Changeset 5261 for pjproject/trunk/third_party/srtp/srtp/srtp.c
- Timestamp:
- Mar 15, 2016 3:57:39 AM (8 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
pjproject/trunk/third_party/srtp/srtp/srtp.c
r2353 r5261 45 45 46 46 #include "srtp_priv.h" 47 #include " aes_icm.h" /* aes_icm is used in the KDF*/47 #include "ekt.h" /* for SRTP Encrypted Key Transport */ 48 48 #include "alloc.h" /* for crypto_alloc() */ 49 #ifdef OPENSSL 50 #include "aes_gcm_ossl.h" /* for AES GCM mode */ 51 #endif 49 52 50 53 #ifndef SRTP_KERNEL … … 58 61 59 62 60 extern cipher_type_t aes_icm;61 extern auth_type_t tmmhv2;62 63 63 /* the debug module for srtp */ 64 64 … … 72 72 #define octets_in_rtcp_header 8 73 73 #define uint32s_in_rtcp_header 2 74 74 #define octets_in_rtp_extn_hdr 4 75 76 static err_status_t 77 srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) { 78 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; 79 80 /* Check RTP header length */ 81 int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc; 82 if (hdr->x == 1) 83 rtp_header_len += octets_in_rtp_extn_hdr; 84 85 if (*pkt_octet_len < rtp_header_len) 86 return err_status_bad_param; 87 88 /* Verifing profile length. */ 89 if (hdr->x == 1) { 90 srtp_hdr_xtnd_t *xtn_hdr = 91 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc); 92 int profile_len = ntohs(xtn_hdr->length); 93 rtp_header_len += profile_len * 4; 94 /* profile length counts the number of 32-bit words */ 95 if (*pkt_octet_len < rtp_header_len) 96 return err_status_bad_param; 97 } 98 return err_status_ok; 99 } 100 101 const char *srtp_get_version_string () 102 { 103 /* 104 * Simply return the autotools generated string 105 */ 106 return SRTP_VER_STRING; 107 } 108 109 unsigned int srtp_get_version () 110 { 111 unsigned int major = 0, minor = 0, micro = 0; 112 unsigned int rv = 0; 113 int parse_rv; 114 115 /* 116 * Parse the autotools generated version 117 */ 118 parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, µ); 119 if (parse_rv != 3) { 120 /* 121 * We're expected to parse all 3 version levels. 122 * If not, then this must not be an official release. 123 * Return all zeros on the version 124 */ 125 return (0); 126 } 127 128 /* 129 * We allow 8 bits for the major and minor, while 130 * allowing 16 bits for the micro. 16 bits for the micro 131 * may be beneficial for a continuous delivery model 132 * in the future. 133 */ 134 rv |= (major & 0xFF) << 24; 135 rv |= (minor & 0xFF) << 16; 136 rv |= micro & 0xFF; 137 return rv; 138 } 75 139 76 140 err_status_t … … 97 161 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type, 98 162 &str->rtp_cipher, 99 p->rtp.cipher_key_len); 163 p->rtp.cipher_key_len, 164 p->rtp.auth_tag_len); 100 165 if (stat) { 101 166 crypto_free(str); … … 129 194 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type, 130 195 &str->rtcp_cipher, 131 p->rtcp.cipher_key_len); 196 p->rtcp.cipher_key_len, 197 p->rtcp.auth_tag_len); 132 198 if (stat) { 133 199 auth_dealloc(str->rtp_auth); … … 152 218 } 153 219 220 /* allocate ekt data associated with stream */ 221 stat = ekt_alloc(&str->ekt, p->ekt); 222 if (stat) { 223 auth_dealloc(str->rtcp_auth); 224 cipher_dealloc(str->rtcp_cipher); 225 auth_dealloc(str->rtp_auth); 226 cipher_dealloc(str->rtp_cipher); 227 crypto_free(str->limit); 228 crypto_free(str); 229 return stat; 230 } 231 154 232 return err_status_ok; 155 233 } … … 218 296 return status; 219 297 } 298 299 status = rdbx_dealloc(&stream->rtp_rdbx); 300 if (status) 301 return status; 302 303 /* DAM - need to deallocate EKT here */ 304 305 /* 306 * zeroize the salt value 307 */ 308 memset(stream->salt, 0, SRTP_AEAD_SALT_LEN); 309 memset(stream->c_salt, 0, SRTP_AEAD_SALT_LEN); 310 220 311 221 312 /* deallocate srtp stream context */ … … 257 348 /* set key limit to point to that of the template */ 258 349 status = key_limit_clone(stream_template->limit, &str->limit); 259 if (status) 350 if (status) { 351 crypto_free(*str_ptr); 352 *str_ptr = NULL; 260 353 return status; 354 } 261 355 262 356 /* initialize replay databases */ 263 rdbx_init(&str->rtp_rdbx); 357 status = rdbx_init(&str->rtp_rdbx, 358 rdbx_get_window_size(&stream_template->rtp_rdbx)); 359 if (status) { 360 crypto_free(*str_ptr); 361 *str_ptr = NULL; 362 return status; 363 } 264 364 rdb_init(&str->rtcp_rdb); 365 str->allow_repeat_tx = stream_template->allow_repeat_tx; 265 366 266 367 /* set ssrc to that provided */ … … 271 372 str->rtp_services = stream_template->rtp_services; 272 373 str->rtcp_services = stream_template->rtcp_services; 374 375 /* set pointer to EKT data associated with stream */ 376 str->ekt = stream_template->ekt; 377 378 /* Copy the salt values */ 379 memcpy(str->salt, stream_template->salt, SRTP_AEAD_SALT_LEN); 380 memcpy(str->c_salt, stream_template->c_salt, SRTP_AEAD_SALT_LEN); 273 381 274 382 /* defensive coding */ … … 284 392 * srtp_kdf_t is a key derivation context 285 393 * 286 * srtp_kdf_init(&kdf, k) initializes kdf with the key k 394 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher 395 * described by cipher_id, with the master key k with length in octets keylen. 287 396 * 288 397 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key … … 291 400 * should be called once for each subkey that is derived. 292 401 * 293 * srtp_kdf_clear(&kdf) zeroizes the kdf state402 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state 294 403 */ 295 404 … … 310 419 311 420 typedef struct { 312 aes_icm_ctx_t c; /* cipher used for key derivation */421 cipher_t *cipher; /* cipher used for key derivation */ 313 422 } srtp_kdf_t; 314 423 315 424 err_status_t 316 srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t key[30]) { 317 318 aes_icm_context_init(&kdf->c, key); 425 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, int length) { 426 427 err_status_t stat; 428 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length, 0); 429 if (stat) 430 return stat; 431 432 stat = cipher_init(kdf->cipher, key); 433 if (stat) { 434 cipher_dealloc(kdf->cipher); 435 return stat; 436 } 319 437 320 438 return err_status_ok; … … 323 441 err_status_t 324 442 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, 325 uint8_t *key, int length) {443 uint8_t *key, unsigned int length) { 326 444 327 445 v128_t nonce; 446 err_status_t status; 328 447 329 448 /* set eigth octet of nonce to <label>, set the rest of it to zero */ … … 331 450 nonce.v8[7] = label; 332 451 333 aes_icm_set_iv(&kdf->c, &nonce); 452 status = cipher_set_iv(kdf->cipher, &nonce, direction_encrypt); 453 if (status) 454 return status; 334 455 335 456 /* generate keystream output */ 336 aes_icm_output(&kdf->c, key, length); 457 octet_string_set_to_zero(key, length); 458 status = cipher_encrypt(kdf->cipher, key, &length); 459 if (status) 460 return status; 337 461 338 462 return err_status_ok; … … 341 465 err_status_t 342 466 srtp_kdf_clear(srtp_kdf_t *kdf) { 343 344 /* zeroize aes context */ 345 octet_string_set_to_zero((uint8_t *)kdf, sizeof(srtp_kdf_t)); 467 err_status_t status; 468 status = cipher_dealloc(kdf->cipher); 469 if (status) 470 return status; 471 kdf->cipher = NULL; 346 472 347 473 return err_status_ok; … … 354 480 #define MAX_SRTP_KEY_LEN 256 355 481 482 483 /* Get the base key length corresponding to a given combined key+salt 484 * length for the given cipher. 485 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using 486 * AES-128 and short salts; everything else uses a salt length of 14. 