Gitiles
Code Review Sign In
review.jami.net / jami-client-android / 96db803943f24b91b1d14a41964504e9df02819a / . / jni / libzrtp / sources / srtp / CryptoContext.h
blob: 25c3a08fcc19a31b33309a807d36d9d584325379 [file] [log] [blame]
/*
Copyright (C) 2006 - 2012 Werner Dittmann
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef CRYPTOCONTEXT_H
#define CRYPTOCONTEXT_H
/**
* @file CryptoContext.h
* @brief The C++ SRTP implementation
* @ingroup Z_SRTP
* @{
*/
#define REPLAY_WINDOW_SIZE 64
const int SrtpAuthenticationNull = 0;
const int SrtpAuthenticationSha1Hmac = 1;
const int SrtpAuthenticationSkeinHmac = 2;
const int SrtpEncryptionNull = 0;
const int SrtpEncryptionAESCM = 1;
const int SrtpEncryptionAESF8 = 2;
const int SrtpEncryptionTWOCM = 3;
const int SrtpEncryptionTWOF8 = 4;
// Check if included via CryptoContextCtrl.cpp - avoid double definitions
#ifndef CRYPTOCONTEXTCTRL_H
#include <stdint.h>
class SrtpSymCrypto;
/**
* @brief Implementation for a SRTP cryptographic context.
*
* This class holds data and provides functions that implement a
* cryptographic context for SRTP. Refer to RFC 3711, chapter 3.2 for some
* more detailed information about the SRTP cryptographic context.
*
* Each SRTP cryptographic context uses a RTP source identified by
* its SSRC. Thus you can independently protect each source inside a RTP
* session.
*
* Key management mechanisms negotiate the parameters for the SRTP
* cryptographic context, such as master key, key length, authentication
* length and so on. The key management mechanisms are not part of
* SRTP. Refer to MIKEY (RFC 3880) or to Phil Zimmermann's ZRTP protocol
* (RFC6189). After key management negotiated the data the application can
* setup the SRTP cryptographic context and enable SRTP processing.
*
* This SRTP context implementation supports RTP only.
*
* A short eample how to setup a SRTP CryptoContext:
@verbatim
// First some key and salt data - this data is just for demo purposes
uint8 masterKey[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
uint8 masterSalt[] = { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d };
...
CryptoContext* cryptoCtxSend =
new CryptoContext(0xfeedbacc,
0, // roc,
0L, // keyderivation rate << 48,
SrtpEncryptionAESCM, // encryption algo
SrtpAuthenticationSha1Hmac, // authtication algo
masterKey, // Master Key data
128 / 8, // Master Key length in bytes
masterSalt, // Master Salt data
112 / 8, // Master Salt length in bytes
128 / 8, // encryption keylength in bytes
160 / 8, // authentication key length in bytes (SHA1)
112 / 8, // session salt length in bytes
80 / 8); // authentication tag length in bytes
cryptoCtxSend->deriveSrtpKeys(0);
....
// To protect a RTP packet
// buffer: pointer to the RTP packet, length of the RTP data, newLength is a
// pointer to a size_t that gets the updated length.
bool rc = SrtpHandler::protect(cryptoCtxSend, buffer, length, newLength);
// To unprotect a SRTP packet:
// buffer: pointer to the RTP packet, length of the SRTP data, newLength is a
// pointer to a size_t that gets the updated length.
int32_t rc = SrtpHandler::unprotect(cryptoCtxRecv, buffer, length, newLength);
@endverbatim
*
* @note You need two CryptoContext instances - one for the sending channel the
* other one for the receiving channel.
*
* Before an appliction can use a CryptoContext it must call the key derivation
* function deriveSrtpKeys() first. Only then this SRTP cryptographic context is ready
* to protect or unprotect a RTP SSRC stream.
*
* Together with the newCryptoContextForSSRC() function an application can prepare a
* CryptoContext and save it as template. Once it needs a new CryptoContext, say
* for a new SSRC, it calls newCryptoContextForSSRC() on the saved context to get an
* initialized copy and then call deriveSrtpKeys() to compute and process the keys.
*
* @note A saved, pre-initialized template contains the non-processed keys. Only
* the method deriveSrtpKeys() processes the keys and cleares them. Thus don't store
* CryptoContext templates if the application cannot protect the templates against
* reading from other possibly rogue applications.
*
* @sa SrtpHandler
*
* @author Werner Dittmann <Werner.Dittmann@t-online.de>
*/
class CryptoContext {
public:
/**
* @brief Constructor for an active SRTP cryptographic context.
*
* This constructor creates an pre-initialized SRTP cryptographic context were
* algorithms are allocated, keys are stored and so on. An application can
* call newCryptoContextForSSRC() to get a full copy of this pre-initialized
* CryptoContext.
