeof(v128_t));
|
| +
|
| + in.v16[5] = htons(local_seq);
|
| + local_roc = htonl(local_roc);
|
| + memcpy(&in.v16[3], &local_roc, sizeof(local_roc));
|
| +
|
| + /*
|
| + * Copy in the RTP SSRC value
|
| + */
|
| + memcpy(&in.v8[2], &hdr->ssrc, 4);
|
| + debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in));
|
| +
|
| + /*
|
| + * Get the SALT value from the context
|
| + */
|
| + memcpy(salt.v8, stream->salt, SRTP_AEAD_SALT_LEN);
|
| + debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt));
|
| +
|
| + /*
|
| + * Finally, apply tyhe SALT to the input
|
| + */
|
| + v128_xor(iv, &in, &salt);
|
| +}
|
| +
|
| +
|
| +/*
|
| + * This function handles outgoing SRTP packets while in AEAD mode,
|
| + * which currently supports AES-GCM encryption. All packets are
|
| + * encrypted and authenticated.
|
| + */
|
| +static err_status_t
|
| +srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream,
|
| + void *rtp_hdr, unsigned int *pkt_octet_len)
|
| +{
|
| + srtp_hdr_t *hdr = (srtp_hdr_t*)rtp_hdr;
|
| + uint32_t *enc_start; /* pointer to start of encrypted portion */
|
| + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
|
| + xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
|
| + int delta; /* delta of local pkt idx and that in hdr */
|
| + err_status_t status;
|
| + int tag_len;
|
| + v128_t iv;
|
| + unsigned int aad_len;
|
| +
|
| + debug_print(mod_srtp, "function srtp_protect_aead", NULL);
|
| +
|
| + /*
|
| + * update the key usage limit, and check it to make sure that we
|
| + * didn't just hit either the soft limit or the hard limit, and call
|
| + * the event handler if we hit either.
|
| + */
|
| + switch (key_limit_update(stream->limit)) {
|
| + case key_event_normal:
|
| + break;
|
| + case key_event_hard_limit:
|
| + srtp_handle_event(ctx, stream, event_key_hard_limit);
|
| + return err_status_key_expired;
|
| + case key_event_soft_limit:
|
| + default:
|
| + srtp_handle_event(ctx, stream, event_key_soft_limit);
|
| + break;
|
| + }
|
| +
|
| + /* get tag length from stream */
|
| + tag_len = auth_get_tag_length(stream->rtp_auth);
|
| +
|
| + /*
|
| + * find starting point for encryption and length of data to be
|
| + * encrypted - the encrypted portion starts after the rtp header
|
| + * extension, if present; otherwise, it starts after the last csrc,
|
| + * if any are present
|
| + */
|
| + enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc;
|
| + if (hdr->x == 1) {
|
| + srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
|
| + enc_start += (ntohs(xtn_hdr->length) + 1);
|
| + }
|
| + if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
|
| + return err_status_parse_err;
|
| + enc_octet_len = (unsigned int)(*pkt_octet_len -
|
| + ((uint8_t*)enc_start - (uint8_t*)hdr));
|
| +
|
| + /*
|
| + * estimate the packet index using the start of the replay window
|
| + * and the sequence number from the header
|
| + */
|
| + delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
|
| + status = rdbx_check(&stream->rtp_rdbx, delta);
|
| + if (status) {
|
| + if (status != err_status_replay_fail || !stream->allow_repeat_tx) {
|
| + return status; /* we've been asked to reuse an index */
|
| + }
|
| + } else {
|
| + rdbx_add_index(&stream->rtp_rdbx, delta);
|
| + }
|
| +
|
| +#ifdef NO_64BIT_MATH
|
| + debug_print2(mod_srtp, "estimated packet index: %08x%08x",
|
| + high32(est), low32(est));
|
| +#else
|
| + debug_print(mod_srtp, "estimated packet index: %016llx", est);
|
| +#endif
|
| +
|
| + /*
|
| + * AEAD uses a new IV formation method
|
| + */
|
| + srtp_calc_aead_iv(stream, &iv, &est, hdr);
|
| + status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
|
| + if (status) {
|
| + return err_status_cipher_fail;
|
| + }
|
| +
|
| + /* shift est, put into network byte order */
|
| +#ifdef NO_64BIT_MATH
|
| + est = be64_to_cpu(make64((high32(est) << 16) |
|
| + (low32(est) >> 16),
|
| + low32(est) << 16));
|
| +#else
|
| + est = be64_to_cpu(est << 16);
|
| +#endif
|
| +
|
| + /*
|
| + * Set the AAD over the RTP header
|
| + */
|
| + aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
|
| + status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len);
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| +
|
| + /* Encrypt the payload */
|
| + status = cipher_encrypt(stream->rtp_cipher,
|
| + (uint8_t*)enc_start, &enc_octet_len);
|
| + if (status) {
|
| + return err_status_cipher_fail;
|
| + }
|
| + /*
|
| + * If we're doing GCM, we need to get the tag
|
| + * and append that to the output
|
| + */
|
| + status = cipher_get_tag(stream->rtp_cipher,
|
| + (uint8_t*)enc_start+enc_octet_len, &tag_len);
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| + enc_octet_len += tag_len;
|
| +
|
| + /* increase the packet length by the length of the auth tag */
|
| + *pkt_octet_len += tag_len;
|
| +
|
| + return err_status_ok;
|
| +}
|
| +
|
| +
|
| +/*
|
| + * This function handles incoming SRTP packets while in AEAD mode,
|
| + * which currently supports AES-GCM encryption. All packets are
|
| + * encrypted and authenticated. Note, the auth tag is at the end
|
| + * of the packet stream and is automatically checked by GCM
|
| + * when decrypting the payload.
