srtp.c (164341B)
1 /* 2 * srtp.c 3 * 4 * the secure real-time transport protocol 5 * 6 * David A. McGrew 7 * Cisco Systems, Inc. 8 */ 9 /* 10 * 11 * Copyright (c) 2001-2017, Cisco Systems, Inc. 12 * All rights reserved. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 18 * Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 21 * Redistributions in binary form must reproduce the above 22 * copyright notice, this list of conditions and the following 23 * disclaimer in the documentation and/or other materials provided 24 * with the distribution. 25 * 26 * Neither the name of the Cisco Systems, Inc. nor the names of its 27 * contributors may be used to endorse or promote products derived 28 * from this software without specific prior written permission. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 41 * OF THE POSSIBILITY OF SUCH DAMAGE. 42 * 43 */ 44 45 // Leave this as the top level import. Ensures the existence of defines 46 #include "config.h" 47 48 #include "srtp_priv.h" 49 #include "stream_list_priv.h" 50 #include "crypto_types.h" 51 #include "err.h" 52 #include "alloc.h" /* for srtp_crypto_alloc() */ 53 54 #ifdef GCM 55 #include "aes_gcm.h" /* for AES GCM mode */ 56 #endif 57 58 #ifdef OPENSSL_KDF 59 #include <openssl/kdf.h> 60 #include "aes_icm_ext.h" 61 #endif 62 63 #include <limits.h> 64 #ifdef HAVE_NETINET_IN_H 65 #include <netinet/in.h> 66 #elif defined(HAVE_WINSOCK2_H) 67 #include <winsock2.h> 68 #endif 69 70 /* the debug module for srtp */ 71 srtp_debug_module_t mod_srtp = { 72 0, /* debugging is off by default */ 73 "srtp" /* printable name for module */ 74 }; 75 76 #define octets_in_rtp_header 12 77 #define octets_in_rtcp_header 8 78 #define octets_in_rtp_xtn_hdr 4 79 80 static uint32_t srtp_get_rtp_hdr_len(const srtp_hdr_t *hdr) 81 { 82 return octets_in_rtp_header + 4 * hdr->cc; 83 } 84 85 /* 86 * Returns the location of the header extention cast too a srtp_hdr_xtnd_t 87 * struct. Will always return a value and assumes that the caller has already 88 * verified that a header extension is present by checking the x bit of 89 * srtp_hdr_t. 90 */ 91 static srtp_hdr_xtnd_t *srtp_get_rtp_xtn_hdr(srtp_hdr_t *hdr) 92 { 93 uint32_t rtp_xtn_hdr_start = srtp_get_rtp_hdr_len(hdr); 94 return (srtp_hdr_xtnd_t *)((uint8_t *)hdr + rtp_xtn_hdr_start); 95 } 96 97 /* 98 * Returns the length of the extension header including the extension header 99 * header so will return a minium of 4. Assumes the srtp_hdr_xtnd_t is a valid 100 * pointer and that the caller has already verified that a header extension is 101 * valid by checking the x bit of the RTP header. 102 */ 103 static uint32_t srtp_get_rtp_xtn_hdr_len(const srtp_hdr_xtnd_t *xtn_hdr) 104 { 105 return (ntohs(xtn_hdr->length) + 1) * 4; 106 } 107 108 static srtp_err_status_t srtp_validate_rtp_header(const void *rtp_hdr, 109 uint32_t pkt_octet_len) 110 { 111 const srtp_hdr_t *hdr = (const srtp_hdr_t *)rtp_hdr; 112 uint32_t rtp_header_len; 113 114 if (pkt_octet_len < octets_in_rtp_header) 115 return srtp_err_status_bad_param; 116 117 /* Check RTP header length */ 118 rtp_header_len = srtp_get_rtp_hdr_len(hdr); 119 if (pkt_octet_len < rtp_header_len) 120 return srtp_err_status_bad_param; 121 122 /* Verifying profile length. */ 123 if (hdr->x == 1) { 124 if (pkt_octet_len < rtp_header_len + octets_in_rtp_xtn_hdr) 125 return srtp_err_status_bad_param; 126 127 rtp_header_len += srtp_get_rtp_xtn_hdr_len( 128 (const srtp_hdr_xtnd_t *)((const uint8_t *)hdr + rtp_header_len)); 129 if (pkt_octet_len < rtp_header_len) 130 return srtp_err_status_bad_param; 131 } 132 133 return srtp_err_status_ok; 134 } 135 136 const char *srtp_get_version_string(void) 137 { 138 /* 139 * Simply return the autotools generated string 140 */ 141 return SRTP_VER_STRING; 142 } 143 144 unsigned int srtp_get_version(void) 145 { 146 unsigned int major = 0, minor = 0, micro = 0; 147 unsigned int rv = 0; 148 int parse_rv; 149 150 /* 151 * Parse the autotools generated version 152 */ 153 parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, µ); 154 if (parse_rv != 3) { 155 /* 156 * We're expected to parse all 3 version levels. 157 * If not, then this must not be an official release. 158 * Return all zeros on the version 159 */ 160 return (0); 161 } 162 163 /* 164 * We allow 8 bits for the major and minor, while 165 * allowing 16 bits for the micro. 16 bits for the micro 166 * may be beneficial for a continuous delivery model 167 * in the future. 168 */ 169 rv |= (major & 0xFF) << 24; 170 rv |= (minor & 0xFF) << 16; 171 rv |= micro & 0xFF; 172 return rv; 173 } 174 175 static srtp_err_status_t srtp_stream_dealloc( 176 srtp_stream_ctx_t *stream, 177 const srtp_stream_ctx_t *stream_template) 178 { 179 srtp_err_status_t status; 180 unsigned int i = 0; 181 srtp_session_keys_t *session_keys = NULL; 182 srtp_session_keys_t *template_session_keys = NULL; 183 184 /* 185 * we use a conservative deallocation strategy - if any deallocation 186 * fails, then we report that fact without trying to deallocate 187 * anything else 188 */ 189 if (stream->session_keys) { 190 for (i = 0; i < stream->num_master_keys; i++) { 191 session_keys = &stream->session_keys[i]; 192 193 if (stream_template && 194 stream->num_master_keys == stream_template->num_master_keys) { 195 template_session_keys = &stream_template->session_keys[i]; 196 } else { 197 template_session_keys = NULL; 198 } 199 200 /* 201 * deallocate cipher, if it is not the same as that in template 202 */ 203 if (template_session_keys && 204 session_keys->rtp_cipher == template_session_keys->rtp_cipher) { 205 /* do nothing */ 206 } else if (session_keys->rtp_cipher) { 207 status = srtp_cipher_dealloc(session_keys->rtp_cipher); 208 if (status) 209 return status; 210 } 211 212 /* 213 * deallocate auth function, if it is not the same as that in 214 * template 215 */ 216 if (template_session_keys && 217 session_keys->rtp_auth == template_session_keys->rtp_auth) { 218 /* do nothing */ 219 } else if (session_keys->rtp_auth) { 220 status = srtp_auth_dealloc(session_keys->rtp_auth); 221 if (status) 222 return status; 223 } 224 225 if (template_session_keys && 226 session_keys->rtp_xtn_hdr_cipher == 227 template_session_keys->rtp_xtn_hdr_cipher) { 228 /* do nothing */ 229 } else if (session_keys->rtp_xtn_hdr_cipher) { 230 status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher); 231 if (status) 232 return status; 233 } 234 235 /* 236 * deallocate rtcp cipher, if it is not the same as that in 237 * template 238 */ 239 if (template_session_keys && 240 session_keys->rtcp_cipher == 241 template_session_keys->rtcp_cipher) { 242 /* do nothing */ 243 } else if (session_keys->rtcp_cipher) { 244 status = srtp_cipher_dealloc(session_keys->rtcp_cipher); 245 if (status) 246 return status; 247 } 248 249 /* 250 * deallocate rtcp auth function, if it is not the same as that in 251 * template 252 */ 253 if (template_session_keys && 254 session_keys->rtcp_auth == template_session_keys->rtcp_auth) { 255 /* do nothing */ 256 } else if (session_keys->rtcp_auth) { 257 status = srtp_auth_dealloc(session_keys->rtcp_auth); 258 if (status) 259 return status; 260 } 261 262 /* 263 * zeroize the salt value 264 */ 265 octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN); 266 octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN); 267 268 if (session_keys->mki_id) { 269 octet_string_set_to_zero(session_keys->mki_id, 270 session_keys->mki_size); 271 srtp_crypto_free(session_keys->mki_id); 272 session_keys->mki_id = NULL; 273 } 274 275 /* 276 * deallocate key usage limit, if it is not the same as that in 277 * template 278 */ 279 if (template_session_keys && 280 session_keys->limit == template_session_keys->limit) { 281 /* do nothing */ 282 } else if (session_keys->limit) { 283 srtp_crypto_free(session_keys->limit); 284 } 285 } 286 srtp_crypto_free(stream->session_keys); 287 } 288 289 status = srtp_rdbx_dealloc(&stream->rtp_rdbx); 290 if (status) 291 return status; 292 293 if (stream_template && 294 stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) { 295 /* do nothing */ 296 } else if (stream->enc_xtn_hdr) { 297 srtp_crypto_free(stream->enc_xtn_hdr); 298 } 299 300 /* deallocate srtp stream context */ 301 srtp_crypto_free(stream); 302 303 return srtp_err_status_ok; 304 } 305 306 /* try to insert stream in list or deallocate it */ 307 static srtp_err_status_t srtp_insert_or_dealloc_stream(srtp_stream_list_t list, 308 srtp_stream_t stream, 309 srtp_stream_t template) 310 { 311 srtp_err_status_t status = srtp_stream_list_insert(list, stream); 312 /* on failure, ownership wasn't transferred and we need to deallocate */ 313 if (status) { 314 srtp_stream_dealloc(stream, template); 315 } 316 return status; 317 } 318 319 struct remove_and_dealloc_streams_data { 320 srtp_err_status_t status; 321 srtp_stream_list_t list; 322 srtp_stream_t template; 323 }; 324 325 static int remove_and_dealloc_streams_cb(srtp_stream_t stream, void *data) 326 { 327 struct remove_and_dealloc_streams_data *d = 328 (struct remove_and_dealloc_streams_data *)data; 329 srtp_stream_list_remove(d->list, stream); 330 d->status = srtp_stream_dealloc(stream, d->template); 331 if (d->status) { 332 return 1; 333 } 334 return 0; 335 } 336 337 static srtp_err_status_t srtp_remove_and_dealloc_streams( 338 srtp_stream_list_t list, 339 srtp_stream_t template) 340 { 341 struct remove_and_dealloc_streams_data data = { srtp_err_status_ok, list, 342 template }; 343 srtp_stream_list_for_each(list, remove_and_dealloc_streams_cb, &data); 344 return data.status; 345 } 346 347 static srtp_err_status_t srtp_valid_policy(const srtp_policy_t *p) 348 { 349 if (p != NULL && p->deprecated_ekt != NULL) { 350 return srtp_err_status_bad_param; 351 } 352 353 return srtp_err_status_ok; 354 } 355 356 static srtp_err_status_t srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, 357 const srtp_policy_t *p) 358 { 359 srtp_stream_ctx_t *str; 360 srtp_err_status_t stat; 361 unsigned int i = 0; 362 srtp_session_keys_t *session_keys = NULL; 363 364 stat = srtp_valid_policy(p); 365 if (stat != srtp_err_status_ok) { 366 return stat; 367 } 368 369 /* 370 * This function allocates the stream context, rtp and rtcp ciphers 371 * and auth functions, and key limit structure. If there is a 372 * failure during allocation, we free all previously allocated 373 * memory and return a failure code. The code could probably 374 * be improved, but it works and should be clear. 375 */ 376 377 /* allocate srtp stream and set str_ptr */ 378 str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); 379 if (str == NULL) 380 return srtp_err_status_alloc_fail; 381 382 *str_ptr = str; 383 384 /* 385 *To keep backwards API compatible if someone is using multiple master 386 * keys then key should be set to NULL 387 */ 388 if (p->key != NULL) { 389 str->num_master_keys = 1; 390 } else { 391 str->num_master_keys = p->num_master_keys; 392 } 393 394 str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( 395 sizeof(srtp_session_keys_t) * str->num_master_keys); 396 397 if (str->session_keys == NULL) { 398 srtp_stream_dealloc(str, NULL); 399 return srtp_err_status_alloc_fail; 400 } 401 402 for (i = 0; i < str->num_master_keys; i++) { 403 session_keys = &str->session_keys[i]; 404 405 /* allocate cipher */ 406 stat = srtp_crypto_kernel_alloc_cipher( 407 p->rtp.cipher_type, &session_keys->rtp_cipher, 408 p->rtp.cipher_key_len, p->rtp.auth_tag_len); 409 if (stat) { 410 srtp_stream_dealloc(str, NULL); 411 return stat; 412 } 413 414 /* allocate auth function */ 415 stat = srtp_crypto_kernel_alloc_auth( 416 p->rtp.auth_type, &session_keys->rtp_auth, p->rtp.auth_key_len, 417 p->rtp.auth_tag_len); 418 if (stat) { 419 srtp_stream_dealloc(str, NULL); 420 return stat; 421 } 422 423 /* 424 * ...and now the RTCP-specific initialization - first, allocate 425 * the cipher 426 */ 427 stat = srtp_crypto_kernel_alloc_cipher( 428 p->rtcp.cipher_type, &session_keys->rtcp_cipher, 429 p->rtcp.cipher_key_len, p->rtcp.auth_tag_len); 430 if (stat) { 431 srtp_stream_dealloc(str, NULL); 432 return stat; 433 } 434 435 /* allocate auth function */ 436 stat = srtp_crypto_kernel_alloc_auth( 437 p->rtcp.auth_type, &session_keys->rtcp_auth, p->rtcp.auth_key_len, 438 p->rtcp.auth_tag_len); 439 if (stat) { 440 srtp_stream_dealloc(str, NULL); 441 return stat; 442 } 443 444 session_keys->mki_id = NULL; 445 446 /* allocate key limit structure */ 447 session_keys->limit = (srtp_key_limit_ctx_t *)srtp_crypto_alloc( 448 sizeof(srtp_key_limit_ctx_t)); 449 if (session_keys->limit == NULL) { 450 srtp_stream_dealloc(str, NULL); 451 return srtp_err_status_alloc_fail; 452 } 453 } 454 455 if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) { 456 srtp_cipher_type_id_t enc_xtn_hdr_cipher_type; 457 int enc_xtn_hdr_cipher_key_len; 458 459 str->enc_xtn_hdr = (int *)srtp_crypto_alloc(p->enc_xtn_hdr_count * 460 sizeof(p->enc_xtn_hdr[0])); 461 if (!str->enc_xtn_hdr) { 462 srtp_stream_dealloc(str, NULL); 463 return srtp_err_status_alloc_fail; 464 } 465 memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr, 466 p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); 467 str->enc_xtn_hdr_count = p->enc_xtn_hdr_count; 468 469 /* 470 * For GCM ciphers, the corresponding ICM cipher is used for header 471 * extensions encryption. 472 */ 473 switch (p->rtp.cipher_type) { 474 case SRTP_AES_GCM_128: 475 enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128; 476 enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; 477 break; 478 case SRTP_AES_GCM_256: 479 enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256; 480 enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; 481 break; 482 default: 483 enc_xtn_hdr_cipher_type = p->rtp.cipher_type; 484 enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len; 485 break; 486 } 487 488 for (i = 0; i < str->num_master_keys; i++) { 489 session_keys = &str->session_keys[i]; 490 491 /* allocate cipher for extensions header encryption */ 492 stat = srtp_crypto_kernel_alloc_cipher( 493 enc_xtn_hdr_cipher_type, &session_keys->rtp_xtn_hdr_cipher, 494 enc_xtn_hdr_cipher_key_len, 0); 495 if (stat) { 496 srtp_stream_dealloc(str, NULL); 497 return stat; 498 } 499 } 500 } else { 501 for (i = 0; i < str->num_master_keys; i++) { 502 session_keys = &str->session_keys[i]; 503 session_keys->rtp_xtn_hdr_cipher = NULL; 504 } 505 506 str->enc_xtn_hdr = NULL; 507 str->enc_xtn_hdr_count = 0; 508 } 509 510 return srtp_err_status_ok; 511 } 512 513 /* 514 * srtp_stream_clone(stream_template, new) allocates a new stream and 515 * initializes it using the cipher and auth of the stream_template 516 * 517 * the only unique data in a cloned stream is the replay database and 518 * the SSRC 519 */ 520 521 static srtp_err_status_t srtp_stream_clone( 522 const srtp_stream_ctx_t *stream_template, 523 uint32_t ssrc, 524 srtp_stream_ctx_t **str_ptr) 525 { 526 srtp_err_status_t status; 527 srtp_stream_ctx_t *str; 528 unsigned int i = 0; 529 srtp_session_keys_t *session_keys = NULL; 530 const srtp_session_keys_t *template_session_keys = NULL; 531 532 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08lx)",(unsigned long) ntohl(ssrc)); 533 534 /* allocate srtp stream and set str_ptr */ 535 str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); 536 if (str == NULL) 537 return srtp_err_status_alloc_fail; 538 *str_ptr = str; 539 540 str->num_master_keys = stream_template->num_master_keys; 541 str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( 542 sizeof(srtp_session_keys_t) * str->num_master_keys); 543 544 if (str->session_keys == NULL) { 545 srtp_stream_dealloc(*str_ptr, stream_template); 546 *str_ptr = NULL; 547 return srtp_err_status_alloc_fail; 548 } 549 550 for (i = 0; i < stream_template->num_master_keys; i++) { 551 session_keys = &str->session_keys[i]; 552 template_session_keys = &stream_template->session_keys[i]; 553 554 /* set cipher and auth pointers to those of the template */ 555 session_keys->rtp_cipher = template_session_keys->rtp_cipher; 556 session_keys->rtp_auth = template_session_keys->rtp_auth; 557 session_keys->rtp_xtn_hdr_cipher = 558 template_session_keys->rtp_xtn_hdr_cipher; 559 session_keys->rtcp_cipher = template_session_keys->rtcp_cipher; 560 session_keys->rtcp_auth = template_session_keys->rtcp_auth; 561 session_keys->mki_size = template_session_keys->mki_size; 562 563 if (template_session_keys->mki_size == 0) { 564 session_keys->mki_id = NULL; 565 } else { 566 session_keys->mki_id = 567 srtp_crypto_alloc(template_session_keys->mki_size); 568 569 if (session_keys->mki_id == NULL) { 570 srtp_stream_dealloc(*str_ptr, stream_template); 571 *str_ptr = NULL; 572 return srtp_err_status_init_fail; 573 } 574 memcpy(session_keys->mki_id, template_session_keys->mki_id, 575 session_keys->mki_size); 576 } 577 /* Copy the salt values */ 578 memcpy(session_keys->salt, template_session_keys->salt, 579 SRTP_AEAD_SALT_LEN); 580 memcpy(session_keys->c_salt, template_session_keys->c_salt, 581 SRTP_AEAD_SALT_LEN); 582 583 /* set key limit to point to that of the template */ 584 status = srtp_key_limit_clone(template_session_keys->limit, 585 &session_keys->limit); 586 if (status) { 587 srtp_stream_dealloc(*str_ptr, stream_template); 588 *str_ptr = NULL; 589 return status; 590 } 591 } 592 593 /* initialize replay databases */ 594 status = srtp_rdbx_init( 595 &str->rtp_rdbx, srtp_rdbx_get_window_size(&stream_template->rtp_rdbx)); 596 if (status) { 597 srtp_stream_dealloc(*str_ptr, stream_template); 598 *str_ptr = NULL; 599 return status; 600 } 601 srtp_rdb_init(&str->rtcp_rdb); 602 str->allow_repeat_tx = stream_template->allow_repeat_tx; 603 604 /* set ssrc to that provided */ 605 str->ssrc = ssrc; 606 607 /* reset pending ROC */ 608 str->pending_roc = 0; 609 610 /* set direction and security services */ 611 str->direction = stream_template->direction; 612 str->rtp_services = stream_template->rtp_services; 613 str->rtcp_services = stream_template->rtcp_services; 614 615 /* copy information about extensions header encryption */ 616 str->enc_xtn_hdr = stream_template->enc_xtn_hdr; 617 str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count; 618 619 /* defensive coding */ 620 str->next = NULL; 621 str->prev = NULL; 622 return srtp_err_status_ok; 623 } 624 625 /* 626 * key derivation functions, internal to libSRTP 627 * 628 * srtp_kdf_t is a key derivation context 629 * 630 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher 631 * described by cipher_id, with the master key k with length in octets keylen. 632 * 633 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key 634 * corresponding to label l and puts it into kl; the length 635 * of the key in octets is provided as keylen. this function 636 * should be called once for each subkey that is derived. 