487 * TODO: key and salt lengths should be separate fields in the policy. */ 488 static inline int base_key_length(const cipher_type_t *cipher, int key_length) 489 { 490 switch (cipher->id) { 491 case AES_128_ICM: 492 case AES_192_ICM: 493 case AES_256_ICM: 494 /* The legacy modes are derived from 495 * the configured key length on the policy */ 496 return key_length - 14; 497 break; 498 case AES_128_GCM: 499 return 16; 500 break; 501 case AES_256_GCM: 502 return 32; 503 break; 504 default: 505 return key_length; 506 break; 507 } 508 } 356 509 357 510 err_status_t … … 360 513 srtp_kdf_t kdf; 361 514 uint8_t tmp_key[MAX_SRTP_KEY_LEN]; 362 515 int kdf_keylen = 30, rtp_keylen, rtcp_keylen; 516 int rtp_base_key_len, rtp_salt_len; 517 int rtcp_base_key_len, rtcp_salt_len; 518 519 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ 520 /* TODO: kdf algorithm, master key length, and master salt length should 521 * be part of srtp_policy_t. */ 522 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher); 523 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher); 524 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen); 525 rtp_salt_len = rtp_keylen - rtp_base_key_len; 526 527 if (rtp_keylen > kdf_keylen) { 528 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ 529 } 530 531 if (rtcp_keylen > kdf_keylen) { 532 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ 533 } 534 535 debug_print(mod_srtp, "srtp key len: %d", rtp_keylen); 536 debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen); 537 debug_print(mod_srtp, "base key len: %d", rtp_base_key_len); 538 debug_print(mod_srtp, "kdf key len: %d", kdf_keylen); 539 debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len); 540 541 /* 542 * Make sure the key given to us is 'zero' appended. GCM 543 * mode uses a shorter master SALT (96 bits), but still relies on 544 * the legacy CTR mode KDF, which uses a 112 bit master SALT. 545 */ 546 memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN); 547 memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len)); 548 363 549 /* initialize KDF state */ 364 srtp_kdf_init(&kdf, (const uint8_t *)key); 550 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)tmp_key, kdf_keylen); 551 if (stat) { 552 return err_status_init_fail; 553 } 365 554 366 555 /* generate encryption key */ 367 srtp_kdf_generate(&kdf, label_rtp_encryption, 368 tmp_key, cipher_get_key_length(srtp->rtp_cipher)); 369 /* 370 * if the cipher in the srtp context is aes_icm, then we need 371 * to generate the salt value 372 */ 373 if (srtp->rtp_cipher->type == &aes_icm) { 374 /* FIX!!! this is really the cipher key length; rest is salt */ 375 int base_key_len = 16; 376 int salt_len = cipher_get_key_length(srtp->rtp_cipher) - base_key_len; 377 378 debug_print(mod_srtp, "found aes_icm, generating salt", NULL); 379 380 /* generate encryption salt, put after encryption key */ 381 srtp_kdf_generate(&kdf, label_rtp_salt, 382 tmp_key + base_key_len, salt_len); 383 } 384 debug_print(mod_srtp, "cipher key: %s", 385 octet_string_hex_string(tmp_key, 386 cipher_get_key_length(srtp->rtp_cipher))); 387 388 /* initialize cipher */ 389 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any); 556 stat = srtp_kdf_generate(&kdf, label_rtp_encryption, 557 tmp_key, rtp_base_key_len); 390 558 if (stat) { 391 559 /* zeroize temp buffer */ … … 393 561 return err_status_init_fail; 394 562 } 563 debug_print(mod_srtp, "cipher key: %s", 564 octet_string_hex_string(tmp_key, rtp_base_key_len)); 565 566 /* 567 * if the cipher in the srtp context uses a salt, then we need 568 * to generate the salt value 569 */ 570 if (rtp_salt_len > 0) { 571 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); 572 573 /* generate encryption salt, put after encryption key */ 574 stat = srtp_kdf_generate(&kdf, label_rtp_salt, 575 tmp_key + rtp_base_key_len, rtp_salt_len); 576 if (stat) { 577 /* zeroize temp buffer */ 578 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 579 return err_status_init_fail; 580 } 581 memcpy(srtp->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN); 582 } 583 if (rtp_salt_len > 0) { 584 debug_print(mod_srtp, "cipher salt: %s", 585 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len)); 586 } 587 588 /* initialize cipher */ 589 stat = cipher_init(srtp->rtp_cipher, tmp_key); 590 if (stat) { 591 /* zeroize temp buffer */ 592 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 593 return err_status_init_fail; 594 } 395 595 396 596 /* generate authentication key */ 397 srtp_kdf_generate(&kdf, label_rtp_msg_auth, 398 tmp_key, auth_get_key_length(srtp->rtp_auth)); 597 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, 598 tmp_key, auth_get_key_length(srtp->rtp_auth)); 599 if (stat) { 600 /* zeroize temp buffer */ 601 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 602 return err_status_init_fail; 603 } 399 604 debug_print(mod_srtp, "auth key: %s", 400 605 octet_string_hex_string(tmp_key, … … 413 618 */ 414 619 620 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen); 621 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; 622 debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len); 623 415 624 /* generate encryption key */ 416 srtp_kdf_generate(&kdf, label_rtcp_encryption, 417 tmp_key, cipher_get_key_length(srtp->rtcp_cipher)); 418 /* 419 * if the cipher in the srtp context is aes_icm, then we need 420 * to generate the salt value 421 */ 422 if (srtp->rtcp_cipher->type == &aes_icm) { 423 /* FIX!!! this is really the cipher key length; rest is salt */ 424 int base_key_len = 16; 425 int salt_len = cipher_get_key_length(srtp->rtcp_cipher) - base_key_len; 426 427 debug_print(mod_srtp, "found aes_icm, generating rtcp salt", NULL); 428 429 /* generate encryption salt, put after encryption key */ 430 srtp_kdf_generate(&kdf, label_rtcp_salt, 431 tmp_key + base_key_len, salt_len); 432 } 433 debug_print(mod_srtp, "rtcp cipher key: %s", 434 octet_string_hex_string(tmp_key, 435 cipher_get_key_length(srtp->rtcp_cipher))); 436 437 /* initialize cipher */ 438 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any); 625 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, 626 tmp_key, rtcp_base_key_len); 439 627 if (stat) { 440 628 /* zeroize temp buffer */ … … 443 631 } 444 632 633 /* 634 * if the cipher in the srtp context uses a salt, then we need 635 * to generate the salt value 636 */ 637 if (rtcp_salt_len > 0) { 638 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", 639 NULL); 640 641 /* generate encryption salt, put after encryption key */ 642 stat = srtp_kdf_generate(&kdf, label_rtcp_salt, 643 tmp_key + rtcp_base_key_len, rtcp_salt_len); 644 if (stat) { 645 /* zeroize temp buffer */ 646 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 647 return err_status_init_fail; 648 } 649 memcpy(srtp->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN); 650 } 651 debug_print(mod_srtp, "rtcp cipher key: %s", 652 octet_string_hex_string(tmp_key, rtcp_base_key_len)); 653 if (rtcp_salt_len > 0) { 654 debug_print(mod_srtp, "rtcp cipher salt: %s", 655 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_len)); 656 } 657 658 /* initialize cipher */ 659 stat = cipher_init(srtp->rtcp_cipher, tmp_key); 660 if (stat) { 661 /* zeroize temp buffer */ 662 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 663 return err_status_init_fail; 664 } 665 445 666 /* generate authentication key */ 446 srtp_kdf_generate(&kdf, label_rtcp_msg_auth, 447 tmp_key, auth_get_key_length(srtp->rtcp_auth)); 667 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, 668 tmp_key, auth_get_key_length(srtp->rtcp_auth)); 669 if (stat) { 670 /* zeroize temp buffer */ 671 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 672 return err_status_init_fail; 673 } 674 448 675 debug_print(mod_srtp, "rtcp auth key: %s", 449 676 octet_string_hex_string(tmp_key, … … 459 686 460 687 /* clear memory then return */ 461 s rtp_kdf_clear(&kdf);688 stat = srtp_kdf_clear(&kdf); 462 689 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 690 if (stat) 691 return err_status_init_fail; 463 692 464 693 return err_status_ok; … … 474 703 475 704 /* initialize replay database */ 476 rdbx_init(&srtp->rtp_rdbx); 705 /* window size MUST be at least 64. MAY be larger. Values more than 706 * 2^15 aren't meaningful due to how extended sequence numbers are 707 * calculated. Let a window size of 0 imply the default value. */ 708 709 if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000)) 710 return err_status_bad_param; 711 712 if (p->window_size != 0) 713 err = rdbx_init(&srtp->rtp_rdbx, p->window_size); 714 else 715 err = rdbx_init(&srtp->rtp_rdbx, 