Gitiles
Code Review Sign In
review.jami.net / jami-client-android / fd1ef4f45dc67eb6dddc4a9f56bd36dc7507c582 / . / jni / pjproject-android / .svn / pristine / 9f / 9f5122850959e8bc3c655897638890118de412c7.svn-base
blob: b30f6d38adfdd97c1cd4b322cbd3aca509bbc9d5 [file] [log] [blame]
Alexandre Lision8af73cb2013-12-10 14:11:20 -0500[diff] [blame]1/*
2 * srtp.c
3 *
4 * the secure real-time transport protocol
5 *
6 * David A. McGrew
7 * Cisco Systems, Inc.
8 */
9/*
10 *
11 * Copyright (c) 2001-2006, Cisco Systems, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 *
18 * Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 *
21 * Redistributions in binary form must reproduce the above
22 * copyright notice, this list of conditions and the following
23 * disclaimer in the documentation and/or other materials provided
24 * with the distribution.
25 *
26 * Neither the name of the Cisco Systems, Inc. nor the names of its
27 * contributors may be used to endorse or promote products derived
28 * from this software without specific prior written permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 *
43 */
44
45
46#include "srtp_priv.h"
47#include "aes_icm.h" /* aes_icm is used in the KDF */
48#include "alloc.h" /* for crypto_alloc() */
49
50#ifndef SRTP_KERNEL
51# include <limits.h>
52# ifdef HAVE_NETINET_IN_H
53# include <netinet/in.h>
54# elif defined(HAVE_WINSOCK2_H)
55# include <winsock2.h>
56# endif
57#endif /* ! SRTP_KERNEL */
58
59
60extern cipher_type_t aes_icm;
61extern auth_type_t tmmhv2;
62
63/* the debug module for srtp */
64
65debug_module_t mod_srtp = {
66 0, /* debugging is off by default */
67 "srtp" /* printable name for module */
68};
69
70#define octets_in_rtp_header 12
71#define uint32s_in_rtp_header 3
72#define octets_in_rtcp_header 8
73#define uint32s_in_rtcp_header 2
74
75
76err_status_t
77srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
78 const srtp_policy_t *p) {
79 srtp_stream_ctx_t *str;
80 err_status_t stat;
81
82 /*
83 * This function allocates the stream context, rtp and rtcp ciphers
84 * and auth functions, and key limit structure. If there is a
85 * failure during allocation, we free all previously allocated
86 * memory and return a failure code. The code could probably
87 * be improved, but it works and should be clear.
88 */
89
90 /* allocate srtp stream and set str_ptr */
91 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
92 if (str == NULL)
93 return err_status_alloc_fail;
94 *str_ptr = str;
95
96 /* allocate cipher */
97 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
98 &str->rtp_cipher,
99 p->rtp.cipher_key_len);
100 if (stat) {
101 crypto_free(str);
102 return stat;
103 }
104
105 /* allocate auth function */
106 stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
107 &str->rtp_auth,
108 p->rtp.auth_key_len,
109 p->rtp.auth_tag_len);
110 if (stat) {
111 cipher_dealloc(str->rtp_cipher);
112 crypto_free(str);
113 return stat;
114 }
115
116 /* allocate key limit structure */
117 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t));
118 if (str->limit == NULL) {
119 auth_dealloc(str->rtp_auth);
120 cipher_dealloc(str->rtp_cipher);
121 crypto_free(str);
122 return err_status_alloc_fail;
123 }
124
125 /*
126 * ...and now the RTCP-specific initialization - first, allocate
127 * the cipher
128 */
129 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
130 &str->rtcp_cipher,
131 p->rtcp.cipher_key_len);
132 if (stat) {
133 auth_dealloc(str->rtp_auth);
134 cipher_dealloc(str->rtp_cipher);
135 crypto_free(str->limit);
136 crypto_free(str);
137 return stat;
138 }
139
140 /* allocate auth function */
141 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
142 &str->rtcp_auth,
143 p->rtcp.auth_key_len,
144 p->rtcp.auth_tag_len);
145 if (stat) {
146 cipher_dealloc(str->rtcp_cipher);
147 auth_dealloc(str->rtp_auth);
148 cipher_dealloc(str->rtp_cipher);
149 crypto_free(str->limit);
150 crypto_free(str);
151 return stat;
152 }
153
154 return err_status_ok;
155}
156
157err_status_t
158srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) {
159 err_status_t status;
160
161 /*
162 * we use a conservative deallocation strategy - if any deallocation
163 * fails, then we report that fact without trying to deallocate
164 * anything else
165 */
166
167 /* deallocate cipher, if it is not the same as that in template */
168 if (session->stream_template
169 && stream->rtp_cipher == session->stream_template->rtp_cipher) {
170 /* do nothing */
171 } else {
172 status = cipher_dealloc(stream->rtp_cipher);
173 if (status)
174 return status;
175 }
176
177 /* deallocate auth function, if it is not the same as that in template */
178 if (session->stream_template
179 && stream->rtp_auth == session->stream_template->rtp_auth) {
180 /* do nothing */
181 } else {
182 status = auth_dealloc(stream->rtp_auth);
183 if (status)
184 return status;
185 }
186
187 /* deallocate key usage limit, if it is not the same as that in template */
188 if (session->stream_template
189 && stream->limit == session->stream_template->limit) {
190 /* do nothing */
191 } else {
192 crypto_free(stream->limit);
193 }
194
195 /*
196 * deallocate rtcp cipher, if it is not the same as that in
197 * template
198 */
199 if (session->stream_template
200 && stream->rtcp_cipher == session->stream_template->rtcp_cipher) {
201 /* do nothing */
202 } else {
203 status = cipher_dealloc(stream->rtcp_cipher);
204 if (status)
205 return status;
206 }
207
208 /*
209 * deallocate rtcp auth function, if it is not the same as that in
210 * template
211 */
212 if (session->stream_template
213 && stream->rtcp_auth == session->stream_template->rtcp_auth) {
214 /* do nothing */
215 } else {
216 status = auth_dealloc(stream->rtcp_auth);
217 if (status)
218 return status;
219 }
220
221 /* deallocate srtp stream context */
222 crypto_free(stream);
223
224 return err_status_ok;
225}
226
227
228/*
229 * srtp_stream_clone(stream_template, new) allocates a new stream and
230 * initializes it using the cipher and auth of the stream_template
231 *
232 * the only unique data in a cloned stream is the replay database and
233 * the SSRC
234 */
235
236err_status_t
237srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
238 uint32_t ssrc,
239 srtp_stream_ctx_t **str_ptr) {
240 err_status_t status;
241 srtp_stream_ctx_t *str;
242
243 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
244
245 /* allocate srtp stream and set str_ptr */
246 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
247 if (str == NULL)
248 return err_status_alloc_fail;
249 *str_ptr = str;
250
251 /* set cipher and auth pointers to those of the template */
252 str->rtp_cipher = stream_template->rtp_cipher;
253 str->rtp_auth = stream_template->rtp_auth;
254 str->rtcp_cipher = stream_template->rtcp_cipher;
255 str->rtcp_auth = stream_template->rtcp_auth;
256
257 /* set key limit to point to that of the template */
258 status = key_limit_clone(stream_template->limit, &str->limit);
259 if (status)
260 return status;
261
262 /* initialize replay databases */
263 rdbx_init(&str->rtp_rdbx);
264 rdb_init(&str->rtcp_rdb);
265
266 /* set ssrc to that provided */
267 str->ssrc = ssrc;
268
269 /* set direction and security services */
270 str->direction = stream_template->direction;
271 str->rtp_services = stream_template->rtp_services;
272 str->rtcp_services = stream_template->rtcp_services;
273
274 /* defensive coding */
275 str->next = NULL;
276
277 return err_status_ok;
278}
279
280
281/*
282 * key derivation functions, internal to libSRTP
283 *
284 * srtp_kdf_t is a key derivation context
285 *
286 * srtp_kdf_init(&kdf, k) initializes kdf with the key k
287 *
288 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
289 * corresponding to label l and puts it into kl; the length
290 * of the key in octets is provided as keylen. this function
291 * should be called once for each subkey that is derived.
