1 /*
2 * srtp.c
3 *
4 * the secure real-time transport protocol
5 *
6 * David A. McGrew
7 * Cisco Systems, Inc.
8 */
9 /*
10 *
11 * Copyright (c) 2001-2017, Cisco Systems, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 *
18 * Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 *
21 * Redistributions in binary form must reproduce the above
22 * copyright notice, this list of conditions and the following
23 * disclaimer in the documentation and/or other materials provided
24 * with the distribution.
25 *
26 * Neither the name of the Cisco Systems, Inc. nor the names of its
27 * contributors may be used to endorse or promote products derived
28 * from this software without specific prior written permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 *
43 */
44
45 // Leave this as the top level import. Ensures the existence of defines
46 #include "config.h"
47
48 #include "srtp_priv.h"
49 #include "crypto_types.h"
50 #include "err.h"
51 #include "ekt.h" /* for SRTP Encrypted Key Transport */
52 #include "alloc.h" /* for srtp_crypto_alloc() */
53
54 #ifdef GCM
55 #include "aes_gcm.h" /* for AES GCM mode */
56 #endif
57
58 #ifdef OPENSSL_KDF
59 #include <openssl/kdf.h>
60 #include "aes_icm_ext.h"
61 #endif
62
63 #include <limits.h>
64 #ifdef HAVE_NETINET_IN_H
65 #include <netinet/in.h>
66 #elif defined(HAVE_WINSOCK2_H)
67 #include <winsock2.h>
68 #endif
69
70 /* the debug module for srtp */
71 srtp_debug_module_t mod_srtp = {
72 0, /* debugging is off by default */
73 "srtp" /* printable name for module */
74 };
75
76 #define octets_in_rtp_header 12
77 #define uint32s_in_rtp_header 3
78 #define octets_in_rtcp_header 8
79 #define uint32s_in_rtcp_header 2
80 #define octets_in_rtp_extn_hdr 4
81
srtp_validate_rtp_header(void * rtp_hdr,int * pkt_octet_len)82 static srtp_err_status_t srtp_validate_rtp_header(void *rtp_hdr,
83 int *pkt_octet_len)
84 {
85 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
86 int rtp_header_len;
87
88 if (*pkt_octet_len < octets_in_rtp_header)
89 return srtp_err_status_bad_param;
90
91 /* Check RTP header length */
92 rtp_header_len = octets_in_rtp_header + 4 * hdr->cc;
93 if (hdr->x == 1)
94 rtp_header_len += octets_in_rtp_extn_hdr;
95
96 if (*pkt_octet_len < rtp_header_len)
97 return srtp_err_status_bad_param;
98
99 /* Verifing profile length. */
100 if (hdr->x == 1) {
101 srtp_hdr_xtnd_t *xtn_hdr =
102 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header +
103 hdr->cc);
104 int profile_len = ntohs(xtn_hdr->length);
105 rtp_header_len += profile_len * 4;
106 /* profile length counts the number of 32-bit words */
107 if (*pkt_octet_len < rtp_header_len)
108 return srtp_err_status_bad_param;
109 }
110 return srtp_err_status_ok;
111 }
112
srtp_get_version_string()113 const char *srtp_get_version_string()
114 {
115 /*
116 * Simply return the autotools generated string
117 */
118 return SRTP_VER_STRING;
119 }
120
srtp_get_version()121 unsigned int srtp_get_version()
122 {
123 unsigned int major = 0, minor = 0, micro = 0;
124 unsigned int rv = 0;
125 int parse_rv;
126
127 /*
128 * Parse the autotools generated version
129 */
130 parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, µ);
131 if (parse_rv != 3) {
132 /*
133 * We're expected to parse all 3 version levels.
134 * If not, then this must not be an official release.
135 * Return all zeros on the version
136 */
137 return (0);
138 }
139
140 /*
141 * We allow 8 bits for the major and minor, while
142 * allowing 16 bits for the micro. 16 bits for the micro
143 * may be beneficial for a continuous delivery model
144 * in the future.
145 */
146 rv |= (major & 0xFF) << 24;
147 rv |= (minor & 0xFF) << 16;
148 rv |= micro & 0xFF;
149 return rv;
150 }
151
srtp_stream_dealloc(srtp_stream_ctx_t * stream,const srtp_stream_ctx_t * stream_template)152 srtp_err_status_t srtp_stream_dealloc(srtp_stream_ctx_t *stream,
153 const srtp_stream_ctx_t *stream_template)
154 {
155 srtp_err_status_t status;
156 unsigned int i = 0;
157 srtp_session_keys_t *session_keys = NULL;
158 srtp_session_keys_t *template_session_keys = NULL;
159
160 /*
161 * we use a conservative deallocation strategy - if any deallocation
162 * fails, then we report that fact without trying to deallocate
163 * anything else
164 */
165 if (stream->session_keys) {
166 for (i = 0; i < stream->num_master_keys; i++) {
167 session_keys = &stream->session_keys[i];
168
169 if (stream_template &&
170 stream->num_master_keys == stream_template->num_master_keys) {
171 template_session_keys = &stream_template->session_keys[i];
172 } else {
173 template_session_keys = NULL;
174 }
175
176 /*
177 * deallocate cipher, if it is not the same as that in template
178 */
179 if (template_session_keys &&
180 session_keys->rtp_cipher == template_session_keys->rtp_cipher) {
181 /* do nothing */
182 } else if (session_keys->rtp_cipher) {
183 status = srtp_cipher_dealloc(session_keys->rtp_cipher);
184 if (status)
185 return status;
186 }
187
188 /*
189 * deallocate auth function, if it is not the same as that in
190 * template
191 */
192 if (template_session_keys &&
193 session_keys->rtp_auth == template_session_keys->rtp_auth) {
194 /* do nothing */
195 } else if (session_keys->rtp_auth) {
196 status = srtp_auth_dealloc(session_keys->rtp_auth);
197 if (status)
198 return status;
199 }
200
201 if (template_session_keys &&
202 session_keys->rtp_xtn_hdr_cipher ==
203 template_session_keys->rtp_xtn_hdr_cipher) {
204 /* do nothing */
205 } else if (session_keys->rtp_xtn_hdr_cipher) {
206 status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher);
207 if (status)
208 return status;
