Changeset 5412


Ignore:
Timestamp:
Aug 8, 2016 9:09:29 AM (8 years ago)
Author:
ming
Message:

Re #1943: AES-GCM crypto support for SRTP

Special thanks to Alexander Traud for the patch.

Location:
pjproject/trunk
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • pjproject/trunk/aconfigure

    r5403 r5412  
    641641libssl_present 
    642642openssl_h_present 
     643ac_ssl_has_aes_gcm 
    643644ac_no_ssl 
    644645ac_webrtc_ldflags 
     
    78387839 
    78397840 
     7841ac_ssl_has_aes_gcm=0 
     7842 
    78407843# Check whether --enable-ssl was given. 
    78417844if test "${enable_ssl+set}" = set; then : 
     
    79497952                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL library found, SSL support enabled" >&5 
    79507953$as_echo "OpenSSL library found, SSL support enabled" >&6; } 
     7954 
     7955                        # Check if SRTP should be compiled with OpenSSL 
     7956                        # support, to enable cryptos such as AES GCM    AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1]) 
     7957                        if test "x$ac_ssl_has_aes_gcm" = "x1"; then 
     7958                                { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&5 
     7959$as_echo "OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&6; } 
     7960                        else 
     7961                                { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&5 
     7962$as_echo "OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&6; } 
     7963                        fi 
     7964 
    79517965                        # PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK 
    79527966                        #AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1) 
  • pjproject/trunk/aconfigure.ac

    r5403 r5412  
    15761576dnl # Include SSL support 
    15771577AC_SUBST(ac_no_ssl) 
     1578AC_SUBST(ac_ssl_has_aes_gcm,0) 
    15781579AC_ARG_ENABLE(ssl, 
    15791580              AS_HELP_STRING([--disable-ssl], 
     
    16011602                if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then 
    16021603                        AC_MSG_RESULT([OpenSSL library found, SSL support enabled]) 
     1604                         
     1605                        # Check if SRTP should be compiled with OpenSSL 
     1606                        # support, to enable cryptos such as AES GCM    AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1]) 
     1607                        if test "x$ac_ssl_has_aes_gcm" = "x1"; then 
     1608                                AC_MSG_RESULT([OpenSSL has AES GCM support, SRTP will use OpenSSl version]) 
     1609                        else 
     1610                                AC_MSG_RESULT([OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos]) 
     1611                        fi 
     1612 
    16031613                        # PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK 
    16041614                        #AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1) 
  • pjproject/trunk/pjmedia/include/pjmedia/config.h

    r5410 r5412  
    954954 
    955955/** 
     956 * Maximum number of SRTP cryptos. 
     957 * 
     958 * Default: 16 
     959 */ 
     960#ifndef PJMEDIA_SRTP_MAX_CRYPTOS 
     961#   define PJMEDIA_SRTP_MAX_CRYPTOS                 16 
     962#endif 
     963 
     964 
     965/** 
     966 * Enable AES_CM_256 cryptos in SRTP. 
     967 * Default: enabled. 
     968 */ 
     969#ifndef PJMEDIA_SRTP_HAS_AES_CM_256 
     970#   define PJMEDIA_SRTP_HAS_AES_CM_256              1 
     971#endif 
     972 
     973 
     974/** 
     975 * Enable AES_CM_192 cryptos in SRTP 
     976 * Default: disabled. 
     977 */ 
     978#ifndef PJMEDIA_SRTP_HAS_AES_CM_192 
     979#   define PJMEDIA_SRTP_HAS_AES_CM_192              0 
     980#endif 
     981 
     982 
     983/** 
     984 * Enable AES_CM_128 cryptos in SRTP. 
     985 * Default: enabled. 
     986 */ 
     987#ifndef PJMEDIA_SRTP_HAS_AES_CM_128 
     988#   define PJMEDIA_SRTP_HAS_AES_CM_128              1 
     989#endif 
     990 
     991 
     992/** 
     993 * Enable AES_GCM_256 cryptos in SRTP. 
     994 * Default: disabled. 
     995 */ 
     996#ifndef PJMEDIA_SRTP_HAS_AES_GCM_256 
     997#   define PJMEDIA_SRTP_HAS_AES_GCM_256             0 
     998#endif 
     999 
     1000 
     1001/** 
     1002 * Enable AES_GCM_128 cryptos in SRTP. 
     1003 * Default: disabled. 
     1004 */ 
     1005#ifndef PJMEDIA_SRTP_HAS_AES_GCM_128 
     1006#   define PJMEDIA_SRTP_HAS_AES_GCM_128             0 
     1007#endif 
     1008 
     1009 
     1010/** 
    9561011 * Let the library handle libsrtp initialization and deinitialization. 
    9571012 * Application may want to disable this and manually perform libsrtp 
  • pjproject/trunk/pjmedia/include/pjmedia/transport_srtp.h

