Changeset 5614 for pjproject/trunk/third_party/srtp/srtp/srtp.c
- Timestamp:
- Jul 4, 2017 5:22:51 AM (7 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
pjproject/trunk/third_party/srtp/srtp/srtp.c
r5261 r5614 9 9 /* 10 10 * 11 * Copyright (c) 2001-20 06, Cisco Systems, Inc.11 * Copyright (c) 2001-2017, Cisco Systems, Inc. 12 12 * All rights reserved. 13 13 * … … 43 43 */ 44 44 45 // Leave this as the top level import. Ensures the existence of defines 46 #include "config.h" 45 47 46 48 #include "srtp_priv.h" 49 #include "crypto_types.h" 50 #include "err.h" 47 51 #include "ekt.h" /* for SRTP Encrypted Key Transport */ 48 #include "alloc.h" /* for crypto_alloc() */52 #include "alloc.h" /* for srtp_crypto_alloc() */ 49 53 #ifdef OPENSSL 50 54 #include "aes_gcm_ossl.h" /* for AES GCM mode */ 55 # ifdef OPENSSL_KDF 56 # include <openssl/kdf.h> 57 # include "aes_icm_ossl.h" /* for AES GCM mode */ 58 # endif 51 59 #endif 52 60 53 #ifndef SRTP_KERNEL 54 # include <limits.h> 55 # ifdef HAVE_NETINET_IN_H 56 # include <netinet/in.h> 57 # elif defined(HAVE_WINSOCK2_H) 58 # include <winsock2.h> 59 # endif 60 #endif /* ! SRTP_KERNEL */ 61 #include <limits.h> 62 #ifdef HAVE_NETINET_IN_H 63 # include <netinet/in.h> 64 #elif defined(HAVE_WINSOCK2_H) 65 # include <winsock2.h> 66 #endif 61 67 62 68 63 69 /* the debug module for srtp */ 64 70 65 debug_module_t mod_srtp = {71 srtp_debug_module_t mod_srtp = { 66 72 0, /* debugging is off by default */ 67 73 "srtp" /* printable name for module */ … … 74 80 #define octets_in_rtp_extn_hdr 4 75 81 76 static err_status_t82 static srtp_err_status_t 77 83 srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) { 78 84 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; 85 int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc; 86 87 if (*pkt_octet_len < octets_in_rtp_header) 88 return srtp_err_status_bad_param; 79 89 80 90 /* Check RTP header length */ 81 int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc;82 91 if (hdr->x == 1) 83 92 rtp_header_len += octets_in_rtp_extn_hdr; 84 93 85 94 if (*pkt_octet_len < rtp_header_len) 86 return err_status_bad_param;95 return srtp_err_status_bad_param; 87 96 88 97 /* Verifing profile length. */ … … 94 103 /* profile length counts the number of 32-bit words */ 95 104 if (*pkt_octet_len < rtp_header_len) 96 return err_status_bad_param;97 } 98 return err_status_ok;105 return srtp_err_status_bad_param; 106 } 107 return srtp_err_status_ok; 99 108 } 100 109 … … 138 147 } 139 148 140 err_status_t 149 /* Release (maybe partially allocated) stream. */ 150 static void 151 srtp_stream_free(srtp_stream_ctx_t *str) { 152 unsigned int i = 0; 153 srtp_session_keys_t *session_keys = NULL; 154 155 for (i = 0; i < str->num_master_keys; i++) { 156 session_keys = &str->session_keys[i]; 157 158 if (session_keys->rtp_xtn_hdr_cipher) { 159 srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher); 160 } 161 162 if (session_keys->rtcp_cipher) { 163 srtp_cipher_dealloc(session_keys->rtcp_cipher); 164 } 165 166 if (session_keys->rtcp_auth) { 167 srtp_auth_dealloc(session_keys->rtcp_auth); 168 } 169 170 if (session_keys->rtp_cipher) { 171 srtp_cipher_dealloc(session_keys->rtp_cipher); 172 } 173 174 if (session_keys->rtp_auth) { 175 srtp_auth_dealloc(session_keys->rtp_auth); 176 } 177 178 if (session_keys->mki_id) { 179 srtp_crypto_free(session_keys->mki_id); 180 } 181 182 if (session_keys->limit) { 183 srtp_crypto_free(session_keys->limit); 184 } 185 } 186 187 srtp_crypto_free(str->session_keys); 188 189 if (str->enc_xtn_hdr) { 190 srtp_crypto_free(str->enc_xtn_hdr); 191 } 192 193 srtp_crypto_free(str); 194 } 195 196 srtp_err_status_t 141 197 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, 142 198 const srtp_policy_t *p) { 143 199 srtp_stream_ctx_t *str; 144 err_status_t stat; 200 srtp_err_status_t stat; 201 unsigned int i = 0; 202 srtp_session_keys_t *session_keys = NULL; 145 203 146 204 /* … … 153 211 154 212 /* allocate srtp stream and set str_ptr */ 155 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));213 str = (srtp_stream_ctx_t *) srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); 156 214 if (str == NULL) 157 return err_status_alloc_fail; 158 *str_ptr = str; 159 160 /* allocate cipher */ 161 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type, 162 &str->rtp_cipher, 163 p->rtp.cipher_key_len, 164 p->rtp.auth_tag_len); 215 return srtp_err_status_alloc_fail; 216 217 memset(str, 0, sizeof(srtp_stream_ctx_t)); 218 *str_ptr = str; 219 220 /* To keep backwards API compatible if someone is using multiple master 221 * keys then key should be set to NULL 222 */ 223 if (p->key != NULL) { 224 str->num_master_keys = 1; 225 } else { 226 str->num_master_keys = p->num_master_keys; 227 } 228 229 str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( 230 sizeof(srtp_session_keys_t) * str->num_master_keys); 231 232 if (str->session_keys == NULL) { 233 srtp_stream_free(str); 234 return srtp_err_status_alloc_fail; 235 } 236 237 memset(str->session_keys, 0, sizeof(srtp_session_keys_t) * str->num_master_keys); 238 239 for (i = 0; i < str->num_master_keys; i++) { 240 session_keys = &str->session_keys[i]; 241 242 /* allocate cipher */ 243 stat = srtp_crypto_kernel_alloc_cipher(p->rtp.cipher_type, 244 &session_keys->rtp_cipher, 245 p->rtp.cipher_key_len, 246 p->rtp.auth_tag_len); 247 if (stat) { 248 srtp_stream_free(str); 249 return stat; 250 } 251 252 /* allocate auth function */ 253 stat = srtp_crypto_kernel_alloc_auth(p->rtp.auth_type, 254 &session_keys->rtp_auth, 255 p->rtp.auth_key_len, 256 p->rtp.auth_tag_len); 257 if (stat) { 258 srtp_stream_free(str); 259 return stat; 260 } 261 262 /* 263 * ...and now the RTCP-specific initialization - first, allocate 264 * the cipher 265 */ 266 stat = srtp_crypto_kernel_alloc_cipher(p->rtcp.cipher_type, 267 &session_keys->rtcp_cipher, 268 p->rtcp.cipher_key_len, 269 p->rtcp.auth_tag_len); 270 if (stat) { 271 srtp_stream_free(str); 272 return stat; 273 } 274 275 /* allocate auth function */ 276 stat = srtp_crypto_kernel_alloc_auth(p->rtcp.auth_type, 277 &session_keys->rtcp_auth, 278 p->rtcp.auth_key_len, 279 p->rtcp.auth_tag_len); 280 if (stat) { 281 srtp_stream_free(str); 282 return stat; 283 } 284 285 session_keys->mki_id = NULL; 286 287 /* allocate key limit structure */ 288 session_keys->limit = (srtp_key_limit_ctx_t*) srtp_crypto_alloc(sizeof(srtp_key_limit_ctx_t)); 289 if (session_keys->limit == NULL) { 290 srtp_stream_free(str); 291 return srtp_err_status_alloc_fail; 292 } 293 } 294 295 /* allocate ekt data associated with stream */ 296 stat = srtp_ekt_alloc(&str->ekt, p->ekt); 165 297 if (stat) { 166 crypto_free(str);298 srtp_stream_free(str); 167 299 return stat; 168 300 } 169 301 170 /* allocate auth function */ 171 stat = crypto_kernel_alloc_auth(p->rtp.auth_type, 172 &str->rtp_auth, 173 p->rtp.auth_key_len, 174 p->rtp.auth_tag_len); 175 if (stat) { 176 cipher_dealloc(str->rtp_cipher); 177 crypto_free(str); 178 return stat; 179 } 180 181 /* allocate key limit structure */ 182 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t)); 183 if (str->limit == NULL) { 184 auth_dealloc(str->rtp_auth); 185 cipher_dealloc(str->rtp_cipher); 186 crypto_free(str); 187 return err_status_alloc_fail; 188 } 189 190 /* 191 * ...and now the RTCP-specific initialization - first, allocate 192 * the cipher 193 */ 194 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type, 195 &str->rtcp_cipher, 196 p->rtcp.cipher_key_len, 197 p->rtcp.auth_tag_len); 198 if (stat) { 199 auth_dealloc(str->rtp_auth); 200 cipher_dealloc(str->rtp_cipher); 201 crypto_free(str->limit); 202 crypto_free(str); 203 return stat; 204 } 205 206 /* allocate auth function */ 207 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type, 208 &str->rtcp_auth, 209 p->rtcp.auth_key_len, 210 p->rtcp.auth_tag_len); 211 if (stat) { 212 cipher_dealloc(str->rtcp_cipher); 213 auth_dealloc(str->rtp_auth); 214 cipher_dealloc(str->rtp_cipher); 215 crypto_free(str->limit); 216 crypto_free(str); 217 return stat; 218 } 219 220 /* allocate ekt data associated with stream */ 221 stat = ekt_alloc(&str->ekt, p->ekt); 222 if (stat) { 223 auth_dealloc(str->rtcp_auth); 224 cipher_dealloc(str->rtcp_cipher); 225 auth_dealloc(str->rtp_auth); 226 cipher_dealloc(str->rtp_cipher); 227 crypto_free(str->limit); 228 crypto_free(str); 229 return stat; 230 } 231 232 return err_status_ok; 233 } 234 235 err_status_t 236 srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) { 237 err_status_t status; 238 302 if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) { 303 srtp_cipher_type_id_t enc_xtn_hdr_cipher_type; 304 int enc_xtn_hdr_cipher_key_len; 305 306 str->enc_xtn_hdr = (int*) srtp_crypto_alloc(p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); 307 if (!str->enc_xtn_hdr) { 308 srtp_stream_free(str); 309 return srtp_err_status_alloc_fail; 310 } 311 memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr, p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); 312 str->enc_xtn_hdr_count = p->enc_xtn_hdr_count; 313 314 /* For GCM ciphers, the corresponding ICM cipher is used for header extensions encryption. */ 315 switch (p->rtp.cipher_type) { 316 case SRTP_AES_GCM_128: 317 enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128; 318 enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; 319 break; 320 case SRTP_AES_GCM_256: 321 enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256; 322 enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; 323 break; 324 default: 325 enc_xtn_hdr_cipher_type = p->rtp.cipher_type; 326 enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len; 327 break; 328 } 329 330 for (i = 0; i < str->num_master_keys; i++) { 331 session_keys = &str->session_keys[i]; 332 333 /* allocate cipher for extensions header encryption */ 334 stat = srtp_crypto_kernel_alloc_cipher(enc_xtn_hdr_cipher_type, 335 &session_keys->rtp_xtn_hdr_cipher, 336 enc_xtn_hdr_cipher_key_len, 337 0); 338 if (stat) { 339 srtp_stream_free(str); 340 return stat; 341 } 342 } 343 } else { 344 for (i = 0; i < str->num_master_keys; i++) { 345 session_keys = &str->session_keys[i]; 346 session_keys->rtp_xtn_hdr_cipher = NULL; 347 } 348 349 str->enc_xtn_hdr = NULL; 350 str->enc_xtn_hdr_count = 0; 351 } 352 353 return srtp_err_status_ok; 354 } 355 356 srtp_err_status_t 357 srtp_stream_dealloc(srtp_stream_ctx_t *stream, srtp_stream_ctx_t *stream_template) { 358 srtp_err_status_t status; 359 unsigned int i = 0; 360 srtp_session_keys_t *session_keys = NULL; 361 srtp_session_keys_t *template_session_keys = NULL; 362 239 363 /* 240 364 * we use a conservative deallocation strategy - if any deallocation … … 242 366 * anything else 243 367 */ 244 245 /* deallocate cipher, if it is not the same as that in template */ 246 if (session->stream_template 247 && stream->rtp_cipher == session->stream_template->rtp_cipher) { 248 /* do nothing */ 368 for ( i = 0; i < stream->num_master_keys; i++) { 369 session_keys = &stream->session_keys[i]; 370 371 if (stream_template) { 372 template_session_keys = &stream_template->session_keys[i]; 373 } else { 374 template_session_keys = NULL; 375 } 376 377 /* deallocate cipher, if it is not the same as that in template */ 378 if (template_session_keys 379 && session_keys->rtp_cipher == template_session_keys->rtp_cipher) { 380 /* do nothing */ 381 } else { 382 status = srtp_cipher_dealloc(session_keys->rtp_cipher); 383 if (status) 384 return status; 385 } 386 387 /* deallocate auth function, if it is not the same as that in template */ 388 if (template_session_keys 389 && session_keys->rtp_auth == template_session_keys->rtp_auth) { 390 /* do nothing */ 391 } else { 392 status = srtp_auth_dealloc(session_keys->rtp_auth); 393 if (status) 394 return status; 395 } 396 397 if (template_session_keys 398 && session_keys->rtp_xtn_hdr_cipher == template_session_keys->rtp_xtn_hdr_cipher) { 399 /* do nothing */ 400 } else if (session_keys->rtp_xtn_hdr_cipher) { 401 status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher); 402 if (status) 403 return status; 404 } 405 406 /* 407 * deallocate rtcp cipher, if it is not the same as that in 408 * template 409 */ 410 if (template_session_keys 411 && session_keys->rtcp_cipher == template_session_keys->rtcp_cipher) { 412 /* do nothing */ 413 } else { 414 status = srtp_cipher_dealloc(session_keys->rtcp_cipher); 415 if (status) 416 return status; 417 } 418 419 /* 420 * deallocate rtcp auth function, if it is not the same as that in 421 * template 422 */ 423 if (template_session_keys 424 && session_keys->rtcp_auth == template_session_keys->rtcp_auth) { 425 /* do nothing */ 426 } else { 427 status = srtp_auth_dealloc(session_keys->rtcp_auth); 428 if (status) 429 return status; 430 } 431 432 /* 433 * zeroize the salt value 434 */ 435 octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN); 436 octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN); 437 438 if (session_keys->mki_id) { 439 octet_string_set_to_zero(session_keys->mki_id, session_keys->mki_size); 440 srtp_crypto_free(session_keys->mki_id); 441 session_keys->mki_id = NULL; 442 } 443 444 /* deallocate key usage limit, if it is not the same as that in template */ 445 if (template_session_keys 446 && session_keys->limit == template_session_keys->limit) { 447 /* do nothing */ 448 } else { 449 srtp_crypto_free(session_keys->limit); 450 } 451 452 } 453 454 if (stream_template 455 && stream->session_keys == stream_template->session_keys) { 456 /* do nothing */ 249 457 } else { 250 status = cipher_dealloc(stream->rtp_cipher); 251 if (status) 252 return status; 253 } 254 255 /* deallocate auth function, if it is not the same as that in template */ 256 if (session->stream_template 257 && stream->rtp_auth == session->stream_template->rtp_auth) { 258 /* do nothing */ 259 } else { 260 status = auth_dealloc(stream->rtp_auth); 261 if (status) 262 return status; 263 } 264 265 /* deallocate key usage limit, if it is not the same as that in template */ 266 if (session->stream_template 267 && stream->limit == session->stream_template->limit) { 268 /* do nothing */ 269 } else { 270 crypto_free(stream->limit); 271 } 272 273 /* 274 * deallocate rtcp cipher, if it is not the same as that in 275 * template 276 */ 277 if (session->stream_template 278 && stream->rtcp_cipher == session->stream_template->rtcp_cipher) { 279 /* do nothing */ 280 } else { 281 status = cipher_dealloc(stream->rtcp_cipher); 282 if (status) 283 return status; 284 } 285 286 /* 287 * deallocate rtcp auth function, if it is not the same as that in 288 * template 289 */ 290 if (session->stream_template 291 && stream->rtcp_auth == session->stream_template->rtcp_auth) { 292 /* do nothing */ 293 } else { 294 status = auth_dealloc(stream->rtcp_auth); 295 if (status) 296 return status; 297 } 298 299 status = rdbx_dealloc(&stream->rtp_rdbx); 458 srtp_crypto_free(stream->session_keys); 459 } 460 461 status = srtp_rdbx_dealloc(&stream->rtp_rdbx); 300 462 if (status) 301 463 return status; … … 303 465 /* DAM - need to deallocate EKT here */ 304 466 305 /*306 * zeroize the salt value307 */308 memset(stream->salt, 0, SRTP_AEAD_SALT_LEN);309 memset(stream->c_salt, 0, SRTP_AEAD_SALT_LEN);310 311 467 if (stream_template 468 && stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) { 469 /* do nothing */ 470 } else if (stream->enc_xtn_hdr) { 471 srtp_crypto_free(stream->enc_xtn_hdr); 472 } 473 312 474 /* deallocate srtp stream context */ 313 crypto_free(stream);314 315 return err_status_ok;475 srtp_crypto_free(stream); 476 477 return srtp_err_status_ok; 316 478 } 317 479 … … 325 487 */ 326 488 327 err_status_t489 srtp_err_status_t 328 490 srtp_stream_clone(const srtp_stream_ctx_t *stream_template, 329 491 uint32_t ssrc, 330 492 srtp_stream_ctx_t **str_ptr) { 331 err_status_t status;493 srtp_err_status_t status; 332 494 srtp_stream_ctx_t *str; 333 334 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc); 495 unsigned int i = 0; 496 srtp_session_keys_t *session_keys = NULL; 497 const srtp_session_keys_t *template_session_keys = NULL; 498 499 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc)); 335 500 336 501 /* allocate srtp stream and set str_ptr */ 337 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));502 str = (srtp_stream_ctx_t *) srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); 338 503 if (str == NULL) 339 return err_status_alloc_fail;504 return srtp_err_status_alloc_fail; 340 505 *str_ptr = str; 341 506 342 /* set cipher and auth pointers to those of the template */ 343 str->rtp_cipher = stream_template->rtp_cipher; 344 str->rtp_auth = stream_template->rtp_auth; 345 str->rtcp_cipher = stream_template->rtcp_cipher; 346 str->rtcp_auth = stream_template->rtcp_auth; 347 348 /* set key limit to point to that of the template */ 349 status = key_limit_clone(stream_template->limit, &str->limit); 350 if (status) { 351 crypto_free(*str_ptr); 507 str->num_master_keys = stream_template->num_master_keys; 508 str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( 509 sizeof(srtp_session_keys_t) * str->num_master_keys); 510 511 if (str->session_keys == NULL) { 512 srtp_crypto_free(*str_ptr); 513 *str_ptr = NULL; 514 return srtp_err_status_alloc_fail; 515 } 516 517 for (i = 0; i < stream_template->num_master_keys; i++){ 518 session_keys = &str->session_keys[i]; 519 template_session_keys = &stream_template->session_keys[i]; 520 521 /* set cipher and auth pointers to those of the template */ 522 session_keys->rtp_cipher = template_session_keys->rtp_cipher; 523 session_keys->rtp_auth = template_session_keys->rtp_auth; 524 session_keys->rtp_xtn_hdr_cipher = template_session_keys->rtp_xtn_hdr_cipher; 525 session_keys->rtcp_cipher = template_session_keys->rtcp_cipher; 526 session_keys->rtcp_auth = template_session_keys->rtcp_auth; 527 session_keys->mki_size = template_session_keys->mki_size; 528 529 if (template_session_keys->mki_size == 0) { 530 session_keys->mki_id = NULL; 531 } else { 532 session_keys->mki_id = srtp_crypto_alloc(template_session_keys->mki_size); 533 534 if (session_keys->mki_id == NULL) { 535 return srtp_err_status_init_fail; 536 } 537 memset(session_keys->mki_id, 0x0, session_keys->mki_size); 538 memcpy(session_keys->mki_id, template_session_keys->mki_id, session_keys->mki_size); 539 } 540 /* Copy the salt values */ 541 memcpy(session_keys->salt, template_session_keys->salt, SRTP_AEAD_SALT_LEN); 542 memcpy(session_keys->c_salt, template_session_keys->c_salt, SRTP_AEAD_SALT_LEN); 543 544 /* set key limit to point to that of the template */ 545 status = srtp_key_limit_clone(template_session_keys->limit, &session_keys->limit); 546 if (status) { 547 srtp_crypto_free(*str_ptr); 548 *str_ptr = NULL; 549 return status; 550 } 551 } 552 553 554 /* initialize replay databases */ 555 status = srtp_rdbx_init(&str->rtp_rdbx, 556 srtp_rdbx_get_window_size(&stream_template->rtp_rdbx)); 557 if (status) { 558 srtp_crypto_free(*str_ptr); 352 559 *str_ptr = NULL; 353 560 return status; 354 561 } 355 356 /* initialize replay databases */ 357 status = rdbx_init(&str->rtp_rdbx, 358 rdbx_get_window_size(&stream_template->rtp_rdbx)); 359 if (status) { 360 crypto_free(*str_ptr); 361 *str_ptr = NULL; 362 return status; 363 } 364 rdb_init(&str->rtcp_rdb); 562 srtp_rdb_init(&str->rtcp_rdb); 365 563 str->allow_repeat_tx = stream_template->allow_repeat_tx; 366 564 367 565 /* set ssrc to that provided */ 368 566 str->ssrc = ssrc; 567 568 /* reset pending ROC */ 569 str->pending_roc = 0; 369 570 370 571 /* set direction and security services */ … … 376 577 str->ekt = stream_template->ekt; 377 578 378 /* Copy the salt values*/379 memcpy(str->salt, stream_template->salt, SRTP_AEAD_SALT_LEN);380 memcpy(str->c_salt, stream_template->c_salt, SRTP_AEAD_SALT_LEN);579 /* copy information about extensions header encryption */ 580 str->enc_xtn_hdr = stream_template->enc_xtn_hdr; 581 str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count; 381 582 382 583 /* defensive coding */ 383 584 str->next = NULL; 384 385 return err_status_ok; 585 return srtp_err_status_ok; 386 586 } 387 587 … … 409 609 label_rtcp_encryption = 0x03, 410 610 label_rtcp_msg_auth = 0x04, 411 label_rtcp_salt = 0x05 611 label_rtcp_salt = 0x05, 612 label_rtp_header_encryption = 0x06, 613 label_rtp_header_salt = 0x07 412 614 } srtp_prf_label; 413 615 616 #define MAX_SRTP_KEY_LEN 256 617 618 #if defined(OPENSSL) && defined(OPENSSL_KDF) 619 #define MAX_SRTP_AESKEY_LEN 32 620 #define MAX_SRTP_SALT_LEN 14 414 621 415 622 /* … … 417 624 * default KDF is the only one implemented at present. 