637 * 638 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state 639 */ 640 641 typedef enum { 642 label_rtp_encryption = 0x00, 643 label_rtp_msg_auth = 0x01, 644 label_rtp_salt = 0x02, 645 label_rtcp_encryption = 0x03, 646 label_rtcp_msg_auth = 0x04, 647 label_rtcp_salt = 0x05, 648 label_rtp_header_encryption = 0x06, 649 label_rtp_header_salt = 0x07 650 } srtp_prf_label; 651 652 #define MAX_SRTP_KEY_LEN 256 653 654 #if defined(OPENSSL) && defined(OPENSSL_KDF) 655 #define MAX_SRTP_AESKEY_LEN 32 656 #define MAX_SRTP_SALT_LEN 14 657 658 /* 659 * srtp_kdf_t represents a key derivation function. The SRTP 660 * default KDF is the only one implemented at present. 661 */ 662 typedef struct { 663 uint8_t master_key[MAX_SRTP_AESKEY_LEN]; 664 uint8_t master_salt[MAX_SRTP_SALT_LEN]; 665 const EVP_CIPHER *evp; 666 } srtp_kdf_t; 667 668 static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, 669 const uint8_t *key, 670 int key_len, 671 int salt_len) 672 { 673 memset(kdf, 0x0, sizeof(srtp_kdf_t)); 674 675 /* The NULL cipher has zero key length */ 676 if (key_len == 0) 677 return srtp_err_status_ok; 678 679 if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) { 680 return srtp_err_status_bad_param; 681 } 682 switch (key_len) { 683 case SRTP_AES_256_KEYSIZE: 684 kdf->evp = EVP_aes_256_ctr(); 685 break; 686 case SRTP_AES_192_KEYSIZE: 687 kdf->evp = EVP_aes_192_ctr(); 688 break; 689 case SRTP_AES_128_KEYSIZE: 690 kdf->evp = EVP_aes_128_ctr(); 691 break; 692 default: 693 return srtp_err_status_bad_param; 694 break; 695 } 696 memcpy(kdf->master_key, key, key_len); 697 memcpy(kdf->master_salt, key + key_len, salt_len); 698 return srtp_err_status_ok; 699 } 700 701 static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, 702 srtp_prf_label label, 703 uint8_t *key, 704 unsigned int length) 705 { 706 int ret; 707 708 /* The NULL cipher will not have an EVP */ 709 if (!kdf->evp) 710 return srtp_err_status_ok; 711 octet_string_set_to_zero(key, length); 712 713 /* 714 * Invoke the OpenSSL SRTP KDF function 715 * This is useful if OpenSSL is in FIPS mode and FIP 716 * compliance is required for SRTP. 717 */ 718 ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key, 719 (char *)&kdf->master_salt, NULL, NULL, label, (char *)key); 720 if (ret == -1) { 721 return (srtp_err_status_algo_fail); 722 } 723 724 return srtp_err_status_ok; 725 } 726 727 static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) 728 { 729 octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN); 730 octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN); 731 kdf->evp = NULL; 732 733 return srtp_err_status_ok; 734 } 735 736 #else /* if OPENSSL_KDF */ 737 738 /* 739 * srtp_kdf_t represents a key derivation function. The SRTP 740 * default KDF is the only one implemented at present. 741 */ 742 typedef struct { 743 srtp_cipher_t *cipher; /* cipher used for key derivation */ 744 } srtp_kdf_t; 745 746 static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, 747 const uint8_t *key, 748 int key_len) 749 { 750 srtp_cipher_type_id_t cipher_id; 751 srtp_err_status_t stat; 752 753 switch (key_len) { 754 case SRTP_AES_ICM_256_KEY_LEN_WSALT: 755 cipher_id = SRTP_AES_ICM_256; 756 break; 757 case SRTP_AES_ICM_192_KEY_LEN_WSALT: 758 cipher_id = SRTP_AES_ICM_192; 759 break; 760 case SRTP_AES_ICM_128_KEY_LEN_WSALT: 761 cipher_id = SRTP_AES_ICM_128; 762 break; 763 default: 764 return srtp_err_status_bad_param; 765 break; 766 } 767 768 stat = srtp_crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, key_len, 0); 769 if (stat) 770 return stat; 771 772 stat = srtp_cipher_init(kdf->cipher, key); 773 if (stat) { 774 srtp_cipher_dealloc(kdf->cipher); 775 return stat; 776 } 777 return srtp_err_status_ok; 778 } 779 780 static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, 781 srtp_prf_label label, 782 uint8_t *key, 783 unsigned int length) 784 { 785 srtp_err_status_t status; 786 v128_t nonce; 787 788 /* set eigth octet of nonce to <label>, set the rest of it to zero */ 789 v128_set_to_zero(&nonce); 790 nonce.v8[7] = label; 791 792 status = srtp_cipher_set_iv(kdf->cipher, (uint8_t *)&nonce, 793 srtp_direction_encrypt); 794 if (status) 795 return status; 796 797 /* generate keystream output */ 798 octet_string_set_to_zero(key, length); 799 status = srtp_cipher_encrypt(kdf->cipher, key, &length); 800 if (status) 801 return status; 802 803 return srtp_err_status_ok; 804 } 805 806 static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) 807 { 808 srtp_err_status_t status; 809 status = srtp_cipher_dealloc(kdf->cipher); 810 if (status) 811 return status; 812 kdf->cipher = NULL; 813 return srtp_err_status_ok; 814 } 815 #endif /* else OPENSSL_KDF */ 816 817 /* 818 * end of key derivation functions 819 */ 820 821 /* Get the base key length corresponding to a given combined key+salt 822 * length for the given cipher. 823 * TODO: key and salt lengths should be separate fields in the policy. */ 824 static inline int base_key_length(const srtp_cipher_type_t *cipher, 825 int key_length) 826 { 827 switch (cipher->id) { 828 case SRTP_NULL_CIPHER: 829 return 0; 830 case SRTP_AES_ICM_128: 831 case SRTP_AES_ICM_192: 832 case SRTP_AES_ICM_256: 833 /* The legacy modes are derived from 834 * the configured key length on the policy */ 835 return key_length - SRTP_SALT_LEN; 836 case SRTP_AES_GCM_128: 837 return key_length - SRTP_AEAD_SALT_LEN; 838 case SRTP_AES_GCM_256: 839 return key_length - SRTP_AEAD_SALT_LEN; 840 default: 841 return key_length; 842 } 843 } 844 845 /* Get the key length that the application should supply for the given cipher */ 846 static inline int full_key_length(const srtp_cipher_type_t *cipher) 847 { 848 switch (cipher->id) { 849 case SRTP_NULL_CIPHER: 850 case SRTP_AES_ICM_128: 851 return SRTP_AES_ICM_128_KEY_LEN_WSALT; 852 case SRTP_AES_ICM_192: 853 return SRTP_AES_ICM_192_KEY_LEN_WSALT; 854 case SRTP_AES_ICM_256: 855 return SRTP_AES_ICM_256_KEY_LEN_WSALT; 856 case SRTP_AES_GCM_128: 857 return SRTP_AES_GCM_128_KEY_LEN_WSALT; 858 case SRTP_AES_GCM_256: 859 return SRTP_AES_GCM_256_KEY_LEN_WSALT; 860 default: 861 return 0; 862 } 863 } 864 865 static unsigned int srtp_validate_policy_master_keys( 866 const srtp_policy_t *policy) 867 { 868 unsigned long i = 0; 869 870 if (policy->key == NULL) { 871 if (policy->num_master_keys <= 0) 872 return 0; 873 874 if (policy->num_master_keys > SRTP_MAX_NUM_MASTER_KEYS) 875 return 0; 876 877 for (i = 0; i < policy->num_master_keys; i++) { 878 if (policy->keys[i]->key == NULL) 879 return 0; 880 if (policy->keys[i]->mki_size > SRTP_MAX_MKI_LEN) 881 return 0; 882 } 883 } 884 885 return 1; 886 } 887 888 srtp_session_keys_t *srtp_get_session_keys_with_mki_index( 889 srtp_stream_ctx_t *stream, 890 unsigned int use_mki, 891 unsigned int mki_index) 892 { 893 if (use_mki) { 894 if (mki_index >= stream->num_master_keys) { 895 return NULL; 896 } 897 return &stream->session_keys[mki_index]; 898 } 899 900 return &stream->session_keys[0]; 901 } 902 903 unsigned int srtp_inject_mki(uint8_t *mki_tag_location, 904 srtp_session_keys_t *session_keys, 905 unsigned int use_mki) 906 { 907 unsigned int mki_size = 0; 908 909 if (use_mki) { 910 mki_size = session_keys->mki_size; 911 912 if (mki_size != 0) { 913 // Write MKI into memory 914 memcpy(mki_tag_location, session_keys->mki_id, mki_size); 915 } 916 } 917 918 return mki_size; 919 } 920 921 srtp_err_status_t srtp_stream_init_all_master_keys( 922 srtp_stream_ctx_t *srtp, 923 unsigned char *key, 924 srtp_master_key_t **keys, 925 const unsigned int max_master_keys) 926 { 927 unsigned int i = 0; 928 srtp_err_status_t status = srtp_err_status_ok; 929 srtp_master_key_t single_master_key; 930 931 if (key != NULL) { 932 srtp->num_master_keys = 1; 933 single_master_key.key = key; 934 single_master_key.mki_id = NULL; 935 single_master_key.mki_size = 0; 936 status = srtp_stream_init_keys(srtp, &single_master_key, 0); 937 } else { 938 srtp->num_master_keys = max_master_keys; 939 940 for (i = 0; i < srtp->num_master_keys && i < SRTP_MAX_NUM_MASTER_KEYS; 941 i++) { 942 status = srtp_stream_init_keys(srtp, keys[i], i); 943 944 if (status) { 945 return status; 946 } 947 } 948 } 949 950 return status; 951 } 952 953 srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp, 954 srtp_master_key_t *master_key, 955 const unsigned int current_mki_index) 956 { 957 srtp_err_status_t stat; 958 srtp_kdf_t kdf; 959 uint8_t tmp_key[MAX_SRTP_KEY_LEN]; 960 int input_keylen, input_keylen_rtcp; 961 int kdf_keylen = 30, rtp_keylen, rtcp_keylen; 962 int rtp_base_key_len, rtp_salt_len; 963 int rtcp_base_key_len, rtcp_salt_len; 964 srtp_session_keys_t *session_keys = NULL; 965 unsigned char *key = master_key->key; 966 967 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ 968 /* TODO: kdf algorithm, master key length, and master salt length should 969 * be part of srtp_policy_t. 970 */ 971 session_keys = &srtp->session_keys[current_mki_index]; 972 973 /* initialize key limit to maximum value */ 974 #ifdef NO_64BIT_MATH 975 { 976 uint64_t temp; 977 temp = make64(UINT_MAX, UINT_MAX); 978 srtp_key_limit_set(session_keys->limit, temp); 979 } 980 #else 981 srtp_key_limit_set(session_keys->limit, 0xffffffffffffLL); 982 #endif 983 984 if (master_key->mki_size != 0) { 985 session_keys->mki_id = srtp_crypto_alloc(master_key->mki_size); 986 987 if (session_keys->mki_id == NULL) { 988 return srtp_err_status_init_fail; 989 } 990 memcpy(session_keys->mki_id, master_key->mki_id, master_key->mki_size); 991 } else { 992 session_keys->mki_id = NULL; 993 } 994 995 session_keys->mki_size = master_key->mki_size; 996 997 input_keylen = full_key_length(session_keys->rtp_cipher->type); 998 input_keylen_rtcp = full_key_length(session_keys->rtcp_cipher->type); 999 if (input_keylen_rtcp > input_keylen) { 1000 input_keylen = input_keylen_rtcp; 1001 } 1002 1003 rtp_keylen = srtp_cipher_get_key_length(session_keys->rtp_cipher); 1004 rtcp_keylen = srtp_cipher_get_key_length(session_keys->rtcp_cipher); 1005 rtp_base_key_len = 1006 base_key_length(session_keys->rtp_cipher->type, rtp_keylen); 1007 rtp_salt_len = rtp_keylen - rtp_base_key_len; 1008 1009 /* 1010 * We assume that the `key` buffer provided by the caller has a length 1011 * equal to the greater of `rtp_keylen` and `rtcp_keylen`. Since we are 1012 * about to read `input_keylen` bytes from it, we need to check that we will 1013 * not overrun. 1014 */ 1015 if ((rtp_keylen < input_keylen) && (rtcp_keylen < input_keylen)) { 1016 return srtp_err_status_bad_param; 1017 } 1018 1019 if (rtp_keylen > kdf_keylen) { 1020 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ 1021 } 1022 1023 if (rtcp_keylen > kdf_keylen) { 1024 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ 1025 } 1026 1027 if (input_keylen > kdf_keylen) { 1028 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ 1029 } 1030 1031 debug_print(mod_srtp, "input key len: %d", input_keylen); 1032 debug_print(mod_srtp, "srtp key len: %d", rtp_keylen); 1033 debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen); 1034 debug_print(mod_srtp, "base key len: %d", rtp_base_key_len); 1035 debug_print(mod_srtp, "kdf key len: %d", kdf_keylen); 1036 debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len); 1037 1038 /* 1039 * Make sure the key given to us is 'zero' appended. GCM 1040 * mode uses a shorter master SALT (96 bits), but still relies on 1041 * the legacy CTR mode KDF, which uses a 112 bit master SALT. 1042 */ 1043 memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN); 1044 memcpy(tmp_key, key, input_keylen); 1045 1046 /* initialize KDF state */ 1047 #if defined(OPENSSL) && defined(OPENSSL_KDF) 1048 stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, rtp_base_key_len, 1049 rtp_salt_len); 1050 #else 1051 stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, kdf_keylen); 1052 #endif 1053 if (stat) { 1054 /* zeroize temp buffer */ 1055 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1056 return srtp_err_status_init_fail; 1057 } 1058 1059 /* generate encryption key */ 1060 stat = srtp_kdf_generate(&kdf, label_rtp_encryption, tmp_key, 1061 rtp_base_key_len); 1062 if (stat) { 1063 /* zeroize temp buffer */ 1064 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1065 return srtp_err_status_init_fail; 1066 } 1067 debug_print(mod_srtp, "cipher key: %s", 1068 srtp_octet_string_hex_string(tmp_key, rtp_base_key_len)); 1069 1070 /* 1071 * if the cipher in the srtp context uses a salt, then we need 1072 * to generate the salt value 1073 */ 1074 if (rtp_salt_len > 0) { 1075 debug_print0(mod_srtp, "found rtp_salt_len > 0, generating salt"); 1076 1077 /* generate encryption salt, put after encryption key */ 1078 stat = srtp_kdf_generate(&kdf, label_rtp_salt, 1079 tmp_key + rtp_base_key_len, rtp_salt_len); 1080 if (stat) { 1081 /* zeroize temp buffer */ 1082 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1083 return srtp_err_status_init_fail; 1084 } 1085 memcpy(session_keys->salt, tmp_key + rtp_base_key_len, 1086 SRTP_AEAD_SALT_LEN); 1087 } 1088 if (rtp_salt_len > 0) { 1089 debug_print(mod_srtp, "cipher salt: %s", 1090 srtp_octet_string_hex_string(tmp_key + rtp_base_key_len, 1091 rtp_salt_len)); 1092 } 1093 1094 /* initialize cipher */ 1095 stat = srtp_cipher_init(session_keys->rtp_cipher, tmp_key); 1096 if (stat) { 1097 /* zeroize temp buffer */ 1098 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1099 return srtp_err_status_init_fail; 1100 } 1101 1102 if (session_keys->rtp_xtn_hdr_cipher) { 1103 /* generate extensions header encryption key */ 1104 int rtp_xtn_hdr_keylen; 1105 int rtp_xtn_hdr_base_key_len; 1106 int rtp_xtn_hdr_salt_len; 1107 srtp_kdf_t tmp_kdf; 1108 srtp_kdf_t *xtn_hdr_kdf; 1109 1110 if (session_keys->rtp_xtn_hdr_cipher->type != 1111 session_keys->rtp_cipher->type) { 1112 /* 1113 * With GCM ciphers, the header extensions are still encrypted using 1114 * the corresponding ICM cipher. 1115 * See https://tools.ietf.org/html/rfc7714#section-8.3 1116 */ 1117 uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN]; 1118 rtp_xtn_hdr_keylen = 1119 srtp_cipher_get_key_length(session_keys->rtp_xtn_hdr_cipher); 1120 rtp_xtn_hdr_base_key_len = base_key_length( 1121 session_keys->rtp_xtn_hdr_cipher->type, rtp_xtn_hdr_keylen); 1122 rtp_xtn_hdr_salt_len = 1123 rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len; 1124 if (rtp_xtn_hdr_salt_len > rtp_salt_len) { 1125 switch (session_keys->rtp_cipher->type->id) { 1126 case SRTP_AES_GCM_128: 1127 case SRTP_AES_GCM_256: 1128 /* 1129 * The shorter GCM salt is padded to the required ICM salt 1130 * length. 1131 */ 1132 rtp_xtn_hdr_salt_len = rtp_salt_len; 1133 break; 1134 default: 1135 /* zeroize temp buffer */ 1136 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1137 return srtp_err_status_bad_param; 1138 } 1139 } 1140 memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN); 1141 memcpy(tmp_xtn_hdr_key, key, 1142 (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_len)); 1143 xtn_hdr_kdf = &tmp_kdf; 1144 1145 /* initialize KDF state */ 1146 #if defined(OPENSSL) && defined(OPENSSL_KDF) 1147 stat = 1148 srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, 1149 rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len); 1150 #else 1151 stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, 1152 kdf_keylen); 1153 #endif 1154 octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN); 1155 if (stat) { 1156 /* zeroize temp buffer */ 1157 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1158 return srtp_err_status_init_fail; 1159 } 1160 } else { 1161 /* Reuse main KDF. */ 1162 rtp_xtn_hdr_keylen = rtp_keylen; 1163 rtp_xtn_hdr_base_key_len = rtp_base_key_len; 1164 rtp_xtn_hdr_salt_len = rtp_salt_len; 1165 xtn_hdr_kdf = &kdf; 1166 } 1167 1168 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption, 1169 tmp_key, rtp_xtn_hdr_base_key_len); 1170 if (stat) { 1171 /* zeroize temp buffer */ 1172 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1173 return srtp_err_status_init_fail; 1174 } 1175 debug_print( 1176 mod_srtp, "extensions cipher key: %s", 1177 srtp_octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len)); 1178 1179 /* 1180 * if the cipher in the srtp context uses a salt, then we need 1181 * to generate the salt value 1182 */ 1183 if (rtp_xtn_hdr_salt_len > 0) { 1184 debug_print0(mod_srtp, 1185 "found rtp_xtn_hdr_salt_len > 0, generating salt"); 1186 1187 /* generate encryption salt, put after encryption key */ 1188 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt, 1189 tmp_key + rtp_xtn_hdr_base_key_len, 1190 rtp_xtn_hdr_salt_len); 1191 if (stat) { 1192 /* zeroize temp buffer */ 1193 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1194 return srtp_err_status_init_fail; 1195 } 1196 } 1197 if (rtp_xtn_hdr_salt_len > 0) { 1198 debug_print( 1199 mod_srtp, "extensions cipher salt: %s", 1200 srtp_octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len, 1201 rtp_xtn_hdr_salt_len)); 1202 } 1203 1204 /* initialize extensions header cipher */ 1205 stat = srtp_cipher_init(session_keys->rtp_xtn_hdr_cipher, tmp_key); 1206 if (stat) { 1207 /* zeroize temp buffer */ 1208 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1209 return srtp_err_status_init_fail; 1210 } 1211 1212 if (xtn_hdr_kdf != &kdf) { 1213 /* release memory for custom header extension encryption kdf */ 1214 stat = srtp_kdf_clear(xtn_hdr_kdf); 1215 if (stat) { 1216 /* zeroize temp buffer */ 1217 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1218 return srtp_err_status_init_fail; 1219 } 1220 } 1221 } 1222 1223 /* generate authentication key */ 1224 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, tmp_key, 1225 srtp_auth_get_key_length(session_keys->rtp_auth)); 1226 if (stat) { 1227 /* zeroize temp buffer */ 1228 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1229 return srtp_err_status_init_fail; 1230 } 1231 debug_print(mod_srtp, "auth key: %s", 1232 srtp_octet_string_hex_string( 1233 tmp_key, srtp_auth_get_key_length(session_keys->rtp_auth))); 1234 1235 /* initialize auth function */ 1236 stat = srtp_auth_init(session_keys->rtp_auth, tmp_key); 1237 if (stat) { 1238 /* zeroize temp buffer */ 1239 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1240 return srtp_err_status_init_fail; 1241 } 1242 1243 /* 1244 * ...now initialize SRTCP keys 1245 */ 1246 1247 rtcp_base_key_len = 1248 base_key_length(session_keys->rtcp_cipher->type, rtcp_keylen); 1249 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; 1250 debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len); 1251 1252 /* generate encryption key */ 1253 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, tmp_key, 1254 rtcp_base_key_len); 1255 if (stat) { 1256 /* zeroize temp buffer */ 1257 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1258 return srtp_err_status_init_fail; 1259 } 1260 1261 /* 1262 * if the cipher in the srtp context uses a salt, then we need 1263 * to generate the salt value 1264 */ 1265 if (rtcp_salt_len > 0) { 1266 debug_print0(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt"); 1267 1268 /* generate encryption salt, put after encryption key */ 1269 stat = srtp_kdf_generate(&kdf, label_rtcp_salt, 1270 tmp_key + rtcp_base_key_len, rtcp_salt_len); 1271 if (stat) { 1272 /* zeroize temp buffer */ 1273 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1274 return srtp_err_status_init_fail; 1275 } 1276 memcpy(session_keys->c_salt, tmp_key + rtcp_base_key_len, 1277 SRTP_AEAD_SALT_LEN); 1278 } 1279 debug_print(mod_srtp, "rtcp cipher key: %s", 1280 srtp_octet_string_hex_string(tmp_key, rtcp_base_key_len)); 1281 if (rtcp_salt_len > 0) { 1282 debug_print(mod_srtp, "rtcp cipher salt: %s", 1283 srtp_octet_string_hex_string(tmp_key + rtcp_base_key_len, 1284 rtcp_salt_len)); 1285 } 1286 1287 /* initialize cipher */ 1288 stat = srtp_cipher_init(session_keys->rtcp_cipher, tmp_key); 1289 if (stat) { 1290 /* zeroize temp buffer */ 1291 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1292 return srtp_err_status_init_fail; 1293 } 1294 1295 /* generate authentication key */ 1296 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, tmp_key, 1297 srtp_auth_get_key_length(session_keys->rtcp_auth)); 1298 if (stat) { 1299 /* zeroize temp buffer */ 1300 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1301 return srtp_err_status_init_fail; 1302 } 1303 1304 debug_print( 1305 mod_srtp, "rtcp auth key: %s", 1306 srtp_octet_string_hex_string( 1307 tmp_key, srtp_auth_get_key_length(session_keys->rtcp_auth))); 1308 1309 /* initialize auth function */ 1310 stat = srtp_auth_init(session_keys->rtcp_auth, tmp_key); 1311 if (stat) { 1312 /* zeroize temp buffer */ 1313 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1314 return srtp_err_status_init_fail; 1315 } 1316 1317 /* clear memory then return */ 1318 stat = srtp_kdf_clear(&kdf); 1319 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 1320 if (stat) 1321 return srtp_err_status_init_fail; 1322 1323 return srtp_err_status_ok; 1324 } 1325 1326 static srtp_err_status_t srtp_stream_init(srtp_stream_ctx_t *srtp, 1327 const srtp_policy_t *p) 1328 { 1329 srtp_err_status_t err; 1330 1331 err = srtp_valid_policy(p); 1332 if (err != srtp_err_status_ok) { 1333 return err; 1334 } 1335 1336 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", p->ssrc.value); 1337 1338 /* initialize replay database */ 1339 /* 1340 * window size MUST be at least 64. MAY be larger. Values more than 1341 * 2^15 aren't meaningful due to how extended sequence numbers are 1342 * calculated. 