209 }
210
211 /*
212 * deallocate rtcp cipher, if it is not the same as that in
213 * template
214 */
215 if (template_session_keys &&
216 session_keys->rtcp_cipher ==
217 template_session_keys->rtcp_cipher) {
218 /* do nothing */
219 } else if (session_keys->rtcp_cipher) {
220 status = srtp_cipher_dealloc(session_keys->rtcp_cipher);
221 if (status)
222 return status;
223 }
224
225 /*
226 * deallocate rtcp auth function, if it is not the same as that in
227 * template
228 */
229 if (template_session_keys &&
230 session_keys->rtcp_auth == template_session_keys->rtcp_auth) {
231 /* do nothing */
232 } else if (session_keys->rtcp_auth) {
233 status = srtp_auth_dealloc(session_keys->rtcp_auth);
234 if (status)
235 return status;
236 }
237
238 /*
239 * zeroize the salt value
240 */
241 octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN);
242 octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN);
243
244 if (session_keys->mki_id) {
245 octet_string_set_to_zero(session_keys->mki_id,
246 session_keys->mki_size);
247 srtp_crypto_free(session_keys->mki_id);
248 session_keys->mki_id = NULL;
249 }
250
251 /*
252 * deallocate key usage limit, if it is not the same as that in
253 * template
254 */
255 if (template_session_keys &&
256 session_keys->limit == template_session_keys->limit) {
257 /* do nothing */
258 } else if (session_keys->limit) {
259 srtp_crypto_free(session_keys->limit);
260 }
261 }
262 srtp_crypto_free(stream->session_keys);
263 }
264
265 status = srtp_rdbx_dealloc(&stream->rtp_rdbx);
266 if (status)
267 return status;
268
269 /* DAM - need to deallocate EKT here */
270
271 if (stream_template &&
272 stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) {
273 /* do nothing */
274 } else if (stream->enc_xtn_hdr) {
275 srtp_crypto_free(stream->enc_xtn_hdr);
276 }
277
278 /* deallocate srtp stream context */
279 srtp_crypto_free(stream);
280
281 return srtp_err_status_ok;
282 }
283
srtp_stream_alloc(srtp_stream_ctx_t ** str_ptr,const srtp_policy_t * p)284 srtp_err_status_t srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
285 const srtp_policy_t *p)
286 {
287 srtp_stream_ctx_t *str;
288 srtp_err_status_t stat;
289 unsigned int i = 0;
290 srtp_session_keys_t *session_keys = NULL;
291
292 /*
293 * This function allocates the stream context, rtp and rtcp ciphers
294 * and auth functions, and key limit structure. If there is a
295 * failure during allocation, we free all previously allocated
296 * memory and return a failure code. The code could probably
297 * be improved, but it works and should be clear.
298 */
299
300 /* allocate srtp stream and set str_ptr */
301 str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t));
302 if (str == NULL)
303 return srtp_err_status_alloc_fail;
304
305 *str_ptr = str;
306
307 /*
308 *To keep backwards API compatible if someone is using multiple master
309 * keys then key should be set to NULL
310 */
311 if (p->key != NULL) {
312 str->num_master_keys = 1;
313 } else {
314 str->num_master_keys = p->num_master_keys;
315 }
316
317 str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc(
318 sizeof(srtp_session_keys_t) * str->num_master_keys);
319
320 if (str->session_keys == NULL) {
321 srtp_stream_dealloc(str, NULL);
322 return srtp_err_status_alloc_fail;
323 }
324
325 for (i = 0; i < str->num_master_keys; i++) {
326 session_keys = &str->session_keys[i];
327
328 /* allocate cipher */
329 stat = srtp_crypto_kernel_alloc_cipher(
330 p->rtp.cipher_type, &session_keys->rtp_cipher,
331 p->rtp.cipher_key_len, p->rtp.auth_tag_len);
332 if (stat) {
333 srtp_stream_dealloc(str, NULL);
334 return stat;
335 }
336
337 /* allocate auth function */
338 stat = srtp_crypto_kernel_alloc_auth(
339 p->rtp.auth_type, &session_keys->rtp_auth, p->rtp.auth_key_len,
340 p->rtp.auth_tag_len);
341 if (stat) {
342 srtp_stream_dealloc(str, NULL);
343 return stat;
344 }
345
346 /*
347 * ...and now the RTCP-specific initialization - first, allocate
348 * the cipher
349 */
350 stat = srtp_crypto_kernel_alloc_cipher(
351 p->rtcp.cipher_type, &session_keys->rtcp_cipher,
352 p->rtcp.cipher_key_len, p->rtcp.auth_tag_len);
353 if (stat) {
354 srtp_stream_dealloc(str, NULL);
355 return stat;
356 }
357
358 /* allocate auth function */
359 stat = srtp_crypto_kernel_alloc_auth(
360 p->rtcp.auth_type, &session_keys->rtcp_auth, p->rtcp.auth_key_len,
361 p->rtcp.auth_tag_len);
362 if (stat) {
363 srtp_stream_dealloc(str, NULL);
364 return stat;
365 }
366
367 session_keys->mki_id = NULL;
368
369 /* allocate key limit structure */
370 session_keys->limit = (srtp_key_limit_ctx_t *)srtp_crypto_alloc(
371 sizeof(srtp_key_limit_ctx_t));
372 if (session_keys->limit == NULL) {
373 srtp_stream_dealloc(str, NULL);
374 return srtp_err_status_alloc_fail;
375 }
376 }
377
378 /* allocate ekt data associated with stream */
379 stat = srtp_ekt_alloc(&str->ekt, p->ekt);
380 if (stat) {
381 srtp_stream_dealloc(str, NULL);
382 return stat;
383 }
384
385 if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) {
386 srtp_cipher_type_id_t enc_xtn_hdr_cipher_type;
387 int enc_xtn_hdr_cipher_key_len;
388
389 str->enc_xtn_hdr = (int *)srtp_crypto_alloc(p->enc_xtn_hdr_count *
390 sizeof(p->enc_xtn_hdr[0]));
391 if (!str->enc_xtn_hdr) {
392 srtp_stream_dealloc(str, NULL);
393 return srtp_err_status_alloc_fail;
394 }
395 memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr,
396 p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0]));
397 str->enc_xtn_hdr_count = p->enc_xtn_hdr_count;
398
399 /*
400 * For GCM ciphers, the corresponding ICM cipher is used for header
401 * extensions encryption.