418 625 */ 419 420 626 typedef struct { 421 cipher_t *cipher; /* cipher used for key derivation */ 627 uint8_t master_key[MAX_SRTP_AESKEY_LEN]; 628 uint8_t master_salt[MAX_SRTP_SALT_LEN]; 629 const EVP_CIPHER *evp; 422 630 } srtp_kdf_t; 423 631 424 err_status_t 425 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, int length) { 426 427 err_status_t stat; 428 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length, 0); 429 if (stat) 430 return stat; 431 432 stat = cipher_init(kdf->cipher, key); 433 if (stat) { 434 cipher_dealloc(kdf->cipher); 435 return stat; 436 } 437 438 return err_status_ok; 439 } 440 441 err_status_t 442 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, 443 uint8_t *key, unsigned int length) { 444 445 v128_t nonce; 446 err_status_t status; 632 633 static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int key_len, int salt_len) 634 { 635 memset(kdf, 0x0, sizeof(srtp_kdf_t)); 636 637 /* The NULL cipher has zero key length */ 638 if (key_len == 0) return srtp_err_status_ok; 639 640 if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) { 641 return srtp_err_status_bad_param; 642 } 643 switch (key_len) { 644 case SRTP_AES_256_KEYSIZE: 645 kdf->evp = EVP_aes_256_ctr(); 646 break; 647 case SRTP_AES_192_KEYSIZE: 648 kdf->evp = EVP_aes_192_ctr(); 649 break; 650 case SRTP_AES_128_KEYSIZE: 651 kdf->evp = EVP_aes_128_ctr(); 652 break; 653 default: 654 return srtp_err_status_bad_param; 655 break; 656 } 657 memcpy(kdf->master_key, key, key_len); 658 memcpy(kdf->master_salt, key+key_len, salt_len); 659 return srtp_err_status_ok; 660 } 661 662 static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, uint8_t *key, unsigned int length) 663 { 664 int ret; 665 666 /* The NULL cipher will not have an EVP */ 667 if (!kdf->evp) return srtp_err_status_ok; 668 octet_string_set_to_zero(key, length); 669 670 /* 671 * Invoke the OpenSSL SRTP KDF function 672 * This is useful if OpenSSL is in FIPS mode and FIP 673 * compliance is required for SRTP. 674 */ 675 ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key, (char *)&kdf->master_salt, NULL, NULL, label, (char *)key); 676 if (ret == -1) { 677 return (srtp_err_status_algo_fail); 678 } 679 680 return srtp_err_status_ok; 681 } 682 683 static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) { 684 octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN); 685 octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN); 686 kdf->evp = NULL; 687 688 return srtp_err_status_ok; 689 } 690 691 #else /* if OPENSSL_KDF */ 692 693 /* 694 * srtp_kdf_t represents a key derivation function. The SRTP 695 * default KDF is the only one implemented at present. 696 */ 697 typedef struct { 698 srtp_cipher_t *cipher; /* cipher used for key derivation */ 699 } srtp_kdf_t; 700 701 static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int key_len) 702 { 703 srtp_cipher_type_id_t cipher_id; 704 srtp_err_status_t stat; 705 switch (key_len) { 706 case SRTP_AES_ICM_256_KEY_LEN_WSALT: 707 cipher_id = SRTP_AES_ICM_256; 708 break; 709 case SRTP_AES_ICM_192_KEY_LEN_WSALT: 710 cipher_id = SRTP_AES_ICM_192; 711 break; 712 case SRTP_AES_ICM_128_KEY_LEN_WSALT: 713 cipher_id = SRTP_AES_ICM_128; 714 break; 715 default: 716 return srtp_err_status_bad_param; 717 break; 718 } 719 720 stat = srtp_crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, key_len, 0); 721 if (stat) return stat; 722 723 stat = srtp_cipher_init(kdf->cipher, key); 724 if (stat) { 725 srtp_cipher_dealloc(kdf->cipher); 726 return stat; 727 } 728 return srtp_err_status_ok; 729 } 730 731 static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, uint8_t *key, unsigned int length) 732 { 733 srtp_err_status_t status; 734 v128_t nonce; 447 735 448 /* set eigth octet of nonce to <label>, set the rest of it to zero */449 v128_set_to_zero(&nonce);450 nonce.v8[7] = label;736 /* set eigth octet of nonce to <label>, set the rest of it to zero */ 737 v128_set_to_zero(&nonce); 738 nonce.v8[7] = label; 451 739 452 status = cipher_set_iv(kdf->cipher, &nonce, direction_encrypt); 453 if (status) 454 return status; 740 status = srtp_cipher_set_iv(kdf->cipher, (uint8_t*)&nonce, srtp_direction_encrypt); 741 if (status) return status; 455 742 456 /* generate keystream output */ 457 octet_string_set_to_zero(key, length); 458 status = cipher_encrypt(kdf->cipher, key, &length); 459 if (status) 460 return status; 461 462 return err_status_ok; 463 } 464 465 err_status_t 466 srtp_kdf_clear(srtp_kdf_t *kdf) { 467 err_status_t status; 468 status = cipher_dealloc(kdf->cipher); 469 if (status) 470 return status; 471 kdf->cipher = NULL; 472 473 return err_status_ok; 474 } 743 /* generate keystream output */ 744 octet_string_set_to_zero(key, length); 745 status = srtp_cipher_encrypt(kdf->cipher, key, &length); 746 if (status) return status; 747 748 return srtp_err_status_ok; 749 } 750 751 static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) { 752 srtp_err_status_t status; 753 status = srtp_cipher_dealloc(kdf->cipher); 754 if (status) return status; 755 kdf->cipher = NULL; 756 return srtp_err_status_ok; 757 } 758 #endif /* else OPENSSL_KDF */ 475 759 476 760 /* … … 478 762 */ 479 763 480 #define MAX_SRTP_KEY_LEN 256481 764 482 765 483 766 /* Get the base key length corresponding to a given combined key+salt 484 767 * length for the given cipher. 485 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using486 * AES-128 and short salts; everything else uses a salt length of 14.487 768 * TODO: key and salt lengths should be separate fields in the policy. */ 488 static inline int base_key_length(const cipher_type_t *cipher, int key_length)769 static inline int base_key_length(const srtp_cipher_type_t *cipher, int key_length) 489 770 { 490 771 switch (cipher->id) { 491 case AES_128_ICM:492 case AES_192_ICM:493 case AES_256_ICM:772 case SRTP_AES_ICM_128: 773 case SRTP_AES_ICM_192: 774 case SRTP_AES_ICM_256: 494 775 /* The legacy modes are derived from 495 776 * the configured key length on the policy */ 496 return key_length - 14;777 return key_length - SRTP_SALT_LEN; 497 778 break; 498 case AES_128_GCM:499 return 16;779 case SRTP_AES_GCM_128: 780 return key_length - SRTP_AEAD_SALT_LEN; 500 781 break; 501 case AES_256_GCM:502 return 32;782 case SRTP_AES_GCM_256: 783 return key_length - SRTP_AEAD_SALT_LEN; 503 784 break; 504 785 default: … … 508 789 } 509 790 510 err_status_t 511 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) { 512 err_status_t stat; 791 unsigned int 792 srtp_validate_policy_master_keys(const srtp_policy_t *policy) 793 { 794 int i = 0; 795 796 if (policy->key == NULL) { 797 if (policy->num_master_keys <= 0) 798 return 0; 799 800 if (policy->num_master_keys > SRTP_MAX_NUM_MASTER_KEYS) 801 return 0; 802 803 for (i = 0; i < policy->num_master_keys; i++) { 804 if (policy->keys[i]->key == NULL) 805 return 0; 806 if (policy->keys[i]->mki_size > SRTP_MAX_MKI_LEN) 807 return 0; 808 } 809 } 810 811 return 1; 812 } 813 814 srtp_session_keys_t* 815 srtp_get_session_keys_with_mki_index(srtp_stream_ctx_t *stream, 816 unsigned int use_mki, 817 unsigned int mki_index) { 818 if (use_mki) { 819 if (mki_index < stream->num_master_keys) { 820 return &stream->session_keys[mki_index]; 821 } 822 } 823 824 return &stream->session_keys[0]; 825 } 826 827 unsigned int 828 srtp_inject_mki(uint8_t *mki_tag_location, srtp_session_keys_t* session_keys, 829 unsigned int use_mki) 830 { 831 unsigned int mki_size = 0; 832 833 if (use_mki) { 834 mki_size = session_keys->mki_size; 835 836 if (mki_size != 0) { 837 // Write MKI into memory 838 memcpy(mki_tag_location, session_keys->mki_id, mki_size); 839 } 840 } 841 842 return mki_size; 843 } 844 845 srtp_err_status_t 846 srtp_stream_init_all_master_keys(srtp_stream_ctx_t *srtp, 847 unsigned char *key, 848 srtp_master_key_t **keys, 849 const unsigned int max_master_keys) { 850 int i = 0; 851 srtp_err_status_t status = srtp_err_status_ok; 852 srtp_master_key_t single_master_key; 853 854 if ( key != NULL ) { 855 srtp->num_master_keys = 1; 856 single_master_key.key = key; 857 single_master_key.mki_id = NULL; 858 single_master_key.mki_size = 0; 859 status = srtp_stream_init_keys(srtp, &single_master_key, 0); 860 } else { 861 srtp->num_master_keys = max_master_keys; 862 863 for (i = 0; i < srtp->num_master_keys && i < SRTP_MAX_NUM_MASTER_KEYS; i++) { 864 status = srtp_stream_init_keys(srtp, keys[i], i); 865 866 if (status) { 867 return status; 868 } 869 } 870 } 871 872 return status; 873 } 874 875 srtp_err_status_t 876 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, srtp_master_key_t *master_key, 877 const unsigned int current_mki_index) { 878 srtp_err_status_t stat; 513 879 srtp_kdf_t kdf; 514 880 uint8_t tmp_key[MAX_SRTP_KEY_LEN]; … … 516 882 int rtp_base_key_len, rtp_salt_len; 517 883 int rtcp_base_key_len, rtcp_salt_len; 884 srtp_session_keys_t *session_keys = NULL; 885 unsigned char *key = master_key->key; 518 886 519 887 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ 520 888 /* TODO: kdf algorithm, master key length, and master salt length should 521 889 * be part of srtp_policy_t. */ 522 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher); 523 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher); 524 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen); 890 session_keys = &srtp->session_keys[current_mki_index]; 891 892 /* initialize key limit to maximum value */ 893 #ifdef NO_64BIT_MATH 894 { 895 uint64_t temp; 896 temp = make64(UINT_MAX,UINT_MAX); 897 srtp_key_limit_set(session_keys->limit, temp); 898 } 899 #else 900 srtp_key_limit_set(session_keys->limit, 0xffffffffffffLL); 901 #endif 902 903 904 if ( master_key->mki_size != 0 ) { 905 session_keys->mki_id = srtp_crypto_alloc(master_key->mki_size); 906 907 if (session_keys->mki_id == NULL) { 908 return srtp_err_status_init_fail; 909 } 910 memset(session_keys->mki_id, 0x0, master_key->mki_size); 911 memcpy(session_keys->mki_id, master_key->mki_id, master_key->mki_size); 912 } else { 913 session_keys->mki_id = NULL; 914 } 915 916 session_keys->mki_size = master_key->mki_size; 917 918 rtp_keylen = srtp_cipher_get_key_length(session_keys->rtp_cipher); 919 rtcp_keylen = srtp_cipher_get_key_length(session_keys->rtcp_cipher); 920 rtp_base_key_len = base_key_length(session_keys->rtp_cipher->type, rtp_keylen); 525 921 rtp_salt_len = rtp_keylen - rtp_base_key_len; 526 922 … … 548 944 549 945 /* initialize KDF state */ 550 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)tmp_key, kdf_keylen); 946 #if defined(OPENSSL) && defined(OPENSSL_KDF) 947 stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, rtp_base_key_len, rtp_salt_len); 948 #else 949 stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, kdf_keylen); 950 #endif 551 951 if (stat) { 552 return err_status_init_fail; 952 /* zeroize temp buffer */ 953 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 954 return srtp_err_status_init_fail; 553 955 } 554 956 … … 559 961 /* zeroize temp buffer */ 560 962 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 561 return err_status_init_fail;963 return srtp_err_status_init_fail; 562 964 } 563 965 debug_print(mod_srtp, "cipher key: %s", 564 octet_string_hex_string(tmp_key, rtp_base_key_len));966 srtp_octet_string_hex_string(tmp_key, rtp_base_key_len)); 565 967 566 968 /* … … 577 979 /* zeroize temp buffer */ 578 980 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 579 return err_status_init_fail;580 } 581 memcpy(s rtp->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN);981 return srtp_err_status_init_fail; 982 } 983 memcpy(session_keys->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN); 582 984 } 583 985 if (rtp_salt_len > 0) { 584 986 debug_print(mod_srtp, "cipher salt: %s", 585 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len));987 srtp_octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len)); 586 988 } 587 989 588 990 /* initialize cipher */ 589 stat = cipher_init(srtp->rtp_cipher, tmp_key);991 stat = srtp_cipher_init(session_keys->rtp_cipher, tmp_key); 590 992 if (stat) { 591 993 /* zeroize temp buffer */ 592 994 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 593 return err_status_init_fail; 995 return srtp_err_status_init_fail; 996 } 997 998 if (session_keys->rtp_xtn_hdr_cipher) { 999 /* generate extensions header encryption key */ 1000 int rtp_xtn_hdr_keylen; 1001 int rtp_xtn_hdr_base_key_len; 1002 int rtp_xtn_hdr_salt_len; 1003 srtp_kdf_t tmp_kdf; 1004 srtp_kdf_t *xtn_hdr_kdf; 1005 1006 if (session_keys->rtp_xtn_hdr_cipher->type != session_keys->rtp_cipher->type) { 1007 /* With GCM ciphers, the header extensions are still encrypted using the corresponding ICM cipher. */ 1008 /* See https://tools.ietf.org/html/rfc7714#section-8.3 */ 1009 uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN]; 1010 rtp_xtn_hdr_keylen = srtp_cipher_get_key_length(session_keys->rtp_xtn_hdr_cipher); 1011 rtp_xtn_hdr_base_key_len = base_key_length(session_keys->rtp_xtn_hdr_cipher->type, 1012 rtp_xtn_hdr_keylen); 1013 rtp_xtn_hdr_salt_len = rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len; 1014 if (rtp_xtn_hdr_salt_len > rtp_salt_len) { 1015 switch (session_keys->rtp_cipher->type->id) { 1016 case SRTP_AES_GCM_128: 1017 case SRTP_AES_GCM_256: 1018 /* The shorter GCM salt is padded to the required ICM salt length. */ 1019 rtp_xtn_hdr_salt_len = rtp_salt_len; 1020 break; 1021 default: 1022 /* zeroize temp buffer */ 1023 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1024 return srtp_err_status_bad_param; 1025 } 1026 } 1027 memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN); 1028 memcpy(tmp_xtn_hdr_key, key, (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_len)); 1029 xtn_hdr_kdf = &tmp_kdf; 1030 1031 /* initialize KDF state */ 1032 #if defined(OPENSSL) && defined(OPENSSL_KDF) 1033 stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len); 1034 #else 1035 stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, kdf_keylen); 1036 #endif 1037 octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN); 1038 if (stat) { 1039 /* zeroize temp buffer */ 1040 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1041 return srtp_err_status_init_fail; 1042 } 1043 } else { 1044 /* Reuse main KDF. */ 1045 rtp_xtn_hdr_keylen = rtp_keylen; 1046 rtp_xtn_hdr_base_key_len = rtp_base_key_len; 1047 rtp_xtn_hdr_salt_len = rtp_salt_len; 1048 xtn_hdr_kdf = &kdf; 1049 } 1050 1051 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption, 1052 tmp_key, rtp_xtn_hdr_base_key_len); 1053 if (stat) { 1054 /* zeroize temp buffer */ 1055 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1056 return srtp_err_status_init_fail; 1057 } 1058 debug_print(mod_srtp, "extensions cipher key: %s", 1059 srtp_octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len)); 1060 1061 /* 1062 * if the cipher in the srtp context uses a salt, then we need 1063 * to generate the salt value 1064 */ 1065 if (rtp_xtn_hdr_salt_len > 0) { 1066 debug_print(mod_srtp, "found rtp_xtn_hdr_salt_len > 0, generating salt", NULL); 1067 1068 /* generate encryption salt, put after encryption key */ 1069 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt, 1070 tmp_key + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len); 1071 if (stat) { 1072 /* zeroize temp buffer */ 1073 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1074 return srtp_err_status_init_fail; 1075 } 1076 } 1077 if (rtp_xtn_hdr_salt_len > 0) { 1078 debug_print(mod_srtp, "extensions cipher salt: %s", 1079 srtp_octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len)); 1080 } 1081 1082 /* initialize extensions header cipher */ 1083 stat = srtp_cipher_init(session_keys->rtp_xtn_hdr_cipher, tmp_key); 1084 if (stat) { 1085 /* zeroize temp buffer */ 1086 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1087 return srtp_err_status_init_fail; 1088 } 1089 1090 if (xtn_hdr_kdf != &kdf) { 1091 /* release memory for custom header extension encryption kdf */ 1092 stat = srtp_kdf_clear(xtn_hdr_kdf); 1093 if (stat) { 1094 /* zeroize temp buffer */ 1095 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1096 return srtp_err_status_init_fail; 1097 } 1098 } 594 1099 } 595 1100 596 1101 /* generate authentication key */ 597 1102 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, 598 tmp_key, auth_get_key_length(srtp->rtp_auth));1103 tmp_key, srtp_auth_get_key_length(session_keys->rtp_auth)); 599 1104 if (stat) { 600 1105 /* zeroize temp buffer */ 601 1106 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 602 return err_status_init_fail;1107 return srtp_err_status_init_fail; 603 1108 } 604 1109 debug_print(mod_srtp, "auth key: %s", 605 octet_string_hex_string(tmp_key,606 auth_get_key_length(srtp->rtp_auth)));1110 srtp_octet_string_hex_string(tmp_key, 1111 srtp_auth_get_key_length(session_keys->rtp_auth))); 607 1112 608 1113 /* initialize auth function */ 609 stat = auth_init(srtp->rtp_auth, tmp_key);1114 stat = srtp_auth_init(session_keys->rtp_auth, tmp_key); 610 1115 if (stat) { 611 1116 /* zeroize temp buffer */ 612 1117 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 613 return err_status_init_fail;1118 return srtp_err_status_init_fail; 614 1119 } 615 1120 … … 618 1123 */ 619 1124 620 rtcp_base_key_len = base_key_length(s rtp->rtcp_cipher->type, rtcp_keylen);1125 rtcp_base_key_len = base_key_length(session_keys->rtcp_cipher->type, rtcp_keylen); 621 1126 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; 622 1127 debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len); … … 628 1133 /* zeroize temp buffer */ 629 1134 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 630 return err_status_init_fail;1135 return srtp_err_status_init_fail; 631 1136 } 632 1137 … … 645 1150 /* zeroize temp buffer */ 646 1151 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 647 return err_status_init_fail;648 } 649 memcpy(s rtp->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN);1152 return srtp_err_status_init_fail; 1153 } 1154 memcpy(session_keys->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN); 650 1155 } 651 1156 debug_print(mod_srtp, "rtcp cipher key: %s", 652 octet_string_hex_string(tmp_key, rtcp_base_key_len));1157 srtp_octet_string_hex_string(tmp_key, rtcp_base_key_len)); 653 1158 if (rtcp_salt_len > 0) { 654 1159 debug_print(mod_srtp, "rtcp cipher salt: %s", 655 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_len));1160 srtp_octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_len)); 656 1161 } 657 1162 658 1163 /* initialize cipher */ 659 stat = cipher_init(srtp->rtcp_cipher, tmp_key);1164 stat = srtp_cipher_init(session_keys->rtcp_cipher, tmp_key); 660 1165 if (stat) { 661 1166 /* zeroize temp buffer */ 662 1167 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 663 return err_status_init_fail;1168 return srtp_err_status_init_fail; 664 1169 } 665 1170 666 1171 /* generate authentication key */ 667 1172 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, 668 tmp_key, auth_get_key_length(srtp->rtcp_auth));1173 tmp_key, srtp_auth_get_key_length(session_keys->rtcp_auth)); 669 1174 if (stat) { 670 1175 /* zeroize temp buffer */ 671 1176 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 672 return err_status_init_fail;1177 return srtp_err_status_init_fail; 673 1178 } 674 1179 675 1180 debug_print(mod_srtp, "rtcp auth key: %s", 676 octet_string_hex_string(tmp_key,677 auth_get_key_length(srtp->rtcp_auth)));1181 srtp_octet_string_hex_string(tmp_key, 1182 srtp_auth_get_key_length(session_keys->rtcp_auth))); 678 1183 679 1184 /* initialize auth function */ 680 stat = auth_init(srtp->rtcp_auth, tmp_key);1185 stat = srtp_auth_init(session_keys->rtcp_auth, tmp_key); 681 1186 if (stat) { 682 1187 /* zeroize temp buffer */ 683 1188 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 684 return err_status_init_fail;1189 return srtp_err_status_init_fail; 685 1190 } 686 1191 687 1192 /* clear memory then return */ 688 1193 stat = srtp_kdf_clear(&kdf); 689 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1194 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 690 1195 if (stat) 691 return err_status_init_fail;692 693 return err_status_ok;694 } 695 696 err_status_t1196 return srtp_err_status_init_fail; 1197 1198 return srtp_err_status_ok; 1199 } 1200 1201 srtp_err_status_t 697 1202 srtp_stream_init(srtp_stream_ctx_t *srtp, 698 1203 const srtp_policy_t *p) { 699 err_status_t err;1204 srtp_err_status_t err; 700 1205 701 1206 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", … … 708 1213 709 1214 if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000)) 710 return err_status_bad_param;1215 return srtp_err_status_bad_param; 711 1216 712 1217 if (p->window_size != 0) 713 err = rdbx_init(&srtp->rtp_rdbx, p->window_size);1218 err = srtp_rdbx_init(&srtp->rtp_rdbx, p->window_size); 714 1219 else 715 err = rdbx_init(&srtp->rtp_rdbx, 128);1220 err = srtp_rdbx_init(&srtp->rtp_rdbx, 128); 716 1221 if (err) return err; 717 718 /* initialize key limit to maximum value */719 #ifdef NO_64BIT_MATH720 {721 uint64_t temp;722 temp = make64(UINT_MAX,UINT_MAX);723 key_limit_set(srtp->limit, temp);724 }725 #else726 key_limit_set(srtp->limit, 0xffffffffffffLL);727 #endif728 1222 729 1223 /* set the SSRC value */ 730 1224 srtp->ssrc = htonl(p->ssrc.value); 1225 1226 /* reset pending ROC */ 1227 srtp->pending_roc = 0; 731 1228 732 1229 /* set the security service flags */ … … 742 1239 743 1240 /* initialize SRTCP replay database */ 744 rdb_init(&srtp->rtcp_rdb);1241 srtp_rdb_init(&srtp->rtcp_rdb); 745 1242 746 1243 /* initialize allow_repeat_tx */ 747 1244 /* guard against uninitialized memory: allow only 0 or 1 here */ 748 1245 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) { 749 rdbx_dealloc(&srtp->rtp_rdbx);750 return err_status_bad_param;1246 srtp_rdbx_dealloc(&srtp->rtp_rdbx); 1247 return srtp_err_status_bad_param; 751 1248 } 752 1249 srtp->allow_repeat_tx = p->allow_repeat_tx; … … 755 1252 756 1253 /* initialize keys */ 757 err = srtp_stream_init_ keys(srtp, p->key);1254 err = srtp_stream_init_all_master_keys(srtp, p->key, p->keys, p->num_master_keys); 758 1255 if (err) { 759 rdbx_dealloc(&srtp->rtp_rdbx);1256 srtp_rdbx_dealloc(&srtp->rtp_rdbx); 760 1257 return err; 761 1258 } … … 765 1262 * the stream 766 1263 */ 767 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt);1264 err = srtp_ekt_stream_init_from_policy(srtp->ekt, p->ekt); 768 1265 if (err) { 769 rdbx_dealloc(&srtp->rtp_rdbx);1266 srtp_rdbx_dealloc(&srtp->rtp_rdbx); 770 1267 return err; 771 1268 } 772 1269 773 return err_status_ok;1270 return srtp_err_status_ok; 774 1271 } 775 1272 … … 783 1280 srtp_event_reporter(srtp_event_data_t *data) { 784 1281 785 err_report(err_level_warning, "srtp: in stream 0x%x: ",786 data->stream->ssrc);1282 srtp_err_report(srtp_err_level_warning, "srtp: in stream 0x%x: ", 1283 data->ssrc); 787 1284 788 1285 switch(data->event) { 789 1286 case event_ssrc_collision: 790 err_report(err_level_warning, "\tSSRC collision\n");1287 srtp_err_report(srtp_err_level_warning, "\tSSRC collision\n"); 791 1288 break; 792 1289 case event_key_soft_limit: 793 err_report(err_level_warning, "\tkey usage soft limit reached\n");1290 srtp_err_report(srtp_err_level_warning, "\tkey usage soft limit reached\n"); 794 1291 break; 795 1292 case event_key_hard_limit: 796 err_report(err_level_warning, "\tkey usage hard limit reached\n");1293 srtp_err_report(srtp_err_level_warning, "\tkey usage hard limit reached\n"); 797 1294 break; 798 1295 case event_packet_index_limit: 799 err_report(err_level_warning, "\tpacket index limit reached\n");1296 srtp_err_report(srtp_err_level_warning, "\tpacket index limit reached\n"); 800 1297 break; 801 1298 default: 802 err_report(err_level_warning, "\tunknown event reported to handler\n");1299 srtp_err_report(srtp_err_level_warning, "\tunknown event reported to handler\n"); 803 1300 } 804 1301 } … … 816 1313 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter; 817 1314 818 err_status_t1315 srtp_err_status_t 819 1316 srtp_install_event_handler(srtp_event_handler_func_t func) { 820 1317 … … 827 1324 /* set global event handling function */ 828 1325 srtp_event_handler = func; 829 return err_status_ok;1326 return srtp_err_status_ok; 830 1327 } 1328 1329 1330 /* 1331 * Check if the given extension header id is / should be encrypted. 1332 * Returns 1 if yes, otherwise 0. 1333 */ 1334 static int 1335 srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id) { 1336 int* enc_xtn_hdr = stream->enc_xtn_hdr; 1337 int count = stream->enc_xtn_hdr_count; 1338 1339 if (!enc_xtn_hdr || count <= 0) { 1340 return 0; 1341 } 1342 1343 while (count > 0) { 1344 if (*enc_xtn_hdr == id) { 1345 return 1; 1346 } 1347 1348 enc_xtn_hdr++; 1349 count--; 1350 } 1351 return 0; 1352 } 1353 1354 1355 /* 1356 * extensions header encryption RFC 6904 1357 */ 1358 static srtp_err_status_t 1359 srtp_process_header_encryption(srtp_stream_ctx_t *stream, 1360 srtp_hdr_xtnd_t *xtn_hdr, 1361 srtp_session_keys_t *session_keys) { 1362 srtp_err_status_t status; 1363 uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */ 1364 int keystream_pos; 1365 uint8_t* xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr; 1366 uint8_t* xtn_hdr_end = xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_t)); 1367 1368 if (ntohs(xtn_hdr->profile_specific) == 0xbede) { 1369 /* RFC 5285, section 4.2. One-Byte Header */ 1370 while (xtn_hdr_data < xtn_hdr_end) { 1371 uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4; 1372 unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1; 1373 uint32_t xlen_with_header = 1+xlen; 1374 xtn_hdr_data++; 1375 1376 if (xtn_hdr_data + xlen > xtn_hdr_end) 1377 return srtp_err_status_parse_err; 1378 1379 if (xid == 15) { 1380 /* found header 15, stop further processing. */ 1381 break; 1382 } 1383 1384 status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, 1385 keystream, &xlen_with_header); 1386 if (status) 1387 return srtp_err_status_cipher_fail; 1388 1389 if (srtp_protect_extension_header(stream, xid)) { 1390 keystream_pos = 1; 1391 while (xlen > 0) { 1392 *xtn_hdr_data ^= keystream[keystream_pos++]; 1393 xtn_hdr_data++; 1394 xlen--; 1395 } 1396 } else { 1397 xtn_hdr_data += xlen; 1398 } 1399 1400 /* skip padding bytes. */ 1401 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { 1402 xtn_hdr_data++; 1403 } 1404 } 1405 } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) { 1406 /* RFC 5285, section 4.3. Two-Byte Header */ 1407 while (xtn_hdr_data + 1 < xtn_hdr_end) { 1408 uint8_t xid = *xtn_hdr_data; 1409 unsigned int xlen = *(xtn_hdr_data+1); 1410 uint32_t xlen_with_header = 2+xlen; 1411 xtn_hdr_data += 2; 1412 1413 if (xtn_hdr_data + xlen > xtn_hdr_end) 1414 return srtp_err_status_parse_err; 1415 1416 status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, 1417 keystream, &xlen_with_header); 1418 if (status) 1419 return srtp_err_status_cipher_fail; 1420 1421 if (xlen > 0 && srtp_protect_extension_header(stream, xid)) { 1422 keystream_pos = 2; 1423 while (xlen > 0) { 1424 *xtn_hdr_data ^= keystream[keystream_pos++]; 1425 xtn_hdr_data++; 1426 xlen--; 1427 } 1428 } else { 1429 xtn_hdr_data += xlen; 1430 } 1431 1432 /* skip padding bytes. */ 1433 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { 1434 xtn_hdr_data++; 1435 } 1436 } 1437 } else { 1438 /* unsupported extension header format. */ 1439 return srtp_err_status_parse_err; 1440 } 1441 1442 return srtp_err_status_ok; 1443 } 1444 831 1445 832 1446 /* 833 1447 * AEAD uses a new IV formation method. This function implements 834 * section 9.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The835 * calculation is defined as, where (+) is the xor operation:1448 * section 8.1. (SRTP IV Formation for AES-GCM) of RFC7714. 1449 * The calculation is defined as, where (+) is the xor operation: 836 1450 * 837 1451 * … … 850 1464 * +--+--+--+--+--+--+--+--+--+--+--+--+* 851 1465 * 852 * Input: *s tream - pointer to SRTP stream context, used to retrieve853 * the SALT1466 * Input: *session_keys - pointer to SRTP stream context session keys, 1467 * used to retrieve the SALT 854 1468 * *iv - Pointer to receive the calculated IV 855 1469 * *seq - The ROC and SEQ value to use for the … … 858 1472 * 859 1473 */ 860 static void srtp_calc_aead_iv(srtp_stream_ctx_t *stream, v128_t *iv, 861 xtd_seq_num_t *seq, srtp_hdr_t *hdr) 1474 1475 static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys, v128_t *iv, 1476 srtp_xtd_seq_num_t *seq, srtp_hdr_t *hdr) 862 1477 { 863 1478 v128_t in; … … 889 1504 * Get the SALT value from the context 890 1505 */ 891 memcpy(salt.v8, s tream->salt, SRTP_AEAD_SALT_LEN);1506 memcpy(salt.v8, session_keys->salt, SRTP_AEAD_SALT_LEN); 892 1507 debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt)); 893 1508 … … 898 1513 } 899 1514 1515 1516 srtp_session_keys_t* 1517 srtp_get_session_keys(srtp_stream_ctx_t *stream, uint8_t* hdr, 1518 const unsigned int* pkt_octet_len, 1519 unsigned int* mki_size) { 1520 unsigned int base_mki_start_location = *pkt_octet_len; 1521 unsigned int mki_start_location = 0; 1522 unsigned int tag_len = 0; 1523 unsigned int i = 0; 1524 1525 // Determine the authentication tag size 1526 if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 || 1527 stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) { 1528 tag_len = 0; 1529 } else { 1530 tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); 1531 } 1532 1533 if (tag_len > base_mki_start_location) { 1534 *mki_size = 0; 1535 return NULL; 1536 } 1537 1538 base_mki_start_location -= tag_len; 1539 1540 for (i = 0; i < stream->num_master_keys; i++) { 1541 if (stream->session_keys[i].mki_size != 0) { 1542 *mki_size = stream->session_keys[i].mki_size; 1543 mki_start_location = base_mki_start_location - *mki_size; 1544 1545 if ( mki_start_location >= *mki_size && 1546 memcmp(hdr + mki_start_location, stream->session_keys[i].mki_id, *mki_size) == 0 ) { 1547 return &stream->session_keys[i]; 1548 } 1549 } 1550 } 1551 1552 *mki_size = 0; 1553 return NULL; 1554 } 1555 1556 static srtp_err_status_t 1557 srtp_estimate_index(srtp_rdbx_t *rdbx, 1558 uint32_t roc, 1559 srtp_xtd_seq_num_t *est, 1560 srtp_sequence_number_t seq, 1561 int *delta) 1562 { 1563 #ifdef NO_64BIT_MATH 1564 uint32_t internal_pkt_idx_reduced; 1565 uint32_t external_pkt_idx_reduced; 1566 uint32_t internal_roc; 1567 uint32_t roc_difference; 1568 #endif 1569 1570 #ifdef NO_64BIT_MATH 1571 *est = (srtp_xtd_seq_num_t)make64(roc >> 16, (roc << 16) | seq); 1572 *delta = low32(est) - rdbx->index; 1573 #else 1574 *est = (srtp_xtd_seq_num_t)(((uint64_t)roc) << 16) | seq; 1575 *delta = (int)(*est - rdbx->index); 1576 #endif 1577 1578 if (*est > rdbx->index) { 1579 #ifdef NO_64BIT_MATH 1580 internal_roc = (uint32_t)(rdbx->index >> 16); 1581 roc_difference = roc - internal_roc; 1582 if (roc_difference > 1) { 1583 *delta = 0; 1584 return srtp_err_status_pkt_idx_adv; 1585 } 1586 1587 internal_pkt_idx_reduced = (uint32_t)(rdbx->index & 0xFFFF); 1588 external_pkt_idx_reduced = (uint32_t)((roc_difference << 16) | seq); 1589 1590 if (external_pkt_idx_reduced - internal_pkt_idx_reduced > 1591 seq_num_median) { 1592 *delta = 0; 1593 return srtp_err_status_pkt_idx_adv; 1594 } 1595 #else 1596 if (*est - rdbx->index > seq_num_median) { 1597 *delta = 0; 1598 return srtp_err_status_pkt_idx_adv; 1599 } 1600 #endif 1601 } else if (*est < rdbx->index) { 1602 #ifdef NO_64BIT_MATH 1603 1604 internal_roc = (uint32_t)(rdbx->index >> 16); 1605 roc_difference = internal_roc - roc; 1606 if (roc_difference > 1) { 1607 *delta = 0; 1608 return srtp_err_status_pkt_idx_adv; 1609 } 1610 1611 internal_pkt_idx_reduced = 1612 (uint32_t)((roc_difference << 16) | rdbx->index & 0xFFFF); 1613 external_pkt_idx_reduced = (uint32_t)(seq); 1614 1615 if (internal_pkt_idx_reduced - external_pkt_idx_reduced > 1616 seq_num_median) { 1617 *delta = 0; 1618 return srtp_err_status_pkt_idx_old; 1619 } 1620 #else 1621 if (rdbx->index - *est > seq_num_median) { 1622 *delta = 0; 1623 return srtp_err_status_pkt_idx_old; 1624 } 1625 #endif 1626 } 1627 1628 return srtp_err_status_ok; 1629 } 1630 1631 static srtp_err_status_t 1632 srtp_get_est_pkt_index(srtp_hdr_t *hdr, 1633 srtp_stream_ctx_t *stream, 1634 srtp_xtd_seq_num_t *est, 1635 int *delta) 1636 { 1637 srtp_err_status_t result = srtp_err_status_ok; 1638 1639 if (stream->pending_roc) { 1640 result = srtp_estimate_index(&stream->rtp_rdbx, 1641 stream->pending_roc, 1642 est, 1643 ntohs(hdr->seq), 1644 delta); 1645 } else { 1646 /* estimate packet index from seq. num. in header */ 1647 *delta = srtp_rdbx_estimate_index(&stream->rtp_rdbx, 1648 est, 1649 ntohs(hdr->seq)); 1650 } 1651 1652 #ifdef NO_64BIT_MATH 1653 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(*est), low32(*est)); 1654 #else 1655 debug_print(mod_srtp, "estimated u_packet index: %016llx", *est); 1656 #endif 1657 return result; 1658 } 900 1659 901 1660 /* … … 904 1663 * encrypted and authenticated. 905 1664 */ 906 static err_status_t 907 srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, 908 void *rtp_hdr, unsigned int *pkt_octet_len) 1665 static srtp_err_status_t 1666 srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, 1667 void *rtp_hdr, unsigned int *pkt_octet_len, 1668 srtp_session_keys_t *session_keys, unsigned int use_mki) 909 1669 { 910 1670 srtp_hdr_t *hdr = (srtp_hdr_t*)rtp_hdr; 911 1671 uint32_t *enc_start; /* pointer to start of encrypted portion */ 912 1672 int enc_octet_len = 0; /* number of octets in encrypted portion */ 913 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */1673 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 914 1674 int delta; /* delta of local pkt idx and that in hdr */ 915 err_status_t status;916 int tag_len;1675 srtp_err_status_t status; 1676 uint32_t tag_len; 917 1677 v128_t iv; 918 1678 unsigned int aad_len; 1679 srtp_hdr_xtnd_t *xtn_hdr = NULL; 1680 unsigned int mki_size = 0; 1681 uint8_t *mki_location = NULL; 919 1682 920 1683 debug_print(mod_srtp, "function srtp_protect_aead", NULL); … … 925 1688 * the event handler if we hit either. 