|
| + */
|
| +static err_status_t
|
| +srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta,
|
| + xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_len)
|
| +{
|
| + srtp_hdr_t *hdr = (srtp_hdr_t*)srtp_hdr;
|
| + uint32_t *enc_start; /* pointer to start of encrypted portion */
|
| + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
|
| + v128_t iv;
|
| + err_status_t status;
|
| + int tag_len;
|
| + unsigned int aad_len;
|
| +
|
| + debug_print(mod_srtp, "function srtp_unprotect_aead", NULL);
|
| +
|
| +#ifdef NO_64BIT_MATH
|
| + debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), low32(est));
|
| +#else
|
| + debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
|
| +#endif
|
| +
|
| + /* get tag length from stream */
|
| + tag_len = auth_get_tag_length(stream->rtp_auth);
|
| +
|
| + /*
|
| + * AEAD uses a new IV formation method
|
| + */
|
| + srtp_calc_aead_iv(stream, &iv, &est, hdr);
|
| + status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
|
| + if (status) {
|
| + return err_status_cipher_fail;
|
| + }
|
| +
|
| + /*
|
| + * find starting point for decryption and length of data to be
|
| + * decrypted - the encrypted portion starts after the rtp header
|
| + * extension, if present; otherwise, it starts after the last csrc,
|
| + * if any are present
|
| + */
|
| + enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc;
|
| + if (hdr->x == 1) {
|
| + srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
|
| + enc_start += (ntohs(xtn_hdr->length) + 1);
|
| + }
|
| + if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
|
| + return err_status_parse_err;
|
| + /*
|
| + * We pass the tag down to the cipher when doing GCM mode
|
| + */
|
| + enc_octet_len = (unsigned int)(*pkt_octet_len -
|
| + ((uint8_t*)enc_start - (uint8_t*)hdr));
|
| +
|
| + /*
|
| + * Sanity check the encrypted payload length against
|
| + * the tag size. It must always be at least as large
|
| + * as the tag length.
|
| + */
|
| + if (enc_octet_len < tag_len) {
|
| + return err_status_cipher_fail;
|
| + }
|
| +
|
| + /*
|
| + * update the key usage limit, and check it to make sure that we
|
| + * didn't just hit either the soft limit or the hard limit, and call
|
| + * the event handler if we hit either.
|
| + */
|
| + switch (key_limit_update(stream->limit)) {
|
| + case key_event_normal:
|
| + break;
|
| + case key_event_soft_limit:
|
| + srtp_handle_event(ctx, stream, event_key_soft_limit);
|
| + break;
|
| + case key_event_hard_limit:
|
| + srtp_handle_event(ctx, stream, event_key_hard_limit);
|
| + return err_status_key_expired;
|
| + default:
|
| + break;
|
| + }
|
| +
|
| + /*
|
| + * Set the AAD for AES-GCM, which is the RTP header
|
| + */
|
| + aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
|
| + status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len);
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| +
|
| + /* Decrypt the ciphertext. This also checks the auth tag based
|
| + * on the AAD we just specified above */
|
| + status = cipher_decrypt(stream->rtp_cipher,
|
| + (uint8_t*)enc_start, &enc_octet_len);
|
| + if (status) {
|
| + return status;
|
| + }
|
| +
|
| + /*
|
| + * verify that stream is for received traffic - this check will
|
| + * detect SSRC collisions, since a stream that appears in both
|
| + * srtp_protect() and srtp_unprotect() will fail this test in one of
|
| + * those functions.
|
| + *
|
| + * we do this check *after* the authentication check, so that the
|
| + * latter check will catch any attempts to fool us into thinking
|
| + * that we've got a collision
|
| + */
|
| + if (stream->direction != dir_srtp_receiver) {
|
| + if (stream->direction == dir_unknown) {
|
| + stream->direction = dir_srtp_receiver;
|
| + } else {
|
| + srtp_handle_event(ctx, stream, event_ssrc_collision);
|
| + }
|
| + }
|
| +
|
| + /*
|
| + * if the stream is a 'provisional' one, in which the template context
|
| + * is used, then we need to allocate a new stream at this point, since
|
| + * the authentication passed
|
| + */
|
| + if (stream == ctx->stream_template) {
|
| + srtp_stream_ctx_t *new_stream;
|
| +
|
| + /*
|
| + * allocate and initialize a new stream
|
| + *
|
| + * note that we indicate failure if we can't allocate the new
|
| + * stream, and some implementations will want to not return
|
| + * failure here
|
| + */
|
| + status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
|
| + if (status) {
|
| + return status;
|
| + }
|
| +
|
| + /* add new stream to the head of the stream_list */
|
| + new_stream->next = ctx->stream_list;
|
| + ctx->stream_list = new_stream;
|
| +
|
| + /* set stream (the pointer used in this function) */
|
| + stream = new_stream;
|
| + }
|
| +
|
| + /*
|
| + * the message authentication function passed, so add the packet
|
| + * index into the replay database
|
| + */
|
| + rdbx_add_index(&stream->rtp_rdbx, delta);
|
| +
|
| + /* decrease the packet length by the length of the auth tag */
|
| + *pkt_octet_len -= tag_len;
|
| +
|
| + return err_status_ok;
|
| +}
|
| +
|
| +
|
| +
|
| +
|
| err_status_t
|
| srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
|
| srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
|
| uint32_t *enc_start; /* pointer to start of encrypted portion */
|
| uint32_t *auth_start; /* pointer to start of auth. portion */
|
| - unsigned enc_octet_len = 0; /* number of octets in encrypted portion */
|
| + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
|
| xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
|
| int delta; /* delta of local pkt idx and that in hdr */
|
| uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
|
| @@ -759,6 +1213,10 @@
|
| if (status)
|
| return status;
|
|
|
| + /* check the packet length - it must at least contain a full header */
|
| + if (*pkt_octet_len < octets_in_rtp_header)
|
| + return err_status_bad_param;
|
| +
|
| /*
|
| * look up ssrc in srtp_stream list, and process the packet with
|
| * the appropriate stream. if we haven't seen this stream before,
|
| @@ -798,14 +1256,23 @@
|
| * srtp_protect() and srtp_unprotect() will fail this test in one of
|
| * those functions.