402 */
403 switch (p->rtp.cipher_type) {
404 case SRTP_AES_GCM_128:
405 enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128;
406 enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT;
407 break;
408 case SRTP_AES_GCM_256:
409 enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256;
410 enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
411 break;
412 default:
413 enc_xtn_hdr_cipher_type = p->rtp.cipher_type;
414 enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len;
415 break;
416 }
417
418 for (i = 0; i < str->num_master_keys; i++) {
419 session_keys = &str->session_keys[i];
420
421 /* allocate cipher for extensions header encryption */
422 stat = srtp_crypto_kernel_alloc_cipher(
423 enc_xtn_hdr_cipher_type, &session_keys->rtp_xtn_hdr_cipher,
424 enc_xtn_hdr_cipher_key_len, 0);
425 if (stat) {
426 srtp_stream_dealloc(str, NULL);
427 return stat;
428 }
429 }
430 } else {
431 for (i = 0; i < str->num_master_keys; i++) {
432 session_keys = &str->session_keys[i];
433 session_keys->rtp_xtn_hdr_cipher = NULL;
434 }
435
436 str->enc_xtn_hdr = NULL;
437 str->enc_xtn_hdr_count = 0;
438 }
439
440 return srtp_err_status_ok;
441 }
442
443 /*
444 * srtp_stream_clone(stream_template, new) allocates a new stream and
445 * initializes it using the cipher and auth of the stream_template
446 *
447 * the only unique data in a cloned stream is the replay database and
448 * the SSRC
449 */
450
srtp_stream_clone(const srtp_stream_ctx_t * stream_template,uint32_t ssrc,srtp_stream_ctx_t ** str_ptr)451 srtp_err_status_t srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
452 uint32_t ssrc,
453 srtp_stream_ctx_t **str_ptr)
454 {
455 srtp_err_status_t status;
456 srtp_stream_ctx_t *str;
457 unsigned int i = 0;
458 srtp_session_keys_t *session_keys = NULL;
459 const srtp_session_keys_t *template_session_keys = NULL;
460
461 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc));
462
463 /* allocate srtp stream and set str_ptr */
464 str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t));
465 if (str == NULL)
466 return srtp_err_status_alloc_fail;
467 *str_ptr = str;
468
469 str->num_master_keys = stream_template->num_master_keys;
470 str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc(
471 sizeof(srtp_session_keys_t) * str->num_master_keys);
472
473 if (str->session_keys == NULL) {
474 srtp_stream_dealloc(*str_ptr, stream_template);
475 *str_ptr = NULL;
476 return srtp_err_status_alloc_fail;
477 }
478
479 for (i = 0; i < stream_template->num_master_keys; i++) {
480 session_keys = &str->session_keys[i];
481 template_session_keys = &stream_template->session_keys[i];
482
483 /* set cipher and auth pointers to those of the template */
484 session_keys->rtp_cipher = template_session_keys->rtp_cipher;
485 session_keys->rtp_auth = template_session_keys->rtp_auth;
486 session_keys->rtp_xtn_hdr_cipher =
487 template_session_keys->rtp_xtn_hdr_cipher;
488 session_keys->rtcp_cipher = template_session_keys->rtcp_cipher;
489 session_keys->rtcp_auth = template_session_keys->rtcp_auth;
490 session_keys->mki_size = template_session_keys->mki_size;
491
492 if (template_session_keys->mki_size == 0) {
493 session_keys->mki_id = NULL;
494 } else {
495 session_keys->mki_id =
496 srtp_crypto_alloc(template_session_keys->mki_size);
497
498 if (session_keys->mki_id == NULL) {
499 srtp_stream_dealloc(*str_ptr, stream_template);
500 *str_ptr = NULL;
501 return srtp_err_status_init_fail;
502 }
503 memcpy(session_keys->mki_id, template_session_keys->mki_id,
504 session_keys->mki_size);
505 }
506 /* Copy the salt values */
507 memcpy(session_keys->salt, template_session_keys->salt,
508 SRTP_AEAD_SALT_LEN);
509 memcpy(session_keys->c_salt, template_session_keys->c_salt,
510 SRTP_AEAD_SALT_LEN);
511
512 /* set key limit to point to that of the template */
513 status = srtp_key_limit_clone(template_session_keys->limit,
514 &session_keys->limit);
515 if (status) {
516 srtp_stream_dealloc(*str_ptr, stream_template);
517 *str_ptr = NULL;
518 return status;
519 }
520 }
521
522 /* initialize replay databases */
523 status = srtp_rdbx_init(
524 &str->rtp_rdbx, srtp_rdbx_get_window_size(&stream_template->rtp_rdbx));
525 if (status) {
526 srtp_stream_dealloc(*str_ptr, stream_template);
527 *str_ptr = NULL;
528 return status;
529 }
530 srtp_rdb_init(&str->rtcp_rdb);
531 str->allow_repeat_tx = stream_template->allow_repeat_tx;
532
533 /* set ssrc to that provided */
534 str->ssrc = ssrc;
535
536 /* reset pending ROC */
537 str->pending_roc = 0;
538
539 /* set direction and security services */
540 str->direction = stream_template->direction;
541 str->rtp_services = stream_template->rtp_services;
542 str->rtcp_services = stream_template->rtcp_services;
543
544 /* set pointer to EKT data associated with stream */
545 str->ekt = stream_template->ekt;
546
547 /* copy information about extensions header encryption */
548 str->enc_xtn_hdr = stream_template->enc_xtn_hdr;
549 str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count;
550
551 /* defensive coding */
552 str->next = NULL;
553 return srtp_err_status_ok;
554 }
555
556 /*
557 * key derivation functions, internal to libSRTP
558 *
559 * srtp_kdf_t is a key derivation context
560 *
561 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher
562 * described by cipher_id, with the master key k with length in octets keylen.
563 *
564 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
565 * corresponding to label l and puts it into kl; the length
566 * of the key in octets is provided as keylen. this function
567 * should be called once for each subkey that is derived.
568 *
569 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state
570 */
571
572 typedef enum {
573 label_rtp_encryption = 0x00,
574 label_rtp_msg_auth = 0x01,
575 label_rtp_salt = 0x02,
576 label_rtcp_encryption = 0x03,
577 label_rtcp_msg_auth = 0x04,
578 label_rtcp_salt = 0x05,
579 label_rtp_header_encryption = 0x06,
580 label_rtp_header_salt = 0x07
581 } srtp_prf_label;
582
583 #define MAX_SRTP_KEY_LEN 256
584
585 #if defined(OPENSSL) && defined(OPENSSL_KDF)
586 #define MAX_SRTP_AESKEY_LEN 32
587 #define MAX_SRTP_SALT_LEN 14
588
589 /*
590 * srtp_kdf_t represents a key derivation function. The SRTP
591 * default KDF is the only one implemented at present.