128); 716 if (err) return err; 477 717 478 718 /* initialize key limit to maximum value */ … … 484 724 } 485 725 #else 486 key_limit_set(srtp->limit, PJ_UINT64(0xffffffffffff));726 key_limit_set(srtp->limit, 0xffffffffffffLL); 487 727 #endif 488 728 … … 504 744 rdb_init(&srtp->rtcp_rdb); 505 745 746 /* initialize allow_repeat_tx */ 747 /* guard against uninitialized memory: allow only 0 or 1 here */ 748 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) { 749 rdbx_dealloc(&srtp->rtp_rdbx); 750 return err_status_bad_param; 751 } 752 srtp->allow_repeat_tx = p->allow_repeat_tx; 753 506 754 /* DAM - no RTCP key limit at present */ 507 755 508 756 /* initialize keys */ 509 757 err = srtp_stream_init_keys(srtp, p->key); 510 if (err) return err; 758 if (err) { 759 rdbx_dealloc(&srtp->rtp_rdbx); 760 return err; 761 } 762 763 /* 764 * if EKT is in use, then initialize the EKT data associated with 765 * the stream 766 */ 767 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt); 768 if (err) { 769 rdbx_dealloc(&srtp->rtp_rdbx); 770 return err; 771 } 511 772 512 773 return err_status_ok; … … 569 830 } 570 831 832 /* 833 * AEAD uses a new IV formation method. This function implements 834 * section 9.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The 835 * calculation is defined as, where (+) is the xor operation: 836 * 837 * 838 * 0 0 0 0 0 0 0 0 0 0 1 1 839 * 0 1 2 3 4 5 6 7 8 9 0 1 840 * +--+--+--+--+--+--+--+--+--+--+--+--+ 841 * |00|00| SSRC | ROC | SEQ |---+ 842 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 843 * | 844 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 845 * | Encryption Salt |->(+) 846 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 847 * | 848 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 849 * | Initialization Vector |<--+ 850 * +--+--+--+--+--+--+--+--+--+--+--+--+* 851 * 852 * Input: *stream - pointer to SRTP stream context, used to retrieve 853 * the SALT 854 * *iv - Pointer to receive the calculated IV 855 * *seq - The ROC and SEQ value to use for the 856 * IV calculation. 857 * *hdr - The RTP header, used to get the SSRC value 858 * 859 */ 860 static void srtp_calc_aead_iv(srtp_stream_ctx_t *stream, v128_t *iv, 861 xtd_seq_num_t *seq, srtp_hdr_t *hdr) 862 { 863 v128_t in; 864 v128_t salt; 865 866 #ifdef NO_64BIT_MATH 867 uint32_t local_roc = ((high32(*seq) << 16) | 868 (low32(*seq) >> 16)); 869 uint16_t local_seq = (uint16_t) (low32(*seq)); 870 #else 871 uint32_t local_roc = (uint32_t)(*seq >> 16); 872 uint16_t local_seq = (uint16_t) *seq; 873 #endif 874 875 memset(&in, 0, sizeof(v128_t)); 876 memset(&salt, 0, sizeof(v128_t)); 877 878 in.v16[5] = htons(local_seq); 879 local_roc = htonl(local_roc); 880 memcpy(&in.v16[3], &local_roc, sizeof(local_roc)); 881 882 /* 883 * Copy in the RTP SSRC value 884 */ 885 memcpy(&in.v8[2], &hdr->ssrc, 4); 886 debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in)); 887 888 /* 889 * Get the SALT value from the context 890 */ 891 memcpy(salt.v8, stream->salt, SRTP_AEAD_SALT_LEN); 892 debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt)); 893 894 /* 895 * Finally, apply tyhe SALT to the input 896 */ 897 v128_xor(iv, &in, &salt); 898 } 899 900 901 /* 902 * This function handles outgoing SRTP packets while in AEAD mode, 903 * which currently supports AES-GCM encryption. All packets are 904 * encrypted and authenticated. 905 */ 906 static err_status_t 907 srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, 908 void *rtp_hdr, unsigned int *pkt_octet_len) 909 { 910 srtp_hdr_t *hdr = (srtp_hdr_t*)rtp_hdr; 911 uint32_t *enc_start; /* pointer to start of encrypted portion */ 912 int enc_octet_len = 0; /* number of octets in encrypted portion */ 913 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 914 int delta; /* delta of local pkt idx and that in hdr */ 915 err_status_t status; 916 int tag_len; 917 v128_t iv; 918 unsigned int aad_len; 919 920 debug_print(mod_srtp, "function srtp_protect_aead", NULL); 921 922 /* 923 * update the key usage limit, and check it to make sure that we 924 * didn't just hit either the soft limit or the hard limit, and call 925 * the event handler if we hit either. 926 */ 927 switch (key_limit_update(stream->limit)) { 928 case key_event_normal: 929 break; 930 case key_event_hard_limit: 931 srtp_handle_event(ctx, stream, event_key_hard_limit); 932 return err_status_key_expired; 933 case key_event_soft_limit: 934 default: 935 srtp_handle_event(ctx, stream, event_key_soft_limit); 936 break; 937 } 938 939 /* get tag length from stream */ 940 tag_len = auth_get_tag_length(stream->rtp_auth); 941 942 /* 943 * find starting point for encryption and length of data to be 944 * encrypted - the encrypted portion starts after the rtp header 945 * extension, if present; otherwise, it starts after the last csrc, 946 * if any are present 947 */ 948 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; 949 if (hdr->x == 1) { 950 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; 951 enc_start += (ntohs(xtn_hdr->length) + 1); 952 } 953 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len)) 954 return err_status_parse_err; 955 enc_octet_len = (int)(*pkt_octet_len - 956 ((uint8_t*)enc_start - (uint8_t*)hdr)); 957 if (enc_octet_len < 0) return err_status_parse_err; 958 959 /* 960 * estimate the packet index using the start of the replay window 961 * and the sequence number from the header 962 */ 963 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); 964 status = rdbx_check(&stream->rtp_rdbx, delta); 965 if (status) { 966 if (status != err_status_replay_fail || !stream->allow_repeat_tx) { 967 return status; /* we've been asked to reuse an index */ 968 } 969 } else { 970 rdbx_add_index(&stream->rtp_rdbx, delta); 971 } 972 973 #ifdef NO_64BIT_MATH 974 debug_print2(mod_srtp, "estimated packet index: %08x%08x", 975 high32(est), low32(est)); 976 #else 977 debug_print(mod_srtp, "estimated packet index: %016llx", est); 978 #endif 979 980 /* 981 * AEAD uses a new IV formation method 982 */ 983 srtp_calc_aead_iv(stream, &iv, &est, hdr); 984 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); 985 if (status) { 986 return err_status_cipher_fail; 987 } 988 989 /* shift est, put into network byte order */ 990 #ifdef NO_64BIT_MATH 991 est = be64_to_cpu(make64((high32(est) << 16) | 992 (low32(est) >> 16), 993 low32(est) << 16)); 994 #else 995 est = be64_to_cpu(est << 16); 996 #endif 997 998 /* 999 * Set the AAD over the RTP header 1000 */ 1001 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; 1002 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len); 1003 if (status) { 1004 return ( err_status_cipher_fail); 1005 } 1006 1007 /* Encrypt the payload */ 1008 status = cipher_encrypt(stream->rtp_cipher, 1009 (uint8_t*)enc_start, (unsigned int *)&enc_octet_len); 1010 if (status) { 1011 return err_status_cipher_fail; 1012 } 1013 /* 1014 * If we're doing GCM, we need to get the tag 1015 * and append that to the output 1016 */ 1017 status = cipher_get_tag(stream->rtp_cipher, 1018 (uint8_t*)enc_start+enc_octet_len, &tag_len); 1019 if (status) { 1020 return ( err_status_cipher_fail); 1021 } 1022 1023 /* increase the packet length by the length of the auth tag */ 1024 *pkt_octet_len += tag_len; 1025 1026 return err_status_ok; 1027 } 1028 1029 1030 /* 1031 * This function handles incoming SRTP packets while in AEAD mode, 1032 * which currently supports AES-GCM encryption. All packets are 1033 * encrypted and authenticated. Note, the auth tag is at the end 1034 * of the packet stream and is automatically checked by GCM 1035 * when decrypting the payload. 