292 *
293 * srtp_kdf_clear(&kdf) zeroizes the kdf state
294 */
295
296typedef enum {
297 label_rtp_encryption = 0x00,
298 label_rtp_msg_auth = 0x01,
299 label_rtp_salt = 0x02,
300 label_rtcp_encryption = 0x03,
301 label_rtcp_msg_auth = 0x04,
302 label_rtcp_salt = 0x05
303} srtp_prf_label;
304
305
306/*
307 * srtp_kdf_t represents a key derivation function. The SRTP
308 * default KDF is the only one implemented at present.
309 */
310
311typedef struct {
312 aes_icm_ctx_t c; /* cipher used for key derivation */
313} srtp_kdf_t;
314
315err_status_t
316srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t key[30]) {
317
318 aes_icm_context_init(&kdf->c, key);
319
320 return err_status_ok;
321}
322
323err_status_t
324srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
325 uint8_t *key, int length) {
326
327 v128_t nonce;
328
329 /* set eigth octet of nonce to <label>, set the rest of it to zero */
330 v128_set_to_zero(&nonce);
331 nonce.v8[7] = label;
332
333 aes_icm_set_iv(&kdf->c, &nonce);
334
335 /* generate keystream output */
336 aes_icm_output(&kdf->c, key, length);
337
338 return err_status_ok;
339}
340
341err_status_t
342srtp_kdf_clear(srtp_kdf_t *kdf) {
343
344 /* zeroize aes context */
345 octet_string_set_to_zero((uint8_t *)kdf, sizeof(srtp_kdf_t));
346
347 return err_status_ok;
348}
349
350/*
351 * end of key derivation functions
352 */
353
354#define MAX_SRTP_KEY_LEN 256
355
356
357err_status_t
358srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
359 err_status_t stat;
360 srtp_kdf_t kdf;
361 uint8_t tmp_key[MAX_SRTP_KEY_LEN];
362
363 /* initialize KDF state */
364 srtp_kdf_init(&kdf, (const uint8_t *)key);
365
366 /* generate encryption key */
367 srtp_kdf_generate(&kdf, label_rtp_encryption,
368 tmp_key, cipher_get_key_length(srtp->rtp_cipher));
369 /*
370 * if the cipher in the srtp context is aes_icm, then we need
371 * to generate the salt value
372 */
373 if (srtp->rtp_cipher->type == &aes_icm) {
374 /* FIX!!! this is really the cipher key length; rest is salt */
375 int base_key_len = 16;
376 int salt_len = cipher_get_key_length(srtp->rtp_cipher) - base_key_len;
377
378 debug_print(mod_srtp, "found aes_icm, generating salt", NULL);
379
380 /* generate encryption salt, put after encryption key */
381 srtp_kdf_generate(&kdf, label_rtp_salt,
382 tmp_key + base_key_len, salt_len);
383 }
384 debug_print(mod_srtp, "cipher key: %s",
385 octet_string_hex_string(tmp_key,
386 cipher_get_key_length(srtp->rtp_cipher)));
387
388 /* initialize cipher */
389 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any);
390 if (stat) {
391 /* zeroize temp buffer */
392 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
393 return err_status_init_fail;
394 }
395
396 /* generate authentication key */
397 srtp_kdf_generate(&kdf, label_rtp_msg_auth,
398 tmp_key, auth_get_key_length(srtp->rtp_auth));
399 debug_print(mod_srtp, "auth key: %s",
400 octet_string_hex_string(tmp_key,
401 auth_get_key_length(srtp->rtp_auth)));
402
403 /* initialize auth function */
404 stat = auth_init(srtp->rtp_auth, tmp_key);
405 if (stat) {
406 /* zeroize temp buffer */
407 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
408 return err_status_init_fail;
409 }
410
411 /*
412 * ...now initialize SRTCP keys
413 */
414
415 /* generate encryption key */
416 srtp_kdf_generate(&kdf, label_rtcp_encryption,
417 tmp_key, cipher_get_key_length(srtp->rtcp_cipher));
418 /*
419 * if the cipher in the srtp context is aes_icm, then we need
420 * to generate the salt value
421 */
422 if (srtp->rtcp_cipher->type == &aes_icm) {
423 /* FIX!!! this is really the cipher key length; rest is salt */
424 int base_key_len = 16;
425 int salt_len = cipher_get_key_length(srtp->rtcp_cipher) - base_key_len;
426
427 debug_print(mod_srtp, "found aes_icm, generating rtcp salt", NULL);
428
429 /* generate encryption salt, put after encryption key */
430 srtp_kdf_generate(&kdf, label_rtcp_salt,
431 tmp_key + base_key_len, salt_len);
432 }
433 debug_print(mod_srtp, "rtcp cipher key: %s",
434 octet_string_hex_string(tmp_key,
435 cipher_get_key_length(srtp->rtcp_cipher)));
436
437 /* initialize cipher */
438 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any);
439 if (stat) {
440 /* zeroize temp buffer */
441 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
442 return err_status_init_fail;
443 }
444
445 /* generate authentication key */
446 srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
447 tmp_key, auth_get_key_length(srtp->rtcp_auth));
448 debug_print(mod_srtp, "rtcp auth key: %s",
449 octet_string_hex_string(tmp_key,
450 auth_get_key_length(srtp->rtcp_auth)));
451
452 /* initialize auth function */
453 stat = auth_init(srtp->rtcp_auth, tmp_key);
454 if (stat) {
455 /* zeroize temp buffer */
456 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
457 return err_status_init_fail;
458 }
459
460 /* clear memory then return */
461 srtp_kdf_clear(&kdf);
462 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
463
464 return err_status_ok;
465}
466
467err_status_t
468srtp_stream_init(srtp_stream_ctx_t *srtp,
469 const srtp_policy_t *p) {
470 err_status_t err;
471
472 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)",
473 p->ssrc.value);
474
475 /* initialize replay database */
476 rdbx_init(&srtp->rtp_rdbx);
477
478 /* initialize key limit to maximum value */
479#ifdef NO_64BIT_MATH
480{
481 uint64_t temp;
482 temp = make64(UINT_MAX,UINT_MAX);
483 key_limit_set(srtp->limit, temp);
484}
485#else
486 key_limit_set(srtp->limit, PJ_UINT64(0xffffffffffff));
487#endif
488
489 /* set the SSRC value */
490 srtp->ssrc = htonl(p->ssrc.value);
491
492 /* set the security service flags */
493 srtp->rtp_services = p->rtp.sec_serv;
494 srtp->rtcp_services = p->rtcp.sec_serv;
495
496 /*
497 * set direction to unknown - this flag gets checked in srtp_protect(),
498 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
499 * gets set appropriately if it is set to unknown.