592 */
593 typedef struct {
594 uint8_t master_key[MAX_SRTP_AESKEY_LEN];
595 uint8_t master_salt[MAX_SRTP_SALT_LEN];
596 const EVP_CIPHER *evp;
597 } srtp_kdf_t;
598
srtp_kdf_init(srtp_kdf_t * kdf,const uint8_t * key,int key_len,int salt_len)599 static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf,
600 const uint8_t *key,
601 int key_len,
602 int salt_len)
603 {
604 memset(kdf, 0x0, sizeof(srtp_kdf_t));
605
606 /* The NULL cipher has zero key length */
607 if (key_len == 0)
608 return srtp_err_status_ok;
609
610 if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) {
611 return srtp_err_status_bad_param;
612 }
613 switch (key_len) {
614 case SRTP_AES_256_KEYSIZE:
615 kdf->evp = EVP_aes_256_ctr();
616 break;
617 case SRTP_AES_192_KEYSIZE:
618 kdf->evp = EVP_aes_192_ctr();
619 break;
620 case SRTP_AES_128_KEYSIZE:
621 kdf->evp = EVP_aes_128_ctr();
622 break;
623 default:
624 return srtp_err_status_bad_param;
625 break;
626 }
627 memcpy(kdf->master_key, key, key_len);
628 memcpy(kdf->master_salt, key + key_len, salt_len);
629 return srtp_err_status_ok;
630 }
631
srtp_kdf_generate(srtp_kdf_t * kdf,srtp_prf_label label,uint8_t * key,unsigned int length)632 static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf,
633 srtp_prf_label label,
634 uint8_t *key,
635 unsigned int length)
636 {
637 int ret;
638
639 /* The NULL cipher will not have an EVP */
640 if (!kdf->evp)
641 return srtp_err_status_ok;
642 octet_string_set_to_zero(key, length);
643
644 /*
645 * Invoke the OpenSSL SRTP KDF function
646 * This is useful if OpenSSL is in FIPS mode and FIP
647 * compliance is required for SRTP.
648 */
649 ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key,
650 (char *)&kdf->master_salt, NULL, NULL, label, (char *)key);
651 if (ret == -1) {
652 return (srtp_err_status_algo_fail);
653 }
654
655 return srtp_err_status_ok;
656 }
657
srtp_kdf_clear(srtp_kdf_t * kdf)658 static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf)
659 {
660 octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN);
661 octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN);
662 kdf->evp = NULL;
663
664 return srtp_err_status_ok;
665 }
666
667 #else /* if OPENSSL_KDF */
668
669 /*
670 * srtp_kdf_t represents a key derivation function. The SRTP
671 * default KDF is the only one implemented at present.
672 */
673 typedef struct {
674 srtp_cipher_t *cipher; /* cipher used for key derivation */
675 } srtp_kdf_t;
676
srtp_kdf_init(srtp_kdf_t * kdf,const uint8_t * key,int key_len)677 static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf,
678 const uint8_t *key,
679 int key_len)
680 {
681 srtp_cipher_type_id_t cipher_id;
682 srtp_err_status_t stat;
683
684 switch (key_len) {
685 case SRTP_AES_ICM_256_KEY_LEN_WSALT:
686 cipher_id = SRTP_AES_ICM_256;
687 break;
688 case SRTP_AES_ICM_192_KEY_LEN_WSALT:
689 cipher_id = SRTP_AES_ICM_192;
690 break;
691 case SRTP_AES_ICM_128_KEY_LEN_WSALT:
692 cipher_id = SRTP_AES_ICM_128;
693 break;
694 default:
695 return srtp_err_status_bad_param;
696 break;
697 }
698
699 stat = srtp_crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, key_len, 0);
700 if (stat)
701 return stat;
702
703 stat = srtp_cipher_init(kdf->cipher, key);
704 if (stat) {
705 srtp_cipher_dealloc(kdf->cipher);
706 return stat;
707 }
708 return srtp_err_status_ok;
709 }
710
srtp_kdf_generate(srtp_kdf_t * kdf,srtp_prf_label label,uint8_t * key,unsigned int length)711 static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf,
712 srtp_prf_label label,
713 uint8_t *key,
714 unsigned int length)
715 {
716 srtp_err_status_t status;
717 v128_t nonce;
718
719 /* set eigth octet of nonce to <label>, set the rest of it to zero */
720 v128_set_to_zero(&nonce);
721 nonce.v8[7] = label;
722
723 status = srtp_cipher_set_iv(kdf->cipher, (uint8_t *)&nonce,
724 srtp_direction_encrypt);
725 if (status)
726 return status;
727
728 /* generate keystream output */
729 octet_string_set_to_zero(key, length);
730 status = srtp_cipher_encrypt(kdf->cipher, key, &length);
731 if (status)
732 return status;
733
734 return srtp_err_status_ok;
735 }
736
srtp_kdf_clear(srtp_kdf_t * kdf)737 static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf)
738 {
739 srtp_err_status_t status;
740 status = srtp_cipher_dealloc(kdf->cipher);
741 if (status)
742 return status;
743 kdf->cipher = NULL;
744 return srtp_err_status_ok;
745 }
746 #endif /* else OPENSSL_KDF */
747
748 /*
749 * end of key derivation functions
750 */
751
752 /* Get the base key length corresponding to a given combined key+salt
753 * length for the given cipher.
754 * TODO: key and salt lengths should be separate fields in the policy. */
base_key_length(const srtp_cipher_type_t * cipher,int key_length)755 static inline int base_key_length(const srtp_cipher_type_t *cipher,
756 int key_length)
757 {
758 switch (cipher->id) {
759 case SRTP_AES_ICM_128:
760 case SRTP_AES_ICM_192:
761 case SRTP_AES_ICM_256:
762 /* The legacy modes are derived from
763 * the configured key length on the policy */
764 return key_length - SRTP_SALT_LEN;
765 break;
766 case SRTP_AES_GCM_128:
767 return key_length - SRTP_AEAD_SALT_LEN;
768 break;
769 case SRTP_AES_GCM_256:
770 return key_length - SRTP_AEAD_SALT_LEN;
771 break;
772 default:
773 return key_length;
774 break;
775 }
776 }
777
srtp_validate_policy_master_keys(const srtp_policy_t * policy)778 unsigned int srtp_validate_policy_master_keys(const srtp_policy_t *policy)
779 {
780 unsigned long i = 0;
781
782 if (policy->key == NULL) {
783 if (policy->num_master_keys <= 0)
784 return 0;
785
786 if (policy->num_master_keys > SRTP_MAX_NUM_MASTER_KEYS)
787 return 0;
788
789 for (i = 0; i < policy->num_master_keys; i++) {
790 if (policy->keys[i]->key == NULL)
791 return 0;
792 if (policy->keys[i]->mki_size > SRTP_MAX_MKI_LEN)
793 return 0;
794 }
795 }
796
797 return 1;
798 }
799
srtp_get_session_keys_with_mki_index(srtp_stream_ctx_t * stream,unsigned int use_mki,unsigned int mki_index)800 srtp_session_keys_t *srtp_get_session_keys_with_mki_index(
801 srtp_stream_ctx_t *stream,
802 unsigned int use_mki,
803 unsigned int mki_index)
804 {
805 if (use_mki) {
806 if (mki_index >= stream->num_master_keys) {
807 return NULL;
808 }
809 return &stream->session_keys[mki_index];
810 }
811
812 return &stream->session_keys[0];
813 }
814