1343 * Let a window size of 0 imply the default value. 1344 */ 1345 1346 if (p->window_size != 0 && 1347 (p->window_size < 64 || p->window_size >= 0x8000)) 1348 return srtp_err_status_bad_param; 1349 1350 if (p->window_size != 0) 1351 err = srtp_rdbx_init(&srtp->rtp_rdbx, p->window_size); 1352 else 1353 err = srtp_rdbx_init(&srtp->rtp_rdbx, 128); 1354 if (err) 1355 return err; 1356 1357 /* set the SSRC value */ 1358 srtp->ssrc = htonl(p->ssrc.value); 1359 1360 /* reset pending ROC */ 1361 srtp->pending_roc = 0; 1362 1363 /* set the security service flags */ 1364 srtp->rtp_services = p->rtp.sec_serv; 1365 srtp->rtcp_services = p->rtcp.sec_serv; 1366 1367 /* 1368 * set direction to unknown - this flag gets checked in srtp_protect(), 1369 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and 1370 * gets set appropriately if it is set to unknown. 1371 */ 1372 srtp->direction = dir_unknown; 1373 1374 /* initialize SRTCP replay database */ 1375 srtp_rdb_init(&srtp->rtcp_rdb); 1376 1377 /* initialize allow_repeat_tx */ 1378 /* guard against uninitialized memory: allow only 0 or 1 here */ 1379 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) { 1380 srtp_rdbx_dealloc(&srtp->rtp_rdbx); 1381 return srtp_err_status_bad_param; 1382 } 1383 srtp->allow_repeat_tx = p->allow_repeat_tx; 1384 1385 /* DAM - no RTCP key limit at present */ 1386 1387 /* initialize keys */ 1388 err = srtp_stream_init_all_master_keys(srtp, p->key, p->keys, 1389 p->num_master_keys); 1390 if (err) { 1391 srtp_rdbx_dealloc(&srtp->rtp_rdbx); 1392 return err; 1393 } 1394 1395 return srtp_err_status_ok; 1396 } 1397 1398 /* 1399 * srtp_event_reporter is an event handler function that merely 1400 * reports the events that are reported by the callbacks 1401 */ 1402 1403 void srtp_event_reporter(srtp_event_data_t *data) 1404 { 1405 srtp_err_report(srtp_err_level_warning, 1406 "srtp: in stream 0x%x: ", data->ssrc); 1407 1408 switch (data->event) { 1409 case event_ssrc_collision: 1410 srtp_err_report(srtp_err_level_warning, "\tSSRC collision\n"); 1411 break; 1412 case event_key_soft_limit: 1413 srtp_err_report(srtp_err_level_warning, 1414 "\tkey usage soft limit reached\n"); 1415 break; 1416 case event_key_hard_limit: 1417 srtp_err_report(srtp_err_level_warning, 1418 "\tkey usage hard limit reached\n"); 1419 break; 1420 case event_packet_index_limit: 1421 srtp_err_report(srtp_err_level_warning, 1422 "\tpacket index limit reached\n"); 1423 break; 1424 default: 1425 srtp_err_report(srtp_err_level_warning, 1426 "\tunknown event reported to handler\n"); 1427 } 1428 } 1429 1430 /* 1431 * srtp_event_handler is a global variable holding a pointer to the 1432 * event handler function; this function is called for any unexpected 1433 * event that needs to be handled out of the SRTP data path. see 1434 * srtp_event_t in srtp.h for more info 1435 * 1436 * it is okay to set srtp_event_handler to NULL, but we set 1437 * it to the srtp_event_reporter. 1438 */ 1439 1440 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter; 1441 1442 srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func) 1443 { 1444 /* 1445 * note that we accept NULL arguments intentionally - calling this 1446 * function with a NULL arguments removes an event handler that's 1447 * been previously installed 1448 */ 1449 1450 /* set global event handling function */ 1451 srtp_event_handler = func; 1452 return srtp_err_status_ok; 1453 } 1454 1455 /* 1456 * Check if the given extension header id is / should be encrypted. 1457 * Returns 1 if yes, otherwise 0. 1458 */ 1459 static int srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id) 1460 { 1461 int *enc_xtn_hdr = stream->enc_xtn_hdr; 1462 int count = stream->enc_xtn_hdr_count; 1463 1464 if (!enc_xtn_hdr || count <= 0) { 1465 return 0; 1466 } 1467 1468 while (count > 0) { 1469 if (*enc_xtn_hdr == id) { 1470 return 1; 1471 } 1472 1473 enc_xtn_hdr++; 1474 count--; 1475 } 1476 return 0; 1477 } 1478 1479 /* 1480 * extensions header encryption RFC 6904 1481 */ 1482 static srtp_err_status_t srtp_process_header_encryption( 1483 srtp_stream_ctx_t *stream, 1484 srtp_hdr_xtnd_t *xtn_hdr, 1485 srtp_session_keys_t *session_keys) 1486 { 1487 srtp_err_status_t status; 1488 uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */ 1489 int keystream_pos; 1490 uint8_t *xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_xtn_hdr; 1491 uint8_t *xtn_hdr_end = 1492 xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_t)); 1493 1494 if (ntohs(xtn_hdr->profile_specific) == 0xbede) { 1495 /* RFC 5285, section 4.2. One-Byte Header */ 1496 while (xtn_hdr_data < xtn_hdr_end) { 1497 uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4; 1498 unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1; 1499 uint32_t xlen_with_header = 1 + xlen; 1500 xtn_hdr_data++; 1501 1502 if (xtn_hdr_data + xlen > xtn_hdr_end) 1503 return srtp_err_status_parse_err; 1504 1505 if (xid == 15) { 1506 /* found header 15, stop further processing. */ 1507 break; 1508 } 1509 1510 status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, 1511 keystream, &xlen_with_header); 1512 if (status) 1513 return srtp_err_status_cipher_fail; 1514 1515 if (srtp_protect_extension_header(stream, xid)) { 1516 keystream_pos = 1; 1517 while (xlen > 0) { 1518 *xtn_hdr_data ^= keystream[keystream_pos++]; 1519 xtn_hdr_data++; 1520 xlen--; 1521 } 1522 } else { 1523 xtn_hdr_data += xlen; 1524 } 1525 1526 /* skip padding bytes. */ 1527 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { 1528 xtn_hdr_data++; 1529 } 1530 } 1531 } else if ((ntohs(xtn_hdr->profile_specific) & 0xfff0) == 0x1000) { 1532 /* RFC 5285, section 4.3. Two-Byte Header */ 1533 while (xtn_hdr_data + 1 < xtn_hdr_end) { 1534 uint8_t xid = *xtn_hdr_data; 1535 unsigned int xlen = *(xtn_hdr_data + 1); 1536 uint32_t xlen_with_header = 2 + xlen; 1537 xtn_hdr_data += 2; 1538 1539 if (xtn_hdr_data + xlen > xtn_hdr_end) 1540 return srtp_err_status_parse_err; 1541 1542 status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, 1543 keystream, &xlen_with_header); 1544 if (status) 1545 return srtp_err_status_cipher_fail; 1546 1547 if (xlen > 0 && srtp_protect_extension_header(stream, xid)) { 1548 keystream_pos = 2; 1549 while (xlen > 0) { 1550 *xtn_hdr_data ^= keystream[keystream_pos++]; 1551 xtn_hdr_data++; 1552 xlen--; 1553 } 1554 } else { 1555 xtn_hdr_data += xlen; 1556 } 1557 1558 /* skip padding bytes. */ 1559 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { 1560 xtn_hdr_data++; 1561 } 1562 } 1563 } else { 1564 /* unsupported extension header format. */ 1565 return srtp_err_status_parse_err; 1566 } 1567 1568 return srtp_err_status_ok; 1569 } 1570 1571 /* 1572 * AEAD uses a new IV formation method. This function implements 1573 * section 8.1. (SRTP IV Formation for AES-GCM) of RFC7714. 1574 * The calculation is defined as, where (+) is the xor operation: 1575 * 1576 * 1577 * 0 0 0 0 0 0 0 0 0 0 1 1 1578 * 0 1 2 3 4 5 6 7 8 9 0 1 1579 * +--+--+--+--+--+--+--+--+--+--+--+--+ 1580 * |00|00| SSRC | ROC | SEQ |---+ 1581 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 1582 * | 1583 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 1584 * | Encryption Salt |->(+) 1585 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 1586 * | 1587 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 1588 * | Initialization Vector |<--+ 1589 * +--+--+--+--+--+--+--+--+--+--+--+--+* 1590 * 1591 * Input: *session_keys - pointer to SRTP stream context session keys, 1592 * used to retrieve the SALT 1593 * *iv - Pointer to receive the calculated IV 1594 * *seq - The ROC and SEQ value to use for the 1595 * IV calculation. 1596 * *hdr - The RTP header, used to get the SSRC value 1597 * 1598 */ 1599 1600 static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys, 1601 v128_t *iv, 1602 srtp_xtd_seq_num_t *seq, 1603 const srtp_hdr_t *hdr) 1604 { 1605 v128_t in; 1606 v128_t salt; 1607 1608 #ifdef NO_64BIT_MATH 1609 uint32_t local_roc = ((high32(*seq) << 16) | (low32(*seq) >> 16)); 1610 uint16_t local_seq = (uint16_t)(low32(*seq)); 1611 #else 1612 uint32_t local_roc = (uint32_t)(*seq >> 16); 1613 uint16_t local_seq = (uint16_t)*seq; 1614 #endif 1615 1616 memset(&in, 0, sizeof(v128_t)); 1617 memset(&salt, 0, sizeof(v128_t)); 1618 1619 in.v16[5] = htons(local_seq); 1620 local_roc = htonl(local_roc); 1621 memcpy(&in.v16[3], &local_roc, sizeof(local_roc)); 1622 1623 /* 1624 * Copy in the RTP SSRC value 1625 */ 1626 memcpy(&in.v8[2], &hdr->ssrc, 4); 1627 debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in)); 1628 1629 /* 1630 * Get the SALT value from the context 1631 */ 1632 memcpy(salt.v8, session_keys->salt, SRTP_AEAD_SALT_LEN); 1633 debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt)); 1634 1635 /* 1636 * Finally, apply tyhe SALT to the input 1637 */ 1638 v128_xor(iv, &in, &salt); 1639 } 1640 1641 static srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream, 1642 const uint8_t *hdr, 1643 unsigned int pkt_octet_len, 1644 unsigned int *mki_size, 1645 unsigned int tag_len) 1646 { 1647 unsigned int base_mki_start_location = pkt_octet_len; 1648 unsigned int mki_start_location = 0; 1649 unsigned int i = 0; 1650 1651 if (tag_len > base_mki_start_location) { 1652 *mki_size = 0; 1653 return NULL; 1654 } 1655 1656 base_mki_start_location -= tag_len; 1657 1658 for (i = 0; i < stream->num_master_keys; i++) { 1659 if (stream->session_keys[i].mki_size != 0 && 1660 stream->session_keys[i].mki_size <= base_mki_start_location) { 1661 *mki_size = stream->session_keys[i].mki_size; 1662 mki_start_location = base_mki_start_location - *mki_size; 1663 1664 if (memcmp(hdr + mki_start_location, stream->session_keys[i].mki_id, 1665 *mki_size) == 0) { 1666 return &stream->session_keys[i]; 1667 } 1668 } 1669 } 1670 1671 *mki_size = 0; 1672 return NULL; 1673 } 1674 1675 static srtp_session_keys_t *srtp_get_session_keys_rtp( 1676 srtp_stream_ctx_t *stream, 1677 const uint8_t *hdr, 1678 unsigned int pkt_octet_len, 1679 unsigned int *mki_size) 1680 { 1681 unsigned int tag_len = 0; 1682 1683 // Determine the authentication tag size 1684 if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 || 1685 stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) { 1686 tag_len = 0; 1687 } else { 1688 tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); 1689 } 1690 1691 return srtp_get_session_keys(stream, hdr, pkt_octet_len, mki_size, tag_len); 1692 } 1693 1694 static srtp_session_keys_t *srtp_get_session_keys_rtcp( 1695 srtp_stream_ctx_t *stream, 1696 const uint8_t *hdr, 1697 unsigned int pkt_octet_len, 1698 unsigned int *mki_size) 1699 { 1700 unsigned int tag_len = 0; 1701 1702 // Determine the authentication tag size 1703 if (stream->session_keys[0].rtcp_cipher->algorithm == SRTP_AES_GCM_128 || 1704 stream->session_keys[0].rtcp_cipher->algorithm == SRTP_AES_GCM_256) { 1705 tag_len = 0; 1706 } else { 1707 tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtcp_auth); 1708 } 1709 1710 return srtp_get_session_keys(stream, hdr, pkt_octet_len, mki_size, tag_len); 1711 } 1712 1713 static srtp_err_status_t srtp_estimate_index(srtp_rdbx_t *rdbx, 1714 uint32_t roc, 1715 srtp_xtd_seq_num_t *est, 1716 srtp_sequence_number_t seq, 1717 int *delta) 1718 { 1719 #ifdef NO_64BIT_MATH 1720 uint32_t internal_pkt_idx_reduced; 1721 uint32_t external_pkt_idx_reduced; 1722 uint32_t internal_roc; 1723 uint32_t roc_difference; 1724 #endif 1725 1726 #ifdef NO_64BIT_MATH 1727 *est = (srtp_xtd_seq_num_t)make64(roc >> 16, (roc << 16) | seq); 1728 *delta = low32(est) - rdbx->index; 1729 #else 1730 *est = (srtp_xtd_seq_num_t)(((uint64_t)roc) << 16) | seq; 1731 *delta = (int)(*est - rdbx->index); 1732 #endif 1733 1734 if (*est > rdbx->index) { 1735 #ifdef NO_64BIT_MATH 1736 internal_roc = (uint32_t)(rdbx->index >> 16); 1737 roc_difference = roc - internal_roc; 1738 if (roc_difference > 1) { 1739 *delta = 0; 1740 return srtp_err_status_pkt_idx_adv; 1741 } 1742 1743 internal_pkt_idx_reduced = (uint32_t)(rdbx->index & 0xFFFF); 1744 external_pkt_idx_reduced = (uint32_t)((roc_difference << 16) | seq); 1745 1746 if (external_pkt_idx_reduced - internal_pkt_idx_reduced > 1747 seq_num_median) { 1748 *delta = 0; 1749 return srtp_err_status_pkt_idx_adv; 1750 } 1751 #else 1752 if (*est - rdbx->index > seq_num_median) { 1753 *delta = 0; 1754 return srtp_err_status_pkt_idx_adv; 1755 } 1756 #endif 1757 } else if (*est < rdbx->index) { 1758 #ifdef NO_64BIT_MATH 1759 1760 internal_roc = (uint32_t)(rdbx->index >> 16); 1761 roc_difference = internal_roc - roc; 1762 if (roc_difference > 1) { 1763 *delta = 0; 1764 return srtp_err_status_pkt_idx_adv; 1765 } 1766 1767 internal_pkt_idx_reduced = 1768 (uint32_t)((roc_difference << 16) | rdbx->index & 0xFFFF); 1769 external_pkt_idx_reduced = (uint32_t)(seq); 1770 1771 if (internal_pkt_idx_reduced - external_pkt_idx_reduced > 1772 seq_num_median) { 1773 *delta = 0; 1774 return srtp_err_status_pkt_idx_old; 1775 } 1776 #else 1777 if (rdbx->index - *est > seq_num_median) { 1778 *delta = 0; 1779 return srtp_err_status_pkt_idx_old; 1780 } 1781 #endif 1782 } 1783 1784 return srtp_err_status_ok; 1785 } 1786 1787 static srtp_err_status_t srtp_get_est_pkt_index(const srtp_hdr_t *hdr, 1788 srtp_stream_ctx_t *stream, 1789 srtp_xtd_seq_num_t *est, 1790 int *delta) 1791 { 1792 srtp_err_status_t result = srtp_err_status_ok; 1793 1794 if (stream->pending_roc) { 1795 result = srtp_estimate_index(&stream->rtp_rdbx, stream->pending_roc, 1796 est, ntohs(hdr->seq), delta); 1797 } else { 1798 /* estimate packet index from seq. num. in header */ 1799 *delta = 1800 srtp_rdbx_estimate_index(&stream->rtp_rdbx, est, ntohs(hdr->seq)); 1801 } 1802 1803 #ifdef NO_64BIT_MATH 1804 debug_print2(mod_srtp, "estimated u_packet index: %08lx%08lx", high32(*est), 1805 low32(*est)); 1806 #else 1807 debug_print(mod_srtp, "estimated u_packet index: %016" PRIx64, *est); 1808 #endif 1809 return result; 1810 } 1811 1812 /* 1813 * This function handles outgoing SRTP packets while in AEAD mode, 1814 * which currently supports AES-GCM encryption. All packets are 1815 * encrypted and authenticated. 1816 */ 1817 static srtp_err_status_t srtp_protect_aead(srtp_ctx_t *ctx, 1818 srtp_stream_ctx_t *stream, 1819 void *rtp_hdr, 1820 unsigned int *pkt_octet_len, 1821 srtp_session_keys_t *session_keys, 1822 unsigned int use_mki) 1823 { 1824 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; 1825 uint8_t *enc_start; /* pointer to start of encrypted portion */ 1826 int enc_octet_len = 0; /* number of octets in encrypted portion */ 1827 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 1828 int delta; /* delta of local pkt idx and that in hdr */ 1829 srtp_err_status_t status; 1830 uint32_t tag_len; 1831 v128_t iv; 1832 unsigned int aad_len; 1833 srtp_hdr_xtnd_t *xtn_hdr = NULL; 1834 unsigned int mki_size = 0; 1835 uint8_t *mki_location = NULL; 1836 1837 debug_print0(mod_srtp, "function srtp_protect_aead"); 1838 1839 /* 1840 * update the key usage limit, and check it to make sure that we 1841 * didn't just hit either the soft limit or the hard limit, and call 1842 * the event handler if we hit either. 1843 */ 1844 switch (srtp_key_limit_update(session_keys->limit)) { 1845 case srtp_key_event_normal: 1846 break; 1847 case srtp_key_event_hard_limit: 1848 srtp_handle_event(ctx, stream, event_key_hard_limit); 1849 return srtp_err_status_key_expired; 1850 case srtp_key_event_soft_limit: 1851 default: 1852 srtp_handle_event(ctx, stream, event_key_soft_limit); 1853 break; 1854 } 1855 1856 /* get tag length from stream */ 1857 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); 1858 1859 /* 1860 * find starting point for encryption and length of data to be 1861 * encrypted - the encrypted portion starts after the rtp header 1862 * extension, if present; otherwise, it starts after the last csrc, 1863 * if any are present 1864 */ 1865 enc_start = (uint8_t *)hdr + srtp_get_rtp_hdr_len(hdr); 1866 if (hdr->x == 1) { 1867 xtn_hdr = srtp_get_rtp_xtn_hdr(hdr); 1868 enc_start += srtp_get_rtp_xtn_hdr_len(xtn_hdr); 1869 } 1870 /* note: the passed size is without the auth tag */ 1871 if (!