1036 */ 1037 static err_status_t 1038 srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, 1039 xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_len) 1040 { 1041 srtp_hdr_t *hdr = (srtp_hdr_t*)srtp_hdr; 1042 uint32_t *enc_start; /* pointer to start of encrypted portion */ 1043 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 1044 v128_t iv; 1045 err_status_t status; 1046 int tag_len; 1047 unsigned int aad_len; 1048 1049 debug_print(mod_srtp, "function srtp_unprotect_aead", NULL); 1050 1051 #ifdef NO_64BIT_MATH 1052 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), low32(est)); 1053 #else 1054 debug_print(mod_srtp, "estimated u_packet index: %016llx", est); 1055 #endif 1056 1057 /* get tag length from stream */ 1058 tag_len = auth_get_tag_length(stream->rtp_auth); 1059 1060 /* 1061 * AEAD uses a new IV formation method 1062 */ 1063 srtp_calc_aead_iv(stream, &iv, &est, hdr); 1064 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); 1065 if (status) { 1066 return err_status_cipher_fail; 1067 } 1068 1069 /* 1070 * find starting point for decryption and length of data to be 1071 * decrypted - the encrypted portion starts after the rtp header 1072 * extension, if present; otherwise, it starts after the last csrc, 1073 * if any are present 1074 */ 1075 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; 1076 if (hdr->x == 1) { 1077 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; 1078 enc_start += (ntohs(xtn_hdr->length) + 1); 1079 } 1080 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len))) 1081 return err_status_parse_err; 1082 /* 1083 * We pass the tag down to the cipher when doing GCM mode 1084 */ 1085 enc_octet_len = (unsigned int)(*pkt_octet_len - 1086 ((uint8_t*)enc_start - (uint8_t*)hdr)); 1087 1088 /* 1089 * Sanity check the encrypted payload length against 1090 * the tag size. It must always be at least as large 1091 * as the tag length. 1092 */ 1093 if (enc_octet_len < (unsigned int) tag_len) { 1094 return err_status_cipher_fail; 1095 } 1096 1097 /* 1098 * update the key usage limit, and check it to make sure that we 1099 * didn't just hit either the soft limit or the hard limit, and call 1100 * the event handler if we hit either. 1101 */ 1102 switch (key_limit_update(stream->limit)) { 1103 case key_event_normal: 1104 break; 1105 case key_event_soft_limit: 1106 srtp_handle_event(ctx, stream, event_key_soft_limit); 1107 break; 1108 case key_event_hard_limit: 1109 srtp_handle_event(ctx, stream, event_key_hard_limit); 1110 return err_status_key_expired; 1111 default: 1112 break; 1113 } 1114 1115 /* 1116 * Set the AAD for AES-GCM, which is the RTP header 1117 */ 1118 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; 1119 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len); 1120 if (status) { 1121 return ( err_status_cipher_fail); 1122 } 1123 1124 /* Decrypt the ciphertext. This also checks the auth tag based 1125 * on the AAD we just specified above */ 1126 status = cipher_decrypt(stream->rtp_cipher, 1127 (uint8_t*)enc_start, &enc_octet_len); 1128 if (status) { 1129 return status; 1130 } 1131 1132 /* 1133 * verify that stream is for received traffic - this check will 1134 * detect SSRC collisions, since a stream that appears in both 1135 * srtp_protect() and srtp_unprotect() will fail this test in one of 1136 * those functions. 1137 * 1138 * we do this check *after* the authentication check, so that the 1139 * latter check will catch any attempts to fool us into thinking 1140 * that we've got a collision 1141 */ 1142 if (stream->direction != dir_srtp_receiver) { 1143 if (stream->direction == dir_unknown) { 1144 stream->direction = dir_srtp_receiver; 1145 } else { 1146 srtp_handle_event(ctx, stream, event_ssrc_collision); 1147 } 1148 } 1149 1150 /* 1151 * if the stream is a 'provisional' one, in which the template context 1152 * is used, then we need to allocate a new stream at this point, since 1153 * the authentication passed 1154 */ 1155 if (stream == ctx->stream_template) { 1156 srtp_stream_ctx_t *new_stream; 1157 1158 /* 1159 * allocate and initialize a new stream 1160 * 1161 * note that we indicate failure if we can't allocate the new 1162 * stream, and some implementations will want to not return 1163 * failure here 1164 */ 1165 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 1166 if (status) { 1167 return status; 1168 } 1169 1170 /* add new stream to the head of the stream_list */ 1171 new_stream->next = ctx->stream_list; 1172 ctx->stream_list = new_stream; 1173 1174 /* set stream (the pointer used in this function) */ 1175 stream = new_stream; 1176 } 1177 1178 /* 1179 * the message authentication function passed, so add the packet 1180 * index into the replay database 1181 */ 1182 rdbx_add_index(&stream->rtp_rdbx, delta); 1183 1184 /* decrease the packet length by the length of the auth tag */ 1185 *pkt_octet_len -= tag_len; 1186 1187 return err_status_ok; 1188 } 1189 1190 1191 1192 571 1193 err_status_t 572 1194 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { … … 574 1196 uint32_t *enc_start; /* pointer to start of encrypted portion */ 575 1197 uint32_t *auth_start; /* pointer to start of auth. portion */ 576 unsignedenc_octet_len = 0; /* number of octets in encrypted portion */1198 int enc_octet_len = 0; /* number of octets in encrypted portion */ 577 1199 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 578 1200 int delta; /* delta of local pkt idx and that in hdr */ … … 586 1208 587 1209 /* we assume the hdr is 32-bit aligned to start */ 1210 1211 /* Verify RTP header */ 1212 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); 1213 if (status) 1214 return status; 588 1215 589 1216 /* check the packet length - it must at least contain a full header */ … … 630 1257 * those functions. 631 1258 */ 632 1259 if (stream->direction != dir_srtp_sender) { 633 1260 if (stream->direction == dir_unknown) { 634 1261 stream->direction = dir_srtp_sender; … … 636 1263 srtp_handle_event(ctx, stream, event_ssrc_collision); 637 1264 } 638 } 1265 } 1266 1267 /* 1268 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 1269 * the request to our AEAD handler. 1270 */ 1271 if (stream->rtp_cipher->algorithm == AES_128_GCM || 1272 stream->rtp_cipher->algorithm == AES_256_GCM) { 1273 return srtp_protect_aead(ctx, stream, rtp_hdr, (unsigned int*)pkt_octet_len); 1274 } 639 1275 640 1276 /* … … 673 1309 enc_start += (ntohs(xtn_hdr->length) + 1); 674 1310 } 675 enc_octet_len = (unsigned int)(*pkt_octet_len 676 - ((enc_start - (uint32_t *)hdr) << 2)); 1311 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len)) 1312 return err_status_parse_err; 1313 enc_octet_len = (int)(*pkt_octet_len - 1314 ((uint8_t*)enc_start - (uint8_t*)hdr)); 1315 if (enc_octet_len < 0) return err_status_parse_err; 677 1316 } else { 678 1317 enc_start = NULL; … … 698 1337 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); 699 1338 status = rdbx_check(&stream->rtp_rdbx, delta); 700 if (status) 701 return status; /* we've been asked to reuse an index */ 702 rdbx_add_index(&stream->rtp_rdbx, delta); 1339 if (status) { 1340 if (status != err_status_replay_fail || !stream->allow_repeat_tx) 1341 return status; /* we've been asked to reuse an index */ 1342 } 1343 else 1344 rdbx_add_index(&stream->rtp_rdbx, delta); 703 1345 704 1346 #ifdef NO_64BIT_MATH … … 712 1354 * if we're using rindael counter mode, set nonce and seq 713 1355 */ 714 if (stream->rtp_cipher->type == &aes_icm) { 1356 if (stream->rtp_cipher->type->id == AES_ICM || 1357 stream->rtp_cipher->type->id == AES_256_ICM) { 715 1358 v128_t iv; 716 1359 … … 723 1366 iv.v64[1] = be64_to_cpu(est << 16); 724 1367 #endif 725 status = cipher_set_iv(stream->rtp_cipher, &iv );1368 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); 726 1369 727 1370 } else { … … 736 1379 #endif 737 1380 iv.v64[1] = be64_to_cpu(est); 738 status = cipher_set_iv(stream->rtp_cipher, &iv );1381 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); 739 1382 } 740 1383 if (status) … … 769 1412 if (enc_start) { 770 1413 status = cipher_encrypt(stream->rtp_cipher, 771 (uint8_t *)enc_start, &enc_octet_len);1414 (uint8_t *)enc_start, (unsigned int*)&enc_octet_len); 772 1415 if (status) 773 1416 return err_status_cipher_fail; … … 814 1457 uint32_t *enc_start; /* pointer to start of encrypted portion */ 815 1458 uint32_t *auth_start; /* pointer to start of auth. portion */ 816 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */1459 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ 817 1460 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 818 1461 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ … … 827 1470 828 1471 /* we assume the hdr is 32-bit aligned to start */ 1472 1473 /* Verify RTP header */ 1474 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); 1475 if (status) 1476 return status; 829 1477 830 1478 /* check the packet length - it must at least contain a full header */ … … 882 1530 #endif 883 1531 1532 /* 1533 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 1534 * the request to our AEAD handler. 