    r3999 r5412  
    156156     * Specify individual crypto suite setting. 
    157157     */ 
    158     pjmedia_srtp_crypto         crypto[8]; 
     158    pjmedia_srtp_crypto         crypto[PJMEDIA_SRTP_MAX_CRYPTOS]; 
    159159 
    160160} pjmedia_srtp_setting; 
  • pjproject/trunk/pjmedia/src/pjmedia/transport_srtp.c

    r5408 r5412  
    8585} crypto_suite; 
    8686 
    87 /* Crypto suites as defined on RFC 4568 */ 
     87/* https://www.iana.org/assignments/sdp-security-descriptions/sdp-security-descriptions.xhtml */ 
    8888static crypto_suite crypto_suites[] = { 
    8989    /* plain RTP/RTCP (no cipher & no auth) */ 
    9090    {"NULL", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none}, 
    91  
     91#if defined(PJMEDIA_SRTP_HAS_AES_GCM_256) && \ 
     92    (PJMEDIA_SRTP_HAS_AES_GCM_256 != 0) 
     93    /* cipher AES_GCM, NULL auth, auth tag len = 16 octets */ 
     94    {"AEAD_AES_256_GCM", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT, 
     95        NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth}, 
     96    /* cipher AES_GCM, NULL auth, auth tag len = 8 octets */ 
     97    {"AEAD_AES_256_GCM_8", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT, 
     98        NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth}, 
     99#endif 
     100#if defined(PJMEDIA_SRTP_HAS_AES_CM_256) && \ 
     101    (PJMEDIA_SRTP_HAS_AES_CM_256 != 0) 
    92102    /* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */ 
    93103    {"AES_256_CM_HMAC_SHA1_80", AES_ICM, 46, HMAC_SHA1, 20, 10, 10, 
    94104        sec_serv_conf_and_auth}, 
    95  
    96105    /* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */ 
    97106    {"AES_256_CM_HMAC_SHA1_32", AES_ICM, 46, HMAC_SHA1, 20, 4, 10, 
    98         sec_serv_conf_and_auth}, 
    99  
    100     /* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 10 octets */ 
    101     //{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10, 
    102         //sec_serv_conf_and_auth}, 
    103  
    104     /* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 4 octets */ 
    105     //{"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10, 
    106         //sec_serv_conf_and_auth}, 
    107  
    108     /* cipher AES_CM, auth HMAC_SHA1, auth tag len = 10 octets */ 
    109     {"AES_CM_128_HMAC_SHA1_80", AES_128_ICM, 30, HMAC_SHA1, 20, 10, 10, 
    110107        sec_serv_conf_and_auth}, 
    111  
    112     /* cipher AES_CM, auth HMAC_SHA1, auth tag len = 4 octets */ 
    113     {"AES_CM_128_HMAC_SHA1_32", AES_128_ICM, 30, HMAC_SHA1, 20, 4, 10, 
     108#endif 
     109#if defined(PJMEDIA_SRTP_HAS_AES_CM_192) && \ 
     110    (PJMEDIA_SRTP_HAS_AES_CM_192 != 0) 
     111    /* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 10 octets */ 
     112    {"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10, 
    114113        sec_serv_conf_and_auth}, 
    115  
     114    /* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 4 octets */ 
     115    {"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10, 
     116        sec_serv_conf_and_auth}, 
     117#endif 
     118#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128) && \ 
     119    (PJMEDIA_SRTP_HAS_AES_GCM_128 != 0) 
     120    /* cipher AES_GCM, NULL auth, auth tag len = 16 octets */ 
     121    {"AEAD_AES_128_GCM", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT, 
     122        NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth}, 
     123 
     124    /* cipher AES_GCM, NULL auth, auth tag len = 8 octets */ 
     125    {"AEAD_AES_128_GCM_8", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT, 
     126        NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth}, 
     127#endif 
     128#if defined(PJMEDIA_SRTP_HAS_AES_CM_128) && \ 
     129    (PJMEDIA_SRTP_HAS_AES_CM_128 != 0) 
     130    /* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 10 octets */ 
     131    {"AES_CM_128_HMAC_SHA1_80", AES_ICM, 30, HMAC_SHA1, 20, 10, 10, 
     132        sec_serv_conf_and_auth}, 
     133    /* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 4 octets */ 
     134    {"AES_CM_128_HMAC_SHA1_32", AES_ICM, 30, HMAC_SHA1, 20, 4, 10, 
     135        sec_serv_conf_and_auth}, 
     136#endif 
    116137    /* 
    117138     * F8_128_HMAC_SHA1_8 not supported by libsrtp? 
  • pjproject/trunk/third_party/build/os-auto.mak.in