*
*
* @param ssrc
* The RTP SSRC that this SRTP cryptographic context belongs to.
*
* @param roc
* The initial Roll-Over-Counter according to RFC 3711. These are the
* upper 32 bit of the overall 48 bit SRTP packet index. Usually set to zero.
* Refer to chapter 3.2.1 of the RFC.
*
* @param keyDerivRate
* The key derivation rate defines when to recompute the SRTP session
* keys. Refer to chapter 4.3.1 in the RFC.
*
* @param ealg
* The encryption algorithm to use. Possible values are <code>
* SrtpEncryptionNull, SrtpEncryptionAESCM, SrtpEncryptionAESF8,
* SrtpEncryptionTWOCM, SrtpEncryptionTWOF8</code>. See chapter 4.1.1
* for AESCM (Counter mode) and 4.1.2 for AES F8 mode.
*
* @param aalg
* The authentication algorithm to use. Possible values are <code>
* SrtpEncryptionNull, SrtpAuthenticationSha1Hmac, SrtpAuthenticationSkeinHmac
* </code>.
*
* @param masterKey
* Pointer to the master key for this SRTP cryptographic context.
* Must point to <code>masterKeyLength</code> bytes. Refer to chapter
* 3.2.1 of the RFC about the role of the master key.
*
* @param masterKeyLength
* The length in bytes of the master key in bytes. The length must
* match the selected encryption algorithm. Because SRTP uses AES
* based encryption only, then master key length may be 16 or 32
* bytes (128 or 256 bit master key)
*
* @param masterSalt
* SRTP uses the master salt to generate the initialization vector
* that in turn is input to compute the session key, session
* authentication key and the session salt.
*
* @param masterSaltLength
* The length in bytes of the master salt data in bytes. According to
* RFC3711 the standard value for the master salt length should
* be 14 bytes (112 bit).
*
* @param ekeyl
* The length in bytes of the session encryption key that SRTP shall
* generate and use. Usually the same length as for the master key
* length, however you may use a different length as well.
*
* @param akeyl
* The length in bytes of the session authentication key. SRTP
* computes this key and uses it as input to the authentication
* algorithm.
* This is usually 160 bits (20 bytes) for @c SrtpAuthenticationSha1Hmac
* and 256 bits (32 bytes) for @c SrtpAuthenticationSkeinHmac.
*
* @param skeyl
* The length in bytes of the session salt. SRTP computes this salt
* key and uses it as input during encryption. The length usually
* is the same as the master salt length.
*
* @param tagLength
* The length is bytes of the authentication tag that SRTP appends
* to the RTP packet. The @c CryptoContext supports @c SrtpAuthenticationSha1Hmac
* with 4 and 10 byte (32 and 80 bits) and @c SrtpAuthenticationSkeinHmac
* with 4 and 8 bytes (32 and 64 bits) tag length. Refer to chapter 4.2. in RFC 3711.
*/
CryptoContext(uint32_t ssrc, int32_t roc,
int64_t keyDerivRate,
const int32_t ealg,
const int32_t aalg,
uint8_t* masterKey,
int32_t masterKeyLength,
uint8_t* masterSalt,
int32_t masterSaltLength,
int32_t ekeyl,
int32_t akeyl,
int32_t skeyl,
int32_t tagLength);
/**
* @brief Destructor.
*
* Cleans the SRTP cryptographic context.
*/
~CryptoContext();
/**
* @brief Set the Roll-Over-Counter.
*
* Ths method sets the upper 32 bit of the 48 bit SRTP packet index
* (the roll-over-part)
*
* @param r
* The roll-over-counter
*/
inline void setRoc(uint32_t r) { roc = r; }
/**
* @brief Get the Roll-Over-Counter.
*
* Ths method get the upper 32 bit of the 48 bit SRTP packet index
* (the roll-over-part)
*
* @return The roll-over-counter
*/
inline uint32_t getRoc() const { return roc; }
/**
* @brief Perform SRTP encryption.
*
* This method encrypts <em>and</em> decrypts SRTP payload data. Plain
* data gets encrypted, encrypted data get decrypted.
*
* @param pkt
* Pointer to RTP packet buffer, used for F8.
*
* @param payload
* The data to encrypt.
*
* @param paylen
* Length of payload.
*
* @param index
* The 48 bit SRTP packet index. See the <code>guessIndex</code>
* method.
*
* @param ssrc
* The RTP SSRC data in <em>host</em> order.
*/
void srtpEncrypt(uint8_t* pkt, uint8_t* payload, uint32_t paylen, uint64_t index, uint32_t ssrc);
/**
* @brief Compute the authentication tag.
*
* Compute the authentication tag according the the paramters in the
* SRTP Cryptograhic context.
*
* @param pkt
* Pointer to RTP packet buffer that contains the data to authenticate.