1535 */ 1536 if (stream->rtp_cipher->algorithm == AES_128_GCM || 1537 stream->rtp_cipher->algorithm == AES_256_GCM) { 1538 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, (unsigned int*)pkt_octet_len); 1539 } 1540 884 1541 /* get tag length from stream */ 885 1542 tag_len = auth_get_tag_length(stream->rtp_auth); … … 889 1546 * happen to be using 890 1547 */ 891 if (stream->rtp_cipher->type == &aes_icm) { 1548 if (stream->rtp_cipher->type->id == AES_ICM || 1549 stream->rtp_cipher->type->id == AES_256_ICM) { 892 1550 893 1551 /* aes counter mode */ … … 900 1558 iv.v64[1] = be64_to_cpu(est << 16); 901 1559 #endif 902 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtp_cipher->state, &iv);1560 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); 903 1561 } else { 904 1562 … … 911 1569 #endif 912 1570 iv.v64[1] = be64_to_cpu(est); 913 status = cipher_set_iv(stream->rtp_cipher, &iv );1571 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); 914 1572 } 915 1573 if (status) … … 939 1597 enc_start += (ntohs(xtn_hdr->length) + 1); 940 1598 } 941 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 942 - ((enc_start - (uint32_t *)hdr) << 2)); 1599 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len))) 1600 return err_status_parse_err; 1601 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - 1602 ((uint8_t*)enc_start - (uint8_t*)hdr)); 943 1603 } else { 944 1604 enc_start = NULL; … … 1021 1681 } 1022 1682 1023 /* if we're encrypting, add keystream into ciphertext */1683 /* if we're decrypting, add keystream into ciphertext */ 1024 1684 if (enc_start) { 1025 status = cipher_ encrypt(stream->rtp_cipher,1685 status = cipher_decrypt(stream->rtp_cipher, 1026 1686 (uint8_t *)enc_start, &enc_octet_len); 1027 1687 if (status) … … 1104 1764 1105 1765 err_status_t 1106 srtp_ deinit() {1766 srtp_shutdown() { 1107 1767 err_status_t status; 1108 1768 1769 /* shut down crypto kernel */ 1109 1770 status = crypto_kernel_shutdown(); 1110 1111 return status; 1112 } 1771 if (status) 1772 return status; 1773 1774 /* shutting down crypto kernel frees the srtp debug module as well */ 1775 1776 return err_status_ok; 1777 } 1778 1113 1779 1114 1780 /* … … 1190 1856 if (status) 1191 1857 return status; 1858 status = rdbx_dealloc(&session->stream_template->rtp_rdbx); 1859 if (status) 1860 return status; 1192 1861 crypto_free(session->stream_template); 1193 1862 } … … 1282 1951 ctx->stream_template = NULL; 1283 1952 ctx->stream_list = NULL; 1953 ctx->user_data = NULL; 1284 1954 while (policy != NULL) { 1285 1955 … … 1318 1988 1319 1989 /* remove stream from the list */ 1320 last_stream->next = stream->next; 1990 if (last_stream == stream) 1991 /* stream was first in list */ 1992 session->stream_list = stream->next; 1993 else 1994 last_stream->next = stream->next; 1321 1995 1322 1996 /* deallocate the stream */ … … 1346 2020 crypto_policy_set_rtp_default(crypto_policy_t *p) { 1347 2021 1348 p->cipher_type = AES_ 128_ICM;2022 p->cipher_type = AES_ICM; 1349 2023 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */ 1350 2024 p->auth_type = HMAC_SHA1; … … 1358 2032 crypto_policy_set_rtcp_default(crypto_policy_t *p) { 1359 2033 1360 p->cipher_type = AES_ 128_ICM;2034 p->cipher_type = AES_ICM; 1361 2035 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */ 1362 2036 p->auth_type = HMAC_SHA1; … … 1371 2045 1372 2046 /* 1373 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt2047 * corresponds to RFC 4568 1374 2048 * 1375 2049 * note that this crypto policy is intended for SRTP, but not SRTCP 1376 2050 */ 1377 2051 1378 p->cipher_type = AES_ 128_ICM;2052 p->cipher_type = AES_ICM; 1379 2053 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */ 1380 2054 p->auth_type = HMAC_SHA1; … … 1390 2064 1391 2065 /* 1392 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt2066 * corresponds to RFC 4568 1393 2067 * 1394 2068 * note that this crypto policy is intended for SRTP, but not SRTCP 1395 2069 */ 1396 2070 1397 p->cipher_type = AES_ 128_ICM;2071 p->cipher_type = AES_ICM; 1398 2072 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */ 1399 2073 p->auth_type = NULL_AUTH; … … 1409 2083 1410 2084 /* 1411 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt2085 * corresponds to RFC 4568 1412 2086 */ 1413 2087 … … 1422 2096 1423 2097 2098 void 2099 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) { 2100 2101 /* 2102 * corresponds to draft-ietf-avt-big-aes-03.txt 2103 */ 2104 2105 p->cipher_type = AES_ICM; 2106 p->cipher_key_len = 46; 2107 p->auth_type = HMAC_SHA1; 2108 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 2109 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 2110 p->sec_serv = sec_serv_conf_and_auth; 2111 } 2112 2113 2114 void 2115 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) { 2116 2117 /* 2118 * corresponds to draft-ietf-avt-big-aes-03.txt 2119 * 2120 * note that this crypto policy is intended for SRTP, but not SRTCP 2121 */ 2122 2123 p->cipher_type = AES_ICM; 2124 p->cipher_key_len = 46; 2125 p->auth_type = HMAC_SHA1; 2126 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 2127 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ 2128 p->sec_serv = sec_serv_conf_and_auth; 2129 } 2130 2131 /* 2132 * AES-256 with no authentication. 2133 */ 2134 void 2135 crypto_policy_set_aes_cm_256_null_auth (crypto_policy_t *p) 2136 { 2137 p->cipher_type = AES_ICM; 2138 p->cipher_key_len = 46; 2139 p->auth_type = NULL_AUTH; 2140 p->auth_key_len = 0; 2141 p->auth_tag_len = 0; 2142 p->sec_serv = sec_serv_conf; 2143 } 2144 2145 #ifdef OPENSSL 2146 /* 2147 * AES-128 GCM mode with 8 octet auth tag. 2148 */ 2149 void 2150 crypto_policy_set_aes_gcm_128_8_auth(crypto_policy_t *p) { 2151 p->cipher_type = AES_128_GCM; 2152 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; 2153 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ 2154 p->auth_key_len = 0; 2155 p->auth_tag_len = 8; /* 8 octet tag length */ 2156 p->sec_serv = sec_serv_conf_and_auth; 2157 } 2158 2159 /* 2160 * AES-256 GCM mode with 8 octet auth tag. 2161 */ 2162 void 2163 crypto_policy_set_aes_gcm_256_8_auth(crypto_policy_t *p) { 2164 p->cipher_type = AES_256_GCM; 2165 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; 2166 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ 2167 p->auth_key_len = 0; 2168 p->auth_tag_len = 8; /* 8 octet tag length */ 2169 p->sec_serv = sec_serv_conf_and_auth; 2170 } 2171 2172 /* 2173 * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption. 2174 */ 2175 void 2176 crypto_policy_set_aes_gcm_128_8_only_auth(crypto_policy_t *p) { 2177 p->cipher_type = AES_128_GCM; 2178 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; 2179 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ 2180 p->auth_key_len = 0; 2181 p->auth_tag_len = 8; /* 8 octet tag length */ 2182 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ 2183 } 2184 2185 /* 2186 * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption. 