926 1689 */ 927 switch ( key_limit_update(stream->limit)) {928 case key_event_normal:1690 switch (srtp_key_limit_update(session_keys->limit)) { 1691 case srtp_key_event_normal: 929 1692 break; 930 case key_event_hard_limit:1693 case srtp_key_event_hard_limit: 931 1694 srtp_handle_event(ctx, stream, event_key_hard_limit); 932 return err_status_key_expired;933 case key_event_soft_limit:1695 return srtp_err_status_key_expired; 1696 case srtp_key_event_soft_limit: 934 1697 default: 935 1698 srtp_handle_event(ctx, stream, event_key_soft_limit); … … 938 1701 939 1702 /* get tag length from stream */ 940 tag_len = auth_get_tag_length(stream->rtp_auth);1703 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); 941 1704 942 1705 /* … … 948 1711 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; 949 1712 if (hdr->x == 1) { 950 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;1713 xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; 951 1714 enc_start += (ntohs(xtn_hdr->length) + 1); 952 1715 } 1716 /* note: the passed size is without the auth tag */ 953 1717 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len)) 954 return err_status_parse_err;1718 return srtp_err_status_parse_err; 955 1719 enc_octet_len = (int)(*pkt_octet_len - 956 1720 ((uint8_t*)enc_start - (uint8_t*)hdr)); 957 if (enc_octet_len < 0) return err_status_parse_err;1721 if (enc_octet_len < 0) return srtp_err_status_parse_err; 958 1722 959 1723 /* … … 961 1725 * and the sequence number from the header 962 1726 */ 963 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));964 status = rdbx_check(&stream->rtp_rdbx, delta);1727 delta = srtp_rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); 1728 status = srtp_rdbx_check(&stream->rtp_rdbx, delta); 965 1729 if (status) { 966 if (status != err_status_replay_fail || !stream->allow_repeat_tx) {1730 if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) { 967 1731 return status; /* we've been asked to reuse an index */ 968 1732 } 969 1733 } else { 970 rdbx_add_index(&stream->rtp_rdbx, delta);1734 srtp_rdbx_add_index(&stream->rtp_rdbx, delta); 971 1735 } 972 1736 … … 981 1745 * AEAD uses a new IV formation method 982 1746 */ 983 srtp_calc_aead_iv(stream, &iv, &est, hdr); 984 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); 985 if (status) { 986 return err_status_cipher_fail; 987 } 988 1747 srtp_calc_aead_iv(session_keys, &iv, &est, hdr); 989 1748 /* shift est, put into network byte order */ 990 1749 #ifdef NO_64BIT_MATH … … 996 1755 #endif 997 1756 1757 status = srtp_cipher_set_iv(session_keys->rtp_cipher, 1758 (uint8_t*)&iv, srtp_direction_encrypt); 1759 if (!status && session_keys->rtp_xtn_hdr_cipher) { 1760 iv.v32[0] = 0; 1761 iv.v32[1] = hdr->ssrc; 1762 iv.v64[1] = est; 1763 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, 1764 (uint8_t*)&iv, srtp_direction_encrypt); 1765 } 1766 if (status) { 1767 return srtp_err_status_cipher_fail; 1768 } 1769 1770 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { 1771 /* 1772 * extensions header encryption RFC 6904 1773 */ 1774 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); 1775 if (status) { 1776 return status; 1777 } 1778 } 1779 998 1780 /* 999 1781 * Set the AAD over the RTP header 1000 1782 */ 1001 1783 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; 1002 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len);1784 status = srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t*)hdr, aad_len); 1003 1785 if (status) { 1004 return ( err_status_cipher_fail);1786 return ( srtp_err_status_cipher_fail); 1005 1787 } 1006 1788 1007 1789 /* Encrypt the payload */ 1008 status = cipher_encrypt(stream->rtp_cipher,1790 status = srtp_cipher_encrypt(session_keys->rtp_cipher, 1009 1791 (uint8_t*)enc_start, (unsigned int *)&enc_octet_len); 1010 1792 if (status) { 1011 return err_status_cipher_fail;1793 return srtp_err_status_cipher_fail; 1012 1794 } 1013 1795 /* … … 1015 1797 * and append that to the output 1016 1798 */ 1017 status = cipher_get_tag(stream->rtp_cipher,1799 status = srtp_cipher_get_tag(session_keys->rtp_cipher, 1018 1800 (uint8_t*)enc_start+enc_octet_len, &tag_len); 1019 1801 if (status) { 1020 return ( err_status_cipher_fail); 1021 } 1802 return ( srtp_err_status_cipher_fail); 1803 } 1804 1805 mki_location = (uint8_t *)hdr + *pkt_octet_len + tag_len; 1806 mki_size = srtp_inject_mki(mki_location, session_keys, use_mki); 1022 1807 1023 1808 /* increase the packet length by the length of the auth tag */ 1024 1809 *pkt_octet_len += tag_len; 1025 1810 1026 return err_status_ok; 1811 /* increase the packet length by the length of the mki_size */ 1812 *pkt_octet_len += mki_size; 1813 1814 return srtp_err_status_ok; 1027 1815 } 1028 1816 … … 1035 1823 * when decrypting the payload. 1036 1824 */ 1037 static err_status_t1825 static srtp_err_status_t 1038 1826 srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, 1039 xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_len) 1827 srtp_xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_len, 1828 srtp_session_keys_t *session_keys, unsigned int mki_size) 1040 1829 { 1041 1830 srtp_hdr_t *hdr = (srtp_hdr_t*)srtp_hdr; … … 1043 1832 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 1044 1833 v128_t iv; 1045 err_status_t status;1834 srtp_err_status_t status; 1046 1835 int tag_len; 1047 1836 unsigned int aad_len; 1837 srtp_hdr_xtnd_t *xtn_hdr = NULL; 1048 1838 1049 1839 debug_print(mod_srtp, "function srtp_unprotect_aead", NULL); … … 1056 1846 1057 1847 /* get tag length from stream */ 1058 tag_len = auth_get_tag_length(stream->rtp_auth);1848 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); 1059 1849 1060 1850 /* 1061 1851 * AEAD uses a new IV formation method 1062 1852 */ 1063 srtp_calc_aead_iv(stream, &iv, &est, hdr); 1064 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); 1853 srtp_calc_aead_iv(session_keys, &iv, &est, hdr); 1854 status = srtp_cipher_set_iv(session_keys->rtp_cipher, 1855 (uint8_t*)&iv, srtp_direction_decrypt); 1856 if (!status && session_keys->rtp_xtn_hdr_cipher) { 1857 iv.v32[0] = 0; 1858 iv.v32[1] = hdr->ssrc; 1859 #ifdef NO_64BIT_MATH 1860 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), 1861 low32(est) << 16)); 1862 #else 1863 iv.v64[1] = be64_to_cpu(est << 16); 1864 #endif 1865 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, (uint8_t*)&iv, srtp_direction_encrypt); 1866 } 1065 1867 if (status) { 1066 return err_status_cipher_fail;1868 return srtp_err_status_cipher_fail; 1067 1869 } 1068 1870 … … 1075 1877 enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; 1076 1878 if (hdr->x == 1) { 1077 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;1879 xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; 1078 1880 enc_start += (ntohs(xtn_hdr->length) + 1); 1079 1881 } 1080 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len )))1081 return err_status_parse_err;1882 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len - mki_size))) 1883 return srtp_err_status_parse_err; 1082 1884 /* 1083 1885 * We pass the tag down to the cipher when doing GCM mode 1084 1886 */ 1085 enc_octet_len = (unsigned int)(*pkt_octet_len - 1887 enc_octet_len = (unsigned int)(*pkt_octet_len - mki_size - 1086 1888 ((uint8_t*)enc_start - (uint8_t*)hdr)); 1087 1889 … … 1092 1894 */ 1093 1895 if (enc_octet_len < (unsigned int) tag_len) { 1094 return err_status_cipher_fail;1896 return srtp_err_status_cipher_fail; 1095 1897 } 1096 1898 … … 1100 1902 * the event handler if we hit either. 1101 1903 */ 1102 switch ( key_limit_update(stream->limit)) {1103 case key_event_normal:1904 switch (srtp_key_limit_update(session_keys->limit)) { 1905 case srtp_key_event_normal: 1104 1906 break; 1105 case key_event_soft_limit:1907 case srtp_key_event_soft_limit: 1106 1908 srtp_handle_event(ctx, stream, event_key_soft_limit); 1107 1909 break; 1108 case key_event_hard_limit:1910 case srtp_key_event_hard_limit: 1109 1911 srtp_handle_event(ctx, stream, event_key_hard_limit); 1110 return err_status_key_expired;1912 return srtp_err_status_key_expired; 1111 1913 default: 1112 1914 break; … … 1117 1919 */ 1118 1920 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; 1119 status = cipher_set_aad(stream->rtp_cipher, (uint8_t*)hdr, aad_len);1921 status = srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t*)hdr, aad_len); 1120 1922 if (status) { 1121 return ( err_status_cipher_fail);1122 } 1123 1124 /* Decrypt the ciphertext. This also checks the auth tag based 1923 return ( srtp_err_status_cipher_fail); 1924 } 1925 1926 /* Decrypt the ciphertext. This also checks the auth tag based 1125 1927 * on the AAD we just specified above */ 1126 status = cipher_decrypt(stream->rtp_cipher,1127 (uint8_t*)enc_start, &enc_octet_len);1928 status = srtp_cipher_decrypt(session_keys->rtp_cipher, 1929 (uint8_t*)enc_start, &enc_octet_len); 1128 1930 if (status) { 1129 1931 return status; 1932 } 1933 1934 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { 1935 /* 1936 * extensions header encryption RFC 6904 1937 */ 1938 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); 1939 if (status) { 1940 return status; 1941 } 1130 1942 } 1131 1943 … … 1180 1992 * index into the replay database 1181 1993 */ 1182 rdbx_add_index(&stream->rtp_rdbx, delta);1994 srtp_rdbx_add_index(&stream->rtp_rdbx, delta); 1183 1995 1184 1996 /* decrease the packet length by the length of the auth tag */ 1185 1997 *pkt_octet_len -= tag_len; 1186 1998 1187 return err_status_ok; 1188 } 1189 1190 1191 1192 1193 err_status_t 1999 /* decrease the packet length by the length of the mki_size */ 2000 *pkt_octet_len -= mki_size; 2001 2002 return srtp_err_status_ok; 2003 } 2004 2005 2006 srtp_err_status_t 1194 2007 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { 2008 return srtp_protect_mki(ctx, rtp_hdr, pkt_octet_len, 0, 0); 2009 } 2010 2011 srtp_err_status_t 2012 srtp_protect_mki(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len, 2013 unsigned int use_mki, unsigned int mki_index ) { 1195 2014 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; 1196 2015 uint32_t *enc_start; /* pointer to start of encrypted portion */ 1197 2016 uint32_t *auth_start; /* pointer to start of auth. portion */ 1198 2017 int enc_octet_len = 0; /* number of octets in encrypted portion */ 1199 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */2018 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 1200 2019 int delta; /* delta of local pkt idx and that in hdr */ 1201 2020 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 1202 err_status_t status;2021 srtp_err_status_t status; 1203 2022 int tag_len; 1204 2023 srtp_stream_ctx_t *stream; 1205 int prefix_len; 2024 uint32_t prefix_len; 2025 srtp_hdr_xtnd_t *xtn_hdr = NULL; 2026 unsigned int mki_size = 0; 2027 srtp_session_keys_t *session_keys = NULL; 2028 uint8_t* mki_location = NULL; 2029 int advance_packet_index = 0; 1206 2030 1207 2031 debug_print(mod_srtp, "function srtp_protect", NULL); … … 1216 2040 /* check the packet length - it must at least contain a full header */ 1217 2041 if (*pkt_octet_len < octets_in_rtp_header) 1218 return err_status_bad_param;2042 return srtp_err_status_bad_param; 1219 2043 1220 2044 /* … … 1247 2071 } else { 1248 2072 /* no template stream, so we return an error */ 1249 return err_status_no_ctx;2073 return srtp_err_status_no_ctx; 1250 2074 } 1251 2075 } … … 1257 2081 * those functions. 1258 2082 */ 2083 1259 2084 if (stream->direction != dir_srtp_sender) { 1260 2085 if (stream->direction == dir_unknown) { … … 1265 2090 } 1266 2091 2092 session_keys = srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); 2093 1267 2094 /* 1268 2095 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 1269 2096 * the request to our AEAD handler. 1270 2097 */ 1271 if (stream->rtp_cipher->algorithm == AES_128_GCM || 1272 stream->rtp_cipher->algorithm == AES_256_GCM) { 1273 return srtp_protect_aead(ctx, stream, rtp_hdr, (unsigned int*)pkt_octet_len); 2098 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || 2099 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { 2100 return srtp_protect_aead(ctx, stream, rtp_hdr, 2101 (unsigned int*)pkt_octet_len, session_keys, 2102 use_mki); 1274 2103 } 1275 2104 … … 1279 2108 * the event handler if we hit either. 1280 2109 */ 1281 switch( key_limit_update(stream->limit)) {1282 case key_event_normal:2110 switch(srtp_key_limit_update(session_keys->limit)) { 2111 case srtp_key_event_normal: 1283 2112 break; 1284 case key_event_soft_limit:2113 case srtp_key_event_soft_limit: 1285 2114 srtp_handle_event(ctx, stream, event_key_soft_limit); 1286 2115 break; 1287 case key_event_hard_limit:2116 case srtp_key_event_hard_limit: 1288 2117 srtp_handle_event(ctx, stream, event_key_hard_limit); 1289 return err_status_key_expired;2118 return srtp_err_status_key_expired; 1290 2119 default: 1291 2120 break; … … 1293 2122 1294 2123 /* get tag length from stream */ 1295 tag_len = auth_get_tag_length(stream->rtp_auth);2124 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); 1296 2125 1297 2126 /* … … 1306 2135 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; 1307 2136 if (hdr->x == 1) { 1308 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;2137 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; 1309 2138 enc_start += (ntohs(xtn_hdr->length) + 1); 1310 2139 } 2140 /* note: the passed size is without the auth tag */ 1311 2141 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len)) 1312 return err_status_parse_err;2142 return srtp_err_status_parse_err; 1313 2143 enc_octet_len = (int)(*pkt_octet_len - 1314 2144 ((uint8_t*)enc_start - (uint8_t*)hdr)); 1315 if (enc_octet_len < 0) return err_status_parse_err;2145 if (enc_octet_len < 0) return srtp_err_status_parse_err; 1316 2146 } else { 1317 2147 enc_start = NULL; 1318 2148 } 2149 2150 mki_location = (uint8_t *)hdr + *pkt_octet_len; 2151 mki_size = srtp_inject_mki(mki_location, session_keys, use_mki); 1319 2152 1320 2153 /* … … 1325 2158 if (stream->rtp_services & sec_serv_auth) { 1326 2159 auth_start = (uint32_t *)hdr; 1327 auth_tag = (uint8_t *)hdr + *pkt_octet_len ;2160 auth_tag = (uint8_t *)hdr + *pkt_octet_len + mki_size; 1328 2161 } else { 1329 2162 auth_start = NULL; … … 1331 2164 } 1332 2165 1333 /* 1334 * estimate the packet index using the start of the replay window 1335 * and the sequence number from the header 1336 */ 1337 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); 1338 status = rdbx_check(&stream->rtp_rdbx, delta); 1339 if (status) { 1340 if (status != err_status_replay_fail || !stream->allow_repeat_tx) 1341 return status; /* we've been asked to reuse an index */ 1342 } 1343 else 1344 rdbx_add_index(&stream->rtp_rdbx, delta); 2166 /* 2167 * estimate the packet index using the start of the replay window 2168 * and the sequence number from the header 2169 */ 2170 status = srtp_get_est_pkt_index(hdr, 2171 stream, 2172 &est, 2173 &delta); 2174 2175 if (status && (status != srtp_err_status_pkt_idx_adv)) 2176 return status; 2177 2178 if (status == srtp_err_status_pkt_idx_adv) 2179 advance_packet_index = 1; 2180 2181 if (advance_packet_index) { 2182 srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, 2183 (uint32_t)(est >> 16), 2184 (uint16_t)(est & 0xFFFF)); 2185 stream->pending_roc = 0; 2186 srtp_rdbx_add_index(&stream->rtp_rdbx, 0); 2187 } else { 2188 status = srtp_rdbx_check(&stream->rtp_rdbx, delta); 2189 if (status) { 2190 if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) 2191 return status; /* we've been asked to reuse an index */ 2192 } 2193 srtp_rdbx_add_index(&stream->rtp_rdbx, delta); 2194 } 1345 2195 1346 2196 #ifdef NO_64BIT_MATH … … 1354 2204 * if we're using rindael counter mode, set nonce and seq 1355 2205 */ 1356 if (stream->rtp_cipher->type->id == AES_ICM || 1357 stream->rtp_cipher->type->id == AES_256_ICM) { 2206 if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || 2207 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || 2208 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { 1358 2209 v128_t iv; 1359 2210 … … 1366 2217 iv.v64[1] = be64_to_cpu(est << 16); 1367 2218 #endif 1368 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); 1369 2219 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t*)&iv, srtp_direction_encrypt); 2220 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2221 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, (uint8_t*)&iv, srtp_direction_encrypt); 2222 } 1370 2223 } else { 1371 2224 v128_t iv; … … 1379 2232 #endif 1380 2233 iv.v64[1] = be64_to_cpu(est); 1381 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_encrypt); 2234 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t*)&iv, srtp_direction_encrypt); 2235 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2236 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, (uint8_t*)&iv, srtp_direction_encrypt); 2237 } 1382 2238 } 1383 2239 if (status) 1384 return err_status_cipher_fail;2240 return srtp_err_status_cipher_fail; 1385 2241 1386 2242 /* shift est, put into network byte order */ … … 1399 2255 if (auth_start) { 1400 2256 1401 prefix_len = auth_get_prefix_length(stream->rtp_auth);2257 prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); 1402 2258 if (prefix_len) { 1403 status = cipher_output(stream->rtp_cipher, auth_tag,prefix_len);2259 status = srtp_cipher_output(session_keys->rtp_cipher, auth_tag, &prefix_len); 1404 2260 if (status) 1405 return err_status_cipher_fail;2261 return srtp_err_status_cipher_fail; 1406 2262 debug_print(mod_srtp, "keystream prefix: %s", 1407 octet_string_hex_string(auth_tag, prefix_len)); 2263 srtp_octet_string_hex_string(auth_tag, prefix_len)); 2264 } 2265 } 2266 2267 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { 2268 /* 2269 * extensions header encryption RFC 6904 2270 */ 2271 