|
| */
|
| - if (stream->direction != dir_srtp_sender) {
|
| + if (stream->direction != dir_srtp_sender) {
|
| if (stream->direction == dir_unknown) {
|
| stream->direction = dir_srtp_sender;
|
| } else {
|
| srtp_handle_event(ctx, stream, event_ssrc_collision);
|
| }
|
| - }
|
| + }
|
|
|
| + /*
|
| + * Check if this is an AEAD stream (GCM mode). If so, then dispatch
|
| + * the request to our AEAD handler.
|
| + */
|
| + if (stream->rtp_cipher->algorithm == AES_128_GCM ||
|
| + stream->rtp_cipher->algorithm == AES_256_GCM) {
|
| + return srtp_protect_aead(ctx, stream, rtp_hdr, (unsigned int*)pkt_octet_len);
|
| + }
|
| +
|
| /*
|
| * update the key usage limit, and check it to make sure that we
|
| * didn't just hit either the soft limit or the hard limit, and call
|
| @@ -840,9 +1307,11 @@
|
| if (hdr->x == 1) {
|
| srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
|
| enc_start += (ntohs(xtn_hdr->length) + 1);
|
| + if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
|
| + return err_status_parse_err;
|
| }
|
| - enc_octet_len = (unsigned int)(*pkt_octet_len
|
| - - ((enc_start - (uint32_t *)hdr) << 2));
|
| + enc_octet_len = (unsigned int)(*pkt_octet_len -
|
| + ((uint8_t*)enc_start - (uint8_t*)hdr));
|
| } else {
|
| enc_start = NULL;
|
| }
|
| @@ -883,7 +1352,8 @@
|
| /*
|
| * if we're using rindael counter mode, set nonce and seq
|
| */
|
| - if (stream->rtp_cipher->type->id == AES_ICM) {
|
| + if (stream->rtp_cipher->type->id == AES_ICM ||
|
| + stream->rtp_cipher->type->id == AES_256_ICM) {
|
| v128_t iv;
|
|
|
| iv.v32[0] = 0;
|
| @@ -894,7 +1364,7 @@
|
| #else
|
| iv.v64[1] = be64_to_cpu(est << 16);
|
| #endif
|
| - status = cipher_set_iv(stream->rtp_cipher, &iv);
|
| + status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
|
|
|
| } else {
|
| v128_t iv;
|
| @@ -907,7 +1377,7 @@
|
| iv.v64[0] = 0;
|
| #endif
|
| iv.v64[1] = be64_to_cpu(est);
|
| - status = cipher_set_iv(stream->rtp_cipher, &iv);
|
| + status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt);
|
| }
|
| if (status)
|
| return err_status_cipher_fail;
|
| @@ -985,7 +1455,7 @@
|
| srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
|
| uint32_t *enc_start; /* pointer to start of encrypted portion */
|
| uint32_t *auth_start; /* pointer to start of auth. portion */
|
| - unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
|
| + unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
|
| uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
|
| xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
|
| int delta; /* delta of local pkt idx and that in hdr */
|
| @@ -1004,6 +1474,10 @@
|
| if (status)
|
| return status;
|
|
|
| + /* check the packet length - it must at least contain a full header */
|
| + if (*pkt_octet_len < octets_in_rtp_header)
|
| + return err_status_bad_param;
|
| +
|
| /*
|
| * look up ssrc in srtp_stream list, and process the packet with
|
| * the appropriate stream. if we haven't seen this stream before,
|
| @@ -1054,6 +1528,15 @@
|
| debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
|
| #endif
|
|
|
| + /*
|
| + * Check if this is an AEAD stream (GCM mode). If so, then dispatch
|
| + * the request to our AEAD handler.