2187 */ 2188 void 2189 crypto_policy_set_aes_gcm_256_8_only_auth(crypto_policy_t *p) { 2190 p->cipher_type = AES_256_GCM; 2191 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; 2192 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ 2193 p->auth_key_len = 0; 2194 p->auth_tag_len = 8; /* 8 octet tag length */ 2195 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ 2196 } 2197 2198 /* 2199 * AES-128 GCM mode with 16 octet auth tag. 2200 */ 2201 void 2202 crypto_policy_set_aes_gcm_128_16_auth(crypto_policy_t *p) { 2203 p->cipher_type = AES_128_GCM; 2204 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT; 2205 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ 2206 p->auth_key_len = 0; 2207 p->auth_tag_len = 16; /* 16 octet tag length */ 2208 p->sec_serv = sec_serv_conf_and_auth; 2209 } 2210 2211 /* 2212 * AES-256 GCM mode with 16 octet auth tag. 2213 */ 2214 void 2215 crypto_policy_set_aes_gcm_256_16_auth(crypto_policy_t *p) { 2216 p->cipher_type = AES_256_GCM; 2217 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT; 2218 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */ 2219 p->auth_key_len = 0; 2220 p->auth_tag_len = 16; /* 16 octet tag length */ 2221 p->sec_serv = sec_serv_conf_and_auth; 2222 } 2223 2224 #endif 2225 1424 2226 /* 1425 2227 * secure rtcp functions 1426 2228 */ 2229 2230 /* 2231 * AEAD uses a new IV formation method. This function implements 2232 * section 10.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The 2233 * calculation is defined as, where (+) is the xor operation: 2234 * 2235 * 0 1 2 3 4 5 6 7 8 9 10 11 2236 * +--+--+--+--+--+--+--+--+--+--+--+--+ 2237 * |00|00| SSRC |00|00|0+SRTCP Idx|---+ 2238 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 2239 * | 2240 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 2241 * | Encryption Salt |->(+) 2242 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 2243 * | 2244 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 2245 * | Initialization Vector |<--+ 2246 * +--+--+--+--+--+--+--+--+--+--+--+--+* 2247 * 2248 * Input: *stream - pointer to SRTP stream context, used to retrieve 2249 * the SALT 2250 * *iv - Pointer to recieve the calculated IV 2251 * seq_num - The SEQ value to use for the IV calculation. 2252 * *hdr - The RTP header, used to get the SSRC value 2253 * 2254 */ 2255 static void srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv, 2256 uint32_t seq_num, srtcp_hdr_t *hdr) 2257 { 2258 v128_t in; 2259 v128_t salt; 2260 2261 memset(&in, 0, sizeof(v128_t)); 2262 memset(&salt, 0, sizeof(v128_t)); 2263 2264 in.v16[0] = 0; 2265 memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */ 2266 in.v16[3] = 0; 2267 in.v32[2] = 0x7FFFFFFF & htonl(seq_num); /* bit 32 is suppose to be zero */ 2268 2269 debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in)); 2270 2271 /* 2272 * Get the SALT value from the context 2273 */ 2274 memcpy(salt.v8, stream->c_salt, 12); 2275 debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt)); 2276 2277 /* 2278 * Finally, apply the SALT to the input 2279 */ 2280 v128_xor(iv, &in, &salt); 2281 } 2282 2283 /* 2284 * This code handles AEAD ciphers for outgoing RTCP. We currently support 2285 * AES-GCM mode with 128 or 256 bit keys. 2286 */ 2287 static err_status_t 2288 srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, 2289 void *rtcp_hdr, unsigned int *pkt_octet_len) 2290 { 2291 srtcp_hdr_t *hdr = (srtcp_hdr_t*)rtcp_hdr; 2292 uint32_t *enc_start; /* pointer to start of encrypted portion */ 2293 uint32_t *trailer; /* pointer to start of trailer */ 2294 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 2295 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2296 err_status_t status; 2297 int tag_len; 2298 uint32_t seq_num; 2299 v128_t iv; 2300 uint32_t tseq; 2301 2302 /* get tag length from stream context */ 2303 tag_len = auth_get_tag_length(stream->rtcp_auth); 2304 2305 /* 2306 * set encryption start and encryption length - if we're not 2307 * providing confidentiality, set enc_start to NULL 2308 */ 2309 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header; 2310 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; 2311 2312 /* NOTE: hdr->length is not usable - it refers to only the first 2313 RTCP report in the compound packet! */ 2314 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always 2315 multiples of 32-bits (RFC 3550 6.1) */ 2316 trailer = (uint32_t*)((char*)enc_start + enc_octet_len + tag_len); 2317 2318 if (stream->rtcp_services & sec_serv_conf) { 2319 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ 2320 } else { 2321 enc_start = NULL; 2322 enc_octet_len = 0; 2323 /* 0 is network-order independant */ 2324 *trailer = 0x00000000; /* set encrypt bit */ 2325 } 2326 2327 /* 2328 * set the auth_tag pointer to the proper location, which is after 2329 * the payload, but before the trailer 2330 * (note that srtpc *always* provides authentication, unlike srtp) 2331 */ 2332 /* Note: This would need to change for optional mikey data */ 2333 auth_tag = (uint8_t*)hdr + *pkt_octet_len; 2334 2335 /* 2336 * check sequence number for overruns, and copy it into the packet 2337 * if its value isn't too big 2338 */ 2339 status = rdb_increment(&stream->rtcp_rdb); 2340 if (status) { 2341 return status; 2342 } 2343 seq_num = rdb_get_value(&stream->rtcp_rdb); 2344 *trailer |= htonl(seq_num); 2345 debug_print(mod_srtp, "srtcp index: %x", seq_num); 2346 2347 /* 2348 * Calculating the IV and pass it down to the cipher 2349 */ 2350 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr); 2351 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); 2352 if (status) { 2353 return err_status_cipher_fail; 2354 } 2355 2356 /* 2357 * Set the AAD for GCM mode 2358 */ 2359 if (enc_start) { 2360 /* 2361 * If payload encryption is enabled, then the AAD consist of 2362 * the RTCP header and the seq# at the end of the packet 2363 */ 2364 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, 2365 octets_in_rtcp_header); 2366 if (status) { 2367 return ( err_status_cipher_fail); 2368 } 2369 } else { 2370 /* 2371 * Since payload encryption is not enabled, we must authenticate 2372 * the entire packet as described in section 10.3 in revision 07 2373 * of the draft. 2374 */ 2375 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, 2376 *pkt_octet_len); 2377 if (status) { 2378 return ( err_status_cipher_fail); 2379 } 2380 } 2381 /* 2382 * Process the sequence# as AAD 2383 */ 2384 tseq = *trailer; 2385 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq, 2386 sizeof(srtcp_trailer_t)); 2387 if (status) { 2388 return ( err_status_cipher_fail); 2389 } 2390 2391 /* if we're encrypting, exor keystream into the message */ 2392 if (enc_start) { 2393 status = cipher_encrypt(stream->rtcp_cipher, 2394 (uint8_t*)enc_start, &enc_octet_len); 2395 if (status) { 2396 return err_status_cipher_fail; 2397 } 2398 /* 2399 * Get the tag and append that to the output 2400 */ 2401 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag, 2402 &tag_len); 2403 if (status) { 2404 return ( err_status_cipher_fail); 2405 } 2406 enc_octet_len += tag_len; 2407 } else { 2408 /* 2409 * Even though we're not encrypting the payload, we need 2410 * to run the cipher to get the auth tag. 2411 */ 2412 unsigned int nolen = 0; 2413 status = cipher_encrypt(stream->rtcp_cipher, NULL, &nolen); 2414 if (status) { 2415 return err_status_cipher_fail; 2416 } 2417 /* 2418 * Get the tag and append that to the output 2419 */ 2420 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag, 2421 &tag_len); 2422 if (status) { 2423 return ( err_status_cipher_fail); 2424 } 2425 enc_octet_len += tag_len; 2426 } 2427 2428 /* increase the packet length by the length of the auth tag and seq_num*/ 2429 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); 2430 2431 return err_status_ok; 2432 } 2433 2434 /* 2435 * This function handles incoming SRTCP packets while in AEAD mode, 2436 * which currently supports AES-GCM encryption. Note, the auth tag is 2437 * at the end of the packet stream and is automatically checked by GCM 2438 * when decrypting the payload. 