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); 2272 if (status) { 2273 return status; 1408 2274 } 1409 2275 } … … 1411 2277 /* if we're encrypting, exor keystream into the message */ 1412 2278 if (enc_start) { 1413 status = cipher_encrypt(stream->rtp_cipher,1414 (uint8_t *)enc_start, (unsigned int*)&enc_octet_len);2279 status = srtp_cipher_encrypt(session_keys->rtp_cipher, 2280 (uint8_t *)enc_start, (unsigned int *)&enc_octet_len); 1415 2281 if (status) 1416 return err_status_cipher_fail;2282 return srtp_err_status_cipher_fail; 1417 2283 } 1418 2284 … … 1424 2290 1425 2291 /* initialize auth func context */ 1426 status = auth_start(stream->rtp_auth);2292 status = srtp_auth_start(session_keys->rtp_auth); 1427 2293 if (status) return status; 1428 2294 1429 2295 /* run auth func over packet */ 1430 status = auth_update(stream->rtp_auth,2296 status = srtp_auth_update(session_keys->rtp_auth, 1431 2297 (uint8_t *)auth_start, *pkt_octet_len); 1432 2298 if (status) return status; … … 1434 2300 /* run auth func over ROC, put result into auth_tag */ 1435 2301 debug_print(mod_srtp, "estimated packet index: %016llx", est); 1436 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);2302 status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, auth_tag); 1437 2303 debug_print(mod_srtp, "srtp auth tag: %s", 1438 octet_string_hex_string(auth_tag, tag_len));2304 srtp_octet_string_hex_string(auth_tag, tag_len)); 1439 2305 if (status) 1440 return err_status_auth_fail;2306 return srtp_err_status_auth_fail; 1441 2307 1442 2308 } … … 1448 2314 } 1449 2315 1450 return err_status_ok; 1451 } 1452 1453 1454 err_status_t 2316 if (use_mki) { 2317 /* increate the packet length by the mki size */ 2318 *pkt_octet_len += mki_size; 2319 } 2320 2321 return srtp_err_status_ok; 2322 } 2323 2324 2325 srtp_err_status_t 1455 2326 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { 2327 return srtp_unprotect_mki(ctx, srtp_hdr, pkt_octet_len, 0); 2328 } 2329 2330 srtp_err_status_t 2331 srtp_unprotect_mki(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len, 2332 unsigned int use_mki) { 1456 2333 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; 1457 2334 uint32_t *enc_start; /* pointer to start of encrypted portion */ … … 1459 2336 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ 1460 2337 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 1461 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */2338 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 1462 2339 int delta; /* delta of local pkt idx and that in hdr */ 1463 2340 v128_t iv; 1464 err_status_t status;2341 srtp_err_status_t status; 1465 2342 srtp_stream_ctx_t *stream; 1466 2343 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 1467 int tag_len, prefix_len; 2344 uint32_t tag_len, prefix_len; 2345 srtp_hdr_xtnd_t *xtn_hdr = NULL; 2346 unsigned int mki_size = 0; 2347 srtp_session_keys_t *session_keys = NULL; 2348 int advance_packet_index = 0; 2349 uint32_t roc_to_set = 0; 2350 uint16_t seq_to_set = 0; 1468 2351 1469 2352 debug_print(mod_srtp, "function srtp_unprotect", NULL); … … 1478 2361 /* check the packet length - it must at least contain a full header */ 1479 2362 if (*pkt_octet_len < octets_in_rtp_header) 1480 return err_status_bad_param;2363 return srtp_err_status_bad_param; 1481 2364 1482 2365 /* … … 1492 2375 stream = ctx->stream_template; 1493 2376 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)", 1494 hdr->ssrc);2377 ntohl(hdr->ssrc)); 1495 2378 1496 2379 /* … … 1499 2382 */ 1500 2383 #ifdef NO_64BIT_MATH 1501 est = ( xtd_seq_num_t) make64(0,ntohs(hdr->seq));2384 est = (srtp_xtd_seq_num_t) make64(0,ntohs(hdr->seq)); 1502 2385 delta = low32(est); 1503 2386 #else 1504 est = ( xtd_seq_num_t) ntohs(hdr->seq);2387 est = (srtp_xtd_seq_num_t) ntohs(hdr->seq); 1505 2388 delta = (int)est; 1506 2389 #endif … … 1511 2394 * key-sharing, so return an error 1512 2395 */ 1513 return err_status_no_ctx;2396 return srtp_err_status_no_ctx; 1514 2397 } 1515 2398 } else { 1516 1517 /* estimate packet index from seq. num. in header */ 1518 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); 1519 2399 status = srtp_get_est_pkt_index(hdr, 2400 stream, 2401 &est, 2402 &delta); 2403 2404 if (status && (status != srtp_err_status_pkt_idx_adv)) 2405 return status; 2406 2407 if (status == srtp_err_status_pkt_idx_adv) { 2408 advance_packet_index = 1; 2409 roc_to_set = (uint32_t)(est >> 16); 2410 seq_to_set = (uint16_t)(est & 0xFFFF); 2411 } 2412 1520 2413 /* check replay database */ 1521 status = rdbx_check(&stream->rtp_rdbx, delta); 1522 if (status) 1523 return status; 2414 if (!advance_packet_index) { 2415 status = srtp_rdbx_check(&stream->rtp_rdbx, delta); 2416 if (status) 2417 return status; 2418 } 1524 2419 } 1525 2420 … … 1531 2426 1532 2427 /* 2428 * Determine if MKI is being used and what session keys should be used 2429 */ 2430 if (use_mki) { 2431 session_keys = srtp_get_session_keys(stream, (uint8_t *)hdr, 2432 (const unsigned int*)pkt_octet_len, 2433 &mki_size); 2434 2435 if (session_keys == NULL) 2436 return srtp_err_status_bad_mki; 2437 } else { 2438 session_keys = &stream->session_keys[0]; 2439 } 2440 2441 /* 1533 2442 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 1534 2443 * the request to our AEAD handler. 1535 2444 */ 1536 if (stream->rtp_cipher->algorithm == AES_128_GCM || 1537 stream->rtp_cipher->algorithm == AES_256_GCM) { 1538 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, (unsigned int*)pkt_octet_len); 2445 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || 2446 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { 2447 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, 2448 (unsigned int*)pkt_octet_len, session_keys, 2449 mki_size); 1539 2450 } 1540 2451 1541 2452 /* get tag length from stream */ 1542 tag_len = auth_get_tag_length(stream->rtp_auth);2453 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); 1543 2454 1544 2455 /* … … 1546 2457 * happen to be using 1547 2458 */ 1548 if (s tream->rtp_cipher->type->id == AES_ICM||1549 s tream->rtp_cipher->type->id == AES_256_ICM) {1550 2459 if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || 2460 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || 2461 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { 1551 2462 /* aes counter mode */ 1552 2463 iv.v32[0] = 0; … … 1558 2469 iv.v64[1] = be64_to_cpu(est << 16); 1559 2470 #endif 1560 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); 2471 status = srtp_cipher_set_iv(session_keys->rtp_cipher, 2472 (uint8_t*)&iv, srtp_direction_decrypt); 2473 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2474 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, 2475 (uint8_t*)&iv, srtp_direction_decrypt); 2476 } 1561 2477 } else { 1562 2478 … … 1569 2485 #endif 1570 2486 iv.v64[1] = be64_to_cpu(est); 1571 status = cipher_set_iv(stream->rtp_cipher, &iv, direction_decrypt); 2487 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t*)&iv, srtp_direction_decrypt); 2488 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2489 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, (uint8_t*)&iv, srtp_direction_decrypt); 2490 } 1572 2491 } 1573 2492 if (status) 1574 return err_status_cipher_fail;2493 return srtp_err_status_cipher_fail; 1575 2494 1576 2495 /* shift est, put into network byte order */ … … 1594 2513 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; 1595 2514 if (hdr->x == 1) { 1596 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;2515 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; 1597 2516 enc_start += (ntohs(xtn_hdr->length) + 1); 1598 2517 } 1599 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len )))1600 return err_status_parse_err;1601 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - 2518 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len - mki_size))) 2519 return srtp_err_status_parse_err; 2520 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - mki_size - 1602 2521 ((uint8_t*)enc_start - (uint8_t*)hdr)); 1603 2522 } else { … … 1631 2550 * the authenticator isn't using a universal hash function 1632 2551 */ 1633 if (s tream->rtp_auth->prefix_len != 0) {2552 if (session_keys->rtp_auth->prefix_len != 0) { 1634 2553 1635 prefix_len = auth_get_prefix_length(stream->rtp_auth);1636 status = cipher_output(stream->rtp_cipher, tmp_tag,prefix_len);2554 prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); 2555 status = srtp_cipher_output(session_keys->rtp_cipher, tmp_tag, &prefix_len); 1637 2556 debug_print(mod_srtp, "keystream prefix: %s", 1638 octet_string_hex_string(tmp_tag, prefix_len));2557 srtp_octet_string_hex_string(tmp_tag, prefix_len)); 1639 2558 if (status) 1640 return err_status_cipher_fail;2559 return srtp_err_status_cipher_fail; 1641 2560 } 1642 2561 1643 2562 /* initialize auth func context */ 1644 status = auth_start(stream->rtp_auth);2563 status = srtp_auth_start(session_keys->rtp_auth); 1645 2564 if (status) return status; 1646 2565 1647 2566 /* now compute auth function over packet */ 1648 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,1649 *pkt_octet_len - tag_len );2567 status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start, 2568 *pkt_octet_len - tag_len - mki_size); 1650 2569 1651 2570 /* run auth func over ROC, then write tmp tag */ 1652 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);2571 status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, tmp_tag); 1653 2572 1654 2573 debug_print(mod_srtp, "computed auth tag: %s", 1655 octet_string_hex_string(tmp_tag, tag_len));2574 srtp_octet_string_hex_string(tmp_tag, tag_len)); 1656 2575 debug_print(mod_srtp, "packet auth tag: %s", 1657 octet_string_hex_string(auth_tag, tag_len));2576 srtp_octet_string_hex_string(auth_tag, tag_len)); 1658 2577 if (status) 1659 return err_status_auth_fail;2578 return srtp_err_status_auth_fail; 1660 2579 1661 2580 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) 1662 return err_status_auth_fail;2581 return srtp_err_status_auth_fail; 1663 2582 } 1664 2583 … … 1668 2587 * the event handler if we hit either. 1669 2588 */ 1670 switch( key_limit_update(stream->limit)) {1671 case key_event_normal:2589 switch(srtp_key_limit_update(session_keys->limit)) { 2590 case srtp_key_event_normal: 1672 2591 break; 1673 case key_event_soft_limit:2592 case srtp_key_event_soft_limit: 1674 2593 srtp_handle_event(ctx, stream, event_key_soft_limit); 1675 2594 break; 1676 case key_event_hard_limit:2595 case srtp_key_event_hard_limit: 1677 2596 srtp_handle_event(ctx, stream, event_key_hard_limit); 1678 return err_status_key_expired;2597 return srtp_err_status_key_expired; 1679 2598 default: 1680 2599 break; 1681 2600 } 1682 2601 2602 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { 2603 /* 2604 * extensions header encryption RFC 6904 2605 */ 2606 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); 2607 if (status) { 2608 return status; 2609 } 2610 } 2611 1683 2612 /* if we're decrypting, add keystream into ciphertext */ 1684 2613 if (enc_start) { 1685 status = cipher_decrypt(stream->rtp_cipher,1686 2614 status = srtp_cipher_decrypt(session_keys->rtp_cipher, 2615 (uint8_t *)enc_start, &enc_octet_len); 1687 2616 if (status) 1688 return err_status_cipher_fail;2617 return srtp_err_status_cipher_fail; 1689 2618 } 1690 2619 … … 1733 2662 stream = new_stream; 1734 2663 } 1735 2664 1736 2665 /* 1737 2666 * the message authentication function passed, so add the packet 1738 2667 * index into the replay database 1739 2668 */ 1740 rdbx_add_index(&stream->rtp_rdbx, delta); 2669 if (advance_packet_index) { 2670 srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, 2671 roc_to_set, 2672 seq_to_set); 2673 stream->pending_roc = 0; 2674 srtp_rdbx_add_index(&stream->rtp_rdbx, 0); 2675 } else { 2676 srtp_rdbx_add_index(&stream->rtp_rdbx, delta); 2677 } 1741 2678 1742 2679 /* decrease the packet length by the length of the auth tag */ 1743 2680 *pkt_octet_len -= tag_len; 1744 2681 1745 return err_status_ok; 1746 } 1747 1748 err_status_t 2682 /* decrease the packet length by the mki size */ 2683 *pkt_octet_len -= mki_size; 2684 2685 return srtp_err_status_ok; 2686 } 2687 2688 srtp_err_status_t 1749 2689 srtp_init() { 1750 err_status_t status;2690 srtp_err_status_t status; 1751 2691 1752 2692 /* initialize crypto kernel */ 1753 status = crypto_kernel_init();2693 status = srtp_crypto_kernel_init(); 1754 2694 if (status) 1755 2695 return status; 1756 2696 1757 2697 /* load srtp debug module into the kernel */ 1758 status = crypto_kernel_load_debug_module(&mod_srtp);2698 status = srtp_crypto_kernel_load_debug_module(&mod_srtp); 1759 2699 if (status) 1760 2700 return status; 1761 2701 1762 return err_status_ok;1763 } 1764 1765 err_status_t2702 return srtp_err_status_ok; 2703 } 2704 2705 srtp_err_status_t 1766 2706 srtp_shutdown() { 1767 err_status_t status;2707 srtp_err_status_t status; 1768 2708 1769 2709 /* shut down crypto kernel */ 1770 status = crypto_kernel_shutdown();2710 status = srtp_crypto_kernel_shutdown(); 1771 2711 if (status) 1772 2712 return status; … … 1774 2714 /* shutting down crypto kernel frees the srtp debug module as well */ 1775 2715 1776 return err_status_ok;2716 return srtp_err_status_ok; 1777 2717 } 1778 2718 … … 1792 2732 int 1793 2733 srtp_get_trailer_length(const srtp_stream_t s) { 1794 return auth_get_tag_length(s->rtp_auth);2734 return srtp_auth_get_tag_length(s->rtp_auth); 1795 2735 } 1796 2736 … … 1820 2760 } 1821 2761 1822 err_status_t2762 srtp_err_status_t 1823 2763 srtp_dealloc(srtp_t session) { 1824 2764 srtp_stream_ctx_t *stream; 1825 err_status_t status;2765 srtp_err_status_t status; 1826 2766 1827 2767 /* … … 1835 2775 while (stream != NULL) { 1836 2776 srtp_stream_t next = stream->next; 1837 status = srtp_stream_dealloc(s ession, stream);2777 status = srtp_stream_dealloc(stream, session->stream_template); 1838 2778 if (status) 1839 2779 return status; … … 1843 2783 /* deallocate stream template, if there is one */ 1844 2784 if (session->stream_template != NULL) { 1845 status = auth_dealloc(session->stream_template->rtcp_auth); 1846 if (status) 1847 return status; 1848 status = cipher_dealloc(session->stream_template->rtcp_cipher); 1849 if (status) 1850 return status; 1851 crypto_free(session->stream_template->limit); 1852 status = cipher_dealloc(session->stream_template->rtp_cipher); 1853 if (status) 1854 return status; 1855 status = auth_dealloc(session->stream_template->rtp_auth); 2785 status = srtp_stream_dealloc(session->stream_template, NULL); 1856 2786 if (status) 1857 2787 return status; 1858 status = rdbx_dealloc(&session->stream_template->rtp_rdbx);1859 if (status)1860 return status;1861 crypto_free(session->stream_template);1862 2788 } 1863 2789 1864 2790 /* deallocate session context */ 1865 crypto_free(session);1866 1867 return err_status_ok;1868 } 1869 1870 1871 err_status_t2791 srtp_crypto_free(session); 2792 2793 return srtp_err_status_ok; 2794 } 2795 2796 2797 srtp_err_status_t 1872 2798 srtp_add_stream(srtp_t session, 1873 2799 const srtp_policy_t *policy) { 1874 err_status_t status;2800 srtp_err_status_t status; 1875 2801 srtp_stream_t tmp; 1876 2802 1877 2803 /* sanity check arguments */ 1878 if ((session == NULL) || (policy == NULL) || ( policy->key == NULL))1879 return err_status_bad_param;2804 if ((session == NULL) || (policy == NULL) || (!srtp_validate_policy_master_keys(policy))) 2805 return srtp_err_status_bad_param; 1880 2806 1881 2807 /* allocate stream */ … … 1888 2814 status = srtp_stream_init(tmp, policy); 1889 2815 if (status) { 1890 crypto_free(tmp);2816 srtp_crypto_free(tmp); 1891 2817 return status; 1892 2818 } … … 1903 2829 case (ssrc_any_outbound): 1904 2830 if (session->stream_template) { 1905 return err_status_bad_param;2831 return srtp_err_status_bad_param; 1906 2832 } 1907 2833 session->stream_template = tmp; … … 1910 2836 case (ssrc_any_inbound): 1911 2837 if (session->stream_template) { 1912 return err_status_bad_param;2838 return srtp_err_status_bad_param; 1913 2839 } 1914 2840 session->stream_template = tmp; … … 1921 2847 case (ssrc_undefined): 1922 2848 default: 1923 crypto_free(tmp);1924 return err_status_bad_param;2849 srtp_crypto_free(tmp); 2850 return srtp_err_status_bad_param; 1925 2851 } 1926 2852 1927 return err_status_ok;1928 } 1929 1930 1931 err_status_t2853 return srtp_err_status_ok; 2854 } 2855 2856 2857 srtp_err_status_t 1932 2858 srtp_create(srtp_t *session, /* handle for session */ 1933 2859 const srtp_policy_t *policy) { /* SRTP policy (list) */ 1934 err_status_t stat;2860 srtp_err_status_t stat; 1935 2861 srtp_ctx_t *ctx; 1936 2862 1937 2863 /* sanity check arguments */ 1938 2864 if (session == NULL) 1939 return err_status_bad_param;2865 return srtp_err_status_bad_param; 1940 2866 1941 2867 /* allocate srtp context and set ctx_ptr */ 1942 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));2868 ctx = (srtp_ctx_t *) srtp_crypto_alloc(sizeof(srtp_ctx_t)); 1943 2869 if (ctx == NULL) 1944 return err_status_alloc_fail;2870 return srtp_err_status_alloc_fail; 1945 2871 *session = ctx; 1946 2872 … … 1958 2884 /* clean up everything */ 1959 2885 srtp_dealloc(*session); 2886 *session = NULL; 1960 2887 return stat; 1961 2888 } … … 1965 2892 } 1966 2893 1967 return err_status_ok;1968 } 1969 1970 1971 err_status_t2894 return srtp_err_status_ok; 2895 } 2896 2897 2898 srtp_err_status_t 1972 2899 srtp_remove_stream(srtp_t session, uint32_t ssrc) { 1973 2900 srtp_stream_ctx_t *stream, *last_stream; 1974 err_status_t status;2901 srtp_err_status_t status; 1975 2902 1976 2903 /* sanity check arguments */ 1977 2904 if (session == NULL) 1978 return err_status_bad_param;2905 return srtp_err_status_bad_param; 1979 2906 1980 2907 /* find stream in list; complain if not found */ … … 1985 2912 } 1986 2913 if (stream == NULL) 1987 return err_status_no_ctx;2914 return srtp_err_status_no_ctx; 1988 2915 1989 2916 /* remove stream from the list */ … … 1995 2922 1996 2923 /* deallocate the stream */ 1997 status = srtp_stream_dealloc(s ession, stream);2924 status = srtp_stream_dealloc(stream, session->stream_template); 1998 2925 if (status) 1999 