|
| + */
|
| + if (stream->rtp_cipher->algorithm == AES_128_GCM ||
|
| + stream->rtp_cipher->algorithm == AES_256_GCM) {
|
| + return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, (unsigned int*)pkt_octet_len);
|
| + }
|
| +
|
| /* get tag length from stream */
|
| tag_len = auth_get_tag_length(stream->rtp_auth);
|
|
|
| @@ -1061,7 +1544,8 @@
|
| * set the cipher's IV properly, depending on whatever cipher we
|
| * happen to be using
|
| */
|
| - if (stream->rtp_cipher->type->id == AES_ICM) {
|
| + if (stream->rtp_cipher->type->id == AES_ICM ||
|
| + stream->rtp_cipher->type->id == AES_256_ICM) {
|
|
|
| /* aes counter mode */
|
| iv.v32[0] = 0;
|
| @@ -1072,7 +1556,7 @@
|
| #else
|
| iv.v64[1] = be64_to_cpu(est << 16);
|
| #endif
|
| - status = cipher_set_iv(stream->rtp_cipher, &iv);
|
| + status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
|
| } else {
|
|
|
| /* no particular format - set the iv to the pakcet index */
|
| @@ -1083,7 +1567,7 @@
|
| iv.v64[0] = 0;
|
| #endif
|
| iv.v64[1] = be64_to_cpu(est);
|
| - status = cipher_set_iv(stream->rtp_cipher, &iv);
|
| + status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt);
|
| }
|
| if (status)
|
| return err_status_cipher_fail;
|
| @@ -1111,8 +1595,10 @@
|
| srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
|
| enc_start += (ntohs(xtn_hdr->length) + 1);
|
| }
|
| - enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
|
| - - ((enc_start - (uint32_t *)hdr) << 2));
|
| + if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
|
| + return err_status_parse_err;
|
| + enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len -
|
| + ((uint8_t*)enc_start - (uint8_t*)hdr));
|
| } else {
|
| enc_start = NULL;
|
| }
|
| @@ -1463,6 +1949,7 @@
|
| */
|
| ctx->stream_template = NULL;
|
| ctx->stream_list = NULL;
|
| + ctx->user_data = NULL;
|
| while (policy != NULL) {
|
|
|
| stat = srtp_add_stream(ctx, policy);
|
| @@ -1640,11 +2127,491 @@
|
| p->sec_serv = sec_serv_conf_and_auth;
|
| }
|
|
|
| +/*
|
| + * AES-256 with no authentication.
|
| + */
|
| +void
|
| +crypto_policy_set_aes_cm_256_null_auth (crypto_policy_t *p)
|
| +{
|
| + p->cipher_type = AES_ICM;
|
| + p->cipher_key_len = 46;
|
| + p->auth_type = NULL_AUTH;
|
| + p->auth_key_len = 0;
|
| + p->auth_tag_len = 0;
|
| + p->sec_serv = sec_serv_conf;
|
| +}
|
|
|
| +#ifdef OPENSSL
|
| +/*
|
| + * AES-128 GCM mode with 8 octet auth tag.
|
| + */
|
| +void
|
| +crypto_policy_set_aes_gcm_128_8_auth(crypto_policy_t *p) {
|
| + p->cipher_type = AES_128_GCM;
|
| + p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
|
| + p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
|
| + p->auth_key_len = 0;
|
| + p->auth_tag_len = 8; /* 8 octet tag length */
|
| + p->sec_serv = sec_serv_conf_and_auth;
|
| +}
|
| +
|
| +/*
|
| + * AES-256 GCM mode with 8 octet auth tag.
|
| + */
|
| +void
|
| +crypto_policy_set_aes_gcm_256_8_auth(crypto_policy_t *p) {
|
| + p->cipher_type = AES_256_GCM;
|
| + p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
|
| + p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
|
| + p->auth_key_len = 0;
|
| + p->auth_tag_len = 8; /* 8 octet tag length */
|
| + p->sec_serv = sec_serv_conf_and_auth;
|
| +}
|
| +
|
| +/*
|
| + * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption.
|
| + */
|
| +void
|
| +crypto_policy_set_aes_gcm_128_8_only_auth(crypto_policy_t *p) {
|
| + p->cipher_type = AES_128_GCM;
|
| + p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
|
| + p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
|
| + p->auth_key_len = 0;
|
| + p->auth_tag_len = 8; /* 8 octet tag length */
|
| + p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
|
| +}
|
| +
|
| +/*
|
| + * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption.
|
| + */
|
| +void
|
| +crypto_policy_set_aes_gcm_256_8_only_auth(crypto_policy_t *p) {
|
| + p->cipher_type = AES_256_GCM;
|
| + p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
|
| + p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
|
| + p->auth_key_len = 0;
|
| + p->auth_tag_len = 8; /* 8 octet tag length */
|
| + p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
|
| +}
|
| +
|
| +/*
|
| + * AES-128 GCM mode with 16 octet auth tag.
|
| + */
|
| +void
|
| +crypto_policy_set_aes_gcm_128_16_auth(crypto_policy_t *p) {
|
| + p->cipher_type = AES_128_GCM;
|
| + p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;
|
| + p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
|
| + p->auth_key_len = 0;
|
| + p->auth_tag_len = 16; /* 16 octet tag length */
|
| + p->sec_serv = sec_serv_conf_and_auth;
|
| +}
|
| +
|
| +/*
|
| + * AES-256 GCM mode with 16 octet auth tag.