2439 */ 2440 static err_status_t 2441 srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, 2442 void *srtcp_hdr, unsigned int *pkt_octet_len) 2443 { 2444 srtcp_hdr_t *hdr = (srtcp_hdr_t*)srtcp_hdr; 2445 uint32_t *enc_start; /* pointer to start of encrypted portion */ 2446 uint32_t *trailer; /* pointer to start of trailer */ 2447 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 2448 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2449 err_status_t status; 2450 int tag_len; 2451 unsigned int tmp_len; 2452 uint32_t seq_num; 2453 v128_t iv; 2454 uint32_t tseq; 2455 2456 /* get tag length from stream context */ 2457 tag_len = auth_get_tag_length(stream->rtcp_auth); 2458 2459 /* 2460 * set encryption start, encryption length, and trailer 2461 */ 2462 /* index & E (encryption) bit follow normal data. hdr->len 2463 is the number of words (32-bit) in the normal packet minus 1 */ 2464 /* This should point trailer to the word past the end of the 2465 normal data. */ 2466 /* This would need to be modified for optional mikey data */ 2467 /* 2468 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always 2469 * multiples of 32-bits (RFC 3550 6.1) 2470 */ 2471 trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t)); 2472 /* 2473 * We pass the tag down to the cipher when doing GCM mode 2474 */ 2475 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + 2476 sizeof(srtcp_trailer_t)); 2477 auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - sizeof(srtcp_trailer_t); 2478 2479 if (*((unsigned char*)trailer) & SRTCP_E_BYTE_BIT) { 2480 enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header; 2481 } else { 2482 enc_octet_len = 0; 2483 enc_start = NULL; /* this indicates that there's no encryption */ 2484 } 2485 2486 /* 2487 * check the sequence number for replays 2488 */ 2489 /* this is easier than dealing with bitfield access */ 2490 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; 2491 debug_print(mod_srtp, "srtcp index: %x", seq_num); 2492 status = rdb_check(&stream->rtcp_rdb, seq_num); 2493 if (status) { 2494 return status; 2495 } 2496 2497 /* 2498 * Calculate and set the IV 2499 */ 2500 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr); 2501 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); 2502 if (status) { 2503 return err_status_cipher_fail; 2504 } 2505 2506 /* 2507 * Set the AAD for GCM mode 2508 */ 2509 if (enc_start) { 2510 /* 2511 * If payload encryption is enabled, then the AAD consist of 2512 * the RTCP header and the seq# at the end of the packet 2513 */ 2514 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, 2515 octets_in_rtcp_header); 2516 if (status) { 2517 return ( err_status_cipher_fail); 2518 } 2519 } else { 2520 /* 2521 * Since payload encryption is not enabled, we must authenticate 2522 * the entire packet as described in section 10.3 in revision 07 2523 * of the draft. 2524 */ 2525 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, 2526 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t))); 2527 if (status) { 2528 return ( err_status_cipher_fail); 2529 } 2530 } 2531 2532 /* 2533 * Process the sequence# as AAD 2534 */ 2535 tseq = *trailer; 2536 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq, 2537 sizeof(srtcp_trailer_t)); 2538 if (status) { 2539 return ( err_status_cipher_fail); 2540 } 2541 2542 /* if we're decrypting, exor keystream into the message */ 2543 if (enc_start) { 2544 status = cipher_decrypt(stream->rtcp_cipher, 2545 (uint8_t*)enc_start, &enc_octet_len); 2546 if (status) { 2547 return status; 2548 } 2549 } else { 2550 /* 2551 * Still need to run the cipher to check the tag 2552 */ 2553 tmp_len = tag_len; 2554 status = cipher_decrypt(stream->rtcp_cipher, (uint8_t*)auth_tag, 2555 &tmp_len); 2556 if (status) { 2557 return status; 2558 } 2559 } 2560 2561 /* decrease the packet length by the length of the auth tag and seq_num*/ 2562 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); 2563 2564 /* 2565 * verify that stream is for received traffic - this check will 2566 * detect SSRC collisions, since a stream that appears in both 2567 * srtp_protect() and srtp_unprotect() will fail this test in one of 2568 * those functions. 2569 * 2570 * we do this check *after* the authentication check, so that the 2571 * latter check will catch any attempts to fool us into thinking 2572 * that we've got a collision 2573 */ 2574 if (stream->direction != dir_srtp_receiver) { 2575 if (stream->direction == dir_unknown) { 2576 stream->direction = dir_srtp_receiver; 2577 } else { 2578 srtp_handle_event(ctx, stream, event_ssrc_collision); 2579 } 2580 } 2581 2582 /* 2583 * if the stream is a 'provisional' one, in which the template context 2584 * is used, then we need to allocate a new stream at this point, since 2585 * the authentication passed 2586 */ 2587 if (stream == ctx->stream_template) { 2588 srtp_stream_ctx_t *new_stream; 2589 2590 /* 2591 * allocate and initialize a new stream 2592 * 2593 * note that we indicate failure if we can't allocate the new 2594 * stream, and some implementations will want to not return 2595 * failure here 2596 */ 2597 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 2598 if (status) { 2599 return status; 2600 } 2601 2602 /* add new stream to the head of the stream_list */ 2603 new_stream->next = ctx->stream_list; 2604 ctx->stream_list = new_stream; 2605 2606 /* set stream (the pointer used in this function) */ 2607 stream = new_stream; 2608 } 2609 2610 /* we've passed the authentication check, so add seq_num to the rdb */ 2611 rdb_add_index(&stream->rtcp_rdb, seq_num); 2612 2613 return err_status_ok; 2614 } 1427 2615 1428 2616 err_status_t … … 1432 2620 uint32_t *auth_start; /* pointer to start of auth. portion */ 1433 2621 uint32_t *trailer; /* pointer to start of trailer */ 1434 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */2622 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ 1435 2623 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 1436 2624 err_status_t status; … … 1441 2629 1442 2630 /* we assume the hdr is 32-bit aligned to start */ 2631 2632 /* check the packet length - it must at least contain a full header */ 2633 if (*pkt_octet_len < octets_in_rtcp_header) 2634 return err_status_bad_param; 2635 1443 2636 /* 1444 2637 * look up ssrc in srtp_stream list, and process the packet with … … 1485 2678 } 1486 2679 2680 /* 2681 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 2682 * the request to our AEAD handler. 2683 */ 2684 if (stream->rtp_cipher->algorithm == AES_128_GCM || 2685 stream->rtp_cipher->algorithm == AES_256_GCM) { 2686 return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, (unsigned int*)pkt_octet_len); 2687 } 2688 1487 2689 /* get tag length from stream context */ 1488 2690 tag_len = auth_get_tag_length(stream->rtcp_auth); … … 1519 2721 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t); 1520 2722 2723 /* perform EKT processing if needed */ 2724 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len, 2725 rdbx_get_packet_index(&stream->rtp_rdbx)); 2726 1521 2727 /* 1522 2728 * check sequence number for overruns, and copy it into the packet … … 1533 2739 * if we're using rindael counter mode, set nonce and seq 1534 2740 */ 1535 if (stream->rtcp_cipher->type == &aes_icm) {2741 if (stream->rtcp_cipher->type->id == AES_ICM) { 1536 2742 v128_t iv; 1537 2743 … … 1540 2746 iv.v32[2] = htonl(seq_num >> 16); 1541 2747 iv.v32[3] = htonl(seq_num << 16); 1542 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtcp_cipher->state, &iv);2748 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); 1543 2749 1544 2750 } else { … … 1550 2756 iv.v32[2] = 0; 1551 2757 iv.v32[3] = htonl(seq_num); 1552 status = cipher_set_iv(stream->rtcp_cipher, &iv );2758 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); 1553 2759 } 1554 2760 if (status) … … 1611 2817 uint32_t *auth_start; /* pointer to start of auth. portion */ 1612 2818 uint32_t *trailer; /* pointer to start of trailer */ 1613 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */2819 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ 1614 2820 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 1615 2821 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 2822 uint8_t tag_copy[SRTP_MAX_TAG_LEN]; 1616 2823 err_status_t status; 2824 unsigned int auth_len; 1617 2825 int tag_len; 1618 2826 srtp_stream_ctx_t *stream; 1619 2827 int prefix_len; 1620 2828 uint32_t seq_num; 2829 int e_bit_in_packet; /* whether the E-bit was found in the packet */ 2830 