srtp_inject_mki(uint8_t * mki_tag_location,srtp_session_keys_t * session_keys,unsigned int use_mki)815 unsigned int srtp_inject_mki(uint8_t *mki_tag_location,
816 srtp_session_keys_t *session_keys,
817 unsigned int use_mki)
818 {
819 unsigned int mki_size = 0;
820
821 if (use_mki) {
822 mki_size = session_keys->mki_size;
823
824 if (mki_size != 0) {
825 // Write MKI into memory
826 memcpy(mki_tag_location, session_keys->mki_id, mki_size);
827 }
828 }
829
830 return mki_size;
831 }
832
srtp_stream_init_all_master_keys(srtp_stream_ctx_t * srtp,unsigned char * key,srtp_master_key_t ** keys,const unsigned int max_master_keys)833 srtp_err_status_t srtp_stream_init_all_master_keys(
834 srtp_stream_ctx_t *srtp,
835 unsigned char *key,
836 srtp_master_key_t **keys,
837 const unsigned int max_master_keys)
838 {
839 unsigned int i = 0;
840 srtp_err_status_t status = srtp_err_status_ok;
841 srtp_master_key_t single_master_key;
842
843 if (key != NULL) {
844 srtp->num_master_keys = 1;
845 single_master_key.key = key;
846 single_master_key.mki_id = NULL;
847 single_master_key.mki_size = 0;
848 status = srtp_stream_init_keys(srtp, &single_master_key, 0);
849 } else {
850 srtp->num_master_keys = max_master_keys;
851
852 for (i = 0; i < srtp->num_master_keys && i < SRTP_MAX_NUM_MASTER_KEYS;
853 i++) {
854 status = srtp_stream_init_keys(srtp, keys[i], i);
855
856 if (status) {
857 return status;
858 }
859 }
860 }
861
862 return status;
863 }
864
srtp_stream_init_keys(srtp_stream_ctx_t * srtp,srtp_master_key_t * master_key,const unsigned int current_mki_index)865 srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp,
866 srtp_master_key_t *master_key,
867 const unsigned int current_mki_index)
868 {
869 srtp_err_status_t stat;
870 srtp_kdf_t kdf;
871 uint8_t tmp_key[MAX_SRTP_KEY_LEN];
872 int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
873 int rtp_base_key_len, rtp_salt_len;
874 int rtcp_base_key_len, rtcp_salt_len;
875 srtp_session_keys_t *session_keys = NULL;
876 unsigned char *key = master_key->key;
877
878 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
879 /* TODO: kdf algorithm, master key length, and master salt length should
880 * be part of srtp_policy_t.
881 */
882 session_keys = &srtp->session_keys[current_mki_index];
883
884 /* initialize key limit to maximum value */
885 #ifdef NO_64BIT_MATH
886 {
887 uint64_t temp;
888 temp = make64(UINT_MAX, UINT_MAX);
889 srtp_key_limit_set(session_keys->limit, temp);
890 }
891 #else
892 srtp_key_limit_set(session_keys->limit, 0xffffffffffffLL);
893 #endif
894
895 if (master_key->mki_size != 0) {
896 session_keys->mki_id = srtp_crypto_alloc(master_key->mki_size);
897
898 if (session_keys->mki_id == NULL) {
899 return srtp_err_status_init_fail;
900 }
901 memcpy(session_keys->mki_id, master_key->mki_id, master_key->mki_size);
902 } else {
903 session_keys->mki_id = NULL;
904 }
905
906 session_keys->mki_size = master_key->mki_size;
907
908 rtp_keylen = srtp_cipher_get_key_length(session_keys->rtp_cipher);
909 rtcp_keylen = srtp_cipher_get_key_length(session_keys->rtcp_cipher);
910 rtp_base_key_len =
911 base_key_length(session_keys->rtp_cipher->type, rtp_keylen);
912 rtp_salt_len = rtp_keylen - rtp_base_key_len;
913
914 if (rtp_keylen > kdf_keylen) {
915 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
916 }
917
918 if (rtcp_keylen > kdf_keylen) {
919 kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
920 }
921
922 debug_print(mod_srtp, "srtp key len: %d", rtp_keylen);
923 debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen);
924 debug_print(mod_srtp, "base key len: %d", rtp_base_key_len);
925 debug_print(mod_srtp, "kdf key len: %d", kdf_keylen);
926 debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len);
927
928 /*
929 * Make sure the key given to us is 'zero' appended. GCM
930 * mode uses a shorter master SALT (96 bits), but still relies on
931 * the legacy CTR mode KDF, which uses a 112 bit master SALT.
932 */
933 memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN);
934 memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len));
935
936 /* initialize KDF state */
937 #if defined(OPENSSL) && defined(OPENSSL_KDF)
938 stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, rtp_base_key_len,
939 rtp_salt_len);
940 #else
941 stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, kdf_keylen);
942 #endif
943 if (stat) {
944 /* zeroize temp buffer */
945 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
946 return srtp_err_status_init_fail;
947 }
948
949 /* generate encryption key */
950 stat = srtp_kdf_generate(&kdf, label_rtp_encryption, tmp_key,
951 rtp_base_key_len);
952 if (stat) {
953 /* zeroize temp buffer */
954 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
955 return srtp_err_status_init_fail;
956 }
957 debug_print(mod_srtp, "cipher key: %s",
958 srtp_octet_string_hex_string(tmp_key, rtp_base_key_len));
959
960 /*
961 * if the cipher in the srtp context uses a salt, then we need
962 * to generate the salt value
963 */
964 if (rtp_salt_len > 0) {
965 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
966
967 /* generate encryption salt, put after encryption key */
968 stat = srtp_kdf_generate(&kdf, label_rtp_salt,
969 tmp_key + rtp_base_key_len, rtp_salt_len);
970 if (stat) {
971 /* zeroize temp buffer */
972 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
973 return srtp_err_status_init_fail;
974 }
975 memcpy(session_keys->salt, tmp_key + rtp_base_key_len,
976 SRTP_AEAD_SALT_LEN);
977 }
978 if (rtp_salt_len > 0) {
979 debug_print(mod_srtp, "cipher salt: %s",
980 srtp_octet_string_hex_string(tmp_key + rtp_base_key_len,
981 rtp_salt_len));
982 }
983
984 /* initialize cipher */
985 stat = srtp_cipher_init(session_keys->rtp_cipher, tmp_key);
986 if (stat) {
987 /* zeroize temp buffer */
988 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
989 return srtp_err_status_init_fail;
990 }
991
992 if (session_keys->rtp_xtn_hdr_cipher) {
993 /* generate extensions header encryption key */
994 int rtp_xtn_hdr_keylen;
995 int rtp_xtn_hdr_base_key_len;
996 int rtp_xtn_hdr_salt_len;
997 srtp_kdf_t tmp_kdf;
998 srtp_kdf_t *xtn_hdr_kdf;
999
1000 if (session_keys->rtp_xtn_hdr_cipher->type !=
1001 session_keys->rtp_cipher->type) {
1002 /*
1003 * With GCM ciphers, the header extensions are still encrypted using
1004 * the corresponding ICM cipher.