|
| + */
|
| +void
|
| +crypto_policy_set_aes_gcm_256_16_auth(crypto_policy_t *p) {
|
| + p->cipher_type = AES_256_GCM;
|
| + p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;
|
| + p->auth_type = NULL_AUTH; /* GCM handles the auth for us */
|
| + p->auth_key_len = 0;
|
| + p->auth_tag_len = 16; /* 16 octet tag length */
|
| + p->sec_serv = sec_serv_conf_and_auth;
|
| +}
|
| +
|
| +#endif
|
| +
|
| /*
|
| * secure rtcp functions
|
| */
|
|
|
| +/*
|
| + * AEAD uses a new IV formation method. This function implements
|
| + * section 10.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The
|
| + * calculation is defined as, where (+) is the xor operation:
|
| + *
|
| + * 0 1 2 3 4 5 6 7 8 9 10 11
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+
|
| + * |00|00| SSRC |00|00|0+SRTCP Idx|---+
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+ |
|
| + * |
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+ |
|
| + * | Encryption Salt |->(+)
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+ |
|
| + * |
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+ |
|
| + * | Initialization Vector |<--+
|
| + * +--+--+--+--+--+--+--+--+--+--+--+--+*
|
| + *
|
| + * Input: *stream - pointer to SRTP stream context, used to retrieve
|
| + * the SALT
|
| + * *iv - Pointer to recieve the calculated IV
|
| + * seq_num - The SEQ value to use for the IV calculation.
|
| + * *hdr - The RTP header, used to get the SSRC value
|
| + *
|
| + */
|
| +static void srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv,
|
| + uint32_t seq_num, srtcp_hdr_t *hdr)
|
| +{
|
| + v128_t in;
|
| + v128_t salt;
|
| +
|
| + memset(&in, 0, sizeof(v128_t));
|
| + memset(&salt, 0, sizeof(v128_t));
|
| +
|
| + in.v16[0] = 0;
|
| + memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */
|
| + in.v16[3] = 0;
|
| + in.v32[2] = 0x7FFFFFFF & htonl(seq_num); /* bit 32 is suppose to be zero */
|
| +
|
| + debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in));
|
| +
|
| + /*
|
| + * Get the SALT value from the context
|
| + */
|
| + memcpy(salt.v8, stream->c_salt, 12);
|
| + debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt));
|
| +
|
| + /*
|
| + * Finally, apply the SALT to the input
|
| + */
|
| + v128_xor(iv, &in, &salt);
|
| +}
|
| +
|
| +/*
|
| + * This code handles AEAD ciphers for outgoing RTCP. We currently support
|
| + * AES-GCM mode with 128 or 256 bit keys.
|
| + */
|
| +static err_status_t
|
| +srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream,
|
| + void *rtcp_hdr, unsigned int *pkt_octet_len)
|
| +{
|
| + srtcp_hdr_t *hdr = (srtcp_hdr_t*)rtcp_hdr;
|
| + uint32_t *enc_start; /* pointer to start of encrypted portion */
|
| + uint32_t *trailer; /* pointer to start of trailer */
|
| + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
|
| + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
|
| + err_status_t status;
|
| + int tag_len;
|
| + uint32_t seq_num;
|
| + v128_t iv;
|
| + uint32_t tseq;
|
| +
|
| + /* get tag length from stream context */
|
| + tag_len = auth_get_tag_length(stream->rtcp_auth);
|
| +
|
| + /*
|
| + * set encryption start and encryption length - if we're not
|
| + * providing confidentiality, set enc_start to NULL
|
| + */
|
| + enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header;
|
| + enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
|
| +
|
| + /* NOTE: hdr->length is not usable - it refers to only the first
|
| + RTCP report in the compound packet! */
|
| + /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
|
| + multiples of 32-bits (RFC 3550 6.1) */
|
| + trailer = (uint32_t*)((char*)enc_start + enc_octet_len + tag_len);
|
| +
|
| + if (stream->rtcp_services & sec_serv_conf) {
|
| + *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
|
| + } else {
|
| + enc_start = NULL;
|
| + enc_octet_len = 0;
|
| + /* 0 is network-order independant */
|
| + *trailer = 0x00000000; /* set encrypt bit */
|
| + }
|
| +
|
| + /*
|
| + * set the auth_tag pointer to the proper location, which is after
|
| + * the payload, but before the trailer
|
| + * (note that srtpc *always* provides authentication, unlike srtp)
|
| + */
|
| + /* Note: This would need to change for optional mikey data */
|
| + auth_tag = (uint8_t*)hdr + *pkt_octet_len;
|
| +
|
| + /*
|
| + * check sequence number for overruns, and copy it into the packet
|
| + * if its value isn't too big
|
| + */
|
| + status = rdb_increment(&stream->rtcp_rdb);
|
| + if (status) {
|
| + return status;
|
| + }
|
| + seq_num = rdb_get_value(&stream->rtcp_rdb);
|
| + *trailer |= htonl(seq_num);
|
| + debug_print(mod_srtp, "srtcp index: %x", seq_num);
|
| +
|
| + /*
|
| + * Calculating the IV and pass it down to the cipher
|
| + */
|
| + srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
|
| + status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
|
| + if (status) {
|
| + return err_status_cipher_fail;
|
| + }
|
| +
|
| + /*
|
| + * Set the AAD for GCM mode
|
| + */
|
| + if (enc_start) {
|
| + /*
|
| + * If payload encryption is enabled, then the AAD consist of
|
| + * the RTCP header and the seq# at the end of the packet
|
| + */
|
| + status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
|
| + octets_in_rtcp_header);
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| + } else {
|
| + /*
|
| + * Since payload encryption is not enabled, we must authenticate
|
| + * the entire packet as described in section 10.3 in revision 07
|
| + * of the draft.