2926 return status; 2000 2927 2001 return err_status_ok; 2928 return srtp_err_status_ok; 2929 } 2930 2931 2932 srtp_err_status_t 2933 srtp_update(srtp_t session, const srtp_policy_t *policy) { 2934 srtp_err_status_t stat; 2935 2936 /* sanity check arguments */ 2937 if ((session == NULL) || (policy == NULL) || (!srtp_validate_policy_master_keys(policy))) { 2938 return srtp_err_status_bad_param; 2939 } 2940 2941 while (policy != NULL) { 2942 stat = srtp_update_stream(session, policy); 2943 if (stat) { 2944 return stat; 2945 } 2946 2947 /* set policy to next item in list */ 2948 policy = policy->next; 2949 } 2950 return srtp_err_status_ok; 2951 } 2952 2953 2954 static srtp_err_status_t 2955 update_template_streams(srtp_t session, const srtp_policy_t *policy) { 2956 srtp_err_status_t status; 2957 srtp_stream_t new_stream_template; 2958 srtp_stream_t new_stream_list = NULL; 2959 2960 if (session->stream_template == NULL) { 2961 return srtp_err_status_bad_param; 2962 } 2963 2964 /* allocate new template stream */ 2965 status = srtp_stream_alloc(&new_stream_template, policy); 2966 if (status) { 2967 return status; 2968 } 2969 2970 /* initialize new template stream */ 2971 status = srtp_stream_init(new_stream_template, policy); 2972 if (status) { 2973 srtp_crypto_free(new_stream_template); 2974 return status; 2975 } 2976 2977 /* for all old templated streams */ 2978 for (;;) { 2979 srtp_stream_t stream; 2980 uint32_t ssrc; 2981 srtp_xtd_seq_num_t old_index; 2982 srtp_rdb_t old_rtcp_rdb; 2983 2984 stream = session->stream_list; 2985 while ((stream != NULL) && 2986 (stream->session_keys[0].rtp_auth != 2987 session->stream_template->session_keys[0].rtp_auth)) { 2988 stream = stream->next; 2989 } 2990 if (stream == NULL) { 2991 /* no more templated streams */ 2992 break; 2993 } 2994 2995 /* save old extendard seq */ 2996 ssrc = stream->ssrc; 2997 old_index = stream->rtp_rdbx.index; 2998 old_rtcp_rdb = stream->rtcp_rdb; 2999 3000 /* remove stream */ 3001 status = srtp_remove_stream(session, ssrc); 3002 if (status) { 3003 /* free new allocations */ 3004 while (new_stream_list != NULL) { 3005 srtp_stream_t next = new_stream_list->next; 3006 srtp_stream_dealloc(new_stream_list, new_stream_template); 3007 new_stream_list = next; 3008 } 3009 srtp_stream_dealloc(new_stream_template, NULL); 3010 return status; 3011 } 3012 3013 /* allocate and initialize a new stream */ 3014 status = srtp_stream_clone(new_stream_template, ssrc, &stream); 3015 if (status) { 3016 /* free new allocations */ 3017 while (new_stream_list != NULL) { 3018 srtp_stream_t next = new_stream_list->next; 3019 srtp_stream_dealloc(new_stream_list, new_stream_template); 3020 new_stream_list = next; 3021 } 3022 srtp_stream_dealloc(new_stream_template, NULL); 3023 return status; 3024 } 3025 3026 /* add new stream to the head of the new_stream_list */ 3027 stream->next = new_stream_list; 3028 new_stream_list = stream; 3029 3030 /* restore old extended seq */ 3031 stream->rtp_rdbx.index = old_index; 3032 stream->rtcp_rdb = old_rtcp_rdb; 3033 } 3034 /* dealloc old template */ 3035 srtp_stream_dealloc(session->stream_template, NULL); 3036 /* set new template */ 3037 session->stream_template = new_stream_template; 3038 /* add new list */ 3039 if (new_stream_list) { 3040 srtp_stream_t tail = new_stream_list; 3041 while (tail->next) { 3042 tail = tail->next; 3043 } 3044 tail->next = session->stream_list; 3045 session->stream_list = new_stream_list; 3046 } 3047 return status; 3048 } 3049 3050 3051 static srtp_err_status_t 3052 update_stream(srtp_t session, const srtp_policy_t *policy) { 3053 srtp_err_status_t status; 3054 srtp_xtd_seq_num_t old_index; 3055 srtp_rdb_t old_rtcp_rdb; 3056 srtp_stream_t stream; 3057 3058 stream = srtp_get_stream(session, htonl(policy->ssrc.value)); 3059 if (stream == NULL) { 3060 return srtp_err_status_bad_param; 3061 } 3062 3063 /* save old extendard seq */ 3064 old_index = stream->rtp_rdbx.index; 3065 old_rtcp_rdb = stream->rtcp_rdb; 3066 3067 status = srtp_remove_stream(session, htonl(policy->ssrc.value)); 3068 if (status) { 3069 return status; 3070 } 3071 3072 status = srtp_add_stream(session, policy); 3073 if (status) { 3074 return status; 3075 } 3076 3077 stream = srtp_get_stream(session, htonl(policy->ssrc.value)); 3078 if (stream == NULL) { 3079 return srtp_err_status_fail; 3080 } 3081 3082 /* restore old extended seq */ 3083 stream->rtp_rdbx.index = old_index; 3084 stream->rtcp_rdb = old_rtcp_rdb; 3085 3086 return srtp_err_status_ok; 3087 } 3088 3089 3090 srtp_err_status_t 3091 srtp_update_stream(srtp_t session, const srtp_policy_t *policy) { 3092 srtp_err_status_t status; 3093 3094 /* sanity check arguments */ 3095 if ((session == NULL) || (policy == NULL) || (!srtp_validate_policy_master_keys(policy))) 3096 return srtp_err_status_bad_param; 3097 3098 switch (policy->ssrc.type) { 3099 case (ssrc_any_outbound): 3100 case (ssrc_any_inbound): 3101 status = update_template_streams(session, policy); 3102 break; 3103 case (ssrc_specific): 3104 status = update_stream(session, policy); 3105 break; 3106 case (ssrc_undefined): 3107 default: 3108 return srtp_err_status_bad_param; 3109 } 3110 3111 return status; 2002 3112 } 2003 3113 2004 3114 2005 3115 /* 2006 * the default policy - provides a convenient way for callers to use3116 * The default policy - provides a convenient way for callers to use 2007 3117 * the default security policy 2008 * 2009 * this policy is that defined in the current SRTP internet draft. 3118 * 3119 * The default policy is defined in RFC 3711 3120 * (Section 5. Default and mandatory-to-implement Transforms) 2010 3121 * 2011 3122 */ … … 2018 3129 2019 3130 void 2020 crypto_policy_set_rtp_default(crypto_policy_t *p) {2021 2022 p->cipher_type = AES_ICM;2023 p->cipher_key_len = 30;/* default 128 bits per RFC 3711 */2024 p->auth_type = HMAC_SHA1;3131 srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p) { 3132 3133 p->cipher_type = SRTP_AES_ICM_128; 3134 p->cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ 3135 p->auth_type = SRTP_HMAC_SHA1; 2025 3136 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 2026 3137 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ … … 2030 3141 2031 3142 void 2032 crypto_policy_set_rtcp_default(crypto_policy_t *p) {2033 2034 p->cipher_type = AES_ICM;2035 p->cipher_key_len = 30;/* default 128 bits per RFC 3711 */2036 p->auth_type = HMAC_SHA1;3143 srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p) { 3144 3145 p->cipher_type = SRTP_AES_ICM_128; 3146 p->cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ 3147 p->auth_type = SRTP_HMAC_SHA1; 2037 3148 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 2038 3149 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ … … 2042 3153 2043 3154 void 2044 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {3155 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p) { 2045 3156 2046 3157 /* … … 2050 3161 */ 2051 3162 2052 p->cipher_type = AES_ICM;2053 p->cipher_key_len = 30;/* 128 bit key, 112 bit salt */2054 p->auth_type = HMAC_SHA1;3163 p->cipher_type = SRTP_AES_ICM_128; 3164 p->cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ 3165 p->auth_type = SRTP_HMAC_SHA1; 2055 3166 p->auth_key_len = 20; /* 160 bit key */ 2056 3167 p->auth_tag_len = 4; /* 32 bit tag */ … … 2061 3172 2062 3173 void 2063 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {3174 srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p) { 2064 3175 2065 3176 /* … … 2069 3180 */ 2070 3181 2071 p->cipher_type = AES_ICM;2072 p->cipher_key_len = 30;/* 128 bit key, 112 bit salt */2073 p->auth_type = NULL_AUTH;3182 p->cipher_type = SRTP_AES_ICM_128; 3183 p->cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ 3184 p->auth_type = SRTP_NULL_AUTH; 2074 3185 p->auth_key_len = 0; 2075 3186 p->auth_tag_len = 0; … … 2080 3191 2081 3192 void 2082 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {3193 srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p) { 2083 3194 2084 3195 /* … … 2086 3197 */ 2087 3198 2088 p->cipher_type = NULL_CIPHER;3199 p->cipher_type = SRTP_NULL_CIPHER; 2089 3200 p->cipher_key_len = 0; 2090 p->auth_type = HMAC_SHA1;3201 p->auth_type = SRTP_HMAC_SHA1; 2091 3202 p->auth_key_len = 20; 2092 3203 p->auth_tag_len = 10; … … 2095 3206 } 2096 3207 2097 2098 3208 void 2099 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) {3209 srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p) { 2100 3210 2101 3211 /* 2102 * corresponds to draft-ietf-avt-big-aes-03.txt 2103 */ 2104 2105 p->cipher_type = AES_ICM; 2106 p->cipher_key_len = 46; 2107 p->auth_type = HMAC_SHA1; 3212 * Should only be used for testing 3213 */ 3214 3215 p->cipher_type = SRTP_NULL_CIPHER; 3216 p->cipher_key_len = 0; 3217 p->auth_type = SRTP_NULL_AUTH; 3218 p->auth_key_len = 0; 3219 p->auth_tag_len = 0; 3220 p->sec_serv = sec_serv_none; 3221 3222 } 3223 3224 3225 void 3226 srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p) { 3227 3228 /* 3229 * corresponds to RFC 6188 3230 */ 3231 3232 p->cipher_type = SRTP_AES_ICM_256; 3233 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; 3234 p->auth_type = SRTP_HMAC_SHA1; 2108 3235 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 2109 3236 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ … … 2113 3240 2114 3241 void 2115 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) {3242 srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p) { 2116 3243 2117 3244 /* 2118 * corresponds to draft-ietf-avt-big-aes-03.txt3245 * corresponds to RFC 6188 2119 3246 * 2120 3247 * note that this crypto policy is intended for SRTP, but not SRTCP 2121 3248 */ 2122 3249 2123 p->cipher_type = AES_ICM;2124 p->cipher_key_len = 46;2125 p->auth_type = HMAC_SHA1;3250 p->cipher_type = SRTP_AES_ICM_256; 3251 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; 3252 p->auth_type = SRTP_HMAC_SHA1; 2126 3253 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 2127 3254 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ … … 2133 3260 */ 2134 3261 void 2135 crypto_policy_set_aes_cm_256_null_auth (crypto_policy_t *p)3262 srtp_crypto_policy_set_aes_cm_256_null_auth (srtp_crypto_policy_t *p) 2136 3263 { 2137 p->cipher_type = AES_ICM;2138 p->cipher_key_len = 46;2139 p->auth_type = NULL_AUTH;3264 p->cipher_type = SRTP_AES_ICM_256; 3265 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; 3266 p->auth_type = SRTP_NULL_AUTH; 2140 3267 p->auth_key_len = 0; 2141 3268 p->auth_tag_len = 0; … … 2144 3271 2145 3272 #ifdef OPENSSL 3273 void 3274 srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p) { 3275 3276 /* 3277 * corresponds to RFC 6188 3278 */ 3279 3280 p->cipher_type = SRTP_AES_ICM_192; 3281 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; 3282 p->auth_type = SRTP_HMAC_SHA1; 3283 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 3284 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 3285 p->sec_serv = sec_serv_conf_and_auth; 3286 } 3287 3288 3289 void 3290 srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p) { 3291 3292 /* 3293 * corresponds to RFC 6188 3294 * 3295 * note that this crypto policy is intended for SRTP, but not SRTCP 3296 */ 3297 3298 p->cipher_type = SRTP_AES_ICM_192; 3299 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; 3300 p->auth_type = SRTP_HMAC_SHA1; 3301 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 3302 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ 3303 p->sec_serv = sec_serv_conf_and_auth; 3304 } 3305 3306 /* 3307 * AES-192 with no authentication. 3308 */ 3309 void 3310 srtp_crypto_policy_set_aes_cm_192_null_auth (srtp_crypto_policy_t *p) 3311 { 3312 p->cipher_type = SRTP_AES_ICM_192; 3313 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; 3314 p->auth_type = SRTP_NULL_AUTH; 3315 p->auth_key_len = 0; 3316 p->auth_tag_len = 0; 3317 p->sec_serv = sec_serv_conf; 3318 } 3319 2146 3320 /* 2147 3321 * AES-128 GCM mode with 8 octet auth tag. 2148 3322 */ 2149 3323 void 2150 crypto_policy_set_aes_gcm_128_8_auth(crypto_policy_t *p) {2151 p->cipher_type = AES_128_GCM;2152 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;2153 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */3324 srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p) { 3325 p->cipher_type = SRTP_AES_GCM_128; 3326 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; 3327 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 2154 3328 p->auth_key_len = 0; 2155 3329 p->auth_tag_len = 8; /* 8 octet tag length */ … … 2161 3335 */ 2162 3336 void 2163 crypto_policy_set_aes_gcm_256_8_auth(crypto_policy_t *p) {2164 p->cipher_type = AES_256_GCM;2165 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;2166 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */3337 srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p) { 3338 p->cipher_type = SRTP_AES_GCM_256; 3339 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; 3340 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 2167 3341 p->auth_key_len = 0; 2168 3342 p->auth_tag_len = 8; /* 8 octet tag length */ … … 2174 3348 */ 2175 3349 void 2176 crypto_policy_set_aes_gcm_128_8_only_auth(crypto_policy_t *p) {2177 p->cipher_type = AES_128_GCM;2178 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;2179 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */3350 srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p) { 3351 p->cipher_type = SRTP_AES_GCM_128; 3352 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; 3353 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 2180 3354 p->auth_key_len = 0; 2181 3355 p->auth_tag_len = 8; /* 8 octet tag length */ … … 2187 3361 */ 2188 3362 void 2189 crypto_policy_set_aes_gcm_256_8_only_auth(crypto_policy_t *p) {2190 p->cipher_type = AES_256_GCM;2191 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;2192 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */3363 srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p) { 3364 p->cipher_type = SRTP_AES_GCM_256; 3365 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; 3366 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 2193 3367 p->auth_key_len = 0; 2194 3368 p->auth_tag_len = 8; /* 8 octet tag length */ … … 2200 3374 */ 2201 3375 void 2202 crypto_policy_set_aes_gcm_128_16_auth(crypto_policy_t *p) {2203 p->cipher_type = AES_128_GCM;2204 p->cipher_key_len = AES_128_GCM_KEYSIZE_WSALT;2205 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */3376 srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p) { 3377 p->cipher_type = SRTP_AES_GCM_128; 3378 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; 3379 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 2206 3380 p->auth_key_len = 0; 2207 3381 p->auth_tag_len = 16; /* 16 octet tag length */ … … 2213 3387 */ 2214 3388 void 2215 crypto_policy_set_aes_gcm_256_16_auth(crypto_policy_t *p) {2216 p->cipher_type = AES_256_GCM;2217 p->cipher_key_len = AES_256_GCM_KEYSIZE_WSALT;2218 p->auth_type = NULL_AUTH; /* GCM handles the auth for us */3389 srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p) { 3390 p->cipher_type = SRTP_AES_GCM_256; 3391 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; 3392 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 2219 3393 p->auth_key_len = 0; 2220 3394 p->auth_tag_len = 16; /* 16 octet tag length */ … … 2230 3404 /* 2231 3405 * AEAD uses a new IV formation method. This function implements 2232 * section 10.1 from draft-ietf-avtcore-srtp-aes-gcm-07.txt. The2233 * calculation is defined as, where (+) is the xor operation:3406 * section 9.1 (SRTCP IV Formation for AES-GCM) from RFC7714. 3407 * The calculation is defined as, where (+) is the xor operation: 2234 3408 * 2235 3409 * 0 1 2 3 4 5 6 7 8 9 10 11 … … 2246 3420 * +--+--+--+--+--+--+--+--+--+--+--+--+* 2247 3421 * 2248 * Input: *stream - pointer to SRTP stream context, used to retrieve 2249 * the SALT 2250 * *iv - Pointer to recieve the calculated IV 2251 * seq_num - The SEQ value to use for the IV calculation. 2252 * *hdr - The RTP header, used to get the SSRC value 3422 * Input: *session_keys - pointer to SRTP stream context session keys, 3423 * used to retrieve the SALT 3424 * *iv - Pointer to recieve the calculated IV 3425 * seq_num - The SEQ value to use for the IV calculation. 3426 * *hdr - The RTP header, used to get the SSRC value 3427 * 3428 * Returns: srtp_err_status_ok if no error or srtp_err_status_bad_param 3429 * if seq_num is invalid 2253 3430 * 2254 3431 */ 2255 static void srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv, 2256 uint32_t seq_num, srtcp_hdr_t *hdr) 3432 static srtp_err_status_t 3433 srtp_calc_aead_iv_srtcp(srtp_session_keys_t *session_keys, v128_t *iv, 3434 uint32_t seq_num, srtcp_hdr_t *hdr) 2257 3435 { 2258 3436 v128_t in; … … 2265 3443 memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */ 2266 3444 in.v16[3] = 0; 2267 in.v32[2] = 0x7FFFFFFF & htonl(seq_num); /* bit 32 is suppose to be zero */ 3445 3446 /* 3447 * The SRTCP index (seq_num) spans bits 0 through 30 inclusive. 