(enc_start <= (uint8_t *)hdr + *pkt_octet_len)) 1872 return srtp_err_status_parse_err; 1873 enc_octet_len = (int)(*pkt_octet_len - (enc_start - (uint8_t *)hdr)); 1874 if (enc_octet_len < 0) 1875 return srtp_err_status_parse_err; 1876 1877 /* 1878 * estimate the packet index using the start of the replay window 1879 * and the sequence number from the header 1880 */ 1881 status = srtp_get_est_pkt_index(hdr, stream, &est, &delta); 1882 1883 if (status && (status != srtp_err_status_pkt_idx_adv)) 1884 return status; 1885 1886 if (status == srtp_err_status_pkt_idx_adv) { 1887 srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, (uint32_t)(est >> 16), 1888 (uint16_t)(est & 0xFFFF)); 1889 stream->pending_roc = 0; 1890 srtp_rdbx_add_index(&stream->rtp_rdbx, 0); 1891 } else { 1892 status = srtp_rdbx_check(&stream->rtp_rdbx, delta); 1893 if (status) { 1894 if (status != srtp_err_status_replay_fail || 1895 !stream->allow_repeat_tx) 1896 return status; /* we've been asked to reuse an index */ 1897 } 1898 srtp_rdbx_add_index(&stream->rtp_rdbx, delta); 1899 } 1900 1901 #ifdef NO_64BIT_MATH 1902 debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est), 1903 low32(est)); 1904 #else 1905 debug_print(mod_srtp, "estimated packet index: %016" PRIx64, est); 1906 #endif 1907 1908 /* 1909 * AEAD uses a new IV formation method 1910 */ 1911 srtp_calc_aead_iv(session_keys, &iv, &est, hdr); 1912 /* shift est, put into network byte order */ 1913 #ifdef NO_64BIT_MATH 1914 est = be64_to_cpu( 1915 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); 1916 #else 1917 est = be64_to_cpu(est << 16); 1918 #endif 1919 1920 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, 1921 srtp_direction_encrypt); 1922 if (!status && session_keys->rtp_xtn_hdr_cipher) { 1923 iv.v32[0] = 0; 1924 iv.v32[1] = hdr->ssrc; 1925 iv.v64[1] = est; 1926 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, 1927 (uint8_t *)&iv, srtp_direction_encrypt); 1928 } 1929 if (status) { 1930 return srtp_err_status_cipher_fail; 1931 } 1932 1933 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { 1934 /* 1935 * extensions header encryption RFC 6904 1936 */ 1937 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); 1938 if (status) { 1939 return status; 1940 } 1941 } 1942 1943 /* 1944 * Set the AAD over the RTP header 1945 */ 1946 aad_len = (uint32_t)(enc_start - (uint8_t *)hdr); 1947 status = 1948 srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len); 1949 if (status) { 1950 return (srtp_err_status_cipher_fail); 1951 } 1952 1953 /* Encrypt the payload */ 1954 status = srtp_cipher_encrypt(session_keys->rtp_cipher, enc_start, 1955 (unsigned int *)&enc_octet_len); 1956 if (status) { 1957 return srtp_err_status_cipher_fail; 1958 } 1959 /* 1960 * If we're doing GCM, we need to get the tag 1961 * and append that to the output 1962 */ 1963 status = srtp_cipher_get_tag(session_keys->rtp_cipher, 1964 enc_start + enc_octet_len, &tag_len); 1965 if (status) { 1966 return (srtp_err_status_cipher_fail); 1967 } 1968 1969 mki_location = (uint8_t *)hdr + *pkt_octet_len + tag_len; 1970 mki_size = srtp_inject_mki(mki_location, session_keys, use_mki); 1971 1972 /* increase the packet length by the length of the auth tag */ 1973 *pkt_octet_len += tag_len; 1974 1975 /* increase the packet length by the length of the mki_size */ 1976 *pkt_octet_len += mki_size; 1977 1978 return srtp_err_status_ok; 1979 } 1980 1981 /* 1982 * This function handles incoming SRTP packets while in AEAD mode, 1983 * which currently supports AES-GCM encryption. All packets are 1984 * encrypted and authenticated. Note, the auth tag is at the end 1985 * of the packet stream and is automatically checked by GCM 1986 * when decrypting the payload. 1987 */ 1988 static srtp_err_status_t srtp_unprotect_aead(srtp_ctx_t *ctx, 1989 srtp_stream_ctx_t *stream, 1990 int delta, 1991 srtp_xtd_seq_num_t est, 1992 void *srtp_hdr, 1993 unsigned int *pkt_octet_len, 1994 srtp_session_keys_t *session_keys, 1995 unsigned int mki_size, 1996 int advance_packet_index) 1997 { 1998 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; 1999 uint8_t *enc_start; /* pointer to start of encrypted portion */ 2000 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 2001 v128_t iv; 2002 srtp_err_status_t status; 2003 int tag_len; 2004 unsigned int aad_len; 2005 srtp_hdr_xtnd_t *xtn_hdr = NULL; 2006 2007 debug_print0(mod_srtp, "function srtp_unprotect_aead"); 2008 2009 #ifdef NO_64BIT_MATH 2010 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), 2011 low32(est)); 2012 #else 2013 debug_print(mod_srtp, "estimated u_packet index: %016" PRIx64, est); 2014 #endif 2015 2016 /* get tag length from stream */ 2017 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); 2018 2019 /* 2020 * AEAD uses a new IV formation method 2021 */ 2022 srtp_calc_aead_iv(session_keys, &iv, &est, hdr); 2023 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, 2024 srtp_direction_decrypt); 2025 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2026 iv.v32[0] = 0; 2027 iv.v32[1] = hdr->ssrc; 2028 #ifdef NO_64BIT_MATH 2029 iv.v64[1] = be64_to_cpu( 2030 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); 2031 #else 2032 iv.v64[1] = be64_to_cpu(est << 16); 2033 #endif 2034 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, 2035 (uint8_t *)&iv, srtp_direction_encrypt); 2036 } 2037 if (status) { 2038 return srtp_err_status_cipher_fail; 2039 } 2040 2041 /* 2042 * find starting point for decryption and length of data to be 2043 * decrypted - the encrypted portion starts after the rtp header 2044 * extension, if present; otherwise, it starts after the last csrc, 2045 * if any are present 2046 */ 2047 enc_start = (uint8_t *)hdr + srtp_get_rtp_hdr_len(hdr); 2048 if (hdr->x == 1) { 2049 xtn_hdr = srtp_get_rtp_xtn_hdr(hdr); 2050 enc_start += srtp_get_rtp_xtn_hdr_len(xtn_hdr); 2051 } 2052 if (!(enc_start <= (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size))) 2053 return srtp_err_status_parse_err; 2054 /* 2055 * We pass the tag down to the cipher when doing GCM mode 2056 */ 2057 enc_octet_len = (unsigned int)(*pkt_octet_len - mki_size - 2058 (enc_start - (uint8_t *)hdr)); 2059 2060 /* 2061 * Sanity check the encrypted payload length against 2062 * the tag size. It must always be at least as large 2063 * as the tag length. 2064 */ 2065 if (enc_octet_len < (unsigned int)tag_len) { 2066 return srtp_err_status_cipher_fail; 2067 } 2068 2069 /* 2070 * update the key usage limit, and check it to make sure that we 2071 * didn't just hit either the soft limit or the hard limit, and call 2072 * the event handler if we hit either. 2073 */ 2074 switch (srtp_key_limit_update(session_keys->limit)) { 2075 case srtp_key_event_normal: 2076 break; 2077 case srtp_key_event_soft_limit: 2078 srtp_handle_event(ctx, stream, event_key_soft_limit); 2079 break; 2080 case srtp_key_event_hard_limit: 2081 srtp_handle_event(ctx, stream, event_key_hard_limit); 2082 return srtp_err_status_key_expired; 2083 default: 2084 break; 2085 } 2086 2087 /* 2088 * Set the AAD for AES-GCM, which is the RTP header 2089 */ 2090 aad_len = (uint32_t)(enc_start - (uint8_t *)hdr); 2091 status = 2092 srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len); 2093 if (status) { 2094 return (srtp_err_status_cipher_fail); 2095 } 2096 2097 /* Decrypt the ciphertext. This also checks the auth tag based 2098 * on the AAD we just specified above */ 2099 status = srtp_cipher_decrypt(session_keys->rtp_cipher, (uint8_t *)enc_start, 2100 &enc_octet_len); 2101 if (status) { 2102 return status; 2103 } 2104 2105 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { 2106 /* 2107 * extensions header encryption RFC 6904 2108 */ 2109 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); 2110 if (status) { 2111 return status; 2112 } 2113 } 2114 2115 /* 2116 * verify that stream is for received traffic - this check will 2117 * detect SSRC collisions, since a stream that appears in both 2118 * srtp_protect() and srtp_unprotect() will fail this test in one of 2119 * those functions. 2120 * 2121 * we do this check *after* the authentication check, so that the 2122 * latter check will catch any attempts to fool us into thinking 2123 * that we've got a collision 2124 */ 2125 if (stream->direction != dir_srtp_receiver) { 2126 if (stream->direction == dir_unknown) { 2127 stream->direction = dir_srtp_receiver; 2128 } else { 2129 srtp_handle_event(ctx, stream, event_ssrc_collision); 2130 } 2131 } 2132 2133 /* 2134 * if the stream is a 'provisional' one, in which the template context 2135 * is used, then we need to allocate a new stream at this point, since 2136 * the authentication passed 2137 */ 2138 if (stream == ctx->stream_template) { 2139 srtp_stream_ctx_t *new_stream; 2140 2141 /* 2142 * allocate and initialize a new stream 2143 * 2144 * note that we indicate failure if we can't allocate the new 2145 * stream, and some implementations will want to not return 2146 * failure here 2147 */ 2148 status = 2149 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 2150 if (status) { 2151 return status; 2152 } 2153 2154 /* add new stream to the list */ 2155 status = srtp_insert_or_dealloc_stream(ctx->stream_list, new_stream, 2156 ctx->stream_template); 2157 if (status) { 2158 return status; 2159 } 2160 2161 /* set stream (the pointer used in this function) */ 2162 stream = new_stream; 2163 } 2164 2165 /* 2166 * the message authentication function passed, so add the packet 2167 * index into the replay database 2168 */ 2169 if (advance_packet_index) { 2170 uint32_t roc_to_set = (uint32_t)(est >> 16); 2171 uint16_t seq_to_set = (uint16_t)(est & 0xFFFF); 2172 srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, roc_to_set, seq_to_set); 2173 stream->pending_roc = 0; 2174 srtp_rdbx_add_index(&stream->rtp_rdbx, 0); 2175 } else { 2176 srtp_rdbx_add_index(&stream->rtp_rdbx, delta); 2177 } 2178 2179 /* decrease the packet length by the length of the auth tag */ 2180 *pkt_octet_len -= tag_len; 2181 2182 /* decrease the packet length by the length of the mki_size */ 2183 *pkt_octet_len -= mki_size; 2184 2185 return srtp_err_status_ok; 2186 } 2187 2188 srtp_err_status_t srtp_protect(srtp_ctx_t *ctx, 2189 void *rtp_hdr, 2190 int *pkt_octet_len) 2191 { 2192 return srtp_protect_mki(ctx, rtp_hdr, pkt_octet_len, 0, 0); 2193 } 2194 2195 srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, 2196 void *rtp_hdr, 2197 int *pkt_octet_len, 2198 unsigned int use_mki, 2199 unsigned int mki_index) 2200 { 2201 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; 2202 uint8_t *enc_start; /* pointer to start of encrypted portion */ 2203 uint8_t *auth_start; /* pointer to start of auth. portion */ 2204 int enc_octet_len = 0; /* number of octets in encrypted portion */ 2205 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 2206 int delta; /* delta of local pkt idx and that in hdr */ 2207 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2208 srtp_err_status_t status; 2209 int tag_len; 2210 srtp_stream_ctx_t *stream; 2211 uint32_t prefix_len; 2212 srtp_hdr_xtnd_t *xtn_hdr = NULL; 2213 unsigned int mki_size = 0; 2214 srtp_session_keys_t *session_keys = NULL; 2215 uint8_t *mki_location = NULL; 2216 2217 debug_print0(mod_srtp, "function srtp_protect"); 2218 2219 /* Verify RTP header */ 2220 status = srtp_validate_rtp_header(rtp_hdr, *pkt_octet_len); 2221 if (status) 2222 return status; 2223 2224 /* check the packet length - it must at least contain a full header */ 2225 if (*pkt_octet_len < octets_in_rtp_header) 2226 return srtp_err_status_bad_param; 2227 2228 /* 2229 * look up ssrc in srtp_stream list, and process the packet with 2230 * the appropriate stream. if we haven't seen this stream before, 2231 * there's a template key for this srtp_session, and the cipher 2232 * supports key-sharing, then we assume that a new stream using 2233 * that key has just started up 2234 */ 2235 stream = srtp_get_stream(ctx, hdr->ssrc); 2236 if (stream == NULL) { 2237 if (ctx->stream_template != NULL) { 2238 srtp_stream_ctx_t *new_stream; 2239 2240 /* allocate and initialize a new stream */ 2241 status = 2242 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 2243 if (status) 2244 return status; 2245 2246 /* add new stream to the list */ 2247 status = srtp_insert_or_dealloc_stream(ctx->stream_list, new_stream, 2248 ctx->stream_template); 2249 if (status) { 2250 return status; 2251 } 2252 2253 /* set direction to outbound */ 2254 new_stream->direction = dir_srtp_sender; 2255 2256 /* set stream (the pointer used in this function) */ 2257 stream = new_stream; 2258 } else { 2259 /* no template stream, so we return an error */ 2260 return srtp_err_status_no_ctx; 2261 } 2262 } 2263 2264 /* 2265 * verify that stream is for sending traffic - this check will 2266 * detect SSRC collisions, since a stream that appears in both 2267 * srtp_protect() and srtp_unprotect() will fail this test in one of 2268 * those functions. 2269 */ 2270 2271 if (stream->direction != dir_srtp_sender) { 2272 if (stream->direction == dir_unknown) { 2273 stream->direction = dir_srtp_sender; 2274 } else { 2275 srtp_handle_event(ctx, stream, event_ssrc_collision); 2276 } 2277 } 2278 2279 session_keys = 2280 srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); 2281 2282 if (session_keys == NULL) 2283 return srtp_err_status_bad_mki; 2284 2285 /* 2286 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 2287 * the request to our AEAD handler. 2288 */ 2289 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || 2290 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { 2291 return srtp_protect_aead(ctx, stream, rtp_hdr, 2292 (unsigned int *)pkt_octet_len, session_keys, 2293 use_mki); 2294 } 2295 2296 /* 2297 * update the key usage limit, and check it to make sure that we 2298 * didn't just hit either the soft limit or the hard limit, and call 2299 * the event handler if we hit either. 2300 */ 2301 switch (srtp_key_limit_update(session_keys->limit)) { 2302 case srtp_key_event_normal: 2303 break; 2304 case srtp_key_event_soft_limit: 2305 srtp_handle_event(ctx, stream, event_key_soft_limit); 2306 break; 2307 case srtp_key_event_hard_limit: 2308 srtp_handle_event(ctx, stream, event_key_hard_limit); 2309 return srtp_err_status_key_expired; 2310 default: 2311 break; 2312 } 2313 2314 /* get tag length from stream */ 2315 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); 2316 2317 /* 2318 * find starting point for encryption and length of data to be 2319 * encrypted - the encrypted portion starts after the rtp header 2320 * extension, if present; otherwise, it starts after the last csrc, 2321 * if any are present 2322 * 2323 * if we're not providing confidentiality, set enc_start to NULL 2324 */ 2325 if (stream->rtp_services & sec_serv_conf) { 2326 enc_start = (uint8_t *)hdr + srtp_get_rtp_hdr_len(hdr); 2327 if (hdr->x == 1) { 2328 xtn_hdr = srtp_get_rtp_xtn_hdr(hdr); 2329 enc_start += srtp_get_rtp_xtn_hdr_len(xtn_hdr); 2330 } 2331 /* note: the passed size is without the auth tag */ 2332 if (!(enc_start <= (uint8_t *)hdr + *pkt_octet_len)) 2333 return srtp_err_status_parse_err; 2334 enc_octet_len = (int)(*pkt_octet_len - (enc_start - (uint8_t *)hdr)); 2335 if (enc_octet_len < 0) 2336 return srtp_err_status_parse_err; 2337 } else { 2338 enc_start = NULL; 2339 } 2340 2341 mki_location = (uint8_t *)hdr + *pkt_octet_len; 2342 mki_size = srtp_inject_mki(mki_location, session_keys, use_mki); 2343 2344 /* 2345 * if we're providing authentication, set the auth_start and auth_tag 2346 * pointers to the proper locations; otherwise, set auth_start to NULL 2347 * to indicate that no authentication is needed 2348 */ 2349 if (stream->rtp_services & sec_serv_auth) { 2350 auth_start = (uint8_t *)hdr; 2351 auth_tag = (uint8_t *)hdr + *pkt_octet_len + mki_size; 2352 } else { 2353 auth_start = NULL; 2354 auth_tag = NULL; 2355 } 2356 2357 /* 2358 * estimate the packet index using the start of the replay window 2359 * and the sequence number from the header 2360 */ 2361 status = srtp_get_est_pkt_index(hdr, stream, &est, &delta); 2362 2363 if (status && (status != srtp_err_status_pkt_idx_adv)) 2364 return status; 2365 2366 if (status == srtp_err_status_pkt_idx_adv) { 2367 srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, (uint32_t)(est >> 16), 2368 (uint16_t)(est & 0xFFFF)); 2369 stream->pending_roc = 0; 2370 srtp_rdbx_add_index(&stream->rtp_rdbx, 0); 2371 } else { 2372 status = srtp_rdbx_check(&stream->rtp_rdbx, delta); 2373 if (status) { 2374 if (status != srtp_err_status_replay_fail || 2375 !stream->allow_repeat_tx) 2376 return status; /* we've been asked to reuse an index */ 2377 } 2378 srtp_rdbx_add_index(&stream->rtp_rdbx, delta); 2379 } 2380 2381 #ifdef NO_64BIT_MATH 2382 debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est), 2383 low32(est)); 2384 #else 2385 debug_print(mod_srtp, "estimated packet index: %016" PRIx64, est); 2386 #endif 2387 2388 /* 2389 * if we're using rindael counter mode, set nonce and seq 2390 */ 2391 if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || 2392 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || 2393 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { 2394 v128_t iv; 2395 2396 iv.v32[0] = 0; 2397 iv.v32[1] = hdr->ssrc; 2398 #ifdef NO_64BIT_MATH 2399 iv.v64[1] = be64_to_cpu( 2400 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); 2401 #else 2402 iv.v64[1] = be64_to_cpu(est << 16); 2403 #endif 2404 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, 2405 srtp_direction_encrypt); 2406 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2407 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, 2408 (uint8_t *)&iv, srtp_direction_encrypt); 2409 } 2410 } else { 2411 v128_t iv; 2412 2413 /* otherwise, set the index to est */ 2414 #ifdef NO_64BIT_MATH 2415 iv.v32[0] = 0; 2416 iv.v32[1] = 0; 2417 #else 2418 iv.v64[0] = 0; 2419 #endif 2420 iv.v64[1] = be64_to_cpu(est); 2421 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, 2422 srtp_direction_encrypt); 2423 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2424 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, 2425 (uint8_t *)&iv, srtp_direction_encrypt); 2426 } 2427 } 2428 if (status) 2429 return srtp_err_status_cipher_fail; 2430 2431 /* shift est, put into network byte order */ 2432 #ifdef NO_64BIT_MATH 2433 est = be64_to_cpu( 2434 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); 2435 #else 2436 est = be64_to_cpu(est << 16); 2437 #endif 2438 2439 /* 2440 * if we're authenticating using a universal hash, put the keystream 2441 * prefix into the authentication tag 2442 */ 2443 if (auth_start) { 2444 prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); 2445 if (prefix_len) { 2446 status = srtp_cipher_output(session_keys->rtp_cipher, auth_tag, 2447 &prefix_len); 2448 if (status) 2449 return srtp_err_status_cipher_fail; 2450 debug_print(mod_srtp, "keystream prefix: %s", 2451 srtp_octet_string_hex_string(auth_tag, prefix_len)); 2452 } 2453 } 2454 2455 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { 2456 /* 2457 * extensions header encryption RFC 6904 2458 */ 2459 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); 2460 if (status) { 2461 return status; 2462 } 2463 } 2464 2465 /* if we're encrypting, exor keystream into the message */ 2466 if (enc_start) { 2467 status = srtp_cipher_encrypt(session_keys->rtp_cipher, enc_start, 2468 (unsigned int *)&enc_octet_len); 2469 if (status) 2470 return srtp_err_status_cipher_fail; 2471 } 2472 2473 /* 2474 * if we're authenticating, run authentication function and put result 2475 * into the auth_tag 2476 */ 2477 if (auth_start) { 2478 /* initialize auth func context */ 2479 status = srtp_auth_start(session_keys->rtp_auth); 2480 if (status) 2481 return status; 2482 2483 /* run auth func over packet */ 2484 status = srtp_auth_update(session_keys->rtp_auth, auth_start, 2485 *pkt_octet_len); 2486 if (status) 2487 return status; 2488 2489 /* run auth