1005 * See https://tools.ietf.org/html/rfc7714#section-8.3
1006 */
1007 uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN];
1008 rtp_xtn_hdr_keylen =
1009 srtp_cipher_get_key_length(session_keys->rtp_xtn_hdr_cipher);
1010 rtp_xtn_hdr_base_key_len = base_key_length(
1011 session_keys->rtp_xtn_hdr_cipher->type, rtp_xtn_hdr_keylen);
1012 rtp_xtn_hdr_salt_len =
1013 rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len;
1014 if (rtp_xtn_hdr_salt_len > rtp_salt_len) {
1015 switch (session_keys->rtp_cipher->type->id) {
1016 case SRTP_AES_GCM_128:
1017 case SRTP_AES_GCM_256:
1018 /*
1019 * The shorter GCM salt is padded to the required ICM salt
1020 * length.
1021 */
1022 rtp_xtn_hdr_salt_len = rtp_salt_len;
1023 break;
1024 default:
1025 /* zeroize temp buffer */
1026 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1027 return srtp_err_status_bad_param;
1028 }
1029 }
1030 memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN);
1031 memcpy(tmp_xtn_hdr_key, key,
1032 (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_len));
1033 xtn_hdr_kdf = &tmp_kdf;
1034
1035 /* initialize KDF state */
1036 #if defined(OPENSSL) && defined(OPENSSL_KDF)
1037 stat =
1038 srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key,
1039 rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len);
1040 #else
1041 stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key,
1042 kdf_keylen);
1043 #endif
1044 octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN);
1045 if (stat) {
1046 /* zeroize temp buffer */
1047 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1048 return srtp_err_status_init_fail;
1049 }
1050 } else {
1051 /* Reuse main KDF. */
1052 rtp_xtn_hdr_keylen = rtp_keylen;
1053 rtp_xtn_hdr_base_key_len = rtp_base_key_len;
1054 rtp_xtn_hdr_salt_len = rtp_salt_len;
1055 xtn_hdr_kdf = &kdf;
1056 }
1057
1058 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption,
1059 tmp_key, rtp_xtn_hdr_base_key_len);
1060 if (stat) {
1061 /* zeroize temp buffer */
1062 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1063 return srtp_err_status_init_fail;
1064 }
1065 debug_print(
1066 mod_srtp, "extensions cipher key: %s",
1067 srtp_octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len));
1068
1069 /*
1070 * if the cipher in the srtp context uses a salt, then we need
1071 * to generate the salt value
1072 */
1073 if (rtp_xtn_hdr_salt_len > 0) {
1074 debug_print(mod_srtp,
1075 "found rtp_xtn_hdr_salt_len > 0, generating salt",
1076 NULL);
1077
1078 /* generate encryption salt, put after encryption key */
1079 stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt,
1080 tmp_key + rtp_xtn_hdr_base_key_len,
1081 rtp_xtn_hdr_salt_len);
1082 if (stat) {
1083 /* zeroize temp buffer */
1084 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1085 return srtp_err_status_init_fail;
1086 }
1087 }
1088 if (rtp_xtn_hdr_salt_len > 0) {
1089 debug_print(
1090 mod_srtp, "extensions cipher salt: %s",
1091 srtp_octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len,
1092 rtp_xtn_hdr_salt_len));
1093 }
1094
1095 /* initialize extensions header cipher */
1096 stat = srtp_cipher_init(session_keys->rtp_xtn_hdr_cipher, tmp_key);
1097 if (stat) {
1098 /* zeroize temp buffer */
1099 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1100 return srtp_err_status_init_fail;
1101 }
1102
1103 if (xtn_hdr_kdf != &kdf) {
1104 /* release memory for custom header extension encryption kdf */
1105 stat = srtp_kdf_clear(xtn_hdr_kdf);
1106 if (stat) {
1107 /* zeroize temp buffer */
1108 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1109 return srtp_err_status_init_fail;
1110 }
1111 }
1112 }
1113
1114 /* generate authentication key */
1115 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, tmp_key,
1116 srtp_auth_get_key_length(session_keys->rtp_auth));
1117 if (stat) {
1118 /* zeroize temp buffer */
1119 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1120 return srtp_err_status_init_fail;
1121 }
1122 debug_print(mod_srtp, "auth key: %s",
1123 srtp_octet_string_hex_string(
1124 tmp_key, srtp_auth_get_key_length(session_keys->rtp_auth)));
1125
1126 /* initialize auth function */
1127 stat = srtp_auth_init(session_keys->rtp_auth, tmp_key);
1128 if (stat) {
1129 /* zeroize temp buffer */
1130 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1131 return srtp_err_status_init_fail;
1132 }
1133
1134 /*
1135 * ...now initialize SRTCP keys
1136 */
1137
1138 rtcp_base_key_len =
1139 base_key_length(session_keys->rtcp_cipher->type, rtcp_keylen);
1140 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
1141 debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len);
1142
1143 /* generate encryption key */
1144 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, tmp_key,
1145 rtcp_base_key_len);
1146 if (stat) {
1147 /* zeroize temp buffer */
1148 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1149 return srtp_err_status_init_fail;
1150 }
1151
1152 /*
1153 * if the cipher in the srtp context uses a salt, then we need
1154 * to generate the salt value
1155 */
1156 if (rtcp_salt_len > 0) {
1157 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
1158 NULL);
1159
1160 /* generate encryption salt, put after encryption key */
1161 stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
1162 tmp_key + rtcp_base_key_len, rtcp_salt_len);
1163 if (stat) {
1164 /* zeroize temp buffer */
1165 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1166 return srtp_err_status_init_fail;
1167 }
1168 memcpy(session_keys->c_salt, tmp_key + rtcp_base_key_len,
1169 SRTP_AEAD_SALT_LEN);
1170 }
1171 debug_print(mod_srtp, "rtcp cipher key: %s",
1172 srtp_octet_string_hex_string(tmp_key, rtcp_base_key_len));
1173 if (rtcp_salt_len > 0) {
1174 debug_print(mod_srtp, "rtcp cipher salt: %s",
1175 srtp_octet_string_hex_string(tmp_key + rtcp_base_key_len,
1176 rtcp_salt_len));
1177 }
1178
1179 /* initialize cipher */
1180 stat = srtp_cipher_init(session_keys->rtcp_cipher, tmp_key);
1181 if (stat) {
1182 /* zeroize temp buffer */
1183 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1184 return srtp_err_status_init_fail;
1185 }
1186
1187 /* generate authentication key */
1188 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, tmp_key,
1189 srtp_auth_get_key_length(session_keys->rtcp_auth));
1190 if (stat) {
1191 /* zeroize temp buffer */
1192 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1193 return srtp_err_status_init_fail;
1194 }
1195
1196 debug_print(
1197 mod_srtp, "rtcp auth key: %s",
1198 srtp_octet_string_hex_string(
1199 tmp_key, srtp_auth_get_key_length(session_keys->rtcp_auth)));
1200
1201 /* initialize auth function */
1202 stat = srtp_auth_init(session_keys->rtcp_auth, tmp_key);
1203 if (stat) {
1204 /* zeroize temp buffer */
1205 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1206 return srtp_err_status_init_fail;
1207 }
1208
1209 /* clear memory then return */
1210 stat = srtp_kdf_clear(&kdf);
1211 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1212 if (stat)
1213 return srtp_err_status_init_fail;
1214
1215 return srtp_err_status_ok;
1216 }
1217
srtp_stream_init(srtp_stream_ctx_t * srtp,const srtp_policy_t * p)1218 srtp_err_status_t srtp_stream_init(srtp_stream_ctx_t *srtp,
1219 const srtp_policy_t *p)
1220 {
1221 srtp_err_status_t err;
1222
1223 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", p->ssrc.value);
1224
1225 /* initialize replay database */
1226 /*
1227 * window size MUST be at least 64. MAY be larger. Values more than
1228 * 2^15 aren't meaningful due to how extended sequence numbers are
1229 * calculated.