    r5361 r5412  
    3636else 
    3737DIRS += srtp 
     38 
     39ifeq (@ac_ssl_has_aes_gcm@,0) 
     40CIPHERS_SRC = crypto/cipher/aes.o crypto/cipher/aes_icm.o       \ 
     41              crypto/cipher/aes_cbc.o 
     42HASHES_SRC  = crypto/hash/sha1.o crypto/hash/hmac.o             \ 
     43              # crypto/hash/tmmhv2.o 
     44RNG_SRC     = crypto/rng/rand_source.o crypto/rng/prng.o        \ 
     45              crypto/rng/ctr_prng.o 
     46else 
     47CIPHERS_SRC = crypto/cipher/aes_icm_ossl.o crypto/cipher/aes_gcm_ossl.o 
     48HASHES_SRC  = crypto/hash/hmac_ossl.o 
     49RNG_SRC     = crypto/rng/rand_source_ossl.o 
     50SRTP_OTHER_CFLAGS = -DOPENSSL 
     51endif 
     52 
     53 
    3854endif 
    3955 
  • pjproject/trunk/third_party/build/srtp/Makefile

    r5261 r5412  
    11include ../../../build.mak 
    22include ../../../build/common.mak 
     3include ../os-$(OS_NAME).mak 
    34 
    45export LIBDIR := ../../lib 
     
    2930# libcrypt.a (the crypto engine)  
    3031ciphers = crypto/cipher/cipher.o crypto/cipher/null_cipher.o      \ 
    31           crypto/cipher/aes.o crypto/cipher/aes_icm.o             \ 
    32           crypto/cipher/aes_cbc.o 
     32          $(CIPHERS_SRC) 
    3333 
    34 hashes  = crypto/hash/null_auth.o crypto/hash/sha1.o \ 
    35           crypto/hash/hmac.o crypto/hash/auth.o # crypto/hash/tmmhv2.o  
     34hashes  = crypto/hash/null_auth.o crypto/hash/auth.o $(HASHES_SRC) 
    3635 
    3736replay  = crypto/replay/rdb.o crypto/replay/rdbx.o               \ 
     
    4241ust     = crypto/ust/ust.o  
    4342 
    44 rng     = crypto/rng/rand_source.o crypto/rng/prng.o crypto/rng/ctr_prng.o 
     43rng     = $(RNG_SRC) 
    4544 
    4645err     = pjlib/srtp_err.o 
     
    5554export SRTP_SRCDIR = ../../srtp 
    5655export SRTP_OBJS = $(cryptobj) $(srtpobj) 
    57 export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS) 
     56export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS) $(SRTP_OTHER_CFLAGS) 
    5857export SRTP_LDFLAGS = $(PJLIB_LDLIB) $(_LDFLAGS) 
    5958 
Note: See TracChangeset for help on using the changeset viewer.