|
| + */
|
| + status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
|
| + *pkt_octet_len);
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| + }
|
| + /*
|
| + * put the idx# into network byte order and process it as AAD
|
| + */
|
| + tseq = htonl(*trailer);
|
| + status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq,
|
| + sizeof(srtcp_trailer_t));
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| +
|
| + /* if we're encrypting, exor keystream into the message */
|
| + if (enc_start) {
|
| + status = cipher_encrypt(stream->rtcp_cipher,
|
| + (uint8_t*)enc_start, &enc_octet_len);
|
| + if (status) {
|
| + return err_status_cipher_fail;
|
| + }
|
| + /*
|
| + * Get the tag and append that to the output
|
| + */
|
| + status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag,
|
| + &tag_len);
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| + enc_octet_len += tag_len;
|
| + } else {
|
| + /*
|
| + * Even though we're not encrypting the payload, we need
|
| + * to run the cipher to get the auth tag.
|
| + */
|
| + unsigned int nolen = 0;
|
| + status = cipher_encrypt(stream->rtcp_cipher, NULL, &nolen);
|
| + if (status) {
|
| + return err_status_cipher_fail;
|
| + }
|
| + /*
|
| + * Get the tag and append that to the output
|
| + */
|
| + status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag,
|
| + &tag_len);
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| + enc_octet_len += tag_len;
|
| + }
|
| +
|
| + /* increase the packet length by the length of the auth tag and seq_num*/
|
| + *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
|
| +
|
| + return err_status_ok;
|
| +}
|
| +
|
| +/*
|
| + * This function handles incoming SRTCP packets while in AEAD mode,
|
| + * which currently supports AES-GCM encryption. Note, the auth tag is
|
| + * at the end of the packet stream and is automatically checked by GCM
|
| + * when decrypting the payload.
|
| + */
|
| +static err_status_t
|
| +srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream,
|
| + void *srtcp_hdr, unsigned int *pkt_octet_len)
|
| +{
|
| + srtcp_hdr_t *hdr = (srtcp_hdr_t*)srtcp_hdr;
|
| + uint32_t *enc_start; /* pointer to start of encrypted portion */
|
| + uint32_t *trailer; /* pointer to start of trailer */
|
| + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
|
| + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
|
| + err_status_t status;
|
| + int tag_len;
|
| + unsigned int tmp_len;
|
| + uint32_t seq_num;
|
| + v128_t iv;
|
| + uint32_t tseq;
|
| +
|
| + /* get tag length from stream context */
|
| + tag_len = auth_get_tag_length(stream->rtcp_auth);
|
| +
|
| + /*
|
| + * set encryption start, encryption length, and trailer
|
| + */
|
| + /* index & E (encryption) bit follow normal data. hdr->len
|
| + is the number of words (32-bit) in the normal packet minus 1 */
|
| + /* This should point trailer to the word past the end of the
|
| + normal data. */
|
| + /* This would need to be modified for optional mikey data */
|
| + /*
|
| + * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
|
| + * multiples of 32-bits (RFC 3550 6.1)
|
| + */
|
| + trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t));
|
| + /*
|
| + * We pass the tag down to the cipher when doing GCM mode
|
| + */
|
| + enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header +
|
| + sizeof(srtcp_trailer_t));
|
| + auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - sizeof(srtcp_trailer_t);
|
| +
|
| + if (*((unsigned char*)trailer) & SRTCP_E_BYTE_BIT) {
|
| + enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header;
|
| + } else {
|
| + enc_octet_len = 0;
|
| + enc_start = NULL; /* this indicates that there's no encryption */
|
| + }
|
| +
|
| + /*
|
| + * check the sequence number for replays
|
| + */
|
| + /* this is easier than dealing with bitfield access */
|
| + seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
|
| + debug_print(mod_srtp, "srtcp index: %x", seq_num);
|
| + status = rdb_check(&stream->rtcp_rdb, seq_num);
|
| + if (status) {
|
| + return status;
|
| + }
|
| +
|
| + /*
|
| + * Calculate and set the IV
|
| + */
|
| + srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
|
| + status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
|
| + if (status) {
|
| + return err_status_cipher_fail;
|
| + }
|
| +
|
| + /*
|
| + * Set the AAD for GCM mode
|
| + */
|
| + if (enc_start) {
|
| + /*
|
| + * If payload encryption is enabled, then the AAD consist of
|
| + * the RTCP header and the seq# at the end of the packet
|
| + */
|
| + status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
|
| + octets_in_rtcp_header);
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| + } else {
|
| + /*
|
| + * Since payload encryption is not enabled, we must authenticate
|
| + * the entire packet as described in section 10.3 in revision 07
|
| + * of the draft.