500 */
501 srtp->direction = dir_unknown;
502
503 /* initialize SRTCP replay database */
504 rdb_init(&srtp->rtcp_rdb);
505
506 /* DAM - no RTCP key limit at present */
507
508 /* initialize keys */
509 err = srtp_stream_init_keys(srtp, p->key);
510 if (err) return err;
511
512 return err_status_ok;
513 }
514
515
516 /*
517 * srtp_event_reporter is an event handler function that merely
518 * reports the events that are reported by the callbacks
519 */
520
521 void
522 srtp_event_reporter(srtp_event_data_t *data) {
523
524 err_report(err_level_warning, "srtp: in stream 0x%x: ",
525 data->stream->ssrc);
526
527 switch(data->event) {
528 case event_ssrc_collision:
529 err_report(err_level_warning, "\tSSRC collision\n");
530 break;
531 case event_key_soft_limit:
532 err_report(err_level_warning, "\tkey usage soft limit reached\n");
533 break;
534 case event_key_hard_limit:
535 err_report(err_level_warning, "\tkey usage hard limit reached\n");
536 break;
537 case event_packet_index_limit:
538 err_report(err_level_warning, "\tpacket index limit reached\n");
539 break;
540 default:
541 err_report(err_level_warning, "\tunknown event reported to handler\n");
542 }
543 }
544
545 /*
546 * srtp_event_handler is a global variable holding a pointer to the
547 * event handler function; this function is called for any unexpected
548 * event that needs to be handled out of the SRTP data path. see
549 * srtp_event_t in srtp.h for more info
550 *
551 * it is okay to set srtp_event_handler to NULL, but we set
552 * it to the srtp_event_reporter.
553 */
554
555 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
556
557 err_status_t
558 srtp_install_event_handler(srtp_event_handler_func_t func) {
559
560 /*
561 * note that we accept NULL arguments intentionally - calling this
562 * function with a NULL arguments removes an event handler that's
563 * been previously installed
564 */
565
566 /* set global event handling function */
567 srtp_event_handler = func;
568 return err_status_ok;
569 }
570
571 err_status_t
572 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
573 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
574 uint32_t *enc_start; /* pointer to start of encrypted portion */
575 uint32_t *auth_start; /* pointer to start of auth. portion */
576 unsigned enc_octet_len = 0; /* number of octets in encrypted portion */
577 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
578 int delta; /* delta of local pkt idx and that in hdr */
579 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
580 err_status_t status;
581 int tag_len;
582 srtp_stream_ctx_t *stream;
583 int prefix_len;
584
585 debug_print(mod_srtp, "function srtp_protect", NULL);
586
587 /* we assume the hdr is 32-bit aligned to start */
588
589 /* check the packet length - it must at least contain a full header */
590 if (*pkt_octet_len < octets_in_rtp_header)
591 return err_status_bad_param;
592
593 /*
594 * look up ssrc in srtp_stream list, and process the packet with
595 * the appropriate stream. if we haven't seen this stream before,
596 * there's a template key for this srtp_session, and the cipher
597 * supports key-sharing, then we assume that a new stream using
598 * that key has just started up
599 */
600 stream = srtp_get_stream(ctx, hdr->ssrc);
601 if (stream == NULL) {
602 if (ctx->stream_template != NULL) {
603 srtp_stream_ctx_t *new_stream;
604
605 /* allocate and initialize a new stream */
606 status = srtp_stream_clone(ctx->stream_template,
607 hdr->ssrc, &new_stream);
608 if (status)
609 return status;
610
611 /* add new stream to the head of the stream_list */
612 new_stream->next = ctx->stream_list;
613 ctx->stream_list = new_stream;
614
615 /* set direction to outbound */
616 new_stream->direction = dir_srtp_sender;
617
618 /* set stream (the pointer used in this function) */
619 stream = new_stream;
620 } else {
621 /* no template stream, so we return an error */
622 return err_status_no_ctx;
623 }
624 }
625
626 /*
627 * verify that stream is for sending traffic - this check will
628 * detect SSRC collisions, since a stream that appears in both
629 * srtp_protect() and srtp_unprotect() will fail this test in one of
630 * those functions.
631 */
632 if (stream->direction != dir_srtp_sender) {
633 if (stream->direction == dir_unknown) {
634 stream->direction = dir_srtp_sender;
635 } else {
636 srtp_handle_event(ctx, stream, event_ssrc_collision);
637 }
638 }
639
640 /*
641 * update the key usage limit, and check it to make sure that we
642 * didn't just hit either the soft limit or the hard limit, and call
643 * the event handler if we hit either.
644 */
645 switch(key_limit_update(stream->limit)) {
646 case key_event_normal:
647 break;
648 case key_event_soft_limit:
649 srtp_handle_event(ctx, stream, event_key_soft_limit);
650 break;
651 case key_event_hard_limit:
652 srtp_handle_event(ctx, stream, event_key_hard_limit);
653 return err_status_key_expired;
654 default:
655 break;
656 }
657
658 /* get tag length from stream */
659 tag_len = auth_get_tag_length(stream->rtp_auth);
660
661 /*
662 * find starting point for encryption and length of data to be
663 * encrypted - the encrypted portion starts after the rtp header
664 * extension, if present; otherwise, it starts after the last csrc,
665 * if any are present
666 *
667 * if we're not providing confidentiality, set enc_start to NULL
668 */
669 if (stream->rtp_services & sec_serv_conf) {
670 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
671 if (hdr->x == 1) {
672 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
673 enc_start += (ntohs(xtn_hdr->length) + 1);
674 }
675 enc_octet_len = (unsigned int)(*pkt_octet_len
676 - ((enc_start - (uint32_t *)hdr) << 2));
677 } else {
678 enc_start = NULL;
679 }
680
681 /*
682 * if we're providing authentication, set the auth_start and auth_tag
683 * pointers to the proper locations; otherwise, set auth_start to NULL
684 * to indicate that no authentication is needed
685 */
686 if (stream->rtp_services & sec_serv_auth) {
687 auth_start = (uint32_t *)hdr;
688 auth_tag = (uint8_t *)hdr + *pkt_octet_len;
689 } else {
690 auth_start = NULL;
691 auth_tag = NULL;
692 }
693
694 /*
695 * estimate the packet index using the start of the replay window
696 * and the sequence number from the header
697 */
698 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
699 status = rdbx_check(&stream->rtp_rdbx, delta);
700 if (status)
701 return status; /* we've been asked to reuse an index */
702 rdbx_add_index(&stream->rtp_rdbx, delta);
703
704#ifdef NO_64BIT_MATH
705 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
706 high32(est),low32(est));
707#else
708 debug_print(mod_srtp, "estimated packet index: %016llx", est);
709#endif
710
711 /*
712 * if we're using rindael counter mode, set nonce and seq
713 */
714 if (stream->rtp_cipher->type == &aes_icm) {
715 v128_t iv;
716
717 iv.v32[0] = 0;
718 iv.v32[1] = hdr->ssrc;
719#ifdef NO_64BIT_MATH
720 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
721 low32(est) << 16));
722#else
723 iv.v64[1] = be64_to_cpu(est << 16);
724#endif
725 status = cipher_set_iv(stream->rtp_cipher, &iv);
726
727 } else {
728 v128_t iv;
729
730 /* otherwise, set the index to est */
731#ifdef NO_64BIT_MATH
732 iv.v32[0] = 0;
733 iv.v32[1] = 0;
734#else
735 iv.v64[0] = 0;
736#endif
737 iv.v64[1] = be64_to_cpu(est);
738 status = cipher_set_iv(stream->rtp_cipher, &iv);
739 }
740 if (status)
741 return err_status_cipher_fail;
742
743 /* shift est, put into network byte order */
744#ifdef NO_64BIT_MATH
745 est = be64_to_cpu(make64((high32(est) << 16) |
746 (low32(est) >> 16),
747 low32(est) << 16));
748#else
749 est = be64_to_cpu(est << 16);
750#endif
751
752 /*
753 * if we're authenticating using a universal hash, put the keystream
754 * prefix into the authentication tag
755 */
756 if (auth_start) {
757