func over ROC, put result into auth_tag */ 2490 debug_print(mod_srtp, "estimated packet index: %016" PRIx64, est); 2491 status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, 2492 auth_tag); 2493 debug_print(mod_srtp, "srtp auth tag: %s", 2494 srtp_octet_string_hex_string(auth_tag, tag_len)); 2495 if (status) 2496 return srtp_err_status_auth_fail; 2497 } 2498 2499 if (auth_tag) { 2500 /* increase the packet length by the length of the auth tag */ 2501 *pkt_octet_len += tag_len; 2502 } 2503 2504 if (use_mki) { 2505 /* increate the packet length by the mki size */ 2506 *pkt_octet_len += mki_size; 2507 } 2508 2509 return srtp_err_status_ok; 2510 } 2511 2512 srtp_err_status_t srtp_unprotect(srtp_ctx_t *ctx, 2513 void *srtp_hdr, 2514 int *pkt_octet_len) 2515 { 2516 return srtp_unprotect_mki(ctx, srtp_hdr, pkt_octet_len, 0); 2517 } 2518 2519 srtp_err_status_t srtp_unprotect_mki(srtp_ctx_t *ctx, 2520 void *srtp_hdr, 2521 int *pkt_octet_len, 2522 unsigned int use_mki) 2523 { 2524 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; 2525 uint8_t *enc_start; /* pointer to start of encrypted portion */ 2526 uint8_t *auth_start; /* pointer to start of auth. portion */ 2527 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 2528 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 2529 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 2530 int delta; /* delta of local pkt idx and that in hdr */ 2531 v128_t iv; 2532 srtp_err_status_t status; 2533 srtp_stream_ctx_t *stream; 2534 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 2535 uint32_t tag_len, prefix_len; 2536 srtp_hdr_xtnd_t *xtn_hdr = NULL; 2537 unsigned int mki_size = 0; 2538 srtp_session_keys_t *session_keys = NULL; 2539 int advance_packet_index = 0; 2540 uint32_t roc_to_set = 0; 2541 uint16_t seq_to_set = 0; 2542 2543 debug_print0(mod_srtp, "function srtp_unprotect"); 2544 2545 /* Verify RTP header */ 2546 status = srtp_validate_rtp_header(srtp_hdr, *pkt_octet_len); 2547 if (status) 2548 return status; 2549 2550 /* check the packet length - it must at least contain a full header */ 2551 if (*pkt_octet_len < octets_in_rtp_header) 2552 return srtp_err_status_bad_param; 2553 2554 /* 2555 * look up ssrc in srtp_stream list, and process the packet with 2556 * the appropriate stream. if we haven't seen this stream before, 2557 * there's only one key for this srtp_session, and the cipher 2558 * supports key-sharing, then we assume that a new stream using 2559 * that key has just started up 2560 */ 2561 stream = srtp_get_stream(ctx, hdr->ssrc); 2562 if (stream == NULL) { 2563 if (ctx->stream_template != NULL) { 2564 stream = ctx->stream_template; 2565 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08lx)", 2566 (unsigned long) ntohl(hdr->ssrc)); 2567 2568 /* 2569 * set estimated packet index to sequence number from header, 2570 * and set delta equal to the same value 2571 */ 2572 #ifdef NO_64BIT_MATH 2573 est = (srtp_xtd_seq_num_t)make64(0, ntohs(hdr->seq)); 2574 delta = low32(est); 2575 #else 2576 est = (srtp_xtd_seq_num_t)ntohs(hdr->seq); 2577 delta = (int)est; 2578 #endif 2579 } else { 2580 /* 2581 * no stream corresponding to SSRC found, and we don't do 2582 * key-sharing, so return an error 2583 */ 2584 return srtp_err_status_no_ctx; 2585 } 2586 } else { 2587 status = srtp_get_est_pkt_index(hdr, stream, &est, &delta); 2588 2589 if (status && (status != srtp_err_status_pkt_idx_adv)) 2590 return status; 2591 2592 if (status == srtp_err_status_pkt_idx_adv) { 2593 advance_packet_index = 1; 2594 roc_to_set = (uint32_t)(est >> 16); 2595 seq_to_set = (uint16_t)(est & 0xFFFF); 2596 } 2597 2598 /* check replay database */ 2599 if (!advance_packet_index) { 2600 status = srtp_rdbx_check(&stream->rtp_rdbx, delta); 2601 if (status) 2602 return status; 2603 } 2604 } 2605 2606 #ifdef NO_64BIT_MATH 2607 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), 2608 low32(est)); 2609 #else 2610 debug_print(mod_srtp, "estimated u_packet index: %016" PRIx64, est); 2611 #endif 2612 2613 /* Determine if MKI is being used and what session keys should be used */ 2614 if (use_mki) { 2615 session_keys = 2616 srtp_get_session_keys_rtp(stream, (const uint8_t *)hdr, 2617 (unsigned int)*pkt_octet_len, &mki_size); 2618 2619 if (session_keys == NULL) 2620 return srtp_err_status_bad_mki; 2621 } else { 2622 session_keys = &stream->session_keys[0]; 2623 } 2624 2625 /* 2626 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 2627 * the request to our AEAD handler. 2628 */ 2629 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || 2630 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { 2631 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, 2632 (unsigned int *)pkt_octet_len, session_keys, 2633 mki_size, advance_packet_index); 2634 } 2635 2636 /* get tag length from stream */ 2637 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); 2638 2639 /* 2640 * set the cipher's IV properly, depending on whatever cipher we 2641 * happen to be using 2642 */ 2643 if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || 2644 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || 2645 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { 2646 /* aes counter mode */ 2647 iv.v32[0] = 0; 2648 iv.v32[1] = hdr->ssrc; /* still in network order */ 2649 #ifdef NO_64BIT_MATH 2650 iv.v64[1] = be64_to_cpu( 2651 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); 2652 #else 2653 iv.v64[1] = be64_to_cpu(est << 16); 2654 #endif 2655 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, 2656 srtp_direction_decrypt); 2657 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2658 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, 2659 (uint8_t *)&iv, srtp_direction_decrypt); 2660 } 2661 } else { 2662 /* no particular format - set the iv to the pakcet index */ 2663 #ifdef NO_64BIT_MATH 2664 iv.v32[0] = 0; 2665 iv.v32[1] = 0; 2666 #else 2667 iv.v64[0] = 0; 2668 #endif 2669 iv.v64[1] = be64_to_cpu(est); 2670 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, 2671 srtp_direction_decrypt); 2672 if (!status && session_keys->rtp_xtn_hdr_cipher) { 2673 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, 2674 (uint8_t *)&iv, srtp_direction_decrypt); 2675 } 2676 } 2677 if (status) 2678 return srtp_err_status_cipher_fail; 2679 2680 /* shift est, put into network byte order */ 2681 #ifdef NO_64BIT_MATH 2682 est = be64_to_cpu( 2683 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); 2684 #else 2685 est = be64_to_cpu(est << 16); 2686 #endif 2687 2688 /* 2689 * find starting point for decryption and length of data to be 2690 * decrypted - the encrypted portion starts after the rtp header 2691 * extension, if present; otherwise, it starts after the last csrc, 2692 * if any are present 2693 * 2694 * if we're not providing confidentiality, set enc_start to NULL 2695 */ 2696 if (stream->rtp_services & sec_serv_conf) { 2697 enc_start = (uint8_t *)hdr + srtp_get_rtp_hdr_len(hdr); 2698 if (hdr->x == 1) { 2699 xtn_hdr = srtp_get_rtp_xtn_hdr(hdr); 2700 enc_start += srtp_get_rtp_xtn_hdr_len(xtn_hdr); 2701 } 2702 if (!(enc_start <= 2703 (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size))) 2704 return srtp_err_status_parse_err; 2705 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - mki_size - 2706 (enc_start - (uint8_t *)hdr)); 2707 } else { 2708 enc_start = NULL; 2709 } 2710 2711 /* 2712 * if we're providing authentication, set the auth_start and auth_tag 2713 * pointers to the proper locations; otherwise, set auth_start to NULL 2714 * to indicate that no authentication is needed 2715 */ 2716 if (stream->rtp_services & sec_serv_auth) { 2717 auth_start = (uint8_t *)hdr; 2718 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len; 2719 } else { 2720 auth_start = NULL; 2721 auth_tag = NULL; 2722 } 2723 2724 /* 2725 * if we expect message authentication, run the authentication 2726 * function and compare the result with the value of the auth_tag 2727 */ 2728 if (auth_start) { 2729 /* 2730 * if we're using a universal hash, then we need to compute the 2731 * keystream prefix for encrypting the universal hash output 2732 * 2733 * if the keystream prefix length is zero, then we know that 2734 * the authenticator isn't using a universal hash function 2735 */ 2736 if (session_keys->rtp_auth->prefix_len != 0) { 2737 prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); 2738 status = srtp_cipher_output(session_keys->rtp_cipher, tmp_tag, 2739 &prefix_len); 2740 debug_print(mod_srtp, "keystream prefix: %s", 2741 srtp_octet_string_hex_string(tmp_tag, prefix_len)); 2742 if (status) 2743 return srtp_err_status_cipher_fail; 2744 } 2745 2746 /* initialize auth func context */ 2747 status = srtp_auth_start(session_keys->rtp_auth); 2748 if (status) 2749 return status; 2750 2751 /* now compute auth function over packet */ 2752 status = srtp_auth_update(session_keys->rtp_auth, auth_start, 2753 *pkt_octet_len - tag_len - mki_size); 2754 if (status) 2755 return status; 2756 2757 /* run auth func over ROC, then write tmp tag */ 2758 status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, 2759 tmp_tag); 2760 2761 debug_print(mod_srtp, "computed auth tag: %s", 2762 srtp_octet_string_hex_string(tmp_tag, tag_len)); 2763 debug_print(mod_srtp, "packet auth tag: %s", 2764 srtp_octet_string_hex_string(auth_tag, tag_len)); 2765 if (status) 2766 return srtp_err_status_auth_fail; 2767 2768 if (srtp_octet_string_is_eq(tmp_tag, auth_tag, tag_len)) 2769 return srtp_err_status_auth_fail; 2770 } 2771 2772 /* 2773 * update the key usage limit, and check it to make sure that we 2774 * didn't just hit either the soft limit or the hard limit, and call 2775 * the event handler if we hit either. 2776 */ 2777 switch (srtp_key_limit_update(session_keys->limit)) { 2778 case srtp_key_event_normal: 2779 break; 2780 case srtp_key_event_soft_limit: 2781 srtp_handle_event(ctx, stream, event_key_soft_limit); 2782 break; 2783 case srtp_key_event_hard_limit: 2784 srtp_handle_event(ctx, stream, event_key_hard_limit); 2785 return srtp_err_status_key_expired; 2786 default: 2787 break; 2788 } 2789 2790 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { 2791 /* extensions header encryption RFC 6904 */ 2792 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); 2793 if (status) { 2794 return status; 2795 } 2796 } 2797 2798 /* if we're decrypting, add keystream into ciphertext */ 2799 if (enc_start) { 2800 status = srtp_cipher_decrypt(session_keys->rtp_cipher, enc_start, 2801 &enc_octet_len); 2802 if (status) 2803 return srtp_err_status_cipher_fail; 2804 } 2805 2806 /* 2807 * verify that stream is for received traffic - this check will 2808 * detect SSRC collisions, since a stream that appears in both 2809 * srtp_protect() and srtp_unprotect() will fail this test in one of 2810 * those functions. 2811 * 2812 * we do this check *after* the authentication check, so that the 2813 * latter check will catch any attempts to fool us into thinking 2814 * that we've got a collision 2815 */ 2816 if (stream->direction != dir_srtp_receiver) { 2817 if (stream->direction == dir_unknown) { 2818 stream->direction = dir_srtp_receiver; 2819 } else { 2820 srtp_handle_event(ctx, stream, event_ssrc_collision); 2821 } 2822 } 2823 2824 /* 2825 * if the stream is a 'provisional' one, in which the template context 2826 * is used, then we need to allocate a new stream at this point, since 2827 * the authentication passed 2828 */ 2829 if (stream == ctx->stream_template) { 2830 srtp_stream_ctx_t *new_stream; 2831 2832 /* 2833 * allocate and initialize a new stream 2834 * 2835 * note that we indicate failure if we can't allocate the new 2836 * stream, and some implementations will want to not return 2837 * failure here 2838 */ 2839 status = 2840 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 2841 if (status) { 2842 return status; 2843 } 2844 2845 /* add new stream to the list */ 2846 status = srtp_insert_or_dealloc_stream(ctx->stream_list, new_stream, 2847 ctx->stream_template); 2848 if (status) { 2849 return status; 2850 } 2851 2852 /* set stream (the pointer used in this function) */ 2853 stream = new_stream; 2854 } 2855 2856 /* 2857 * the message authentication function passed, so add the packet 2858 * index into the replay database 2859 */ 2860 if (advance_packet_index) { 2861 srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, roc_to_set, seq_to_set); 2862 stream->pending_roc = 0; 2863 srtp_rdbx_add_index(&stream->rtp_rdbx, 0); 2864 } else { 2865 srtp_rdbx_add_index(&stream->rtp_rdbx, delta); 2866 } 2867 2868 /* decrease the packet length by the length of the auth tag */ 2869 *pkt_octet_len -= tag_len; 2870 2871 /* decrease the packet length by the mki size */ 2872 *pkt_octet_len -= mki_size; 2873 2874 return srtp_err_status_ok; 2875 } 2876 2877 srtp_err_status_t srtp_init(void) 2878 { 2879 srtp_err_status_t status; 2880 2881 /* initialize crypto kernel */ 2882 status = srtp_crypto_kernel_init(); 2883 if (status) 2884 return status; 2885 2886 /* load srtp debug module into the kernel */ 2887 status = srtp_crypto_kernel_load_debug_module(&mod_srtp); 2888 if (status) 2889 return status; 2890 2891 return srtp_err_status_ok; 2892 } 2893 2894 srtp_err_status_t srtp_shutdown(void) 2895 { 2896 srtp_err_status_t status; 2897 2898 /* shut down crypto kernel */ 2899 status = srtp_crypto_kernel_shutdown(); 2900 if (status) 2901 return status; 2902 2903 /* shutting down crypto kernel frees the srtp debug module as well */ 2904 2905 return srtp_err_status_ok; 2906 } 2907 2908 srtp_stream_ctx_t *srtp_get_stream(srtp_t srtp, uint32_t ssrc) 2909 { 2910 return srtp_stream_list_get(srtp->stream_list, ssrc); 2911 } 2912 2913 srtp_err_status_t srtp_dealloc(srtp_t session) 2914 { 2915 srtp_err_status_t status; 2916 2917 /* 2918 * we take a conservative deallocation strategy - if we encounter an 2919 * error deallocating a stream, then we stop trying to deallocate 2920 * memory and just return an error 2921 */ 2922 2923 /* deallocate streams */ 2924 status = srtp_remove_and_dealloc_streams(session->stream_list, 2925 session->stream_template); 2926 if (status) { 2927 return status; 2928 } 2929 2930 /* deallocate stream template, if there is one */ 2931 if (session->stream_template != NULL) { 2932 status = srtp_stream_dealloc(session->stream_template, NULL); 2933 if (status) { 2934 return status; 2935 } 2936 } 2937 2938 /* deallocate stream list */ 2939 status = srtp_stream_list_dealloc(session->stream_list); 2940 if (status) { 2941 return status; 2942 } 2943 2944 /* deallocate session context */ 2945 srtp_crypto_free(session); 2946 2947 return srtp_err_status_ok; 2948 } 2949 2950 srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy) 2951 { 2952 srtp_err_status_t status; 2953 srtp_stream_t tmp; 2954 2955 status = srtp_valid_policy(policy); 2956 if (status != srtp_err_status_ok) { 2957 return status; 2958 } 2959 2960 /* sanity check arguments */ 2961 if ((session == NULL) || (policy == NULL) || 2962 (!srtp_validate_policy_master_keys(policy))) 2963 return srtp_err_status_bad_param; 2964 2965 /* allocate stream */ 2966 status = srtp_stream_alloc(&tmp, policy); 2967 if (status) { 2968 return status; 2969 } 2970 2971 /* initialize stream */ 2972 status = srtp_stream_init(tmp, policy); 2973 if (status) { 2974 srtp_stream_dealloc(tmp, NULL); 2975 return status; 2976 } 2977 2978 /* 2979 * set the head of the stream list or the template to point to the 2980 * stream that we've just alloced and init'ed, depending on whether 2981 * or not it has a wildcard SSRC value or not 2982 * 2983 * if the template stream has already been set, then the policy is 2984 * inconsistent, so we return a bad_param error code 2985 */ 2986 switch (policy->ssrc.type) { 2987 case (ssrc_any_outbound): 2988 if (session->stream_template) { 2989 srtp_stream_dealloc(tmp, NULL); 2990 return srtp_err_status_bad_param; 2991 } 2992 session->stream_template = tmp; 2993 session->stream_template->direction = dir_srtp_sender; 2994 break; 2995 case (ssrc_any_inbound): 2996 if (session->stream_template) { 2997 srtp_stream_dealloc(tmp, NULL); 2998 return srtp_err_status_bad_param; 2999 } 3000 session->stream_template = tmp; 3001 session->stream_template->direction = dir_srtp_receiver; 3002 break; 3003 case (ssrc_specific): 3004 status = srtp_insert_or_dealloc_stream(session->stream_list, tmp, 3005 session->stream_template); 3006 if (status) { 3007 return status; 3008 } 3009 break; 3010 case (ssrc_undefined): 3011 default: 3012 srtp_stream_dealloc(tmp, NULL); 3013 return srtp_err_status_bad_param; 3014 } 3015 3016 return srtp_err_status_ok; 3017 } 3018 3019 srtp_err_status_t srtp_create(srtp_t *session, /* handle for session */ 3020 const srtp_policy_t *policy) 3021 { /* SRTP policy (list) */ 3022 srtp_err_status_t stat; 3023 srtp_ctx_t *ctx; 3024 3025 stat = srtp_valid_policy(policy); 3026 if (stat != srtp_err_status_ok) { 3027 return stat; 3028 } 3029 3030 /* sanity check arguments */ 3031 if (session == NULL) 3032 return srtp_err_status_bad_param; 3033 3034 /* allocate srtp context and set ctx_ptr */ 3035 ctx = (srtp_ctx_t *)srtp_crypto_alloc(sizeof(srtp_ctx_t)); 3036 if (ctx == NULL) 3037 return srtp_err_status_alloc_fail; 3038 *session = ctx; 3039 3040 ctx->stream_template = NULL; 3041 ctx->stream_list = NULL; 3042 ctx->user_data = NULL; 3043 3044 /* allocate stream list */ 3045 stat = srtp_stream_list_alloc(&ctx->stream_list); 3046 if (stat) { 3047 /* clean up everything */ 3048 srtp_dealloc(*session); 3049 *session = NULL; 3050 return stat; 3051 } 3052 3053 /* 3054 * loop over elements in the policy list, allocating and 3055 * initializing a stream for each element 3056 */ 3057 while (policy != NULL) { 3058 stat = srtp_add_stream(ctx, policy); 3059 if (stat) { 3060 /* clean up everything */ 3061 srtp_dealloc(*session); 3062 *session = NULL; 3063 return stat; 3064 } 3065 3066 /* set policy to next item in list */ 3067 policy = policy->next; 3068 } 3069 3070 return srtp_err_status_ok; 3071 } 3072 3073 srtp_err_status_t srtp_remove_stream(srtp_t session, uint32_t ssrc) 3074 { 3075 srtp_stream_ctx_t *stream; 3076 srtp_err_status_t status; 3077 3078 /* sanity check arguments */ 3079 if (session == NULL) 3080 return srtp_err_status_bad_param; 3081 3082 /* find and remove stream from the list */ 3083 stream = srtp_stream_list_get(session->stream_list, ssrc); 3084 if (stream == NULL) { 3085 return srtp_err_status_no_ctx; 3086 } 3087 3088 srtp_stream_list_remove(session->stream_list, stream); 3089 3090 /* deallocate the stream */ 3091 status = srtp_stream_dealloc(stream, session->stream_template); 3092 if (status) 3093 return status; 3094 3095 return srtp_err_status_ok; 3096 } 3097 3098 srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy) 3099 { 3100 srtp_err_status_t stat; 3101 3102 stat = srtp_valid_policy(policy); 3103 if (stat != srtp_err_status_ok) { 3104 return stat; 3105 } 3106 3107 /* sanity check arguments */ 3108 if ((session == NULL) || (policy == NULL) || 3109 (!srtp_validate_policy_master_keys(policy))) { 3110 return srtp_err_status_bad_param; 3111 } 3112 3113 while (policy != NULL) { 3114 stat = srtp_update_stream(session, policy); 3115 if (stat) { 3116 return stat; 3117 } 3118 3119 /* set policy to next item in list */ 3120 policy = policy->next; 3121 } 3122 return srtp_err_status_ok; 3123 } 3124 3125 struct update_template_stream_data { 3126 srtp_err_status_t status; 3127 srtp_t session; 3128 srtp_stream_t new_stream_template; 3129 srtp_stream_list_t new_stream_list; 3130 }; 3131 3132 static int update_template_stream_cb(srtp_stream_t stream, void *raw_data) 3133 { 3134 struct update_template_stream_data *data = 3135 (struct update_template_stream_data *)raw_data; 3136 srtp_t session = data->session; 3137 uint32_t ssrc = stream->ssrc; 3138 srtp_xtd_seq_num_t old_index; 3139 srtp_rdb_t old_rtcp_rdb; 3140 3141 /* old / non-template streams are copied unchanged */ 3142 if (stream->session_keys[0].rtp_auth != 3143 session->stream_template->session_keys[0].rtp_auth) { 3144 srtp_stream_list_remove(session->stream_list, stream); 3145 data->status = srtp_insert_or_dealloc_stream( 3146 data->new_stream_list, stream, session->stream_template); 3147 if (data->status) { 3148 return 1; 3149 } 3150 return 0; 3151 } 3152 3153 /* save old extendard seq */ 3154 old_index = stream->rtp_rdbx.index; 3155 old_rtcp_rdb = stream->rtcp_rdb; 3156 3157 /* remove stream */ 3158 data->status = srtp_remove_stream(session, ssrc); 3159 if (data->status) { 3160 return 1; 3161 } 3162 3163 /* allocate and initialize a new stream */ 3164 data->status = srtp_stream_clone(data->new_stream_template, ssrc, &stream); 3165 if (data->status) { 3166 return 1; 3167 } 3168 3169 /* add new stream to the head of the new_stream_list */ 3170 data->status = srtp_insert_or_dealloc_stream(data->new_stream_list, stream, 3171 data->new_stream_template); 3172 if (data->status) { 3173 return 1; 3174 } 3175 3176 /* restore old extended seq */ 3177 stream->rtp_rdbx.index = old_index; 3178 stream->rtcp_rdb = old_rtcp_rdb; 3179 3180 return 0; 3181 } 3182 3183 static srtp_err_status_t update_template_streams(srtp_t session, 3184 const srtp_policy_t *policy) 3185 { 3186 srtp_err_status_t status; 3187 srtp_stream_t new_stream_template; 3188 srtp_stream_list_t new_stream_list; 3189 3190 status = srtp_valid_policy(policy); 3191 if (status != srtp_err_status_ok) { 3192 return status; 3193 } 3194 3195 if (session->stream_template == NULL) { 3196 return srtp_err_status_bad_param; 3197 } 3198 3199 /* allocate new template stream */ 3200 status = srtp_stream_alloc(&new_stream_template, policy); 3201 if (status) { 3202 return status; 3203 } 3204 3205 /* initialize new template stream */ 3206 status = srtp_stream_init(new_stream_template, policy); 3207 if (status) { 3208 srtp_crypto_free(new_stream_template); 3209 return status; 3210 } 3211 3212 /* allocate new stream list */ 3213 status = srtp_stream_list_alloc(&new_stream_list); 3214 if (status) { 3215 srtp_crypto_free(new_stream_template); 3216 return status; 3217 } 3218 3219 /* process streams */ 3220 struct update_template_stream_data data = { srtp_err_status_ok, session, 3221 new_stream_template, 3222 new_stream_list }; 3223 srtp_stream_list_for_each(session->stream_list, update_template_stream_cb, 3224 &data); 3225 if (data.status) { 3226 /* free new allocations */ 3227 srtp_remove_and_dealloc_streams(new_stream_list, new_stream_template); 3228 srtp_stream_list_dealloc(new_stream_list); 3229 srtp_stream_dealloc(new_stream_template, NULL); 3230 return data.status; 3231 } 3232 3233 /* dealloc old list / template */ 3234 srtp_remove_and_dealloc_streams(session->stream_list, 3235 session->stream_template); 3236 srtp_stream_list_dealloc(session->stream_list); 3237 srtp_stream_dealloc(session->stream_template, NULL); 3238 3239 /* set new list / template */ 3240 session->stream_template = new_stream_template; 3241 session->stream_list = new_stream_list; 3242 return srtp_err_status_ok; 3243 } 3244 3245 static srtp_err_status_t update_stream(srtp_t session, 3246 const srtp_policy_t *policy) 3247 { 3248 srtp_err_status_t status; 3249 srtp_xtd_seq_num_t old_index; 3250 srtp_rdb_t old_rtcp_rdb; 3251 srtp_stream_t stream; 3252 3253 status = srtp_valid_policy(policy); 3254 if (status != srtp_err_status_ok) { 3255 return status; 3256 } 3257 3258 stream = srtp_get_stream(session, htonl(policy->ssrc.value)); 3259 if (stream == NULL) { 3260 return srtp_err_status_bad_param; 3261 } 3262 3263 /* save old extendard seq */ 3264 old_index = stream->rtp_rdbx.index; 3265 old_rtcp_rdb = stream->rtcp_rdb; 3266 3267 status = srtp_remove_stream(session, htonl(policy->ssrc.value)); 3268 if (status) { 3269 return status; 3270 } 3271 3272 status = srtp_add_stream(session, policy); 3273 if (status) { 3274 return status; 3275 } 3276 3277 stream = srtp_get_stream(session, htonl(policy->ssrc.value)); 3278 if (stream == NULL) { 3279 return srtp_err_status_fail; 3280 } 3281 3282 /* restore old extended seq */ 3283 stream->rtp_rdbx.index = old_index; 3284 stream->rtcp_rdb = old_rtcp_rdb; 3285 3286 return srtp_err_status_ok; 3287 } 3288 3289 srtp_err_status_t srtp_update_stream(srtp_t session, 3290 const srtp_policy_t *policy) 3291 { 3292 srtp_err_status_t status; 3293 3294 status = srtp_valid_policy(policy); 3295 if (status != srtp_err_status_ok) { 3296 return status; 3297 } 3298 3299 /* sanity check arguments */ 3300 if ((session == NULL) || (policy == NULL) || 3301 (!srtp_validate_policy_master_keys(policy))) 3302 return srtp_err_status_bad_param; 3303 3304 switch (policy->ssrc.type) { 3305 case (ssrc_any_outbound): 3306 case (ssrc_any_inbound): 3307 status = update_template_streams(session, policy); 3308 break; 3309 case (ssrc_specific): 3310 status = update_stream(session, policy); 3311 break; 3312 case (ssrc_undefined): 3313 default: 3314 return srtp_err_status_bad_param; 3315 } 3316 3317 return status; 3318 } 3319 3320 /* 3321 * The default policy - provides a convenient way for callers to use 3322 * the default security policy 3323 * 3324 * The default policy is defined in RFC 3711 3325 * (Section 5. Default and mandatory-to-implement Transforms) 3326 * 3327 */ 3328 3329 /* 3330 * NOTE: cipher_key_len is really key len (128 bits) plus salt len 3331 * (112 bits) 3332 */ 3333 /* There are hard-coded 16's for base_key_len in the key generation code */ 3334 3335 void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p) 3336 { 3337 p->cipher_type = SRTP_AES_ICM_128; 3338 p->cipher_key_len = 3339 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ 3340 p->auth_type = SRTP_HMAC_SHA1; 3341 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 3342 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 3343 p->sec_serv = sec_serv_conf_and_auth; 3344 } 3345 3346 void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p) 3347 { 3348 p->cipher_type = SRTP_AES_ICM_128; 3349 p->cipher_key_len = 3350 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ 3351 p->auth_type = SRTP_HMAC_SHA1; 3352 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 3353 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 3354 p->sec_serv = sec_serv_conf_and_auth; 3355 } 3356 3357 void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p) 3358 { 3359 /* 3360 * corresponds to RFC 4568 3361 * 3362 * note that this crypto policy is intended for SRTP, but not SRTCP 3363 */ 3364 3365 p->cipher_type = SRTP_AES_ICM_128; 3366 p->cipher_key_len = 3367 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ 3368 p->auth_type = SRTP_HMAC_SHA1; 3369 p->auth_key_len = 20; /* 160 bit key */ 3370 p->auth_tag_len = 4; /* 32 bit tag */ 3371 p->sec_serv = sec_serv_conf_and_auth; 3372 } 3373 3374 void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p) 3375 { 3376 /* 3377 * corresponds to RFC 4568 3378 * 3379 * note that this crypto policy is intended for SRTP, but not SRTCP 3380 */ 3381 3382 p->cipher_type = SRTP_AES_ICM_128; 3383 p->cipher_key_len = 3384 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ 3385 p->auth_type = SRTP_NULL_AUTH; 3386 p->auth_key_len = 0; 3387 p->auth_tag_len = 0; 3388 p->sec_serv = sec_serv_conf; 3389 } 3390 3391 void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p) 3392 { 3393 /* 3394 * corresponds to RFC 4568 3395 */ 3396 3397 p->cipher_type = SRTP_NULL_CIPHER; 3398 p->cipher_key_len = 3399 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ 3400 p->auth_type = SRTP_HMAC_SHA1; 3401 p->auth_key_len = 20; 3402 p->auth_tag_len = 10; 3403 p->sec_serv = sec_serv_auth; 3404 } 3405 3406 void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p) 3407 { 3408 /* 3409 * Should only be used for testing 3410 */ 3411 3412 p->cipher_type = SRTP_NULL_CIPHER; 3413 p->cipher_key_len = 3414 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ 3415 p->auth_type = SRTP_NULL_AUTH; 3416 p->auth_key_len = 0; 3417 p->auth_tag_len = 0; 3418 p->sec_serv = sec_serv_none; 3419 } 3420 3421 void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p) 3422 { 3423 /* 3424 * corresponds to RFC 6188 3425 */ 3426 3427 p->cipher_type = SRTP_AES_ICM_256; 3428 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; 3429 p->auth_type = SRTP_HMAC_SHA1; 3430 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 3431 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 3432 p->sec_serv = sec_serv_conf_and_auth; 3433 } 3434 3435 void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p) 3436 { 3437 /* 3438 * corresponds to RFC 6188 3439 * 3440 * note that this crypto policy is intended for SRTP, but not SRTCP 3441 */ 3442 3443 p->cipher_type = SRTP_AES_ICM_256; 3444 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; 3445 p->auth_type = SRTP_HMAC_SHA1; 3446 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 3447 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ 3448 p->sec_serv = sec_serv_conf_and_auth; 3449 } 3450 3451 /* 3452 * AES-256 with no authentication. 3453 */ 3454 void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p) 3455 { 3456 p->cipher_type = SRTP_AES_ICM_256; 3457 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; 3458 p->auth_type = SRTP_NULL_AUTH; 3459 p->auth_key_len = 0; 3460 p->auth_tag_len = 0; 3461 p->sec_serv = sec_serv_conf; 3462 } 3463 3464 void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p) 3465 { 3466 /* 3467 * corresponds to RFC 6188 3468 */ 3469 3470 p->cipher_type = SRTP_AES_ICM_192; 3471 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; 3472 p->auth_type = SRTP_HMAC_SHA1; 3473 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 3474 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 3475 p->sec_serv = sec_serv_conf_and_auth; 3476 } 3477 3478 void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p) 3479 { 3480 /* 3481 * corresponds to RFC 6188 3482 * 3483 * note that this crypto policy is intended for SRTP, but not SRTCP 3484 */ 3485 3486 p->cipher_type = SRTP_AES_ICM_192; 3487 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; 3488 p->auth_type = SRTP_HMAC_SHA1; 3489 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 3490 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ 3491 p->sec_serv = sec_serv_conf_and_auth; 3492 } 3493 3494 /* 3495 * AES-192 with no authentication. 3496 */ 3497 void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p) 3498 { 3499 p->cipher_type = SRTP_AES_ICM_192; 3500 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; 3501 p->auth_type = SRTP_NULL_AUTH; 3502 p->auth_key_len = 0; 3503 p->auth_tag_len = 0; 3504 p->sec_serv = sec_serv_conf; 3505 } 3506 3507 /* 3508 * AES-128 GCM mode with 8 octet auth tag. 3509 */ 3510 void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p) 3511 { 3512 p->cipher_type = SRTP_AES_GCM_128; 3513 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; 3514 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 3515 p->auth_key_len = 0; 3516 p->auth_tag_len = 8; /* 8 octet tag length */ 3517 p->sec_serv = sec_serv_conf_and_auth; 3518 } 3519 3520 /* 3521 * AES-256 GCM mode with 8 octet auth tag. 3522 */ 3523 void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p) 3524 { 3525 p->cipher_type = SRTP_AES_GCM_256; 3526 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; 3527 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 3528 p->auth_key_len = 0; 3529 p->auth_tag_len = 8; /* 8 octet tag length */ 3530 p->sec_serv = sec_serv_conf_and_auth; 3531 } 3532 3533 /* 3534 * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption. 3535 */ 3536 void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p) 3537 { 3538 p->cipher_type = SRTP_AES_GCM_128; 3539 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; 3540 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 3541 p->auth_key_len = 0; 3542 p->auth_tag_len = 8; /* 8 octet tag length */ 3543 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ 3544 } 3545 3546 /* 3547 * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption. 3548 */ 3549 void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p) 3550 { 3551 p->cipher_type = SRTP_AES_GCM_256; 3552 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; 3553 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 3554 p->auth_key_len = 0; 3555 p->auth_tag_len = 8; /* 8 octet tag length */ 3556 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ 3557 } 3558 3559 /* 3560 * AES-128 GCM mode with 16 octet auth tag. 3561 */ 3562 void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p) 3563 { 3564 p->cipher_type = SRTP_AES_GCM_128; 3565 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; 3566 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 3567 p->auth_key_len = 0; 3568 p->auth_tag_len = 16; /* 16 octet tag length */ 3569 p->sec_serv = sec_serv_conf_and_auth; 3570 } 3571 3572 /* 3573 * AES-256 GCM mode with 16 octet auth tag. 3574 */ 3575 void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p) 3576 { 3577 p->cipher_type = SRTP_AES_GCM_256; 3578 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; 3579 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ 3580 p->auth_key_len = 0; 3581 p->auth_tag_len = 16; /* 16 octet tag length */ 3582 p->sec_serv = sec_serv_conf_and_auth; 3583 } 3584 3585 /* 3586 * secure rtcp functions 3587 */ 3588 3589 /* 3590 * AEAD uses a new IV formation method. This function implements 3591 * section 9.1 (SRTCP IV Formation for AES-GCM) from RFC7714. 3592 * The calculation is defined as, where (+) is the xor operation: 3593 * 3594 * 0 1 2 3 4 5 6 7 8 9 10 11 3595 * +--+--+--+--+--+--+--+--+--+--+--+--+ 3596 * |00|00| SSRC |00|00|0+SRTCP Idx|---+ 3597 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 3598 * | 3599 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 3600 * | Encryption Salt |->(+) 3601 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 3602 * | 3603 * +--+--+--+--+--+--+--+--+--+--+--+--+ | 3604 * | Initialization Vector |<--+ 3605 * +--+--+--+--+--+--+--+--+--+--+--+--+* 3606 * 3607 * Input: *session_keys - pointer to SRTP stream context session keys, 3608 * used to retrieve the SALT 3609 * *iv - Pointer to recieve the calculated IV 3610 * seq_num - The SEQ value to use for the IV calculation. 3611 * *hdr - The RTP header, used to get the SSRC value 3612 * 3613 * Returns: srtp_err_status_ok if no error or srtp_err_status_bad_param 3614 * if seq_num is invalid 3615 * 3616 */ 3617 static srtp_err_status_t srtp_calc_aead_iv_srtcp( 3618 srtp_session_keys_t *session_keys, 3619 v128_t *iv, 3620 uint32_t seq_num, 3621 const srtcp_hdr_t *hdr) 3622 { 3623 v128_t in; 3624 v128_t salt; 3625 3626 memset(&in, 0, sizeof(v128_t)); 3627 memset(&salt, 0, sizeof(v128_t)); 3628 3629 in.v16[0] = 0; 3630 memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */ 3631 in.v16[3] = 0; 3632 3633 /* 3634 * The SRTCP index (seq_num) spans bits 0 through 30 inclusive. 3635 * The most significant bit should be zero. 3636 */ 3637 if (seq_num & 0x80000000UL) { 3638 return srtp_err_status_bad_param; 3639 } 3640 in.v32[2] = htonl(seq_num); 3641 3642 debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in)); 3643 3644 /* 3645 * Get the SALT value from the context 3646 */ 3647 memcpy(salt.v8, session_keys->c_salt, 12); 3648 debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt)); 3649 3650 /* 3651 * Finally, apply the SALT to the input 3652 */ 3653 v128_xor(iv, &in, &salt); 3654 3655 return srtp_err_status_ok; 3656 } 3657 3658 /* 3659 * This code handles AEAD ciphers for outgoing RTCP. We currently support 3660 * AES-GCM mode with 128 or 256 bit keys. 3661 */ 3662 static srtp_err_status_t srtp_protect_rtcp_aead( 3663 srtp_stream_ctx_t *stream, 3664 void *rtcp_hdr, 3665 unsigned int *pkt_octet_len, 3666 srtp_session_keys_t *session_keys, 3667 unsigned int use_mki) 3668 { 3669 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; 3670 uint8_t *enc_start; /* pointer to start of encrypted portion */ 3671 uint8_t *trailer_p; /* pointer to start of trailer */ 3672 uint32_t trailer; /* trailer value */ 3673 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 3674 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 3675 srtp_err_status_t status; 3676 uint32_t tag_len; 3677 uint32_t seq_num; 3678 v128_t iv; 3679 uint32_t tseq; 3680 unsigned int mki_size = 0; 3681 3682 /* get tag length from stream context */ 3683 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); 3684 3685 /* 3686 * set encryption start and encryption length - if we're not 3687 * providing confidentiality, set enc_start to NULL 3688 */ 3689 enc_start = (uint8_t *)hdr + octets_in_rtcp_header; 3690 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; 3691 3692 /* NOTE: hdr->length is not usable - it refers to only the first 3693 * RTCP report in the compound packet! 