|
| + */
|
| + status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr,
|
| + (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t)));
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| + }
|
| +
|
| + /*
|
| + * put the idx# into network byte order, and process it as AAD
|
| + */
|
| + tseq = htonl(*trailer);
|
| + status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq,
|
| + sizeof(srtcp_trailer_t));
|
| + if (status) {
|
| + return ( err_status_cipher_fail);
|
| + }
|
| +
|
| + /* if we're decrypting, exor keystream into the message */
|
| + if (enc_start) {
|
| + status = cipher_decrypt(stream->rtcp_cipher,
|
| + (uint8_t*)enc_start, &enc_octet_len);
|
| + if (status) {
|
| + return status;
|
| + }
|
| + } else {
|
| + /*
|
| + * Still need to run the cipher to check the tag
|
| + */
|
| + tmp_len = tag_len;
|
| + status = cipher_decrypt(stream->rtcp_cipher, (uint8_t*)auth_tag,
|
| + &tmp_len);
|
| + if (status) {
|
| + return status;
|
| + }
|
| + }
|
| +
|
| + /* decrease the packet length by the length of the auth tag and seq_num*/
|
| + *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
|
| +
|
| + /*
|
| + * verify that stream is for received traffic - this check will
|
| + * detect SSRC collisions, since a stream that appears in both
|
| + * srtp_protect() and srtp_unprotect() will fail this test in one of
|
| + * those functions.
|
| + *
|
| + * we do this check *after* the authentication check, so that the
|
| + * latter check will catch any attempts to fool us into thinking
|
| + * that we've got a collision
|
| + */
|
| + if (stream->direction != dir_srtp_receiver) {
|
| + if (stream->direction == dir_unknown) {
|
| + stream->direction = dir_srtp_receiver;
|
| + } else {
|
| + srtp_handle_event(ctx, stream, event_ssrc_collision);
|
| + }
|
| + }
|
| +
|
| + /*
|
| + * if the stream is a 'provisional' one, in which the template context
|
| + * is used, then we need to allocate a new stream at this point, since
|
| + * the authentication passed
|
| + */
|
| + if (stream == ctx->stream_template) {
|
| + srtp_stream_ctx_t *new_stream;
|
| +
|
| + /*
|
| + * allocate and initialize a new stream
|
| + *
|
| + * note that we indicate failure if we can't allocate the new
|
| + * stream, and some implementations will want to not return
|
| + * failure here
|
| + */
|
| + status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
|
| + if (status) {
|
| + return status;
|
| + }
|
| +
|
| + /* add new stream to the head of the stream_list */
|
| + new_stream->next = ctx->stream_list;
|
| + ctx->stream_list = new_stream;
|
| +
|
| + /* set stream (the pointer used in this function) */
|
| + stream = new_stream;
|
| + }
|
| +
|
| + /* we've passed the authentication check, so add seq_num to the rdb */
|
| + rdb_add_index(&stream->rtcp_rdb, seq_num);
|
| +
|
| + return err_status_ok;
|
| +}
|
| +
|
| err_status_t
|
| srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
|
| srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
|
| @@ -1651,7 +2618,7 @@
|
| uint32_t *enc_start; /* pointer to start of encrypted portion */
|
| uint32_t *auth_start; /* pointer to start of auth. portion */
|
| uint32_t *trailer; /* pointer to start of trailer */
|
| - unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
|
| + unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
|
| uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
|
| err_status_t status;
|
| int tag_len;
|
| @@ -1660,6 +2627,11 @@
|
| uint32_t seq_num;
|
|
|
| /* we assume the hdr is 32-bit aligned to start */
|
| +
|
| + /* check the packet length - it must at least contain a full header */
|
| + if (*pkt_octet_len < octets_in_rtcp_header)
|
| + return err_status_bad_param;
|
| +
|
| /*
|
| * look up ssrc in srtp_stream list, and process the packet with
|
| * the appropriate stream. if we haven't seen this stream before,
|
| @@ -1704,6 +2676,15 @@
|
| }
|
| }
|
|
|
| + /*
|
| + * Check if this is an AEAD stream (GCM mode). If so, then dispatch
|
| + * the request to our AEAD handler.
|
| + */
|
| + if (stream->rtp_cipher->algorithm == AES_128_GCM ||
|
| + stream->rtp_cipher->algorithm == AES_256_GCM) {
|
| + return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, (unsigned int*)pkt_octet_len);
|
| + }
|
| +
|
| /* get tag length from stream context */
|
| tag_len = auth_get_tag_length(stream->rtcp_auth);
|
|
|
| @@ -1763,7 +2744,7 @@
|
| iv.v32[1] = hdr->ssrc; /* still in network order! */
|
| iv.v32[2] = htonl(seq_num >> 16);
|
| iv.v32[3] = htonl(seq_num << 16);
|
| - status = cipher_set_iv(stream->rtcp_cipher, &iv);
|
| + status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
|
|
|
| } else {
|
| v128_t iv;
|
| @@ -1773,7 +2754,7 @@
|
| iv.v32[1] = 0;
|
| iv.v32[2] = 0;
|
| iv.v32[3] = htonl(seq_num);
|
| - status = cipher_set_iv(stream->rtcp_cipher, &iv);
|
| + status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
|
| }
|
| if (status)
|
| return err_status_cipher_fail;
|
| @@ -1834,18 +2815,27 @@
|
| uint32_t *enc_start; /* pointer to start of encrypted portion */
|
| uint32_t *auth_start; /* pointer to start of auth. portion */
|
| uint32_t *trailer; /* pointer to start of trailer */
|
| - unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
|
| + unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */
|
| uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
|
| uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
|
| uint8_t tag_copy[SRTP_MAX_TAG_LEN];
|
| err_status_t status;
|
| - unsigned auth_len;
|
| + unsigned int auth_len;
|
| int tag_len;
|
| srtp_stream_ctx_t *stream;
|
| int prefix_len;
|
| uint32_t seq_num;
|
| + int e_bit_in_packet; /* whether the E-bit was found in the packet */
|
| + int sec_serv_confidentiality; /* whether confidentiality was requested */
|
|
|
| /* we assume the hdr is 32-bit aligned to start */
|
| +
|
| + /* check that the length value is sane; we'll check again once we
|
| + know the tag length, but we at least want to know that it is
|
| + a positive value */
|
| + if (*pkt_octet_len < octets_in_rtcp_header + sizeof(srtcp_trailer_t))
|
| + return err_status_bad_param;
|
| +
|
| /*
|
| * look up ssrc in srtp_stream list, and process the packet with
|
| * the appropriate stream. if we haven't seen this stream before,
|
| @@ -1883,9 +2873,28 @@
|
| }
|
|
|
| /* get tag length from stream context */
|
| - tag_len = auth_get_tag_length(stream->rtcp_auth);
|
| + tag_len = auth_get_tag_length(stream->rtcp_auth);
|
|
|
| + /* check the packet length - it must contain at least a full RTCP
|
| + header, an auth tag (if applicable), and the SRTCP encrypted flag
|
| + and 31-bit index value */
|
| + if (*pkt_octet_len < (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t))) {
|
| + return err_status_bad_param;
|
| + }
|
| +
|
| /*
|
| + * Check if this is an AEAD stream (GCM mode). If so, then dispatch
|
| + * the request to our AEAD handler.