758 prefix_len = auth_get_prefix_length(stream->rtp_auth);
759 if (prefix_len) {
760 status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len);
761 if (status)
762 return err_status_cipher_fail;
763 debug_print(mod_srtp, "keystream prefix: %s",
764 octet_string_hex_string(auth_tag, prefix_len));
765 }
766 }
767
768 /* if we're encrypting, exor keystream into the message */
769 if (enc_start) {
770 status = cipher_encrypt(stream->rtp_cipher,
771 (uint8_t *)enc_start, &enc_octet_len);
772 if (status)
773 return err_status_cipher_fail;
774 }
775
776 /*
777 * if we're authenticating, run authentication function and put result
778 * into the auth_tag
779 */
780 if (auth_start) {
781
782 /* initialize auth func context */
783 status = auth_start(stream->rtp_auth);
784 if (status) return status;
785
786 /* run auth func over packet */
787 status = auth_update(stream->rtp_auth,
788 (uint8_t *)auth_start, *pkt_octet_len);
789 if (status) return status;
790
791 /* run auth func over ROC, put result into auth_tag */
792 debug_print(mod_srtp, "estimated packet index: %016llx", est);
793 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);
794 debug_print(mod_srtp, "srtp auth tag: %s",
795 octet_string_hex_string(auth_tag, tag_len));
796 if (status)
797 return err_status_auth_fail;
798
799 }
800
801 if (auth_tag) {
802
803 /* increase the packet length by the length of the auth tag */
804 *pkt_octet_len += tag_len;
805 }
806
807 return err_status_ok;
808}
809
810
811err_status_t
812srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
813 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
814 uint32_t *enc_start; /* pointer to start of encrypted portion */
815 uint32_t *auth_start; /* pointer to start of auth. portion */
816 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
817 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
818 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
819 int delta; /* delta of local pkt idx and that in hdr */
820 v128_t iv;
821 err_status_t status;
822 srtp_stream_ctx_t *stream;
823 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
824 int tag_len, prefix_len;
825
826 debug_print(mod_srtp, "function srtp_unprotect", NULL);
827
828 /* we assume the hdr is 32-bit aligned to start */
829
830 /* check the packet length - it must at least contain a full header */
831 if (*pkt_octet_len < octets_in_rtp_header)
832 return err_status_bad_param;
833
834 /*
835 * look up ssrc in srtp_stream list, and process the packet with
836 * the appropriate stream. if we haven't seen this stream before,
837 * there's only one key for this srtp_session, and the cipher
838 * supports key-sharing, then we assume that a new stream using
839 * that key has just started up
840 */
841 stream = srtp_get_stream(ctx, hdr->ssrc);
842 if (stream == NULL) {
843 if (ctx->stream_template != NULL) {
844 stream = ctx->stream_template;
845 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
846 hdr->ssrc);
847
848 /*
849 * set estimated packet index to sequence number from header,
850 * and set delta equal to the same value
851 */
852#ifdef NO_64BIT_MATH
853 est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq));
854 delta = low32(est);
855#else
856 est = (xtd_seq_num_t) ntohs(hdr->seq);
857 delta = (int)est;
858#endif
859 } else {
860
861 /*
862 * no stream corresponding to SSRC found, and we don't do
863 * key-sharing, so return an error
864 */
865 return err_status_no_ctx;
866 }
867 } else {
868
869 /* estimate packet index from seq. num. in header */
870 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
871
872 /* check replay database */
873 status = rdbx_check(&stream->rtp_rdbx, delta);
874 if (status)
875 return status;
876 }
877
878#ifdef NO_64BIT_MATH
879 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32(est));
880#else
881 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
882#endif
883
884 /* get tag length from stream */
885 tag_len = auth_get_tag_length(stream->rtp_auth);
886
887 /*
888 * set the cipher's IV properly, depending on whatever cipher we
889 * happen to be using
890 */
891 if (stream->rtp_cipher->type == &aes_icm) {
892
893 /* aes counter mode */
894 iv.v32[0] = 0;
895 iv.v32[1] = hdr->ssrc; /* still in network order */
896#ifdef NO_64BIT_MATH
897 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
898 low32(est) << 16));
899#else
900 iv.v64[1] = be64_to_cpu(est << 16);
901#endif
902 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtp_cipher->state, &iv);
903 } else {
904
905 /* no particular format - set the iv to the pakcet index */
906#ifdef NO_64BIT_MATH
907 iv.v32[0] = 0;
908 iv.v32[1] = 0;
909#else
910 iv.v64[0] = 0;
911#endif
912 iv.v64[1] = be64_to_cpu(est);
913 status = cipher_set_iv(stream->rtp_cipher, &iv);
914 }
915 if (status)
916 return err_status_cipher_fail;
917
918 /* shift est, put into network byte order */
919#ifdef NO_64BIT_MATH
920 est = be64_to_cpu(make64((high32(est) << 16) |
921 (low32(est) >> 16),
922 low32(est) << 16));
923#else
924 est = be64_to_cpu(est << 16);
925#endif
926
927 /*
928 * find starting point for decryption and length of data to be
929 * decrypted - the encrypted portion starts after the rtp header
930 * extension, if present; otherwise, it starts after the last csrc,
931 * if any are present
932 *
933 * if we're not providing confidentiality, set enc_start to NULL
934 */
935 if (stream->rtp_services & sec_serv_conf) {
936 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
937 if (hdr->x == 1) {
938 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
939 enc_start += (ntohs(xtn_hdr->length) + 1);
940 }
941 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
942 - ((enc_start - (uint32_t *)hdr) << 2));
943 } else {
944 enc_start = NULL;
945 }
946
947 /*
948 * if we're providing authentication, set the auth_start and auth_tag
949 * pointers to the proper locations; otherwise, set auth_start to NULL
950 * to indicate that no authentication is needed
951 */
952 if (stream->rtp_services & sec_serv_auth) {
953 auth_start = (uint32_t *)hdr;
954 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
955 } else {
956 auth_start = NULL;
957 auth_tag = NULL;
958 }
959
960 /*
961 * if we expect message authentication, run the authentication
962 * function and compare the result with the value of the auth_tag
963 */
964 if (auth_start) {
965
966 /*
967 * if we're using a universal hash, then we need to compute the
968 * keystream prefix for encrypting the universal hash output
969 *
970 * if the keystream prefix length is zero, then we know that
971 * the authenticator isn't using a universal hash function
972 */
973 if (stream->rtp_auth->prefix_len != 0) {
974
975 prefix_len = auth_get_prefix_length(stream->rtp_auth);
976 status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len);
977 debug_print(mod_srtp, "keystream prefix: %s",
978 octet_string_hex_string(tmp_tag, prefix_len));
979 if (status)
980 return err_status_cipher_fail;
981 }
982
983 /* initialize auth func context */
984 status = auth_start(stream->rtp_auth);
985 if (status) return status;
986
987 /* now compute auth function over packet */
988 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,
989 *pkt_octet_len - tag_len);
990
991 /* run auth func over ROC, then write tmp tag */
992 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);
993
994 debug_print(mod_srtp, "computed auth tag: %s",
995 octet_string_hex_string(tmp_tag, tag_len));
996 debug_print(mod_srtp, "packet auth tag: %s",
997 octet_string_hex_string(auth_tag, tag_len));
998 if (status)
999 return err_status_auth_fail;
1000
1001 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1002 return err_status_auth_fail;
1003 }
1004
1005 /*
1006 * update the key usage limit, and check it to make sure that we
1007 * didn't just hit either the soft limit or the hard limit, and call
1008 * the event handler if we hit either.
