Changeset 5412

Timestamp:

Aug 8, 2016 9:09:29 AM (8 years ago)

Author:

ming

Message:

Re #1943: AES-GCM crypto support for SRTP

Special thanks to Alexander Traud for the patch.

Location:

pjproject/trunk

Files:

• aconfigure (modified) (3 diffs)
• aconfigure.ac (modified) (2 diffs)
• pjmedia/include/pjmedia/config.h (modified) (1 diff)
• pjmedia/include/pjmedia/transport_srtp.h (modified) (1 diff)
• pjmedia/src/pjmedia/transport_srtp.c (modified) (1 diff)
• third_party/build/os-auto.mak.in (modified) (1 diff)
• third_party/build/srtp/Makefile (modified) (4 diffs)

pjproject/trunk/aconfigure

@@ -641 +641 @@
 libssl_present
 openssl_h_present
+ac_ssl_has_aes_gcm
 ac_no_ssl
 ac_webrtc_ldflags
@@ -7838 +7839 @@
 
 
+ac_ssl_has_aes_gcm=0
+
 # Check whether --enable-ssl was given.
 if test "${enable_ssl+set}" = set; then :
@@ -7949 +7952 @@
                         { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL library found, SSL support enabled" >&5
 $as_echo "OpenSSL library found, SSL support enabled" >&6; }
+
+                        # Check if SRTP should be compiled with OpenSSL
+                        # support, to enable cryptos such as AES GCM    AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1])
+                        if test "x$ac_ssl_has_aes_gcm" = "x1"; then
+                                { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&5
+$as_echo "OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&6; }
+                        else
+                                { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&5
+$as_echo "OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&6; }
+                        fi
+
                         # PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
                         #AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)

pjproject/trunk/aconfigure.ac

@@ -1576 +1576 @@
 dnl # Include SSL support
 AC_SUBST(ac_no_ssl)
+AC_SUBST(ac_ssl_has_aes_gcm,0)
 AC_ARG_ENABLE(ssl,
               AS_HELP_STRING([--disable-ssl],
@@ -1601 +1602 @@
                 if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then
                         AC_MSG_RESULT([OpenSSL library found, SSL support enabled])
+                        
+                        # Check if SRTP should be compiled with OpenSSL
+                        # support, to enable cryptos such as AES GCM    AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1])
+                        if test "x$ac_ssl_has_aes_gcm" = "x1"; then
+                                AC_MSG_RESULT([OpenSSL has AES GCM support, SRTP will use OpenSSl version])
+                        else
+                                AC_MSG_RESULT([OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos])
+                        fi
+
                         # PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
                         #AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)

pjproject/trunk/pjmedia/include/pjmedia/config.h

@@ -954 +954 @@
 
 /**
+ * Maximum number of SRTP cryptos.
+ *
+ * Default: 16
+ */
+#ifndef PJMEDIA_SRTP_MAX_CRYPTOS
+#   define PJMEDIA_SRTP_MAX_CRYPTOS                 16
+#endif
+
+
+/**
+ * Enable AES_CM_256 cryptos in SRTP.
+ * Default: enabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_CM_256
+#   define PJMEDIA_SRTP_HAS_AES_CM_256              1
+#endif
+
+
+/**
+ * Enable AES_CM_192 cryptos in SRTP
+ * Default: disabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_CM_192
+#   define PJMEDIA_SRTP_HAS_AES_CM_192              0
+#endif
+
+
+/**
+ * Enable AES_CM_128 cryptos in SRTP.
+ * Default: enabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_CM_128
+#   define PJMEDIA_SRTP_HAS_AES_CM_128              1
+#endif
+
+
+/**
+ * Enable AES_GCM_256 cryptos in SRTP.
+ * Default: disabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_GCM_256
+#   define PJMEDIA_SRTP_HAS_AES_GCM_256             0
+#endif
+
+
+/**
+ * Enable AES_GCM_128 cryptos in SRTP.
+ * Default: disabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_GCM_128
+#   define PJMEDIA_SRTP_HAS_AES_GCM_128             0
+#endif
+
+
+/**
  * Let the library handle libsrtp initialization and deinitialization.
  * Application may want to disable this and manually perform libsrtp

pjproject/trunk/pjmedia/include/pjmedia/transport_srtp.h

@@ -156 +156 @@
      * Specify individual crypto suite setting.
      */
-    pjmedia_srtp_crypto         crypto[8];
+    pjmedia_srtp_crypto         crypto[PJMEDIA_SRTP_MAX_CRYPTOS];
 
 } pjmedia_srtp_setting;

pjproject/trunk/pjmedia/src/pjmedia/transport_srtp.c

@@ -85 +85 @@
 } crypto_suite;
 