*
* @param pktlen
* Length of the RTP packet buffer
*
* @param roc
* The 32 bit SRTP roll-over-counter.
*
* @param tag
* Points to a buffer that hold the computed tag. This buffer must
* be able to hold <code>tagLength</code> bytes.
*/
void srtpAuthenticate(uint8_t* pkt, uint32_t pktlen, uint32_t roc, uint8_t* tag);
/**
* @brief Perform key derivation according to SRTP specification
*
* This method computes the session key, session authentication key and the
* session salt key. This method must be called at least once after the
* SRTP Cryptograhic context was set up.
*
* This method clears the key data once it was processed by the encryptions'
* set key functions.
*
* @param index
* The 48 bit SRTP packet index. See the <code>guessIndex</code>
* method. Usually 0.
*/
void deriveSrtpKeys(uint64_t index);
/**
* @brief Compute (guess) the new SRTP index based on the sequence number of
* a received RTP packet.
*
* The method uses the algorithm show in RFC3711, Appendix A, to compute
* the new index.
*
* @param newSeqNumber
* The sequence number of the received RTP packet in host order.
*
* @return The new SRTP packet index
*/
uint64_t guessIndex(uint16_t newSeqNumber);
/**
* @brief Check for packet replay.
*
* The method check if a received packet is either to old or was already
* received.
*
* The method supports a 64 packet history relative the the given
* sequence number.
*
* @param newSeqNumber
* The sequence number of the received RTP packet in host order.
*
* @return <code>true</code> if no replay, <code>false</code> if packet
* is too old ar was already received.
*/
bool checkReplay(uint16_t newSeqNumber);
/**
* @brief Update the SRTP packet index.
*
* Call this method after all checks were successful. See chapter
* 3.3.1 in the RFC when to update the ROC and ROC processing.
*
* @param newSeqNumber
* The sequence number of the received RTP packet in host order.
*/
void update(uint16_t newSeqNumber);
/**
* @brief Get the length of the SRTP authentication tag in bytes.
*
* @return the length of the authentication tag.
*/
int32_t getTagLength() const { return tagLength; }
/**
* @brief Get the length of the MKI in bytes.
*
* @return the length of the MKI.
*/
int32_t getMkiLength() const { return mkiLength; }
/**
* @brief Get the SSRC of this SRTP Cryptograhic context.
*
* @return the SSRC.
*/
uint32_t getSsrc() const { return ssrcCtx; }
/**
* @brief Set the start (base) number to compute the PRF labels.
*
* Refer to RFC3711, chapters 4.3.1 and 4.3.2 about values for labels.
* CryptoContext computes the labes as follows:
*
* - labelBase + 0 -> encryption label
* - labelBase + 1 -> authentication label
* - labelBase + 2 -> salting key label
*
* The CryptoContext constructor initializes CryptoContext::labelBase
* with 0 to comply with RFC 3711 label values.
*
* Applications may set the #labelBase to other values to use the CryptoContext
* for other purposes.
*/
void setLabelbase(uint8_t base) { labelBase = base; }
/**
* @brief Derive a new Crypto Context for use with a new SSRC
*
* This method returns a new Crypto Context initialized with the data
* of this crypto context. Replacing the SSRC, Roll-over-Counter, and
* the key derivation rate the application can use this Crypto Context
* to encrypt / decrypt a new stream (Synchronization source) inside
* one RTP session.
*
* Before the application can use this crypto context it must call deriveSrtpKeys().
*
* @param ssrc
* The SSRC for this context
* @param roc
* The Roll-Over-Counter for this context, usually 0
* @param keyDerivRate
* The key derivation rate for this context, usally 0
* @return
* a new CryptoContext with all relevant data set.
*/
CryptoContext* newCryptoContextForSSRC(uint32_t ssrc, int roc, int64_t keyDerivRate);
private:
uint32_t ssrcCtx;
bool using_mki;
uint32_t mkiLength;
uint8_t* mki;
uint32_t roc;
uint32_t guessed_roc;
uint16_t s_l;
int64_t key_deriv_rate;
/* bitmask for replay check */
uint64_t replay_window;
uint8_t* master_key;
uint32_t master_key_length;
uint32_t master_key_srtp_use_nb;
uint32_t master_key_srtcp_use_nb;
uint8_t* master_salt;
uint32_t master_salt_length;
/* Session Encryption, Authentication keys, Salt */
int32_t n_e;
uint8_t* k_e;
int32_t n_a;
uint8_t* k_a;
int32_t n_s;
uint8_t* k_s;
int32_t ealg;
int32_t aalg;
int32_t ekeyl;
int32_t akeyl;
int32_t skeyl;
int32_t tagLength;
uint8_t labelBase;
bool seqNumSet;
void* macCtx;
SrtpSymCrypto* cipher;
SrtpSymCrypto* f8Cipher;
};
#endif
/**
* @}
*/
#endif