1009 */
1010 switch(key_limit_update(stream->limit)) {
1011 case key_event_normal:
1012 break;
1013 case key_event_soft_limit:
1014 srtp_handle_event(ctx, stream, event_key_soft_limit);
1015 break;
1016 case key_event_hard_limit:
1017 srtp_handle_event(ctx, stream, event_key_hard_limit);
1018 return err_status_key_expired;
1019 default:
1020 break;
1021 }
1022
1023 /* if we're encrypting, add keystream into ciphertext */
1024 if (enc_start) {
1025 status = cipher_encrypt(stream->rtp_cipher,
1026 (uint8_t *)enc_start, &enc_octet_len);
1027 if (status)
1028 return err_status_cipher_fail;
1029 }
1030
1031 /*
1032 * verify that stream is for received traffic - this check will
1033 * detect SSRC collisions, since a stream that appears in both
1034 * srtp_protect() and srtp_unprotect() will fail this test in one of
1035 * those functions.
1036 *
1037 * we do this check *after* the authentication check, so that the
1038 * latter check will catch any attempts to fool us into thinking
1039 * that we've got a collision
1040 */
1041 if (stream->direction != dir_srtp_receiver) {
1042 if (stream->direction == dir_unknown) {
1043 stream->direction = dir_srtp_receiver;
1044 } else {
1045 srtp_handle_event(ctx, stream, event_ssrc_collision);
1046 }
1047 }
1048
1049 /*
1050 * if the stream is a 'provisional' one, in which the template context
1051 * is used, then we need to allocate a new stream at this point, since
1052 * the authentication passed
1053 */
1054 if (stream == ctx->stream_template) {
1055 srtp_stream_ctx_t *new_stream;
1056
1057 /*
1058 * allocate and initialize a new stream
1059 *
1060 * note that we indicate failure if we can't allocate the new
1061 * stream, and some implementations will want to not return
1062 * failure here
1063 */
1064 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1065 if (status)
1066 return status;
1067
1068 /* add new stream to the head of the stream_list */
1069 new_stream->next = ctx->stream_list;
1070 ctx->stream_list = new_stream;
1071
1072 /* set stream (the pointer used in this function) */
1073 stream = new_stream;
1074 }
1075
1076 /*
1077 * the message authentication function passed, so add the packet
1078 * index into the replay database
1079 */
1080 rdbx_add_index(&stream->rtp_rdbx, delta);
1081
1082 /* decrease the packet length by the length of the auth tag */
1083 *pkt_octet_len -= tag_len;
1084
1085 return err_status_ok;
1086}
1087
1088err_status_t
1089srtp_init() {
1090 err_status_t status;
1091
1092 /* initialize crypto kernel */
1093 status = crypto_kernel_init();
1094 if (status)
1095 return status;
1096
1097 /* load srtp debug module into the kernel */
1098 status = crypto_kernel_load_debug_module(&mod_srtp);
1099 if (status)
1100 return status;
1101
1102 return err_status_ok;
1103}
1104
1105err_status_t
1106srtp_deinit() {
1107 err_status_t status;
1108
1109 status = crypto_kernel_shutdown();
1110
1111 return status;
1112}
1113
1114/*
1115 * The following code is under consideration for removal. See
1116 * SRTP_MAX_TRAILER_LEN
1117 */
1118#if 0
1119
1120/*
1121 * srtp_get_trailer_length(&a) returns the number of octets that will
1122 * be added to an RTP packet by the SRTP processing. This value
1123 * is constant for a given srtp_stream_t (i.e. between initializations).
1124 */
1125
1126int
1127srtp_get_trailer_length(const srtp_stream_t s) {
1128 return auth_get_tag_length(s->rtp_auth);
1129}
1130
1131#endif
1132
1133/*
1134 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
1135 * to ssrc, or NULL if no stream exists for that ssrc
1136 *
1137 * this is an internal function
1138 */
1139
1140srtp_stream_ctx_t *
1141srtp_get_stream(srtp_t srtp, uint32_t ssrc) {
1142 srtp_stream_ctx_t *stream;
1143
1144 /* walk down list until ssrc is found */
1145 stream = srtp->stream_list;
1146 while (stream != NULL) {
1147 if (stream->ssrc == ssrc)
1148 return stream;
1149 stream = stream->next;
1150 }
1151
1152 /* we haven't found our ssrc, so return a null */
1153 return NULL;
1154}
1155
1156err_status_t
1157srtp_dealloc(srtp_t session) {
1158 srtp_stream_ctx_t *stream;
1159 err_status_t status;
1160
1161 /*
1162 * we take a conservative deallocation strategy - if we encounter an
1163 * error deallocating a stream, then we stop trying to deallocate
1164 * memory and just return an error
1165 */
1166
1167 /* walk list of streams, deallocating as we go */
1168 stream = session->stream_list;
1169 while (stream != NULL) {
1170 srtp_stream_t next = stream->next;
1171 status = srtp_stream_dealloc(session, stream);
1172 if (status)
1173 return status;
1174 stream = next;
1175 }
1176
1177 /* deallocate stream template, if there is one */
1178 if (session->stream_template != NULL) {
1179 status = auth_dealloc(session->stream_template->rtcp_auth);
1180 if (status)
1181 return status;
1182 status = cipher_dealloc(session->stream_template->rtcp_cipher);
1183 if (status)
1184 return status;
1185 crypto_free(session->stream_template->limit);
1186 status = cipher_dealloc(session->stream_template->rtp_cipher);
1187 if (status)
1188 return status;
1189 status = auth_dealloc(session->stream_template->rtp_auth);
1190 if (status)
1191 return status;
1192 crypto_free(session->stream_template);
1193 }
1194
1195 /* deallocate session context */
1196 crypto_free(session);
1197
1198 return err_status_ok;
1199}
1200
1201
1202err_status_t
1203srtp_add_stream(srtp_t session,
1204 const srtp_policy_t *policy) {
1205 err_status_t status;
1206 srtp_stream_t tmp;
1207
1208 /* sanity check arguments */
1209 if ((session == NULL) || (policy == NULL) || (policy->key == NULL))
1210 return err_status_bad_param;
1211
1212 /* allocate stream */
1213 status = srtp_stream_alloc(&tmp, policy);
1214 if (status) {
1215 return status;
1216 }
1217
1218 /* initialize stream */
1219 status = srtp_stream_init(tmp, policy);
1220 if (status) {
1221 crypto_free(tmp);
1222 return status;
1223 }
1224
1225 /*
1226 * set the head of the stream list or the template to point to the
1227 * stream that we've just alloced and init'ed, depending on whether
1228 * or not it has a wildcard SSRC value or not
1229 *
1230 * if the template stream has already been set, then the policy is
1231 * inconsistent, so we return a bad_param error code
1232 */
1233 switch (policy->ssrc.type) {
1234 case (ssrc_any_outbound):
1235 if (session->stream_template) {
1236 return err_status_bad_param;
1237 }
1238 session->stream_template = tmp;
1239 session->stream_template->direction = dir_srtp_sender;
1240 break;
1241 case (ssrc_any_inbound):
1242 if (session->stream_template) {