-/* Crypto suites as defined on RFC 4568 */
+/* https://www.iana.org/assignments/sdp-security-descriptions/sdp-security-descriptions.xhtml */
 static crypto_suite crypto_suites[] = {
     /* plain RTP/RTCP (no cipher & no auth) */
     {"NULL", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none},
-
+#if defined(PJMEDIA_SRTP_HAS_AES_GCM_256) && \
+    (PJMEDIA_SRTP_HAS_AES_GCM_256 != 0)
+    /* cipher AES_GCM, NULL auth, auth tag len = 16 octets */
+    {"AEAD_AES_256_GCM", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT,
+        NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth},
+    /* cipher AES_GCM, NULL auth, auth tag len = 8 octets */
+    {"AEAD_AES_256_GCM_8", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT,
+        NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth},
+#endif
+#if defined(PJMEDIA_SRTP_HAS_AES_CM_256) && \
+    (PJMEDIA_SRTP_HAS_AES_CM_256 != 0)
     /* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
     {"AES_256_CM_HMAC_SHA1_80", AES_ICM, 46, HMAC_SHA1, 20, 10, 10,
         sec_serv_conf_and_auth},
-
     /* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
     {"AES_256_CM_HMAC_SHA1_32", AES_ICM, 46, HMAC_SHA1, 20, 4, 10,
-        sec_serv_conf_and_auth},
-
-    /* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 10 octets */
-    //{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10,
-        //sec_serv_conf_and_auth},
-
-    /* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 4 octets */
-    //{"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10,
-        //sec_serv_conf_and_auth},
-
-    /* cipher AES_CM, auth HMAC_SHA1, auth tag len = 10 octets */
-    {"AES_CM_128_HMAC_SHA1_80", AES_128_ICM, 30, HMAC_SHA1, 20, 10, 10,
         sec_serv_conf_and_auth},
-
-    /* cipher AES_CM, auth HMAC_SHA1, auth tag len = 4 octets */
-    {"AES_CM_128_HMAC_SHA1_32", AES_128_ICM, 30, HMAC_SHA1, 20, 4, 10,
+#endif
+#if defined(PJMEDIA_SRTP_HAS_AES_CM_192) && \
+    (PJMEDIA_SRTP_HAS_AES_CM_192 != 0)
+    /* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 10 octets */
+    {"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10,
         sec_serv_conf_and_auth},
-
+    /* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 4 octets */
+    {"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10,
+        sec_serv_conf_and_auth},
+#endif
+#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128) && \
+    (PJMEDIA_SRTP_HAS_AES_GCM_128 != 0)
+    /* cipher AES_GCM, NULL auth, auth tag len = 16 octets */
+    {"AEAD_AES_128_GCM", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT,
+        NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth},
+
+    /* cipher AES_GCM, NULL auth, auth tag len = 8 octets */
+    {"AEAD_AES_128_GCM_8", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT,
+        NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth},
+#endif
+#if defined(PJMEDIA_SRTP_HAS_AES_CM_128) && \
+    (PJMEDIA_SRTP_HAS_AES_CM_128 != 0)
+    /* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 10 octets */
+    {"AES_CM_128_HMAC_SHA1_80", AES_ICM, 30, HMAC_SHA1, 20, 10, 10,
+        sec_serv_conf_and_auth},
+    /* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 4 octets */
+    {"AES_CM_128_HMAC_SHA1_32", AES_ICM, 30, HMAC_SHA1, 20, 4, 10,
+        sec_serv_conf_and_auth},
+#endif
     /*
      * F8_128_HMAC_SHA1_8 not supported by libsrtp?

pjproject/trunk/third_party/build/os-auto.mak.in

@@ -36 +36 @@
 else
 DIRS += srtp
+
+ifeq (@ac_ssl_has_aes_gcm@,0)
+CIPHERS_SRC = crypto/cipher/aes.o crypto/cipher/aes_icm.o       \
+              crypto/cipher/aes_cbc.o
+HASHES_SRC  = crypto/hash/sha1.o crypto/hash/hmac.o             \
+              # crypto/hash/tmmhv2.o
+RNG_SRC     = crypto/rng/rand_source.o crypto/rng/prng.o        \
+              crypto/rng/ctr_prng.o
+else
+CIPHERS_SRC = crypto/cipher/aes_icm_ossl.o crypto/cipher/aes_gcm_ossl.o
+HASHES_SRC  = crypto/hash/hmac_ossl.o
+RNG_SRC     = crypto/rng/rand_source_ossl.o
+SRTP_OTHER_CFLAGS = -DOPENSSL
+endif
+
+
 endif
 

pjproject/trunk/third_party/build/srtp/Makefile

@@ -1 +1 @@
 include ../../../build.mak
 include ../../../build/common.mak
+include ../os-$(OS_NAME).mak
 
 export LIBDIR := ../../lib
@@ -29 +30 @@
 # libcrypt.a (the crypto engine) 
 ciphers = crypto/cipher/cipher.o crypto/cipher/null_cipher.o      \
-          crypto/cipher/aes.o crypto/cipher/aes_icm.o             \
-          crypto/cipher/aes_cbc.o
+          $(CIPHERS_SRC)
 
-hashes  = crypto/hash/null_auth.o crypto/hash/sha1.o \
-          crypto/hash/hmac.o crypto/hash/auth.o # crypto/hash/tmmhv2.o 
+hashes  = crypto/hash/null_auth.o crypto/hash/auth.o $(HASHES_SRC)
 
 replay  = crypto/replay/rdb.o crypto/replay/rdbx.o               \
@@ -42 +41 @@
 ust     = crypto/ust/ust.o 
 
-rng     = crypto/rng/rand_source.o crypto/rng/prng.o crypto/rng/ctr_prng.o
+rng     = $(RNG_SRC)
 
 err     = pjlib/srtp_err.o
@@ -55 +54 @@
 export SRTP_SRCDIR = ../../srtp
 export SRTP_OBJS = $(cryptobj) $(srtpobj)
-export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS)
+export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS) $(SRTP_OTHER_CFLAGS)
 export SRTP_LDFLAGS = $(PJLIB_LDLIB) $(_LDFLAGS)