|
| + */
|
| + if (stream->rtp_cipher->algorithm == AES_128_GCM ||
|
| + stream->rtp_cipher->algorithm == AES_256_GCM) {
|
| + return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, (unsigned int*)pkt_octet_len);
|
| + }
|
| +
|
| + sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
|
| + stream->rtcp_services == sec_serv_conf_and_auth;
|
| +
|
| + /*
|
| * set encryption start, encryption length, and trailer
|
| */
|
| enc_octet_len = *pkt_octet_len -
|
| @@ -1900,8 +2909,13 @@
|
| * multiples of 32-bits (RFC 3550 6.1)
|
| */
|
| trailer = (uint32_t *) ((char *) hdr +
|
| - *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
|
| - if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
|
| + *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
|
| + e_bit_in_packet =
|
| + (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
|
| + if (e_bit_in_packet != sec_serv_confidentiality) {
|
| + return err_status_cant_check;
|
| + }
|
| + if (sec_serv_confidentiality) {
|
| enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
|
| } else {
|
| enc_octet_len = 0;
|
| @@ -1951,7 +2965,7 @@
|
| iv.v32[1] = hdr->ssrc; /* still in network order! */
|
| iv.v32[2] = htonl(seq_num >> 16);
|
| iv.v32[3] = htonl(seq_num << 16);
|
| - status = cipher_set_iv(stream->rtcp_cipher, &iv);
|
| + status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
|
|
|
| } else {
|
| v128_t iv;
|
| @@ -1961,7 +2975,7 @@
|
| iv.v32[1] = 0;
|
| iv.v32[2] = 0;
|
| iv.v32[3] = htonl(seq_num);
|
| - status = cipher_set_iv(stream->rtcp_cipher, &iv);
|
| + status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
|
|
|
| }
|
| if (status)
|
| @@ -2067,7 +3081,21 @@
|
| }
|
|
|
|
|
| +/*
|
| + * user data within srtp_t context
|
| + */
|
|
|
| +void
|
| +srtp_set_user_data(srtp_t ctx, void *data) {
|
| + ctx->user_data = data;
|
| +}
|
| +
|
| +void*
|
| +srtp_get_user_data(srtp_t ctx) {
|
| + return ctx->user_data;
|
| +}
|
| +
|
| +
|
| /*
|
| * dtls keying for srtp
|
| */
|
| @@ -2080,23 +3108,18 @@
|
| switch(profile) {
|
| case srtp_profile_aes128_cm_sha1_80:
|
| crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
|
| - crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
|
| break;
|
| case srtp_profile_aes128_cm_sha1_32:
|
| crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
|
| - crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
|
| break;
|
| case srtp_profile_null_sha1_80:
|
| crypto_policy_set_null_cipher_hmac_sha1_80(policy);
|
| - crypto_policy_set_null_cipher_hmac_sha1_80(policy);
|
| break;
|
| case srtp_profile_aes256_cm_sha1_80:
|
| crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
|
| - crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
|
| break;
|
| case srtp_profile_aes256_cm_sha1_32:
|
| crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
|
| - crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
|
| break;
|
| /* the following profiles are not (yet) supported */
|
| case srtp_profile_null_sha1_32:
|
| @@ -2117,6 +3140,8 @@
|
| crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
|
| break;
|
| case srtp_profile_aes128_cm_sha1_32:
|
| + /* We do not honor the 32-bit auth tag request since
|
| + * this is not compliant with RFC 3711 */
|
| crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
|
| break;
|
| case srtp_profile_null_sha1_80:
|
| @@ -2126,6 +3151,8 @@
|
| crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
|
| break;
|
| case srtp_profile_aes256_cm_sha1_32:
|
| + /* We do not honor the 32-bit auth tag request since
|
| + * this is not compliant with RFC 3711 */
|
| crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
|
| break;
|
| /* the following profiles are not (yet) supported */
|
|
|
Chromium Code Reviews
Issue 936663005:
Land https://codereview.chromium.org/889083003/ to update libsrtp to upstream 1.5.0 (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/libsrtp/