1243 return err_status_bad_param;
1244 }
1245 session->stream_template = tmp;
1246 session->stream_template->direction = dir_srtp_receiver;
1247 break;
1248 case (ssrc_specific):
1249 tmp->next = session->stream_list;
1250 session->stream_list = tmp;
1251 break;
1252 case (ssrc_undefined):
1253 default:
1254 crypto_free(tmp);
1255 return err_status_bad_param;
1256 }
1257
1258 return err_status_ok;
1259}
1260
1261
1262err_status_t
1263srtp_create(srtp_t *session, /* handle for session */
1264 const srtp_policy_t *policy) { /* SRTP policy (list) */
1265 err_status_t stat;
1266 srtp_ctx_t *ctx;
1267
1268 /* sanity check arguments */
1269 if (session == NULL)
1270 return err_status_bad_param;
1271
1272 /* allocate srtp context and set ctx_ptr */
1273 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));
1274 if (ctx == NULL)
1275 return err_status_alloc_fail;
1276 *session = ctx;
1277
1278 /*
1279 * loop over elements in the policy list, allocating and
1280 * initializing a stream for each element
1281 */
1282 ctx->stream_template = NULL;
1283 ctx->stream_list = NULL;
1284 while (policy != NULL) {
1285
1286 stat = srtp_add_stream(ctx, policy);
1287 if (stat) {
1288 /* clean up everything */
1289 srtp_dealloc(*session);
1290 return stat;
1291 }
1292
1293 /* set policy to next item in list */
1294 policy = policy->next;
1295 }
1296
1297 return err_status_ok;
1298}
1299
1300
1301err_status_t
1302srtp_remove_stream(srtp_t session, uint32_t ssrc) {
1303 srtp_stream_ctx_t *stream, *last_stream;
1304 err_status_t status;
1305
1306 /* sanity check arguments */
1307 if (session == NULL)
1308 return err_status_bad_param;
1309
1310 /* find stream in list; complain if not found */
1311 last_stream = stream = session->stream_list;
1312 while ((stream != NULL) && (ssrc != stream->ssrc)) {
1313 last_stream = stream;
1314 stream = stream->next;
1315 }
1316 if (stream == NULL)
1317 return err_status_no_ctx;
1318
1319 /* remove stream from the list */
1320 last_stream->next = stream->next;
1321
1322 /* deallocate the stream */
1323 status = srtp_stream_dealloc(session, stream);
1324 if (status)
1325 return status;
1326
1327 return err_status_ok;
1328}
1329
1330
1331/*
1332 * the default policy - provides a convenient way for callers to use
1333 * the default security policy
1334 *
1335 * this policy is that defined in the current SRTP internet draft.
1336 *
1337 */
1338
1339/*
1340 * NOTE: cipher_key_len is really key len (128 bits) plus salt len
1341 * (112 bits)
1342 */
1343/* There are hard-coded 16's for base_key_len in the key generation code */
1344
1345void
1346crypto_policy_set_rtp_default(crypto_policy_t *p) {
1347
1348 p->cipher_type = AES_128_ICM;
1349 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1350 p->auth_type = HMAC_SHA1;
1351 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1352 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1353 p->sec_serv = sec_serv_conf_and_auth;
1354
1355}
1356
1357void
1358crypto_policy_set_rtcp_default(crypto_policy_t *p) {
1359
1360 p->cipher_type = AES_128_ICM;
1361 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1362 p->auth_type = HMAC_SHA1;
1363 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1364 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1365 p->sec_serv = sec_serv_conf_and_auth;
1366
1367}
1368
1369void
1370crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {
1371
1372 /*
1373 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1374 *
1375 * note that this crypto policy is intended for SRTP, but not SRTCP
1376 */
1377
1378 p->cipher_type = AES_128_ICM;
1379 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1380 p->auth_type = HMAC_SHA1;
1381 p->auth_key_len = 20; /* 160 bit key */
1382 p->auth_tag_len = 4; /* 32 bit tag */
1383 p->sec_serv = sec_serv_conf_and_auth;
1384
1385}
1386
1387
1388void
1389crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {
1390
1391 /*
1392 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1393 *
1394 * note that this crypto policy is intended for SRTP, but not SRTCP
1395 */
1396
1397 p->cipher_type = AES_128_ICM;
1398 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1399 p->auth_type = NULL_AUTH;
1400 p->auth_key_len = 0;
1401 p->auth_tag_len = 0;
1402 p->sec_serv = sec_serv_conf;
1403
1404}
1405
1406
1407void
1408crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {
1409
1410 /*
1411 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1412 */
1413
1414 p->cipher_type = NULL_CIPHER;
1415 p->cipher_key_len = 0;
1416 p->auth_type = HMAC_SHA1;
1417 p->auth_key_len = 20;
1418 p->auth_tag_len = 10;
1419 p->sec_serv = sec_serv_auth;
1420
1421}
1422
1423
1424/*
1425 * secure rtcp functions
1426 */
1427
1428err_status_t
1429srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
1430 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
1431 uint32_t *enc_start; /* pointer to start of encrypted portion */
1432 uint32_t *auth_start; /* pointer to start of auth. portion */
1433 uint32_t *trailer; /* pointer to start of trailer */
1434 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1435 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1436 err_status_t status;
1437 int tag_len;
1438 srtp_stream_ctx_t *stream;
1439 int prefix_len;
1440 uint32_t seq_num;
1441
1442 /* we assume the hdr is 32-bit aligned to start */
1443 /*
1444 * look up ssrc in srtp_stream list, and process the packet with
1445 * the appropriate stream. if we haven't seen this stream before,
1446 * there's only one key for this srtp_session, and the cipher
1447 * supports key-sharing, then we assume that a new stream using
1448 * that key has just started up
1449 */
1450 stream = srtp_get_stream(ctx, hdr->ssrc);
1451 if (stream == NULL) {
1452 if (ctx->stream_template != NULL) {
1453 srtp_stream_ctx_t *new_stream;
1454
1455 /* allocate and initialize a new stream */
1456 status = srtp_stream_clone(ctx->stream_template,
1457 hdr->ssrc, &new_stream);
1458 if (status)
1459 return status;
1460
1461 /* add new stream to the head of the stream_list */
1462 new_stream->next = ctx->stream_list;
1463 ctx->stream_list = new_stream;
1464
1465 /* set stream (the pointer used in this function) */
1466 stream = new_stream;
1467 } else {
1468 /* no template stream, so we return an error */
1469 return err_status_no_ctx;
1470 }
1471 }
1472
1473 /*
1474 * verify that stream is for sending traffic - this check will
1475 * detect SSRC collisions, since a stream that appears in both
1476 * srtp_protect() and srtp_unprotect() will fail this test in one of
1477 * those functions.