1230 * Let a window size of 0 imply the default value.
1231 */
1232
1233 if (p->window_size != 0 &&
1234 (p->window_size < 64 || p->window_size >= 0x8000))
1235 return srtp_err_status_bad_param;
1236
1237 if (p->window_size != 0)
1238 err = srtp_rdbx_init(&srtp->rtp_rdbx, p->window_size);
1239 else
1240 err = srtp_rdbx_init(&srtp->rtp_rdbx, 128);
1241 if (err)
1242 return err;
1243
1244 /* set the SSRC value */
1245 srtp->ssrc = htonl(p->ssrc.value);
1246
1247 /* reset pending ROC */
1248 srtp->pending_roc = 0;
1249
1250 /* set the security service flags */
1251 srtp->rtp_services = p->rtp.sec_serv;
1252 srtp->rtcp_services = p->rtcp.sec_serv;
1253
1254 /*
1255 * set direction to unknown - this flag gets checked in srtp_protect(),
1256 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
1257 * gets set appropriately if it is set to unknown.
1258 */
1259 srtp->direction = dir_unknown;
1260
1261 /* initialize SRTCP replay database */
1262 srtp_rdb_init(&srtp->rtcp_rdb);
1263
1264 /* initialize allow_repeat_tx */
1265 /* guard against uninitialized memory: allow only 0 or 1 here */
1266 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) {
1267 srtp_rdbx_dealloc(&srtp->rtp_rdbx);
1268 return srtp_err_status_bad_param;
1269 }
1270 srtp->allow_repeat_tx = p->allow_repeat_tx;
1271
1272 /* DAM - no RTCP key limit at present */
1273
1274 /* initialize keys */
1275 err = srtp_stream_init_all_master_keys(srtp, p->key, p->keys,
1276 p->num_master_keys);
1277 if (err) {
1278 srtp_rdbx_dealloc(&srtp->rtp_rdbx);
1279 return err;
1280 }
1281
1282 /*
1283 * if EKT is in use, then initialize the EKT data associated with
1284 * the stream
1285 */
1286 err = srtp_ekt_stream_init_from_policy(srtp->ekt, p->ekt);
1287 if (err) {
1288 srtp_rdbx_dealloc(&srtp->rtp_rdbx);
1289 return err;
1290 }
1291
1292 return srtp_err_status_ok;
1293 }
1294
1295 /*
1296 * srtp_event_reporter is an event handler function that merely
1297 * reports the events that are reported by the callbacks
1298 */
1299
srtp_event_reporter(srtp_event_data_t * data)1300 void srtp_event_reporter(srtp_event_data_t *data)
1301 {
1302 srtp_err_report(srtp_err_level_warning, "srtp: in stream 0x%x: ",
1303 data->ssrc);
1304
1305 switch (data->event) {
1306 case event_ssrc_collision:
1307 srtp_err_report(srtp_err_level_warning, "\tSSRC collision\n");
1308 break;
1309 case event_key_soft_limit:
1310 srtp_err_report(srtp_err_level_warning,
1311 "\tkey usage soft limit reached\n");
1312 break;
1313 case event_key_hard_limit:
1314 srtp_err_report(srtp_err_level_warning,
1315 "\tkey usage hard limit reached\n");
1316 break;
1317 case event_packet_index_limit:
1318 srtp_err_report(srtp_err_level_warning,
1319 "\tpacket index limit reached\n");
1320 break;
1321 default:
1322 srtp_err_report(srtp_err_level_warning,
1323 "\tunknown event reported to handler\n");
1324 }
1325 }
1326
1327 /*
1328 * srtp_event_handler is a global variable holding a pointer to the
1329 * event handler function; this function is called for any unexpected
1330 * event that needs to be handled out of the SRTP data path. see
1331 * srtp_event_t in srtp.h for more info
1332 *
1333 * it is okay to set srtp_event_handler to NULL, but we set
1334 * it to the srtp_event_reporter.
1335 */
1336
1337 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
1338
srtp_install_event_handler(srtp_event_handler_func_t func)1339 srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func)
1340 {
1341 /*
1342 * note that we accept NULL arguments intentionally - calling this
1343 * function with a NULL arguments removes an event handler that's
1344 * been previously installed
1345 */
1346
1347 /* set global event handling function */
1348 srtp_event_handler = func;
1349 return srtp_err_status_ok;
1350 }
1351
1352 /*
1353 * Check if the given extension header id is / should be encrypted.
1354 * Returns 1 if yes, otherwise 0.