3448 * The most significant bit should be zero. 3449 */ 3450 if (seq_num & 0x80000000UL) { 3451 return srtp_err_status_bad_param; 3452 } 3453 in.v32[2] = htonl(seq_num); 2268 3454 2269 3455 debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in)); … … 2272 3458 * Get the SALT value from the context 2273 3459 */ 2274 memcpy(salt.v8, s tream->c_salt, 12);3460 memcpy(salt.v8, session_keys->c_salt, 12); 2275 3461 debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt)); 2276 3462 … … 2279 3465 */ 2280 3466 v128_xor(iv, &in, &salt); 3467 3468 return srtp_err_status_ok; 2281 3469 } 2282 3470 … … 2285 3473 * AES-GCM mode with 128 or 256 bit keys. 2286 3474 */ 2287 static err_status_t3475 static srtp_err_status_t 2288 3476 srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, 2289 void *rtcp_hdr, unsigned int *pkt_octet_len) 3477 void *rtcp_hdr, unsigned int *pkt_octet_len, 3478 srtp_session_keys_t *session_keys, unsigned int use_mki) 2290 3479 { 2291 3480 srtcp_hdr_t *hdr = (srtcp_hdr_t*)rtcp_hdr; … … 2294 3483 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 2295 3484 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2296 err_status_t status;2297 int tag_len;3485 srtp_err_status_t status; 3486 uint32_t tag_len; 2298 3487 uint32_t seq_num; 2299 3488 v128_t iv; 2300 3489 uint32_t tseq; 3490 unsigned int mki_size = 0; 2301 3491 2302 3492 /* get tag length from stream context */ 2303 tag_len = auth_get_tag_length(stream->rtcp_auth);3493 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); 2304 3494 2305 3495 /* … … 2325 3515 } 2326 3516 3517 mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + tag_len + sizeof(srtcp_trailer_t), 3518 session_keys, use_mki); 3519 2327 3520 /* 2328 3521 * set the auth_tag pointer to the proper location, which is after … … 2337 3530 * if its value isn't too big 2338 3531 */ 2339 status = rdb_increment(&stream->rtcp_rdb);3532 status = srtp_rdb_increment(&stream->rtcp_rdb); 2340 3533 if (status) { 2341 3534 return status; 2342 3535 } 2343 seq_num = rdb_get_value(&stream->rtcp_rdb);3536 seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); 2344 3537 *trailer |= htonl(seq_num); 2345 3538 debug_print(mod_srtp, "srtcp index: %x", seq_num); 2346 3539 2347 3540 /* 2348 * Calculating the IV and pass it down to the cipher 2349 */ 2350 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr); 2351 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); 3541 * Calculate and set the IV 3542 */ 3543 status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr); 2352 3544 if (status) { 2353 return err_status_cipher_fail; 3545 return srtp_err_status_cipher_fail; 3546 } 3547 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, 3548 (uint8_t*)&iv, srtp_direction_encrypt); 3549 if (status) { 3550 return srtp_err_status_cipher_fail; 2354 3551 } 2355 3552 … … 2358 3555 */ 2359 3556 if (enc_start) { 2360 2361 2362 2363 2364 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, 2365 octets_in_rtcp_header);2366 2367 return (err_status_cipher_fail);2368 3557 /* 3558 * If payload encryption is enabled, then the AAD consist of 3559 * the RTCP header and the seq# at the end of the packet 3560 */ 3561 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, 3562 (uint8_t*)hdr, octets_in_rtcp_header); 3563 if (status) { 3564 return ( srtp_err_status_cipher_fail); 3565 } 2369 3566 } else { 2370 2371 2372 * the entire packet as described in section 10.3 in revision 07 2373 * of the draft. 2374 2375 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, 2376 *pkt_octet_len);2377 2378 return (err_status_cipher_fail);2379 2380 } 2381 /* 3567 /* 3568 * Since payload encryption is not enabled, we must authenticate 3569 * the entire packet as described in RFC 7714 (Section 9.3. Data 3570 * Types in Unencrypted SRTCP Compound Packets) 3571 */ 3572 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, 3573 (uint8_t*)hdr, *pkt_octet_len); 3574 if (status) { 3575 return ( srtp_err_status_cipher_fail); 3576 } 3577 } 3578 /* 2382 3579 * Process the sequence# as AAD 2383 3580 */ 2384 3581 tseq = *trailer; 2385 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq,2386 sizeof(srtcp_trailer_t));3582 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t*)&tseq, 3583 sizeof(srtcp_trailer_t)); 2387 3584 if (status) { 2388 return ( err_status_cipher_fail);3585 return ( srtp_err_status_cipher_fail); 2389 3586 } 2390 3587 2391 3588 /* if we're encrypting, exor keystream into the message */ 2392 3589 if (enc_start) { 2393 status = cipher_encrypt(stream->rtcp_cipher,2394 (uint8_t*)enc_start, &enc_octet_len);3590 status = srtp_cipher_encrypt(session_keys->rtcp_cipher, 3591 (uint8_t*)enc_start, &enc_octet_len); 2395 3592 if (status) { 2396 return err_status_cipher_fail;3593 return srtp_err_status_cipher_fail; 2397 3594 } 2398 2399 2400 2401 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag, 2402 &tag_len);2403 2404 return (err_status_cipher_fail);2405 2406 3595 /* 3596 * Get the tag and append that to the output 3597 */ 3598 status = srtp_cipher_get_tag(session_keys->rtcp_cipher, (uint8_t*)auth_tag, 3599 &tag_len); 3600 if (status) { 3601 return ( srtp_err_status_cipher_fail); 3602 } 3603 enc_octet_len += tag_len; 2407 3604 } else { 2408 2409 2410 2411 2412 2413 status = cipher_encrypt(stream->rtcp_cipher, NULL, &nolen);3605 /* 3606 * Even though we're not encrypting the payload, we need 3607 * to run the cipher to get the auth tag. 3608 */ 3609 unsigned int nolen = 0; 3610 status = srtp_cipher_encrypt(session_keys->rtcp_cipher, NULL, &nolen); 2414 3611 if (status) { 2415 return err_status_cipher_fail;3612 return srtp_err_status_cipher_fail; 2416 3613 } 2417 2418 2419 2420 status = cipher_get_tag(stream->rtcp_cipher, (uint8_t*)auth_tag, 2421 &tag_len);2422 2423 return (err_status_cipher_fail);2424 2425 3614 /* 3615 * Get the tag and append that to the output 3616 */ 3617 status = srtp_cipher_get_tag(session_keys->rtcp_cipher, (uint8_t*)auth_tag, 3618 &tag_len); 3619 if (status) { 3620 return ( srtp_err_status_cipher_fail); 3621 } 3622 enc_octet_len += tag_len; 2426 3623 } 2427 3624 … … 2429 3626 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); 2430 3627 2431 return err_status_ok; 3628 /* increase the packet by the mki_size */ 3629 *pkt_octet_len += mki_size; 3630 3631 return srtp_err_status_ok; 2432 3632 } 2433 3633 … … 2438 3638 * when decrypting the payload. 2439 3639 */ 2440 static err_status_t3640 static srtp_err_status_t 2441 3641 srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, 2442 void *srtcp_hdr, unsigned int *pkt_octet_len) 3642 void *srtcp_hdr, unsigned int *pkt_octet_len, 3643 srtp_session_keys_t *session_keys, unsigned int use_mki) 2443 3644 { 2444 3645 srtcp_hdr_t *hdr = (srtcp_hdr_t*)srtcp_hdr; … … 2447 3648 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 2448 3649 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2449 err_status_t status;3650 srtp_err_status_t status; 2450 3651 int tag_len; 2451 3652 unsigned int tmp_len; … … 2453 3654 v128_t iv; 2454 3655 uint32_t tseq; 3656 unsigned int mki_size = 0; 2455 3657 2456 3658 /* get tag length from stream context */ 2457 tag_len = auth_get_tag_length(stream->rtcp_auth); 3659 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); 3660 3661 if (use_mki) { 3662 mki_size = session_keys->mki_size; 3663 } 2458 3664 2459 3665 /* … … 2469 3675 * multiples of 32-bits (RFC 3550 6.1) 2470 3676 */ 2471 trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t) );3677 trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t) - mki_size); 2472 3678 /* 2473 3679 * We pass the tag down to the cipher when doing GCM mode 2474 3680 */ 2475 3681 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + 2476 sizeof(srtcp_trailer_t) );2477 auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - sizeof(srtcp_trailer_t);3682 sizeof(srtcp_trailer_t) + mki_size); 3683 auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - mki_size - sizeof(srtcp_trailer_t); 2478 3684 2479 3685 if (*((unsigned char*)trailer) & SRTCP_E_BYTE_BIT) { … … 2490 3696 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; 2491 3697 debug_print(mod_srtp, "srtcp index: %x", seq_num); 2492 status = rdb_check(&stream->rtcp_rdb, seq_num);3698 status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); 2493 3699 if (status) { 2494 3700 return status; … … 2498 3704 * Calculate and set the IV 2499 3705 */ 2500 srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr); 2501 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); 3706 status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr); 2502 3707 if (status) { 2503 return err_status_cipher_fail; 3708 return srtp_err_status_cipher_fail; 3709 } 3710 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, 3711 (uint8_t*)&iv, srtp_direction_decrypt); 3712 if (status) { 3713 return srtp_err_status_cipher_fail; 2504 3714 } 2505 3715 … … 2508 3718 */ 2509 3719 if (enc_start) { 2510 2511 2512 2513 2514 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, 2515 octets_in_rtcp_header);2516 2517 return (err_status_cipher_fail);2518 3720 /* 3721 * If payload encryption is enabled, then the AAD consist of 3722 * the RTCP header and the seq# at the end of the packet 3723 */ 3724 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, 3725 (uint8_t*)hdr, octets_in_rtcp_header); 3726 if (status) { 3727 return ( srtp_err_status_cipher_fail); 3728 } 2519 3729 } else { 2520 /* 2521 * Since payload encryption is not enabled, we must authenticate 2522 * the entire packet as described in section 10.3 in revision 07 2523 * of the draft. 2524 */ 2525 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)hdr, 2526 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t))); 2527 if (status) { 2528 return ( err_status_cipher_fail); 2529 } 2530 } 2531 2532 /* 2533 * Process the sequence# as AAD 3730 /* 3731 * Since payload encryption is not enabled, we must authenticate 3732 * the entire packet as described in RFC 7714 (Section 9.3. Data 3733 * Types in Unencrypted SRTCP Compound Packets) 3734 */ 3735 status = srtp_cipher_set_aad( 3736 session_keys->rtcp_cipher, (uint8_t*)hdr, 3737 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t) - mki_size)); 3738 if (status) { 3739 return ( srtp_err_status_cipher_fail); 3740 } 3741 } 3742 3743 /* 3744 * Process the sequence# as AAD 2534 3745 */ 2535 3746 tseq = *trailer; 2536 status = cipher_set_aad(stream->rtcp_cipher, (uint8_t*)&tseq,2537 sizeof(srtcp_trailer_t));3747 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, 3748 (uint8_t*)&tseq, sizeof(srtcp_trailer_t)); 2538 3749 if (status) { 2539 return (err_status_cipher_fail);3750 return ( srtp_err_status_cipher_fail); 2540 3751 } 2541 3752 2542 3753 /* if we're decrypting, exor keystream into the message */ 2543 3754 if (enc_start) { 2544 status = cipher_decrypt(stream->rtcp_cipher, 2545 (uint8_t*)enc_start, &enc_octet_len); 3755 status = srtp_cipher_decrypt(session_keys->rtcp_cipher, (uint8_t*)enc_start, &enc_octet_len); 2546 3756 if (status) { 2547 3757 return status; 2548 3758 } 2549 3759 } else { 2550 /* 2551 * Still need to run the cipher to check the tag 2552 */ 2553 tmp_len = tag_len; 2554 status = cipher_decrypt(stream->rtcp_cipher, (uint8_t*)auth_tag, 2555 &tmp_len); 3760 /* 3761 * Still need to run the cipher to check the tag 3762 */ 3763 tmp_len = tag_len; 3764 status = srtp_cipher_decrypt(session_keys->rtcp_cipher, (uint8_t*)auth_tag, &tmp_len); 2556 3765 if (status) { 2557 3766 return status; … … 2560 3769 2561 3770 /* decrease the packet length by the length of the auth tag and seq_num*/ 2562 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) );3771 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) + mki_size); 2563 3772 2564 3773 /* … … 2609 3818 2610 3819 /* we've passed the authentication check, so add seq_num to the rdb */ 2611 rdb_add_index(&stream->rtcp_rdb, seq_num);2612 2613 return err_status_ok;2614 } 2615 2616 err_status_t3820 srtp_rdb_add_index(&stream->rtcp_rdb, seq_num); 3821 3822 return srtp_err_status_ok; 3823 } 3824 3825 srtp_err_status_t 2617 3826 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) { 3827 return srtp_protect_rtcp_mki(ctx, rtcp_hdr, pkt_octet_len, 0, 0); 3828 } 3829 3830 srtp_err_status_t 3831 srtp_protect_rtcp_mki(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len, 3832 unsigned int use_mki, unsigned int mki_index) { 2618 3833 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; 2619 3834 uint32_t *enc_start; /* pointer to start of encrypted portion */ … … 2622 3837 unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ 2623 3838 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2624 err_status_t status;3839 srtp_err_status_t status; 2625 3840 int tag_len; 2626 3841 srtp_stream_ctx_t *stream; 2627 int prefix_len;3842 uint32_t prefix_len; 2628 3843 uint32_t seq_num; 3844 unsigned int mki_size = 0; 3845 srtp_session_keys_t *session_keys = NULL; 2629 3846 2630 3847 /* we assume the hdr is 32-bit aligned to start */ … … 2632 3849 /* check the packet length - it must at least contain a full header */ 2633 3850 if (*pkt_octet_len < octets_in_rtcp_header) 2634 return err_status_bad_param;3851 return srtp_err_status_bad_param; 2635 3852 2636 3853 /* … … 2660 3877 } else { 2661 3878 /* no template stream, so we return an error */ 2662 return err_status_no_ctx;3879 return srtp_err_status_no_ctx; 2663 3880 } 2664 3881 } … … 2678 3895 } 2679 3896 3897 session_keys = srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); 3898 2680 3899 /* 2681 3900 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 2682 3901 * the request to our AEAD handler. 2683 3902 */ 2684 if (stream->rtp_cipher->algorithm == AES_128_GCM || 2685 stream->rtp_cipher->algorithm == AES_256_GCM) { 2686 return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, (unsigned int*)pkt_octet_len); 3903 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || 3904 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { 3905 return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, 3906 (unsigned int*)pkt_octet_len, session_keys, 3907 use_mki); 2687 3908 } 2688 3909 2689 3910 /* get tag length from stream context */ 2690 tag_len = auth_get_tag_length(stream->rtcp_auth);3911 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); 2691 3912 2692 3913 /* … … 2713 3934 } 2714 3935 3936 mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t), 3937 session_keys, use_mki); 3938 2715 3939 /* 2716 3940 * set the auth_start and auth_tag pointers to the proper locations … … 2719 3943 /* Note: This would need to change for optional mikey data */ 2720 3944 auth_start = (uint32_t *)hdr; 2721 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) ;3945 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) + mki_size; 2722 3946 2723 3947 /* perform EKT processing if needed */ 2724 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,2725 rdbx_get_packet_index(&stream->rtp_rdbx));3948 srtp_ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len, 3949 srtp_rdbx_get_packet_index(&stream->rtp_rdbx)); 2726 3950 2727 3951 /* … … 2729 3953 * if its value isn't too big 2730 3954 */ 2731 status = rdb_increment(&stream->rtcp_rdb);3955 status = srtp_rdb_increment(&stream->rtcp_rdb); 2732 3956 if (status) 2733 3957 return status; 2734 seq_num = rdb_get_value(&stream->rtcp_rdb);3958 seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); 2735 3959 *trailer |= htonl(seq_num); 2736 3960 debug_print(mod_srtp, "srtcp index: %x", seq_num); … … 2739 3963 * if we're using rindael counter mode, set nonce and seq 2740 3964 */ 2741 if (stream->rtcp_cipher->type->id == AES_ICM) { 3965 if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || 3966 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || 3967 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { 2742 3968 v128_t iv; 2743 3969 … … 2746 3972 iv.v32[2] = htonl(seq_num >> 16); 2747 3973 iv.v32[3] = htonl(seq_num << 16); 2748 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); 3974 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t*)&iv, 3975 srtp_direction_encrypt); 2749 3976 2750 3977 } else { … … 2756 3983 iv.v32[2] = 0; 2757 3984 iv.v32[3] = htonl(seq_num); 2758 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt); 3985 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, 3986 (uint8_t*)&iv, srtp_direction_encrypt); 2759 3987 } 2760 3988 if (status) 2761 return err_status_cipher_fail;3989 return srtp_err_status_cipher_fail; 2762 3990 2763 3991 /* … … 2770 3998 2771 3999 /* put keystream prefix into auth_tag */ 2772 prefix_len = auth_get_prefix_length(stream->rtcp_auth);2773 status = cipher_output(stream->rtcp_cipher, auth_tag,prefix_len);4000 prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); 4001 status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, &prefix_len); 2774 4002 2775 4003 debug_print(mod_srtp, "keystream prefix: %s", 2776 octet_string_hex_string(auth_tag, prefix_len));4004 srtp_octet_string_hex_string(auth_tag, prefix_len)); 2777 4005 2778 4006 if (status) 2779 return err_status_cipher_fail;4007 return srtp_err_status_cipher_fail; 2780 4008 } 2781 4009 2782 4010 /* if we're encrypting, exor keystream into the message */ 2783 4011 if (enc_start) { 2784 status = cipher_encrypt(stream->rtcp_cipher,2785 4012 status = srtp_cipher_encrypt(session_keys->rtcp_cipher, 4013 (uint8_t *)enc_start, &enc_octet_len); 2786 4014 if (status) 2787 return err_status_cipher_fail;4015 return srtp_err_status_cipher_fail; 2788 4016 } 2789 4017 2790 4018 /* initialize auth func context */ 2791 auth_start(stream->rtcp_auth);4019 srtp_auth_start(session_keys->rtcp_auth); 2792 4020 2793 4021 /* … … 2795 4023 * result at auth_tag 2796 4024 */ 2797 status = auth_compute(stream->rtcp_auth,4025 status = srtp_auth_compute(session_keys->rtcp_auth, 2798 4026 (uint8_t *)auth_start, 2799 4027 (*pkt_octet_len) + sizeof(srtcp_trailer_t), 2800 4028 auth_tag); 2801 4029 debug_print(mod_srtp, "srtcp auth tag: %s", 2802 octet_string_hex_string(auth_tag, tag_len));4030 srtp_octet_string_hex_string(auth_tag, tag_len)); 2803 4031 if (status) 2804 return err_status_auth_fail;4032 return srtp_err_status_auth_fail; 2805 4033 2806 4034 /* increase the packet length by the length of the auth tag and seq_num*/ 2807 4035 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); 4036 4037 /* increase the packet by the mki_size */ 4038 *pkt_octet_len += mki_size; 2808 4039 2809 return err_status_ok;2810 } 2811 2812 2813 err_status_t4040 return srtp_err_status_ok; 4041 } 4042 4043 4044 srtp_err_status_t 2814 4045 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) { 4046 return srtp_unprotect_rtcp_mki(ctx, srtcp_hdr, pkt_octet_len, 0); 4047 } 4048 4049 srtp_err_status_t 4050 srtp_unprotect_rtcp_mki(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len, 4051 unsigned int use_mki) { 2815 4052 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; 2816 4053 uint32_t *enc_start; /* pointer to start of encrypted portion */ … … 2821 4058 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 2822 4059 uint8_t tag_copy[SRTP_MAX_TAG_LEN]; 2823 err_status_t status;4060 srtp_err_status_t status; 2824 4061 unsigned int auth_len; 2825 4062 int tag_len; 2826 4063 srtp_stream_ctx_t *stream; 2827 int prefix_len;4064 uint32_t prefix_len; 2828 4065 uint32_t seq_num; 2829 4066 int e_bit_in_packet; /* whether the E-bit was found in the packet */ 2830 4067 int sec_serv_confidentiality; /* whether confidentiality was requested */ 4068 unsigned int mki_size = 0; 4069 srtp_session_keys_t *session_keys = NULL; 2831 4070 2832 4071 /* we assume the hdr is 32-bit aligned to start */ … … 2836 4075 a positive value */ 2837 4076 if (*pkt_octet_len < octets_in_rtcp_header + sizeof(srtcp_trailer_t)) 2838 return err_status_bad_param;4077 return srtp_err_status_bad_param; 2839 4078 2840 4079 /* … … 2867 4106 2868 4107 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", 2869 hdr->ssrc);4108 ntohl(hdr->ssrc)); 2870 4109 } else { 2871 4110 /* no template stream, so we return an error */ 2872 return err_status_no_ctx;4111 return srtp_err_status_no_ctx; 2873 4112 } 2874 4113 } 2875 4114 4115 /* 4116 * Determine if MKI is being used and what session keys should be used 4117 */ 4118 if (use_mki) { 4119 session_keys = srtp_get_session_keys(stream, (uint8_t *)hdr, 4120 (const unsigned int*)pkt_octet_len, 4121 &mki_size); 4122 4123 if (session_keys == NULL) 4124 return srtp_err_status_bad_mki; 4125 } else { 4126 session_keys = &stream->session_keys[0]; 4127 } 4128 4129 2876 4130 /* get tag length from stream context */ 2877 tag_len = auth_get_tag_length(stream->rtcp_auth);4131 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); 2878 4132 2879 4133 /* check the packet length - it must contain at least a full RTCP 2880 4134 header, an auth tag (if applicable), and the SRTCP encrypted flag 2881 4135 and 31-bit index value */ 2882 if (*pkt_octet_len < (int) (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t))) {2883 return err_status_bad_param;4136 if (*pkt_octet_len < (int) (octets_in_rtcp_header + tag_len + mki_size + sizeof(srtcp_trailer_t))) { 4137 return srtp_err_status_bad_param; 2884 4138 } 2885 4139 … … 2888 4142 * the request to our AEAD handler. 