1478 */
1479 if (stream->direction != dir_srtp_sender) {
1480 if (stream->direction == dir_unknown) {
1481 stream->direction = dir_srtp_sender;
1482 } else {
1483 srtp_handle_event(ctx, stream, event_ssrc_collision);
1484 }
1485 }
1486
1487 /* get tag length from stream context */
1488 tag_len = auth_get_tag_length(stream->rtcp_auth);
1489
1490 /*
1491 * set encryption start and encryption length - if we're not
1492 * providing confidentiality, set enc_start to NULL
1493 */
1494 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1495 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
1496
1497 /* all of the packet, except the header, gets encrypted */
1498 /* NOTE: hdr->length is not usable - it refers to only the first
1499 RTCP report in the compound packet! */
1500 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1501 multiples of 32-bits (RFC 3550 6.1) */
1502 trailer = (uint32_t *) ((char *)enc_start + enc_octet_len);
1503
1504 if (stream->rtcp_services & sec_serv_conf) {
1505 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
1506 } else {
1507 enc_start = NULL;
1508 enc_octet_len = 0;
1509 /* 0 is network-order independant */
1510 *trailer = 0x00000000; /* set encrypt bit */
1511 }
1512
1513 /*
1514 * set the auth_start and auth_tag pointers to the proper locations
1515 * (note that srtpc *always* provides authentication, unlike srtp)
1516 */
1517 /* Note: This would need to change for optional mikey data */
1518 auth_start = (uint32_t *)hdr;
1519 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t);
1520
1521 /*
1522 * check sequence number for overruns, and copy it into the packet
1523 * if its value isn't too big
1524 */
1525 status = rdb_increment(&stream->rtcp_rdb);
1526 if (status)
1527 return status;
1528 seq_num = rdb_get_value(&stream->rtcp_rdb);
1529 *trailer |= htonl(seq_num);
1530 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1531
1532 /*
1533 * if we're using rindael counter mode, set nonce and seq
1534 */
1535 if (stream->rtcp_cipher->type == &aes_icm) {
1536 v128_t iv;
1537
1538 iv.v32[0] = 0;
1539 iv.v32[1] = hdr->ssrc; /* still in network order! */
1540 iv.v32[2] = htonl(seq_num >> 16);
1541 iv.v32[3] = htonl(seq_num << 16);
1542 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtcp_cipher->state, &iv);
1543
1544 } else {
1545 v128_t iv;
1546
1547 /* otherwise, just set the index to seq_num */
1548 iv.v32[0] = 0;
1549 iv.v32[1] = 0;
1550 iv.v32[2] = 0;
1551 iv.v32[3] = htonl(seq_num);
1552 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1553 }
1554 if (status)
1555 return err_status_cipher_fail;
1556
1557 /*
1558 * if we're authenticating using a universal hash, put the keystream
1559 * prefix into the authentication tag
1560 */
1561
1562 /* if auth_start is non-null, then put keystream into tag */
1563 if (auth_start) {
1564
1565 /* put keystream prefix into auth_tag */
1566 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1567 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1568
1569 debug_print(mod_srtp, "keystream prefix: %s",
1570 octet_string_hex_string(auth_tag, prefix_len));
1571
1572 if (status)
1573 return err_status_cipher_fail;
1574 }
1575
1576 /* if we're encrypting, exor keystream into the message */
1577 if (enc_start) {
1578 status = cipher_encrypt(stream->rtcp_cipher,
1579 (uint8_t *)enc_start, &enc_octet_len);
1580 if (status)
1581 return err_status_cipher_fail;
1582 }
1583
1584 /* initialize auth func context */
1585 auth_start(stream->rtcp_auth);
1586
1587 /*
1588 * run auth func over packet (including trailer), and write the
1589 * result at auth_tag
1590 */
1591 status = auth_compute(stream->rtcp_auth,
1592 (uint8_t *)auth_start,
1593 (*pkt_octet_len) + sizeof(srtcp_trailer_t),
1594 auth_tag);
1595 debug_print(mod_srtp, "srtcp auth tag: %s",
1596 octet_string_hex_string(auth_tag, tag_len));
1597 if (status)
1598 return err_status_auth_fail;
1599
1600 /* increase the packet length by the length of the auth tag and seq_num*/
1601 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
1602
1603 return err_status_ok;
1604}
1605
1606
1607err_status_t
1608srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
1609 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
1610 uint32_t *enc_start; /* pointer to start of encrypted portion */
1611 uint32_t *auth_start; /* pointer to start of auth. portion */
1612 uint32_t *trailer; /* pointer to start of trailer */
1613 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1614 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1615 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
1616 err_status_t status;
1617 int tag_len;
1618 srtp_stream_ctx_t *stream;
1619 int prefix_len;
1620 uint32_t seq_num;
1621
1622 /* we assume the hdr is 32-bit aligned to start */
1623 /*
1624 * look up ssrc in srtp_stream list, and process the packet with
1625 * the appropriate stream. if we haven't seen this stream before,
1626 * there's only one key for this srtp_session, and the cipher
1627 * supports key-sharing, then we assume that a new stream using
1628 * that key has just started up
1629 */
1630 stream = srtp_get_stream(ctx, hdr->ssrc);
1631 if (stream == NULL) {
1632 if (ctx->stream_template != NULL) {
1633 stream = ctx->stream_template;
1634 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
1635 hdr->ssrc);
1636 } else {
1637 /* no template stream, so we return an error */
1638 return err_status_no_ctx;
1639 }
1640 }
1641
1642 /* get tag length from stream context */
1643 tag_len = auth_get_tag_length(stream->rtcp_auth);
1644
1645 /*
1646 * set encryption start, encryption length, and trailer
1647 */
1648 enc_octet_len = *pkt_octet_len -
1649 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
1650 /* index & E (encryption) bit follow normal data. hdr->len
1651 is the number of words (32-bit) in the normal packet minus 1 */
1652 /* This should point trailer to the word past the end of the
1653 normal data. */
1654 /* This would need to be modified for optional mikey data */
1655 /*
1656 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1657 * multiples of 32-bits (RFC 3550 6.1)
1658 */
1659 trailer = (uint32_t *) ((char *) hdr +
1660 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
1661 if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
1662 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1663 } else {
1664 enc_octet_len = 0;
1665 enc_start = NULL; /* this indicates that there's no encryption */
1666 }
1667
1668 /*
1669 * set the auth_start and auth_tag pointers to the proper locations
1670 * (note that srtcp *always* uses authentication, unlike srtp)
1671 */
1672 auth_start = (uint32_t *)hdr;
1673 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
1674
1675 /*
1676 * check the sequence number for replays
1677 */
1678 /* this is easier than dealing with bitfield access */
1679 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
1680 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1681 status = rdb_check(&stream->rtcp_rdb, seq_num);