3694 */ 3695 trailer_p = enc_start + enc_octet_len + tag_len; 3696 3697 if (stream->rtcp_services & sec_serv_conf) { 3698 trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ 3699 } else { 3700 enc_start = NULL; 3701 enc_octet_len = 0; 3702 /* 0 is network-order independant */ 3703 trailer = 0x00000000; /* set encrypt bit */ 3704 } 3705 3706 mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + tag_len + 3707 sizeof(srtcp_trailer_t), 3708 session_keys, use_mki); 3709 3710 /* 3711 * set the auth_tag pointer to the proper location, which is after 3712 * the payload, but before the trailer 3713 * (note that srtpc *always* provides authentication, unlike srtp) 3714 */ 3715 /* Note: This would need to change for optional mikey data */ 3716 auth_tag = (uint8_t *)hdr + *pkt_octet_len; 3717 3718 /* 3719 * check sequence number for overruns, and copy it into the packet 3720 * if its value isn't too big 3721 */ 3722 status = srtp_rdb_increment(&stream->rtcp_rdb); 3723 if (status) { 3724 return status; 3725 } 3726 seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); 3727 trailer |= htonl(seq_num); 3728 debug_print(mod_srtp, "srtcp index: %x", seq_num); 3729 3730 memcpy(trailer_p, &trailer, sizeof(trailer)); 3731 3732 /* 3733 * Calculate and set the IV 3734 */ 3735 status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr); 3736 if (status) { 3737 return srtp_err_status_cipher_fail; 3738 } 3739 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, 3740 srtp_direction_encrypt); 3741 if (status) { 3742 return srtp_err_status_cipher_fail; 3743 } 3744 3745 /* 3746 * Set the AAD for GCM mode 3747 */ 3748 if (enc_start) { 3749 /* 3750 * If payload encryption is enabled, then the AAD consist of 3751 * the RTCP header and the seq# at the end of the packet 3752 */ 3753 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr, 3754 octets_in_rtcp_header); 3755 if (status) { 3756 return (srtp_err_status_cipher_fail); 3757 } 3758 } else { 3759 /* 3760 * Since payload encryption is not enabled, we must authenticate 3761 * the entire packet as described in RFC 7714 (Section 9.3. Data 3762 * Types in Unencrypted SRTCP Compound Packets) 3763 */ 3764 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr, 3765 *pkt_octet_len); 3766 if (status) { 3767 return (srtp_err_status_cipher_fail); 3768 } 3769 } 3770 /* 3771 * Process the sequence# as AAD 3772 */ 3773 tseq = trailer; 3774 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq, 3775 sizeof(srtcp_trailer_t)); 3776 if (status) { 3777 return (srtp_err_status_cipher_fail); 3778 } 3779 3780 /* if we're encrypting, exor keystream into the message */ 3781 if (enc_start) { 3782 status = srtp_cipher_encrypt(session_keys->rtcp_cipher, enc_start, 3783 &enc_octet_len); 3784 if (status) { 3785 return srtp_err_status_cipher_fail; 3786 } 3787 /* 3788 * Get the tag and append that to the output 3789 */ 3790 status = 3791 srtp_cipher_get_tag(session_keys->rtcp_cipher, auth_tag, &tag_len); 3792 if (status) { 3793 return (srtp_err_status_cipher_fail); 3794 } 3795 enc_octet_len += tag_len; 3796 } else { 3797 /* 3798 * Even though we're not encrypting the payload, we need 3799 * to run the cipher to get the auth tag. 3800 */ 3801 unsigned int nolen = 0; 3802 status = srtp_cipher_encrypt(session_keys->rtcp_cipher, NULL, &nolen); 3803 if (status) { 3804 return srtp_err_status_cipher_fail; 3805 } 3806 /* 3807 * Get the tag and append that to the output 3808 */ 3809 status = 3810 srtp_cipher_get_tag(session_keys->rtcp_cipher, auth_tag, &tag_len); 3811 if (status) { 3812 return (srtp_err_status_cipher_fail); 3813 } 3814 enc_octet_len += tag_len; 3815 } 3816 3817 /* increase the packet length by the length of the auth tag and seq_num*/ 3818 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); 3819 3820 /* increase the packet by the mki_size */ 3821 *pkt_octet_len += mki_size; 3822 3823 return srtp_err_status_ok; 3824 } 3825 3826 /* 3827 * This function handles incoming SRTCP packets while in AEAD mode, 3828 * which currently supports AES-GCM encryption. Note, the auth tag is 3829 * at the end of the packet stream and is automatically checked by GCM 3830 * when decrypting the payload. 3831 */ 3832 static srtp_err_status_t srtp_unprotect_rtcp_aead( 3833 srtp_t ctx, 3834 srtp_stream_ctx_t *stream, 3835 void *srtcp_hdr, 3836 unsigned int *pkt_octet_len, 3837 srtp_session_keys_t *session_keys, 3838 unsigned int use_mki) 3839 { 3840 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; 3841 uint8_t *enc_start; /* pointer to start of encrypted portion */ 3842 uint8_t *trailer_p; /* pointer to start of trailer */ 3843 uint32_t trailer; /* trailer value */ 3844 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 3845 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 3846 srtp_err_status_t status; 3847 int tag_len; 3848 unsigned int tmp_len; 3849 uint32_t seq_num; 3850 v128_t iv; 3851 uint32_t tseq; 3852 unsigned int mki_size = 0; 3853 3854 /* get tag length from stream context */ 3855 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); 3856 3857 if (use_mki) { 3858 mki_size = session_keys->mki_size; 3859 } 3860 3861 /* 3862 * set encryption start, encryption length, and trailer 3863 */ 3864 /* index & E (encryption) bit follow normal data. hdr->len is the number of 3865 * words (32-bit) in the normal packet minus 1 3866 */ 3867 /* This should point trailer to the word past the end of the normal data. */ 3868 /* This would need to be modified for optional mikey data */ 3869 trailer_p = 3870 (uint8_t *)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t) - mki_size; 3871 memcpy(&trailer, trailer_p, sizeof(trailer)); 3872 3873 /* 3874 * We pass the tag down to the cipher when doing GCM mode 3875 */ 3876 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + 3877 sizeof(srtcp_trailer_t) + mki_size); 3878 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len - mki_size - 3879 sizeof(srtcp_trailer_t); 3880 3881 if (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) { 3882 enc_start = (uint8_t *)hdr + octets_in_rtcp_header; 3883 } else { 3884 enc_octet_len = 0; 3885 enc_start = NULL; /* this indicates that there's no encryption */ 3886 } 3887 3888 /* 3889 * check the sequence number for replays 3890 */ 3891 /* this is easier than dealing with bitfield access */ 3892 seq_num = ntohl(trailer) & SRTCP_INDEX_MASK; 3893 debug_print(mod_srtp, "srtcp index: %x", seq_num); 3894 status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); 3895 if (status) { 3896 return status; 3897 } 3898 3899 /* 3900 * Calculate and set the IV 3901 */ 3902 status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr); 3903 if (status) { 3904 return srtp_err_status_cipher_fail; 3905 } 3906 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, 3907 srtp_direction_decrypt); 3908 if (status) { 3909 return srtp_err_status_cipher_fail; 3910 } 3911 3912 /* 3913 * Set the AAD for GCM mode 3914 */ 3915 if (enc_start) { 3916 /* 3917 * If payload encryption is enabled, then the AAD consist of 3918 * the RTCP header and the seq# at the end of the packet 3919 */ 3920 status = 3921 srtp_cipher_set_aad(session_keys->rtcp_cipher, (const uint8_t *)hdr, 3922 octets_in_rtcp_header); 3923 if (status) { 3924 return (srtp_err_status_cipher_fail); 3925 } 3926 } else { 3927 /* 3928 * Since payload encryption is not enabled, we must authenticate 3929 * the entire packet as described in RFC 7714 (Section 9.3. Data 3930 * Types in Unencrypted SRTCP Compound Packets) 3931 */ 3932 status = srtp_cipher_set_aad( 3933 session_keys->rtcp_cipher, (uint8_t *)hdr, 3934 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t) - mki_size)); 3935 if (status) { 3936 return (srtp_err_status_cipher_fail); 3937 } 3938 } 3939 3940 /* 3941 * Process the sequence# as AAD 3942 */ 3943 tseq = trailer; 3944 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq, 3945 sizeof(srtcp_trailer_t)); 3946 if (status) { 3947 return (srtp_err_status_cipher_fail); 3948 } 3949 3950 /* if we're decrypting, exor keystream into the message */ 3951 if (enc_start) { 3952 status = srtp_cipher_decrypt(session_keys->rtcp_cipher, enc_start, 3953 &enc_octet_len); 3954 if (status) { 3955 return status; 3956 } 3957 } else { 3958 /* 3959 * Still need to run the cipher to check the tag 3960 */ 3961 tmp_len = tag_len; 3962 status = 3963 srtp_cipher_decrypt(session_keys->rtcp_cipher, auth_tag, &tmp_len); 3964 if (status) { 3965 return status; 3966 } 3967 } 3968 3969 /* decrease the packet length by the length of the auth tag and seq_num*/ 3970 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) + mki_size); 3971 3972 /* 3973 * verify that stream is for received traffic - this check will 3974 * detect SSRC collisions, since a stream that appears in both 3975 * srtp_protect() and srtp_unprotect() will fail this test in one of 3976 * those functions. 3977 * 3978 * we do this check *after* the authentication check, so that the 3979 * latter check will catch any attempts to fool us into thinking 3980 * that we've got a collision 3981 */ 3982 if (stream->direction != dir_srtp_receiver) { 3983 if (stream->direction == dir_unknown) { 3984 stream->direction = dir_srtp_receiver; 3985 } else { 3986 srtp_handle_event(ctx, stream, event_ssrc_collision); 3987 } 3988 } 3989 3990 /* 3991 * if the stream is a 'provisional' one, in which the template context 3992 * is used, then we need to allocate a new stream at this point, since 3993 * the authentication passed 3994 */ 3995 if (stream == ctx->stream_template) { 3996 srtp_stream_ctx_t *new_stream; 3997 3998 /* 3999 * allocate and initialize a new stream 4000 * 4001 * note that we indicate failure if we can't allocate the new 4002 * stream, and some implementations will want to not return 4003 * failure here 4004 */ 4005 status = 4006 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 4007 if (status) { 4008 return status; 4009 } 4010 4011 /* add new stream to the list */ 4012 status = srtp_insert_or_dealloc_stream(ctx->stream_list, new_stream, 4013 ctx->stream_template); 4014 if (status) { 4015 return status; 4016 } 4017 4018 /* set stream (the pointer used in this function) */ 4019 stream = new_stream; 4020 } 4021 4022 /* we've passed the authentication check, so add seq_num to the rdb */ 4023 srtp_rdb_add_index(&stream->rtcp_rdb, seq_num); 4024 4025 return srtp_err_status_ok; 4026 } 4027 4028 srtp_err_status_t srtp_protect_rtcp(srtp_t ctx, 4029 void *rtcp_hdr, 4030 int *pkt_octet_len) 4031 { 4032 return srtp_protect_rtcp_mki(ctx, rtcp_hdr, pkt_octet_len, 0, 0); 4033 } 4034 4035 srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, 4036 void *rtcp_hdr, 4037 int *pkt_octet_len, 4038 unsigned int use_mki, 4039 unsigned int mki_index) 4040 { 4041 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; 4042 uint8_t *enc_start; /* pointer to start of encrypted portion */ 4043 uint8_t *auth_start; /* pointer to start of auth. portion */ 4044 uint8_t *trailer_p; /* pointer to start of trailer */ 4045 uint32_t trailer; /* trailer value */ 4046 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 4047 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 4048 srtp_err_status_t status; 4049 int tag_len; 4050 srtp_stream_ctx_t *stream; 4051 uint32_t prefix_len; 4052 uint32_t seq_num; 4053 unsigned int mki_size = 0; 4054 srtp_session_keys_t *session_keys = NULL; 4055 4056 /* check the packet length - it must at least contain a full header */ 4057 if (*pkt_octet_len < octets_in_rtcp_header) 4058 return srtp_err_status_bad_param; 4059 4060 /* 4061 * look up ssrc in srtp_stream list, and process the packet with 4062 * the appropriate stream. if we haven't seen this stream before, 4063 * there's only one key for this srtp_session, and the cipher 4064 * supports key-sharing, then we assume that a new stream using 4065 * that key has just started up 4066 */ 4067 stream = srtp_get_stream(ctx, hdr->ssrc); 4068 if (stream == NULL) { 4069 if (ctx->stream_template != NULL) { 4070 srtp_stream_ctx_t *new_stream; 4071 4072 /* allocate and initialize a new stream */ 4073 status = 4074 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 4075 if (status) 4076 return status; 4077 4078 /* add new stream to the list */ 4079 status = srtp_insert_or_dealloc_stream(ctx->stream_list, new_stream, 4080 ctx->stream_template); 4081 if (status) { 4082 return status; 4083 } 4084 4085 /* set stream (the pointer used in this function) */ 4086 stream = new_stream; 4087 } else { 4088 /* no template stream, so we return an error */ 4089 return srtp_err_status_no_ctx; 4090 } 4091 } 4092 4093 /* 4094 * verify that stream is for sending traffic - this check will 4095 * detect SSRC collisions, since a stream that appears in both 4096 * srtp_protect() and srtp_unprotect() will fail this test in one of 4097 * those functions. 4098 */ 4099 if (stream->direction != dir_srtp_sender) { 4100 if (stream->direction == dir_unknown) { 4101 stream->direction = dir_srtp_sender; 4102 } else { 4103 srtp_handle_event(ctx, stream, event_ssrc_collision); 4104 } 4105 } 4106 4107 session_keys = 4108 srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); 4109 4110 if (session_keys == NULL) 4111 return srtp_err_status_bad_mki; 4112 4113 /* 4114 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 4115 * the request to our AEAD handler. 4116 */ 4117 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || 4118 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { 4119 return srtp_protect_rtcp_aead(stream, rtcp_hdr, 4120 (unsigned int *)pkt_octet_len, 4121 session_keys, use_mki); 4122 } 4123 4124 /* get tag length from stream context */ 4125 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); 4126 4127 /* 4128 * set encryption start and encryption length - if we're not 4129 * providing confidentiality, set enc_start to NULL 4130 */ 4131 enc_start = (uint8_t *)hdr + octets_in_rtcp_header; 4132 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; 4133 4134 /* all of the packet, except the header, gets encrypted */ 4135 /* 4136 * NOTE: hdr->length is not usable - it refers to only the first RTCP report 4137 * in the compound packet! 4138 */ 4139 trailer_p = enc_start + enc_octet_len; 4140 4141 if (stream->rtcp_services & sec_serv_conf) { 4142 trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ 4143 } else { 4144 enc_start = NULL; 4145 enc_octet_len = 0; 4146 /* 0 is network-order independant */ 4147 trailer = 0x00000000; /* set encrypt bit */ 4148 } 4149 4150 mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + 4151 sizeof(srtcp_trailer_t), 4152 session_keys, use_mki); 4153 4154 /* 4155 * set the auth_start and auth_tag pointers to the proper locations 4156 * (note that srtpc *always* provides authentication, unlike srtp) 4157 */ 4158 /* Note: This would need to change for optional mikey data */ 4159 auth_start = (uint8_t *)hdr; 4160 auth_tag = 4161 (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) + mki_size; 4162 4163 /* 4164 * check sequence number for overruns, and copy it into the packet 4165 * if its value isn't too big 4166 */ 4167 status = srtp_rdb_increment(&stream->rtcp_rdb); 4168 if (status) 4169 return status; 4170 seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); 4171 trailer |= htonl(seq_num); 4172 debug_print(mod_srtp, "srtcp index: %x", seq_num); 4173 4174 memcpy(trailer_p, &trailer, sizeof(trailer)); 4175 4176 /* 4177 * if we're using rindael counter mode, set nonce and seq 4178 */ 4179 if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || 4180 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || 4181 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { 4182 v128_t iv; 4183 4184 iv.v32[0] = 0; 4185 iv.v32[1] = hdr->ssrc; /* still in network order! */ 4186 iv.v32[2] = htonl(seq_num >> 16); 4187 iv.v32[3] = htonl(seq_num << 16); 4188 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, 4189 srtp_direction_encrypt); 4190 4191 } else { 4192 v128_t iv; 4193 4194 /* otherwise, just set the index to seq_num */ 4195 iv.v32[0] = 0; 4196 iv.v32[1] = 0; 4197 iv.v32[2] = 0; 4198 iv.v32[3] = htonl(seq_num); 4199 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, 4200 srtp_direction_encrypt); 4201 } 4202 if (status) 4203 return srtp_err_status_cipher_fail; 4204 4205 /* 4206 * if we're authenticating using a universal hash, put the keystream 4207 * prefix into the authentication tag 4208 */ 4209 4210 /* if auth_start is non-null, then put keystream into tag */ 4211 if (auth_start) { 4212 /* put keystream prefix into auth_tag */ 4213 prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); 4214 status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, 4215 &prefix_len); 4216 4217 debug_print(mod_srtp, "keystream prefix: %s", 4218 srtp_octet_string_hex_string(auth_tag, prefix_len)); 4219 4220 if (status) 4221 return srtp_err_status_cipher_fail; 4222 } 4223 4224 /* if we're encrypting, exor keystream into the message */ 4225 if (enc_start) { 4226 status = srtp_cipher_encrypt(session_keys->rtcp_cipher, enc_start, 4227 &enc_octet_len); 4228 if (status) 4229 return srtp_err_status_cipher_fail; 4230 } 4231 4232 /* initialize auth func context */ 4233 status = srtp_auth_start(session_keys->rtcp_auth); 4234 if (status) 4235 return status; 4236 4237 /* 4238 * run auth func over packet (including trailer), and write the 4239 * result at auth_tag 4240 */ 4241 status = 4242 srtp_auth_compute(session_keys->rtcp_auth, auth_start, 4243 (*pkt_octet_len) + sizeof(srtcp_trailer_t), auth_tag); 4244 debug_print(mod_srtp, "srtcp auth tag: %s", 4245 srtp_octet_string_hex_string(auth_tag, tag_len)); 4246 if (status) 4247 return srtp_err_status_auth_fail; 4248 4249 /* increase the packet length by the length of the auth tag and seq_num*/ 4250 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); 4251 4252 /* increase the packet by the mki_size */ 4253 *pkt_octet_len += mki_size; 4254 4255 return srtp_err_status_ok; 4256 } 4257 4258 srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, 4259 void *srtcp_hdr, 4260 int *pkt_octet_len) 4261 { 4262 return srtp_unprotect_rtcp_mki(ctx, srtcp_hdr, pkt_octet_len, 0); 4263 } 4264 4265 srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, 4266 void *srtcp_hdr, 4267 int *pkt_octet_len, 4268 unsigned int use_mki) 4269 { 4270 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; 4271 uint8_t *enc_start; /* pointer to start of encrypted portion */ 4272 uint8_t *auth_start; /* pointer to start of auth. portion */ 4273 uint8_t *trailer_p; /* pointer to start of trailer */ 4274 uint32_t trailer; /* trailer value */ 4275 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ 4276 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 4277 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 4278 srtp_err_status_t status; 4279 unsigned int auth_len; 4280 int tag_len; 4281 srtp_stream_ctx_t *stream; 4282 uint32_t prefix_len; 4283 uint32_t seq_num; 4284 int e_bit_in_packet; /* whether the E-bit was found in the packet */ 4285 int sec_serv_confidentiality; /* whether confidentiality was requested */ 4286 unsigned int mki_size = 0; 4287 srtp_session_keys_t *session_keys = NULL; 4288 4289 if (*pkt_octet_len < 0) 4290 return srtp_err_status_bad_param; 4291 4292 /* 4293 * check that the length value is sane; we'll check again once we 4294 * know the tag length, but we at least want to know that it is 4295 * a positive value 4296 */ 4297 if ((unsigned int)(*pkt_octet_len) < 4298 octets_in_rtcp_header + sizeof(srtcp_trailer_t)) 4299 return srtp_err_status_bad_param; 4300 4301 /* 4302 * look up ssrc in srtp_stream list, and process the packet with 4303 * the appropriate stream. if we haven't seen this stream before, 4304 * there's only one key for this srtp_session, and the cipher 4305 * supports key-sharing, then we assume that a new stream using 4306 * that key has just started up 4307 */ 4308 stream = srtp_get_stream(ctx, hdr->ssrc); 4309 if (stream == NULL) { 4310 if (ctx->stream_template != NULL) { 4311 stream = ctx->stream_template; 4312 4313 debug_print(mod_srtp, 4314 "srtcp using provisional stream (SSRC: 0x%08lx)", 4315 (unsigned long) ntohl(hdr->ssrc)); 4316 } else { 4317 /* no template stream, so we return an error */ 4318 return srtp_err_status_no_ctx; 4319 } 4320 } 4321 4322 /* 4323 * Determine if MKI is being used and what session keys should be used 4324 */ 4325 if (use_mki) { 4326 session_keys = srtp_get_session_keys_rtcp( 4327 stream, (uint8_t *)hdr, (unsigned int)*pkt_octet_len, &mki_size); 4328 4329 if (session_keys == NULL) 4330 return srtp_err_status_bad_mki; 4331 } else { 4332 session_keys = &stream->session_keys[0]; 4333 } 4334 4335 /* get tag length from stream context */ 4336 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); 4337 4338 /* check the packet length - it must contain at least a full RTCP 4339 header, an auth tag (if applicable), and the SRTCP encrypted flag 4340 and 31-bit index value */ 4341 if (*pkt_octet_len < (int)(octets_in_rtcp_header + tag_len + mki_size + 4342 sizeof(srtcp_trailer_t))) { 4343 return srtp_err_status_bad_param; 4344 } 4345 4346 /* 4347 * Check if this is an AEAD stream (GCM mode). If so, then dispatch 4348 * the request to our AEAD handler. 