2889 4143 */ 2890 if (stream->rtp_cipher->algorithm == AES_128_GCM || 2891 stream->rtp_cipher->algorithm == AES_256_GCM) { 2892 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, (unsigned int*)pkt_octet_len); 4144 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || 4145 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { 4146 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, 4147 (unsigned int*)pkt_octet_len, session_keys, 4148 mki_size); 2893 4149 } 2894 4150 … … 2900 4156 */ 2901 4157 enc_octet_len = *pkt_octet_len - 2902 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));4158 (octets_in_rtcp_header + tag_len + mki_size + sizeof(srtcp_trailer_t)); 2903 4159 /* index & E (encryption) bit follow normal data. hdr->len 2904 4160 is the number of words (32-bit) in the normal packet minus 1 */ … … 2911 4167 */ 2912 4168 trailer = (uint32_t *) ((char *) hdr + 2913 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));4169 *pkt_octet_len -(tag_len + mki_size + sizeof(srtcp_trailer_t))); 2914 4170 e_bit_in_packet = 2915 4171 (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT; 2916 4172 if (e_bit_in_packet != sec_serv_confidentiality) { 2917 return err_status_cant_check;4173 return srtp_err_status_cant_check; 2918 4174 } 2919 4175 if (sec_serv_confidentiality) { … … 2929 4185 */ 2930 4186 auth_start = (uint32_t *)hdr; 2931 auth_len = *pkt_octet_len - tag_len; 2932 auth_tag = (uint8_t *)hdr + auth_len; 4187 4188 /* 4189 * The location of the auth tag in the packet needs to know MKI 4190 * could be present. The data needed to calculate the Auth tag 4191 * must not include the MKI 4192 */ 4193 auth_len = *pkt_octet_len - tag_len - mki_size; 4194 auth_tag = (uint8_t *)hdr + auth_len + mki_size; 2933 4195 2934 4196 /* … … 2940 4202 */ 2941 4203 if (stream->ekt) { 2942 auth_tag -= ekt_octets_after_base_tag(stream->ekt);4204 auth_tag -= srtp_ekt_octets_after_base_tag(stream->ekt); 2943 4205 memcpy(tag_copy, auth_tag, tag_len); 2944 4206 octet_string_set_to_zero(auth_tag, tag_len); … … 2953 4215 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; 2954 4216 debug_print(mod_srtp, "srtcp index: %x", seq_num); 2955 status = rdb_check(&stream->rtcp_rdb, seq_num);4217 status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); 2956 4218 if (status) 2957 4219 return status; … … 2960 4222 * if we're using aes counter mode, set nonce and seq 2961 4223 */ 2962 if (stream->rtcp_cipher->type->id == AES_ICM) { 4224 if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || 4225 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || 4226 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { 2963 4227 v128_t iv; 2964 4228 … … 2967 4231 iv.v32[2] = htonl(seq_num >> 16); 2968 4232 iv.v32[3] = htonl(seq_num << 16); 2969 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); 4233 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, 4234 (uint8_t*)&iv, srtp_direction_decrypt); 2970 4235 2971 4236 } else { … … 2977 4242 iv.v32[2] = 0; 2978 4243 iv.v32[3] = htonl(seq_num); 2979 status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt); 4244 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, 4245 (uint8_t*)&iv, srtp_direction_decrypt); 2980 4246 2981 4247 } 2982 4248 if (status) 2983 return err_status_cipher_fail;4249 return srtp_err_status_cipher_fail; 2984 4250 2985 4251 /* initialize auth func context */ 2986 auth_start(stream->rtcp_auth);4252 srtp_auth_start(session_keys->rtcp_auth); 2987 4253 2988 4254 /* run auth func over packet, put result into tmp_tag */ 2989 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,4255 status = srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start, 2990 4256 auth_len, tmp_tag); 2991 4257 debug_print(mod_srtp, "srtcp computed tag: %s", 2992 octet_string_hex_string(tmp_tag, tag_len));4258 srtp_octet_string_hex_string(tmp_tag, tag_len)); 2993 4259 if (status) 2994 return err_status_auth_fail;4260 return srtp_err_status_auth_fail; 2995 4261 2996 4262 /* compare the tag just computed with the one in the packet */ 2997 4263 debug_print(mod_srtp, "srtcp tag from packet: %s", 2998 octet_string_hex_string(auth_tag, tag_len));4264 srtp_octet_string_hex_string(auth_tag, tag_len)); 2999 4265 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) 3000 return err_status_auth_fail;4266 return srtp_err_status_auth_fail; 3001 4267 3002 4268 /* … … 3004 4270 * prefix into the authentication tag 3005 4271 */ 3006 prefix_len = auth_get_prefix_length(stream->rtcp_auth);4272 prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); 3007 4273 if (prefix_len) { 3008 status = cipher_output(stream->rtcp_cipher, auth_tag,prefix_len);4274 status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, &prefix_len); 3009 4275 debug_print(mod_srtp, "keystream prefix: %s", 3010 octet_string_hex_string(auth_tag, prefix_len));4276 srtp_octet_string_hex_string(auth_tag, prefix_len)); 3011 4277 if (status) 3012 return err_status_cipher_fail;4278 return srtp_err_status_cipher_fail; 3013 4279 } 3014 4280 3015 4281 /* if we're decrypting, exor keystream into the message */ 3016 4282 if (enc_start) { 3017 status = cipher_decrypt(stream->rtcp_cipher,3018 (uint8_t *)enc_start,&enc_octet_len);4283 status = srtp_cipher_decrypt(session_keys->rtcp_cipher, (uint8_t *)enc_start, 4284 &enc_octet_len); 3019 4285 if (status) 3020 return err_status_cipher_fail;4286 return srtp_err_status_cipher_fail; 3021 4287 } 3022 4288 3023 4289 /* decrease the packet length by the length of the auth tag and seq_num */ 3024 4290 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); 4291 4292 /* decrease the packet length by the length of the mki_size */ 4293 *pkt_octet_len -= mki_size; 3025 4294 3026 4295 /* … … 3028 4297 * length 3029 4298 */ 3030 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt);4299 *pkt_octet_len -= srtp_ekt_octets_after_base_tag(stream->ekt); 3031 4300 3032 4301 /* … … 3076 4345 3077 4346 /* we've passed the authentication check, so add seq_num to the rdb */ 3078 rdb_add_index(&stream->rtcp_rdb, seq_num);4347 srtp_rdb_add_index(&stream->rtcp_rdb, seq_num); 3079 4348 3080 4349 3081 return err_status_ok;4350 return srtp_err_status_ok; 3082 4351 } 3083 4352 … … 3102 4371 */ 3103 4372 3104 err_status_t3105 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,3106 srtp_profile_t profile) {4373 srtp_err_status_t 4374 srtp_crypto_policy_set_from_profile_for_rtp(srtp_crypto_policy_t *policy, 4375 srtp_profile_t profile) { 3107 4376 3108 4377 /* set SRTP policy from the SRTP profile in the key set */ 3109 4378 switch(profile) { 3110 4379 case srtp_profile_aes128_cm_sha1_80: 3111 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);4380 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 3112 4381 break; 3113 4382 case srtp_profile_aes128_cm_sha1_32: 3114 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);4383 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); 3115 4384 break; 3116 4385 case srtp_profile_null_sha1_80: 3117 crypto_policy_set_null_cipher_hmac_sha1_80(policy);4386 srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); 3118 4387 break; 3119 case srtp_profile_aes256_cm_sha1_80: 3120 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 4388 #if defined(OPENSSL) 4389 case srtp_profile_aead_aes_128_gcm: 4390 srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); 3121 4391 break; 3122 case srtp_profile_ae s256_cm_sha1_32:3123 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);4392 case srtp_profile_aead_aes_256_gcm: 4393 srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); 3124 4394 break; 4395 #endif 3125 4396 /* the following profiles are not (yet) supported */ 3126 4397 case srtp_profile_null_sha1_32: 3127 4398 default: 3128 return err_status_bad_param;3129 } 3130 3131 return err_status_ok;3132 } 3133 3134 err_status_t3135 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,3136 srtp_profile_t profile) {4399 return srtp_err_status_bad_param; 4400 } 4401 4402 return srtp_err_status_ok; 4403 } 4404 4405 srtp_err_status_t 4406 srtp_crypto_policy_set_from_profile_for_rtcp(srtp_crypto_policy_t *policy, 4407 srtp_profile_t profile) { 3137 4408 3138 4409 /* set SRTP policy from the SRTP profile in the key set */ 3139 4410 switch(profile) { 3140 4411 case srtp_profile_aes128_cm_sha1_80: 3141 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);4412 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 3142 4413 break; 3143 4414 case srtp_profile_aes128_cm_sha1_32: 3144 4415 /* We do not honor the 32-bit auth tag request since 3145 4416 * this is not compliant with RFC 3711 */ 3146 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);4417 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 3147 4418 break; 3148 4419 case srtp_profile_null_sha1_80: 3149 crypto_policy_set_null_cipher_hmac_sha1_80(policy);4420 srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); 3150 4421 break; 3151 case srtp_profile_aes256_cm_sha1_80: 3152 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 4422 #if defined(OPENSSL) 4423 case srtp_profile_aead_aes_128_gcm: 4424 srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); 3153 4425 break; 3154 case srtp_profile_aes256_cm_sha1_32: 3155 /* We do not honor the 32-bit auth tag request since 3156 * this is not compliant with RFC 3711 */ 3157 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 4426 case srtp_profile_aead_aes_256_gcm: 4427 srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); 3158 4428 break; 4429 #endif 3159 4430 /* the following profiles are not (yet) supported */ 3160 4431 case srtp_profile_null_sha1_32: 3161 4432 default: 3162 return err_status_bad_param; 3163 } 3164 3165 return err_status_ok; 3166 } 3167 3168 void 3169 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key, 3170 uint8_t *salt, unsigned int bytes_in_salt) { 3171 4433 return srtp_err_status_bad_param; 4434 } 4435 4436 return srtp_err_status_ok; 4437 } 4438 4439 void srtp_append_salt_to_key(uint8_t *key, unsigned int bytes_in_key, uint8_t *salt, unsigned int bytes_in_salt) { 3172 4440 memcpy(key + bytes_in_key, salt, bytes_in_salt); 3173 3174 4441 } 3175 4442 … … 3179 4446 switch(profile) { 3180 4447 case srtp_profile_aes128_cm_sha1_80: 3181 return 16;4448 return SRTP_AES_128_KEY_LEN; 3182 4449 break; 3183 4450 case srtp_profile_aes128_cm_sha1_32: 3184 return 16;4451 return SRTP_AES_128_KEY_LEN; 3185 4452 break; 3186 4453 case srtp_profile_null_sha1_80: 3187 return 16;4454 return SRTP_AES_128_KEY_LEN; 3188 4455 break; 3189 case srtp_profile_ae s256_cm_sha1_80:3190 return 32;4456 case srtp_profile_aead_aes_128_gcm: 4457 return SRTP_AES_128_KEY_LEN; 3191 4458 break; 3192 case srtp_profile_ae s256_cm_sha1_32:3193 return 32;4459 case srtp_profile_aead_aes_256_gcm: 4460 return SRTP_AES_256_KEY_LEN; 3194 4461 break; 3195 4462 /* the following profiles are not (yet) supported */ … … 3205 4472 switch(profile) { 3206 4473 case srtp_profile_aes128_cm_sha1_80: 3207 return 14;4474 return SRTP_SALT_LEN; 3208 4475 break; 3209 4476 case srtp_profile_aes128_cm_sha1_32: 3210 return 14;4477 return SRTP_SALT_LEN; 3211 4478 break; 3212 4479 case srtp_profile_null_sha1_80: 3213 return 14;4480 return SRTP_SALT_LEN; 3214 4481 break; 3215 case srtp_profile_ae s256_cm_sha1_80:3216 return 14;4482 case srtp_profile_aead_aes_128_gcm: 4483 return SRTP_AEAD_SALT_LEN; 3217 4484 break; 3218 case srtp_profile_ae s256_cm_sha1_32:3219 return 14;4485 case srtp_profile_aead_aes_256_gcm: 4486 return SRTP_AEAD_SALT_LEN; 3220 4487 break; 3221 4488 /* the following profiles are not (yet) supported */ … … 3225 4492 } 3226 4493 } 4494 4495 srtp_err_status_t 4496 srtp_get_protect_trailer_length(srtp_t session, 4497 uint32_t use_mki, 4498 uint32_t mki_index, 4499 uint32_t *length) 4500 { 4501 srtp_stream_ctx_t *stream; 4502 4503 if (session == NULL) 4504 return srtp_err_status_bad_param; 4505 4506 *length = 0; 4507 4508 /* Try obtaining stream from stream_list */ 4509 stream = session->stream_list; 4510 4511 if (stream == NULL) { 4512 /* Try obtaining the template stream */ 4513 stream = session->stream_template; 4514 } 4515 4516 if (stream == NULL) { 4517 return srtp_err_status_bad_param; 4518 } 4519 4520 if (use_mki) { 4521 if (mki_index > stream->num_master_keys) 4522 return srtp_err_status_bad_mki; 4523 4524 *length += stream->session_keys[mki_index].mki_size; 4525 *length += srtp_auth_get_tag_length(stream->session_keys[mki_index].rtp_auth); 4526 } else { 4527 *length += srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); 4528 } 4529 4530 return srtp_err_status_ok; 4531 } 4532 4533 srtp_err_status_t 4534 srtp_get_protect_rtcp_trailer_length(srtp_t session, 4535 uint32_t use_mki, 4536 uint32_t mki_index, 4537 uint32_t *length) 4538 { 4539 srtp_stream_ctx_t *stream; 4540 4541 if (session == NULL) 4542 return srtp_err_status_bad_param; 4543 4544 *length = 0; 4545 4546 /* Try obtaining stream from stream_list */ 4547 stream = session->stream_list; 4548 4549 if (stream == NULL) { 4550 /* Try obtaining the template stream */ 4551 stream = session->stream_template; 4552 } 4553 4554 if (stream == NULL) { 4555 return srtp_err_status_bad_param; 4556 } 4557 4558 if (use_mki) { 4559 if (mki_index > stream->num_master_keys) 4560 return srtp_err_status_bad_mki; 4561 4562 *length += stream->session_keys[mki_index].mki_size; 4563 *length += srtp_auth_get_tag_length(stream->session_keys[mki_index].rtcp_auth); 4564 } else { 4565 *length += srtp_auth_get_tag_length(stream->session_keys[0].rtcp_auth); 4566 } 4567 4568 *length += sizeof(srtcp_trailer_t); 4569 4570 return srtp_err_status_ok; 4571 } 4572 4573 4574 /* 4575 * SRTP debug interface 4576 */ 4577 srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v) 4578 { 4579 return srtp_crypto_kernel_set_debug_module(mod_name, v); 4580 } 4581 4582 srtp_err_status_t srtp_list_debug_modules(void) 4583 { 4584 return srtp_crypto_kernel_list_debug_modules(); 4585 } 4586 4587 /* 4588 * srtp_log_handler is a global variable holding a pointer to the 4589 * log handler function; this function is called for any log 4590 * output. 4591 */ 4592 4593 static srtp_log_handler_func_t *srtp_log_handler = NULL; 4594 static void * srtp_log_handler_data = NULL; 4595 4596 void srtp_err_handler(srtp_err_reporting_level_t level, const char * msg) 4597 { 4598 if (srtp_log_handler) { 4599 srtp_log_level_t log_level = srtp_log_level_error; 4600 switch(level) { 4601 case srtp_err_level_error: log_level = srtp_log_level_error; break; 4602 case srtp_err_level_warning: log_level = srtp_log_level_warning; break; 4603 case srtp_err_level_info: log_level = srtp_log_level_info; break; 4604 case srtp_err_level_debug: log_level = srtp_log_level_debug; break; 4605 } 4606 4607 srtp_log_handler(log_level, msg, srtp_log_handler_data); 4608 } 4609 } 4610 4611 srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, void * data) 4612 { 4613 4614 /* 4615 * note that we accept NULL arguments intentionally - calling this 4616 * function with a NULL arguments removes a log handler that's 4617 * been previously installed 4618 */ 4619 4620 if (srtp_log_handler) { 4621 srtp_install_err_report_handler(NULL); 4622 } 4623 srtp_log_handler = func; 4624 srtp_log_handler_data = data; 4625 if (srtp_log_handler) { 4626 srtp_install_err_report_handler(srtp_err_handler); 4627 } 4628 return srtp_err_status_ok; 4629 } 4630 4631 srtp_err_status_t 4632 srtp_set_stream_roc(srtp_t session, uint32_t ssrc, uint32_t roc) { 4633 srtp_stream_t stream; 4634 4635 stream = srtp_get_stream(session, htonl(ssrc)); 4636 if (stream == NULL) 4637 return srtp_err_status_bad_param; 4638 4639 stream->pending_roc = roc; 4640 4641 return srtp_err_status_ok; 4642 } 4643 4644 srtp_err_status_t 4645 srtp_get_stream_roc(srtp_t session, uint32_t ssrc, uint32_t *roc) { 4646 srtp_stream_t stream; 4647 4648 stream = srtp_get_stream(session, htonl(ssrc)); 4649 if (stream == NULL) 4650 return srtp_err_status_bad_param; 4651 4652 *roc = srtp_rdbx_get_roc(&stream->rtp_rdbx); 4653 4654 return srtp_err_status_ok; 4655 }
Note: See TracChangeset
for help on using the changeset viewer.