1682 if (status)
1683 return status;
1684
1685 /*
1686 * if we're using aes counter mode, set nonce and seq
1687 */
1688 if (stream->rtcp_cipher->type == &aes_icm) {
1689 v128_t iv;
1690
1691 iv.v32[0] = 0;
1692 iv.v32[1] = hdr->ssrc; /* still in network order! */
1693 iv.v32[2] = htonl(seq_num >> 16);
1694 iv.v32[3] = htonl(seq_num << 16);
1695 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtcp_cipher->state, &iv);
1696
1697 } else {
1698 v128_t iv;
1699
1700 /* otherwise, just set the index to seq_num */
1701 iv.v32[0] = 0;
1702 iv.v32[1] = 0;
1703 iv.v32[2] = 0;
1704 iv.v32[3] = htonl(seq_num);
1705 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1706
1707 }
1708 if (status)
1709 return err_status_cipher_fail;
1710
1711 /* initialize auth func context */
1712 auth_start(stream->rtcp_auth);
1713
1714 /* run auth func over packet, put result into tmp_tag */
1715 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
1716 *pkt_octet_len - tag_len,
1717 tmp_tag);
1718 debug_print(mod_srtp, "srtcp computed tag: %s",
1719 octet_string_hex_string(tmp_tag, tag_len));
1720 if (status)
1721 return err_status_auth_fail;
1722
1723 /* compare the tag just computed with the one in the packet */
1724 debug_print(mod_srtp, "srtcp tag from packet: %s",
1725 octet_string_hex_string(auth_tag, tag_len));
1726 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1727 return err_status_auth_fail;
1728
1729 /*
1730 * if we're authenticating using a universal hash, put the keystream
1731 * prefix into the authentication tag
1732 */
1733 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1734 if (prefix_len) {
1735 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1736 debug_print(mod_srtp, "keystream prefix: %s",
1737 octet_string_hex_string(auth_tag, prefix_len));
1738 if (status)
1739 return err_status_cipher_fail;
1740 }
1741
1742 /* if we're decrypting, exor keystream into the message */
1743 if (enc_start) {
1744 status = cipher_encrypt(stream->rtcp_cipher,
1745 (uint8_t *)enc_start, &enc_octet_len);
1746 if (status)
1747 return err_status_cipher_fail;
1748 }
1749
1750 /* decrease the packet length by the length of the auth tag and seq_num*/
1751 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
1752
1753 /*
1754 * verify that stream is for received traffic - this check will
1755 * detect SSRC collisions, since a stream that appears in both
1756 * srtp_protect() and srtp_unprotect() will fail this test in one of
1757 * those functions.
1758 *
1759 * we do this check *after* the authentication check, so that the
1760 * latter check will catch any attempts to fool us into thinking
1761 * that we've got a collision
1762 */
1763 if (stream->direction != dir_srtp_receiver) {
1764 if (stream->direction == dir_unknown) {
1765 stream->direction = dir_srtp_receiver;
1766 } else {
1767 srtp_handle_event(ctx, stream, event_ssrc_collision);
1768 }
1769 }
1770
1771 /*
1772 * if the stream is a 'provisional' one, in which the template context
1773 * is used, then we need to allocate a new stream at this point, since
1774 * the authentication passed
1775 */
1776 if (stream == ctx->stream_template) {
1777 srtp_stream_ctx_t *new_stream;
1778
1779 /*
1780 * allocate and initialize a new stream
1781 *
1782 * note that we indicate failure if we can't allocate the new
1783 * stream, and some implementations will want to not return
1784 * failure here
1785 */
1786 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1787 if (status)
1788 return status;
1789
1790 /* add new stream to the head of the stream_list */
1791 new_stream->next = ctx->stream_list;
1792 ctx->stream_list = new_stream;
1793
1794 /* set stream (the pointer used in this function) */
1795 stream = new_stream;
1796 }
1797
1798 /* we've passed the authentication check, so add seq_num to the rdb */
1799 rdb_add_index(&stream->rtcp_rdb, seq_num);
1800
1801
1802 return err_status_ok;
1803}
1804
1805
1806
1807/*
1808 * dtls keying for srtp
1809 */
1810
1811err_status_t
1812crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
1813 srtp_profile_t profile) {
1814
1815 /* set SRTP policy from the SRTP profile in the key set */
1816 switch(profile) {
1817 case srtp_profile_aes128_cm_sha1_80:
1818 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1819 break;
1820 case srtp_profile_aes128_cm_sha1_32:
1821 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
1822 break;
1823 case srtp_profile_null_sha1_80:
1824 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
1825 break;
1826 /* the following profiles are not (yet) supported */
1827 case srtp_profile_null_sha1_32:
1828 case srtp_profile_aes256_cm_sha1_80:
1829 case srtp_profile_aes256_cm_sha1_32:
1830 default:
1831 return err_status_bad_param;
1832 }
1833
1834 return err_status_ok;
1835}
1836
1837err_status_t
1838crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
1839 srtp_profile_t profile) {
1840
1841 /* set SRTP policy from the SRTP profile in the key set */
1842 switch(profile) {
1843 case srtp_profile_aes128_cm_sha1_80:
1844 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1845 break;
1846 case srtp_profile_aes128_cm_sha1_32:
1847 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
1848 break;
1849 case srtp_profile_null_sha1_80:
1850 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
1851 break;
1852 /* the following profiles are not (yet) supported */
1853 case srtp_profile_null_sha1_32:
1854 case srtp_profile_aes256_cm_sha1_80:
1855 case srtp_profile_aes256_cm_sha1_32:
1856 default:
1857 return err_status_bad_param;
1858 }
1859
1860 return err_status_ok;
1861}
1862
1863void
1864append_salt_to_key(uint8_t *key, unsigned int bytes_in_key,
1865 uint8_t *salt, unsigned int bytes_in_salt) {
1866
1867 memcpy(key + bytes_in_key, salt, bytes_in_salt);
1868
1869}
1870
1871unsigned int
1872srtp_profile_get_master_key_length(srtp_profile_t profile) {
1873
1874 switch(profile) {
1875 case srtp_profile_aes128_cm_sha1_80:
1876 return 16;
1877 break;
1878 case srtp_profile_aes128_cm_sha1_32:
1879 return 16;
1880 break;
1881 case srtp_profile_null_sha1_80:
1882 return 16;
1883 break;
1884 /* the following profiles are not (yet) supported */
1885 case srtp_profile_null_sha1_32:
1886 case srtp_profile_aes256_cm_sha1_80:
1887 case srtp_profile_aes256_cm_sha1_32:
1888 default:
1889 return 0; /* indicate error by returning a zero */
1890 }
1891}
1892
1893unsigned int
1894srtp_profile_get_master_salt_length(srtp_profile_t profile) {
1895
1896 switch(profile) {
1897 case srtp_profile_aes128_cm_sha1_80:
1898 return 14;
1899 break;
1900 case srtp_profile_aes128_cm_sha1_32:
1901 return 14;
1902 break;
1903 case srtp_profile_null_sha1_80:
1904 return 14;
1905 break;
1906 /* the following profiles are not (yet) supported */
1907 case srtp_profile_null_sha1_32:
1908 case srtp_profile_aes256_cm_sha1_80:
1909 case srtp_profile_aes256_cm_sha1_32:
1910 default:
1911 return 0; /* indicate error by returning a zero */
1912 }
1913}