int sec_serv_confidentiality; /* whether confidentiality was requested */ 1621 2831 1622 2832 /* we assume the hdr is 32-bit aligned to start */ 2833 2834 /* check that the length value is sane; we'll check again once we 2835 know the tag length, but we at least want to know that it is 2836 a positive value */ 2837 if (*pkt_octet_len < octets_in_rtcp_header + sizeof(srtcp_trailer_t)) 2838 return err_status_bad_param; 2839 1623 2840 /* 1624 2841 * look up ssrc in srtp_stream list, and process the packet with … … 1632 2849 if (ctx->stream_template != NULL) { 1633 2850 stream = ctx->stream_template; 2851 2852 /* 2853 * check to see if stream_template has an EKT data structure, in 2854 * which case we initialize the template using the EKT policy 2855 * referenced by that data (which consists of decrypting the 2856 * master key from the EKT field) 2857 * 2858 * this function initializes a *provisional* stream, and this 2859 * stream should not be accepted until and unless the packet 2860 * passes its authentication check 2861 */ 2862 if (stream->ekt != NULL) { 2863 status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len); 2864 if (status) 2865 return status; 2866 } 2867 1634 2868 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", 1635 2869 hdr->ssrc); … … 1641 2875 1642 2876 /* get tag length from stream context */ 1643 tag_len = auth_get_tag_length(stream->rtcp_auth); 2877 tag_len = auth_get_tag_length(stream->rtcp_auth); 2878 2879 /* check the packet length - it must contain at least a full RTCP 2880 header, an auth tag (if applicable), and the SRTCP encrypted flag 2881 and 31-bit index value */ 2882 if (*pkt_octet_len < (int) (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t))) { 2883 return err_status_bad_param; 2884 } 2885 2886 /* 2887 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 2888 * the request to our AEAD handler. 2889 */ 2890 if (stream->rtp_cipher->algorithm == AES_128_GCM || 2891 stream->rtp_cipher->algorithm == AES_256_GCM) { 2892 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, (unsigned int*)pkt_octet_len); 2893 } 2894 2895 sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf || 2896 stream->rtcp_services == sec_serv_conf_and_auth; 1644 2897 1645 2898 /* … … 1658 2911 */ 1659 2912 trailer = (uint32_t *) ((char *) hdr + 1660 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t))); 1661 if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) { 2913 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t))); 2914 e_bit_in_packet = 2915 (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT; 2916 if (e_bit_in_packet != sec_serv_confidentiality) { 2917 return err_status_cant_check; 2918 } 2919 if (sec_serv_confidentiality) { 1662 2920 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; 1663 2921 } else { … … 1671 2929 */ 1672 2930 auth_start = (uint32_t *)hdr; 1673 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len; 2931 auth_len = *pkt_octet_len - tag_len; 2932 auth_tag = (uint8_t *)hdr + auth_len; 2933 2934 /* 2935 * if EKT is in use, then we make a copy of the tag from the packet, 2936 * and then zeroize the location of the base tag 2937 * 2938 * we first re-position the auth_tag pointer so that it points to 2939 * the base tag 2940 */ 2941 if (stream->ekt) { 2942 auth_tag -= ekt_octets_after_base_tag(stream->ekt); 2943 memcpy(tag_copy, auth_tag, tag_len); 2944 octet_string_set_to_zero(auth_tag, tag_len); 2945 auth_tag = tag_copy; 2946 auth_len += tag_len; 2947 } 1674 2948 1675 2949 /* … … 1686 2960 * if we're using aes counter mode, set nonce and seq 1687 2961 */ 1688 if (stream->rtcp_cipher->type == &aes_icm) {2962 if (stream->rtcp_cipher->type->id == AES_ICM) { 1689 2963 v128_t iv; 1690 2964 … … 1693 2967 iv.v32[2] = htonl(seq_num >> 16); 1694 2968 iv.v32[3] = htonl(seq_num << 16); 1695 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtcp_cipher->state, &iv);2969 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); 1696 2970 1697 2971 } else { … … 1703 2977 iv.v32[2] = 0; 1704 2978 iv.v32[3] = htonl(seq_num); 1705 status = cipher_set_iv(stream->rtcp_cipher, &iv );2979 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); 1706 2980 1707 2981 } … … 1714 2988 /* run auth func over packet, put result into tmp_tag */ 1715 2989 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start, 1716 *pkt_octet_len - tag_len, 1717 tmp_tag); 2990 auth_len, tmp_tag); 1718 2991 debug_print(mod_srtp, "srtcp computed tag: %s", 1719 2992 octet_string_hex_string(tmp_tag, tag_len)); … … 1742 3015 /* if we're decrypting, exor keystream into the message */ 1743 3016 if (enc_start) { 1744 status = cipher_ encrypt(stream->rtcp_cipher,3017 status = cipher_decrypt(stream->rtcp_cipher, 1745 3018 (uint8_t *)enc_start, &enc_octet_len); 1746 3019 if (status) … … 1748 3021 } 1749 3022 1750 /* decrease the packet length by the length of the auth tag and seq_num */3023 /* decrease the packet length by the length of the auth tag and seq_num */ 1751 3024 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); 3025 3026 /* 3027 * if EKT is in effect, subtract the EKT data out of the packet 3028 * length 3029 */ 3030 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt); 1752 3031 1753 3032 /* … … 1803 3082 } 1804 3083 3084 3085 /* 3086 * user data within srtp_t context 3087 */ 3088 3089 void 3090 srtp_set_user_data(srtp_t ctx, void *data) { 3091 ctx->user_data = data; 3092 } 3093 3094 void* 3095 srtp_get_user_data(srtp_t ctx) { 3096 return ctx->user_data; 3097 } 1805 3098 1806 3099 … … 1824 3117 crypto_policy_set_null_cipher_hmac_sha1_80(policy); 1825 3118 break; 3119 case srtp_profile_aes256_cm_sha1_80: 3120 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 3121 break; 3122 case srtp_profile_aes256_cm_sha1_32: 3123 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy); 3124 break; 1826 3125 /* the following profiles are not (yet) supported */ 1827 3126 case srtp_profile_null_sha1_32: 1828 case srtp_profile_aes256_cm_sha1_80:1829 case srtp_profile_aes256_cm_sha1_32:1830 3127 default: 1831 3128 return err_status_bad_param; … … 1845 3142 break; 1846 3143 case srtp_profile_aes128_cm_sha1_32: 1847 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); 3144 /* We do not honor the 32-bit auth tag request since 3145 * this is not compliant with RFC 3711 */ 3146 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 1848 3147 break; 1849 3148 case srtp_profile_null_sha1_80: 1850 3149 crypto_policy_set_null_cipher_hmac_sha1_80(policy); 1851 3150 break; 3151 case srtp_profile_aes256_cm_sha1_80: 3152 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 3153 break; 3154 case srtp_profile_aes256_cm_sha1_32: 3155 /* We do not honor the 32-bit auth tag request since 3156 * this is not compliant with RFC 3711 */ 3157 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 3158 break; 1852 3159 /* the following profiles are not (yet) supported */ 1853 3160 case srtp_profile_null_sha1_32: 1854 case srtp_profile_aes256_cm_sha1_80:1855 case srtp_profile_aes256_cm_sha1_32:1856 3161 default: 1857 3162 return err_status_bad_param; … … 1882 3187 return 16; 1883 3188 break; 3189 case srtp_profile_aes256_cm_sha1_80: 3190 return 32; 3191 break; 3192 case srtp_profile_aes256_cm_sha1_32: 3193 return 32; 3194 break; 1884 3195 /* the following profiles are not (yet) supported */ 1885 3196 case srtp_profile_null_sha1_32: 1886 case srtp_profile_aes256_cm_sha1_80:1887 case srtp_profile_aes256_cm_sha1_32:1888 3197 default: 1889 3198 return 0; /* indicate error by returning a zero */ … … 1904 3213 return 14; 1905 3214 break; 3215 case srtp_profile_aes256_cm_sha1_80: 3216 return 14; 3217 break; 3218 case srtp_profile_aes256_cm_sha1_32: 3219 return 14; 3220 break; 1906 3221 /* the following profiles are not (yet) supported */ 1907 3222 case srtp_profile_null_sha1_32: 1908 case srtp_profile_aes256_cm_sha1_80:1909 case srtp_profile_aes256_cm_sha1_32:1910 3223 default: 1911 3224 return 0; /* indicate error by returning a zero */
Note: See TracChangeset
for help on using the changeset viewer.