4349 */ 4350 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || 4351 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { 4352 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, 4353 (unsigned int *)pkt_octet_len, 4354 session_keys, mki_size); 4355 } 4356 4357 sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf || 4358 stream->rtcp_services == sec_serv_conf_and_auth; 4359 4360 /* 4361 * set encryption start, encryption length, and trailer 4362 */ 4363 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + tag_len + 4364 mki_size + sizeof(srtcp_trailer_t)); 4365 /* 4366 *index & E (encryption) bit follow normal data. hdr->len is the number of 4367 * words (32-bit) in the normal packet minus 1 4368 */ 4369 /* This should point trailer to the word past the end of the normal data. */ 4370 /* This would need to be modified for optional mikey data */ 4371 trailer_p = (uint8_t *)hdr + *pkt_octet_len - 4372 (tag_len + mki_size + sizeof(srtcp_trailer_t)); 4373 memcpy(&trailer, trailer_p, sizeof(trailer)); 4374 4375 e_bit_in_packet = (*(trailer_p)&SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT; 4376 if (e_bit_in_packet != sec_serv_confidentiality) { 4377 return srtp_err_status_cant_check; 4378 } 4379 if (sec_serv_confidentiality) { 4380 enc_start = (uint8_t *)hdr + octets_in_rtcp_header; 4381 } else { 4382 enc_octet_len = 0; 4383 enc_start = NULL; /* this indicates that there's no encryption */ 4384 } 4385 4386 /* 4387 * set the auth_start and auth_tag pointers to the proper locations 4388 * (note that srtcp *always* uses authentication, unlike srtp) 4389 */ 4390 auth_start = (uint8_t *)hdr; 4391 4392 /* 4393 * The location of the auth tag in the packet needs to know MKI 4394 * could be present. The data needed to calculate the Auth tag 4395 * must not include the MKI 4396 */ 4397 auth_len = *pkt_octet_len - tag_len - mki_size; 4398 auth_tag = (uint8_t *)hdr + auth_len + mki_size; 4399 4400 /* 4401 * check the sequence number for replays 4402 */ 4403 /* this is easier than dealing with bitfield access */ 4404 seq_num = ntohl(trailer) & SRTCP_INDEX_MASK; 4405 debug_print(mod_srtp, "srtcp index: %x", seq_num); 4406 status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); 4407 if (status) 4408 return status; 4409 4410 /* 4411 * if we're using aes counter mode, set nonce and seq 4412 */ 4413 if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || 4414 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || 4415 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { 4416 v128_t iv; 4417 4418 iv.v32[0] = 0; 4419 iv.v32[1] = hdr->ssrc; /* still in network order! */ 4420 iv.v32[2] = htonl(seq_num >> 16); 4421 iv.v32[3] = htonl(seq_num << 16); 4422 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, 4423 srtp_direction_decrypt); 4424 4425 } else { 4426 v128_t iv; 4427 4428 /* otherwise, just set the index to seq_num */ 4429 iv.v32[0] = 0; 4430 iv.v32[1] = 0; 4431 iv.v32[2] = 0; 4432 iv.v32[3] = htonl(seq_num); 4433 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, 4434 srtp_direction_decrypt); 4435 } 4436 if (status) 4437 return srtp_err_status_cipher_fail; 4438 4439 /* initialize auth func context */ 4440 status = srtp_auth_start(session_keys->rtcp_auth); 4441 if (status) 4442 return status; 4443 4444 /* run auth func over packet, put result into tmp_tag */ 4445 status = srtp_auth_compute(session_keys->rtcp_auth, auth_start, auth_len, 4446 tmp_tag); 4447 debug_print(mod_srtp, "srtcp computed tag: %s", 4448 srtp_octet_string_hex_string(tmp_tag, tag_len)); 4449 if (status) 4450 return srtp_err_status_auth_fail; 4451 4452 /* compare the tag just computed with the one in the packet */ 4453 debug_print(mod_srtp, "srtcp tag from packet: %s", 4454 srtp_octet_string_hex_string(auth_tag, tag_len)); 4455 if (srtp_octet_string_is_eq(tmp_tag, auth_tag, tag_len)) 4456 return srtp_err_status_auth_fail; 4457 4458 /* 4459 * if we're authenticating using a universal hash, put the keystream 4460 * prefix into the authentication tag 4461 */ 4462 prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); 4463 if (prefix_len) { 4464 status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, 4465 &prefix_len); 4466 debug_print(mod_srtp, "keystream prefix: %s", 4467 srtp_octet_string_hex_string(auth_tag, prefix_len)); 4468 if (status) 4469 return srtp_err_status_cipher_fail; 4470 } 4471 4472 /* if we're decrypting, exor keystream into the message */ 4473 if (enc_start) { 4474 status = srtp_cipher_decrypt(session_keys->rtcp_cipher, enc_start, 4475 &enc_octet_len); 4476 if (status) 4477 return srtp_err_status_cipher_fail; 4478 } 4479 4480 /* decrease the packet length by the length of the auth tag and seq_num */ 4481 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); 4482 4483 /* decrease the packet length by the length of the mki_size */ 4484 *pkt_octet_len -= mki_size; 4485 4486 /* 4487 * verify that stream is for received traffic - this check will 4488 * detect SSRC collisions, since a stream that appears in both 4489 * srtp_protect() and srtp_unprotect() will fail this test in one of 4490 * those functions. 4491 * 4492 * we do this check *after* the authentication check, so that the 4493 * latter check will catch any attempts to fool us into thinking 4494 * that we've got a collision 4495 */ 4496 if (stream->direction != dir_srtp_receiver) { 4497 if (stream->direction == dir_unknown) { 4498 stream->direction = dir_srtp_receiver; 4499 } else { 4500 srtp_handle_event(ctx, stream, event_ssrc_collision); 4501 } 4502 } 4503 4504 /* 4505 * if the stream is a 'provisional' one, in which the template context 4506 * is used, then we need to allocate a new stream at this point, since 4507 * the authentication passed 4508 */ 4509 if (stream == ctx->stream_template) { 4510 srtp_stream_ctx_t *new_stream; 4511 4512 /* 4513 * allocate and initialize a new stream 4514 * 4515 * note that we indicate failure if we can't allocate the new 4516 * stream, and some implementations will want to not return 4517 * failure here 4518 */ 4519 status = 4520 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 4521 if (status) 4522 return status; 4523 4524 /* add new stream to the list */ 4525 status = srtp_insert_or_dealloc_stream(ctx->stream_list, new_stream, 4526 ctx->stream_template); 4527 if (status) { 4528 return status; 4529 } 4530 4531 /* set stream (the pointer used in this function) */ 4532 stream = new_stream; 4533 } 4534 4535 /* we've passed the authentication check, so add seq_num to the rdb */ 4536 srtp_rdb_add_index(&stream->rtcp_rdb, seq_num); 4537 4538 return srtp_err_status_ok; 4539 } 4540 4541 /* 4542 * user data within srtp_t context 4543 */ 4544 4545 void srtp_set_user_data(srtp_t ctx, void *data) 4546 { 4547 ctx->user_data = data; 4548 } 4549 4550 void *srtp_get_user_data(srtp_t ctx) 4551 { 4552 return ctx->user_data; 4553 } 4554 4555 srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp( 4556 srtp_crypto_policy_t *policy, 4557 srtp_profile_t profile) 4558 { 4559 /* set SRTP policy from the SRTP profile in the key set */ 4560 switch (profile) { 4561 case srtp_profile_aes128_cm_sha1_80: 4562 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 4563 break; 4564 case srtp_profile_aes128_cm_sha1_32: 4565 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); 4566 break; 4567 case srtp_profile_null_sha1_80: 4568 srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); 4569 break; 4570 #ifdef GCM 4571 case srtp_profile_aead_aes_128_gcm: 4572 srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); 4573 break; 4574 case srtp_profile_aead_aes_256_gcm: 4575 srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); 4576 break; 4577 #endif 4578 /* the following profiles are not (yet) supported */ 4579 case srtp_profile_null_sha1_32: 4580 default: 4581 return srtp_err_status_bad_param; 4582 } 4583 4584 return srtp_err_status_ok; 4585 } 4586 4587 srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp( 4588 srtp_crypto_policy_t *policy, 4589 srtp_profile_t profile) 4590 { 4591 /* set SRTP policy from the SRTP profile in the key set */ 4592 switch (profile) { 4593 case srtp_profile_aes128_cm_sha1_80: 4594 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 4595 break; 4596 case srtp_profile_aes128_cm_sha1_32: 4597 /* We do not honor the 32-bit auth tag request since 4598 * this is not compliant with RFC 3711 */ 4599 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 4600 break; 4601 case srtp_profile_null_sha1_80: 4602 srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); 4603 break; 4604 #ifdef GCM 4605 case srtp_profile_aead_aes_128_gcm: 4606 srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); 4607 break; 4608 case srtp_profile_aead_aes_256_gcm: 4609 srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); 4610 break; 4611 #endif 4612 /* the following profiles are not (yet) supported */ 4613 case srtp_profile_null_sha1_32: 4614 default: 4615 return srtp_err_status_bad_param; 4616 } 4617 4618 return srtp_err_status_ok; 4619 } 4620 4621 void srtp_append_salt_to_key(uint8_t *key, 4622 unsigned int bytes_in_key, 4623 uint8_t *salt, 4624 unsigned int bytes_in_salt) 4625 { 4626 memcpy(key + bytes_in_key, salt, bytes_in_salt); 4627 } 4628 4629 unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile) 4630 { 4631 switch (profile) { 4632 case srtp_profile_aes128_cm_sha1_80: 4633 return SRTP_AES_128_KEY_LEN; 4634 break; 4635 case srtp_profile_aes128_cm_sha1_32: 4636 return SRTP_AES_128_KEY_LEN; 4637 break; 4638 case srtp_profile_null_sha1_80: 4639 return SRTP_AES_128_KEY_LEN; 4640 break; 4641 case srtp_profile_aead_aes_128_gcm: 4642 return SRTP_AES_128_KEY_LEN; 4643 break; 4644 case srtp_profile_aead_aes_256_gcm: 4645 return SRTP_AES_256_KEY_LEN; 4646 break; 4647 /* the following profiles are not (yet) supported */ 4648 case srtp_profile_null_sha1_32: 4649 default: 4650 return 0; /* indicate error by returning a zero */ 4651 } 4652 } 4653 4654 unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile) 4655 { 4656 switch (profile) { 4657 case srtp_profile_aes128_cm_sha1_80: 4658 return SRTP_SALT_LEN; 4659 break; 4660 case srtp_profile_aes128_cm_sha1_32: 4661 return SRTP_SALT_LEN; 4662 break; 4663 case srtp_profile_null_sha1_80: 4664 return SRTP_SALT_LEN; 4665 break; 4666 case srtp_profile_aead_aes_128_gcm: 4667 return SRTP_AEAD_SALT_LEN; 4668 break; 4669 case srtp_profile_aead_aes_256_gcm: 4670 return SRTP_AEAD_SALT_LEN; 4671 break; 4672 /* the following profiles are not (yet) supported */ 4673 case srtp_profile_null_sha1_32: 4674 default: 4675 return 0; /* indicate error by returning a zero */ 4676 } 4677 } 4678 4679 srtp_err_status_t stream_get_protect_trailer_length(srtp_stream_ctx_t *stream, 4680 uint32_t is_rtp, 4681 uint32_t use_mki, 4682 uint32_t mki_index, 4683 uint32_t *length) 4684 { 4685 srtp_session_keys_t *session_key; 4686 4687 *length = 0; 4688 4689 if (use_mki) { 4690 if (mki_index >= stream->num_master_keys) { 4691 return srtp_err_status_bad_mki; 4692 } 4693 session_key = &stream->session_keys[mki_index]; 4694 4695 *length += session_key->mki_size; 4696 4697 } else { 4698 session_key = &stream->session_keys[0]; 4699 } 4700 if (is_rtp) { 4701 *length += srtp_auth_get_tag_length(session_key->rtp_auth); 4702 } else { 4703 *length += srtp_auth_get_tag_length(session_key->rtcp_auth); 4704 *length += sizeof(srtcp_trailer_t); 4705 } 4706 4707 return srtp_err_status_ok; 4708 } 4709 4710 struct get_protect_trailer_length_data { 4711 uint32_t found_stream; /* whether at least one matching stream was found */ 4712 uint32_t length; /* maximum trailer length found so far */ 4713 uint32_t is_rtp; 4714 uint32_t use_mki; 4715 uint32_t mki_index; 4716 }; 4717 4718 static int get_protect_trailer_length_cb(srtp_stream_t stream, void *raw_data) 4719 { 4720 struct get_protect_trailer_length_data *data = 4721 (struct get_protect_trailer_length_data *)raw_data; 4722 uint32_t temp_length; 4723 4724 if (stream_get_protect_trailer_length(stream, data->is_rtp, data->use_mki, 4725 data->mki_index, 4726 &temp_length) == srtp_err_status_ok) { 4727 data->found_stream = 1; 4728 if (temp_length > data->length) { 4729 data->length = temp_length; 4730 } 4731 } 4732 4733 return 0; 4734 } 4735 4736 srtp_err_status_t get_protect_trailer_length(srtp_t session, 4737 uint32_t is_rtp, 4738 uint32_t use_mki, 4739 uint32_t mki_index, 4740 uint32_t *length) 4741 { 4742 srtp_stream_ctx_t *stream; 4743 struct get_protect_trailer_length_data data = { 0, 0, is_rtp, use_mki, 4744 mki_index }; 4745 4746 if (session == NULL) { 4747 return srtp_err_status_bad_param; 4748 } 4749 4750 stream = session->stream_template; 4751 4752 if (stream != NULL) { 4753 data.found_stream = 1; 4754 stream_get_protect_trailer_length(stream, is_rtp, use_mki, mki_index, 4755 &data.length); 4756 } 4757 4758 srtp_stream_list_for_each(session->stream_list, 4759 get_protect_trailer_length_cb, &data); 4760 4761 if (!data.found_stream) { 4762 return srtp_err_status_bad_param; 4763 } 4764 4765 *length = data.length; 4766 return srtp_err_status_ok; 4767 } 4768 4769 srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session, 4770 uint32_t use_mki, 4771 uint32_t mki_index, 4772 uint32_t *length) 4773 { 4774 return get_protect_trailer_length(session, 1, use_mki, mki_index, length); 4775 } 4776 4777 srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session, 4778 uint32_t use_mki, 4779 uint32_t mki_index, 4780 uint32_t *length) 4781 { 4782 return get_protect_trailer_length(session, 0, use_mki, mki_index, length); 4783 } 4784 4785 /* 4786 * SRTP debug interface 4787 */ 4788 srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v) 4789 { 4790 return srtp_crypto_kernel_set_debug_module(mod_name, v); 4791 } 4792 4793 srtp_err_status_t srtp_list_debug_modules(void) 4794 { 4795 return srtp_crypto_kernel_list_debug_modules(); 4796 } 4797 4798 /* 4799 * srtp_log_handler is a global variable holding a pointer to the 4800 * log handler function; this function is called for any log 4801 * output. 4802 */ 4803 4804 static srtp_log_handler_func_t *srtp_log_handler = NULL; 4805 static void *srtp_log_handler_data = NULL; 4806 4807 static void srtp_err_handler(srtp_err_reporting_level_t level, const char *msg) 4808 { 4809 if (srtp_log_handler) { 4810 srtp_log_level_t log_level = srtp_log_level_error; 4811 switch (level) { 4812 case srtp_err_level_error: 4813 log_level = srtp_log_level_error; 4814 break; 4815 case srtp_err_level_warning: 4816 log_level = srtp_log_level_warning; 4817 break; 4818 case srtp_err_level_info: 4819 log_level = srtp_log_level_info; 4820 break; 4821 case srtp_err_level_debug: 4822 log_level = srtp_log_level_debug; 4823 break; 4824 } 4825 4826 srtp_log_handler(log_level, msg, srtp_log_handler_data); 4827 } 4828 } 4829 4830 srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, 4831 void *data) 4832 { 4833 /* 4834 * note that we accept NULL arguments intentionally - calling this 4835 * function with a NULL arguments removes a log handler that's 4836 * been previously installed 4837 */ 4838 4839 if (srtp_log_handler) { 4840 srtp_install_err_report_handler(NULL); 4841 } 4842 srtp_log_handler = func; 4843 srtp_log_handler_data = data; 4844 if (srtp_log_handler) { 4845 srtp_install_err_report_handler(srtp_err_handler); 4846 } 4847 return srtp_err_status_ok; 4848 } 4849 4850 srtp_err_status_t srtp_set_stream_roc(srtp_t session, 4851 uint32_t ssrc, 4852 uint32_t roc) 4853 { 4854 srtp_stream_t stream; 4855 4856 stream = srtp_get_stream(session, htonl(ssrc)); 4857 if (stream == NULL) 4858 return srtp_err_status_bad_param; 4859 4860 stream->pending_roc = roc; 4861 4862 return srtp_err_status_ok; 4863 } 4864 4865 srtp_err_status_t srtp_get_stream_roc(srtp_t session, 4866 uint32_t ssrc, 4867 uint32_t *roc) 4868 { 4869 srtp_stream_t stream; 4870 4871 stream = srtp_get_stream(session, htonl(ssrc)); 4872 if (stream == NULL) 4873 return srtp_err_status_bad_param; 4874 4875 *roc = srtp_rdbx_get_roc(&stream->rtp_rdbx); 4876 4877 return srtp_err_status_ok; 4878 } 4879 4880 #ifndef SRTP_NO_STREAM_LIST 4881 4882 /* in the default implementation, we have an intrusive doubly-linked list */ 4883 typedef struct srtp_stream_list_ctx_t_ { 4884 /* a stub stream that just holds pointers to the beginning and end of the 4885 * list */ 4886 srtp_stream_ctx_t data; 4887 } srtp_stream_list_ctx_t_; 4888 4889 srtp_err_status_t srtp_stream_list_alloc(srtp_stream_list_t *list_ptr) 4890 { 4891 srtp_stream_list_t list = 4892 srtp_crypto_alloc(sizeof(srtp_stream_list_ctx_t_)); 4893 if (list == NULL) { 4894 return srtp_err_status_alloc_fail; 4895 } 4896 4897 list->data.next = NULL; 4898 list->data.prev = NULL; 4899 4900 *list_ptr = list; 4901 return srtp_err_status_ok; 4902 } 4903 4904 srtp_err_status_t srtp_stream_list_dealloc(srtp_stream_list_t list) 4905 { 4906 /* list must be empty */ 4907 if (list->data.next) { 4908 return srtp_err_status_fail; 4909 } 4910 srtp_crypto_free(list); 4911 return srtp_err_status_ok; 4912 } 4913 4914 srtp_err_status_t srtp_stream_list_insert(srtp_stream_list_t list, 4915 srtp_stream_t stream) 4916 { 4917 /* insert at the head of the list */ 4918 stream->next = list->data.next; 4919 if (stream->next != NULL) { 4920 stream->next->prev = stream; 4921 } 4922 list->data.next = stream; 4923 stream->prev = &(list->data); 4924 4925 return srtp_err_status_ok; 4926 } 4927 4928 srtp_stream_t srtp_stream_list_get(srtp_stream_list_t list, uint32_t ssrc) 4929 { 4930 /* walk down list until ssrc is found */ 4931 srtp_stream_t stream = list->data.next; 4932 while (stream != NULL) { 4933 if (stream->ssrc == ssrc) { 4934 return stream; 4935 } 4936 stream = stream->next; 4937 } 4938 4939 /* we haven't found our ssrc, so return a null */ 4940 return NULL; 4941 } 4942 4943 void srtp_stream_list_remove(srtp_stream_list_t list, 4944 srtp_stream_t stream_to_remove) 4945 { 4946 (void)list; 4947 4948 stream_to_remove->prev->next = stream_to_remove->next; 4949 if (stream_to_remove->next != NULL) { 4950 stream_to_remove->next->prev = stream_to_remove->prev; 4951 } 4952 } 4953 4954 void srtp_stream_list_for_each(srtp_stream_list_t list, 4955 int (*callback)(srtp_stream_t, void *), 4956 void *data) 4957 { 4958 srtp_stream_t stream = list->data.next; 4959 while (stream != NULL) { 4960 srtp_stream_t tmp = stream; 4961 stream = stream->next; 4962 if (callback(tmp, data)) 4963 break; 4964 } 4965 } 4966 4967 #endif