1355 */
srtp_protect_extension_header(srtp_stream_ctx_t * stream,int id)1356 static int srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id)
1357 {
1358 int *enc_xtn_hdr = stream->enc_xtn_hdr;
1359 int count = stream->enc_xtn_hdr_count;
1360
1361 if (!enc_xtn_hdr || count <= 0) {
1362 return 0;
1363 }
1364
1365 while (count > 0) {
1366 if (*enc_xtn_hdr == id) {
1367 return 1;
1368 }
1369
1370 enc_xtn_hdr++;
1371 count--;
1372 }
1373 return 0;
1374 }
1375
1376 /*
1377 * extensions header encryption RFC 6904
1378 */
srtp_process_header_encryption(srtp_stream_ctx_t * stream,srtp_hdr_xtnd_t * xtn_hdr,srtp_session_keys_t * session_keys)1379 static srtp_err_status_t srtp_process_header_encryption(
1380 srtp_stream_ctx_t *stream,
1381 srtp_hdr_xtnd_t *xtn_hdr,
1382 srtp_session_keys_t *session_keys)
1383 {
1384 srtp_err_status_t status;
1385 uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */
1386 int keystream_pos;
1387 uint8_t *xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr;
1388 uint8_t *xtn_hdr_end =
1389 xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_t));
1390
1391 if (ntohs(xtn_hdr->profile_specific) == 0xbede) {
1392 /* RFC 5285, section 4.2. One-Byte Header */
1393 while (xtn_hdr_data < xtn_hdr_end) {
1394 uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4;
1395 unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1;
1396 uint32_t xlen_with_header = 1 + xlen;
1397 xtn_hdr_data++;
1398
1399 if (xtn_hdr_data + xlen > xtn_hdr_end)
1400 return srtp_err_status_parse_err;
1401
1402 if (xid == 15) {
1403 /* found header 15, stop further processing. */
1404 break;
1405 }
1406
1407 status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher,
1408 keystream, &xlen_with_header);
1409 if (status)
1410 return srtp_err_status_cipher_fail;
1411
1412 if (srtp_protect_extension_header(stream, xid)) {
1413 keystream_pos = 1;
1414 while (xlen > 0) {
1415 *xtn_hdr_data ^= keystream[keystream_pos++];
1416 xtn_hdr_data++;
1417 xlen--;
1418 }
1419 } else {
1420 xtn_hdr_data += xlen;
1421 }
1422
1423 /* skip padding bytes. */
1424 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) {
1425 xtn_hdr_data++;
1426 }
1427 }
1428 } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) {
1429 /* RFC 5285, section 4.3. Two-Byte Header */
1430 while (xtn_hdr_data + 1 < xtn_hdr_end) {
1431 uint8_t xid = *xtn_hdr_data;
1432 unsigned int xlen = *(xtn_hdr_data + 1);
1433 uint32_t xlen_with_header = 2 + xlen;
1434 xtn_hdr_data += 2;
1435
1436 if (xtn_hdr_data + xlen > xtn_hdr_end)
1437 return srtp_err_status_parse_err;
1438
1439 status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher,
1440 keystream, &xlen_with_header);
1441 if (status)
1442 return srtp_err_status_cipher_fail;
1443
1444 if (xlen > 0 && srtp_protect_extension_header(stream, xid)) {
1445 keystream_pos = 2;
1446 while (xlen > 0) {
1447 *xtn_hdr_data ^= keystream[keystream_pos++];
1448 xtn_hdr_data++;
1449 xlen--;
1450 }
1451 } else {
1452 xtn_hdr_data += xlen;
1453 }
1454
1455 /* skip padding bytes. */
1456 while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) {
1457 xtn_hdr_data++;
1458 }
1459 }
1460 } else {
1461 /* unsupported extension header format. */
1462 return srtp_err_status_parse_err;
1463 }
1464
1465 return srtp_err_status_ok;
1466 }
1467
1468 /*
1469 * AEAD uses a new IV formation method. This function implements
1470 * section 8.1. (SRTP IV Formation for AES-GCM) of RFC7714.
1471 * The calculation is defined as, where (+) is the xor operation:
1472 *
1473 *
1474 * 0 0 0 0 0 0 0 0 0 0 1 1
1475 * 0 1 2 3 4 5 6 7 8 9 0 1
1476 * +--+--+--+--+--+--+--+--+--+--+--+--+
1477 * |00|00| SSRC | ROC | SEQ |---+
1478 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
1479 * |
1480 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
1481 * | Encryption Salt |->(+)
1482 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
1483 * |
1484 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
1485 * | Initialization Vector |<--+
1486 * +--+--+--+--+--+--+--+--+--+--+--+--+*
1487 *
1488 * Input: *session_keys - pointer to SRTP stream context session keys,
1489 * used to retrieve the SALT
1490 * *iv - Pointer to receive the calculated IV
1491 * *seq - The ROC and SEQ value to use for the
1492 * IV calculation.
1493 * *hdr - The RTP header, used to get the SSRC value
1494 *
1495 */
1496
srtp_calc_aead_iv(srtp_session_keys_t * session_keys,v128_t * iv,srtp_xtd_seq_num_t * seq,srtp_hdr_t * hdr)1497 static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys,
1498 v128_t *iv,
1499 srtp_xtd_seq_num_t *seq,
1500 srtp_hdr_t *hdr)
1501 {
1502 v128_t in;
1503 v128_t salt;
1504
1505 #ifdef NO_64BIT_MATH
1506 uint32_t local_roc = ((high32(*seq) << 16) | (low32(*seq) >> 16));
1507 uint16_t local_seq = (uint16_t)(low32(*seq));
1508 #else
1509 uint32_t local_roc = (uint32_t)(*seq >> 16);
1510 uint16_t local_seq = (uint16_t)*seq;
1511 #endif
1512
1513 memset(&in, 0, sizeof(v128_t));
1514 memset(&salt, 0, sizeof(v128_t));
1515
1516 in.v16[5] = htons(local_seq);
1517 local_roc = htonl(local_roc);
1518 memcpy(&in.v16[3], &local_roc, sizeof(local_roc));
1519
1520 /*
1521 * Copy in the RTP SSRC value
1522 */
1523 memcpy(&in.v8[2], &hdr->ssrc, 4);
1524 debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in));
1525
1526 /*
1527 * Get the SALT value from the context
1528 */
1529 memcpy(salt.v8, session_keys->salt, SRTP_AEAD_SALT_LEN);
1530 debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt));
1531
1532 /*
1533 * Finally, apply tyhe SALT to the input
1534 */
1535 v128_xor(iv, &in, &salt);
1536 }
1537
srtp_get_session_keys(srtp_stream_ctx_t * stream,uint8_t * hdr,const unsigned int * pkt_octet_len,unsigned int * mki_size)1538 srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream,
1539 uint8_t *hdr,
1540 const unsigned int *pkt_octet_len,
1541 unsigned int *mki_size)
1542 {
1543 unsigned int base_mki_start_location = *pkt_octet_len;
1544 unsigned int mki_start_location = 0;
1545 unsigned int tag_len = 0;
1546 unsigned int i = 0;
1547
1548 // Determine the authentication tag size
1549 if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
1550 stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) {
1551 tag_len = 0;
1552 } else {
1553 tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth);
1554 }
1555
1556 if (tag_len > base_mki_start_location) {
1557 *mki_size = 0;
1558 return NULL;
1559 }
1560
1561 base_mki_start_location -= tag_len;
1562
1563 for (i = 0; i < stream->num_master_keys; i++) {
1564 if (stream->session_keys[i].mki_size != 0 &&
1565 stream->session_keys[i].mki_size <= base_mki_start_location) {
1566 *mki_size = stream->session_keys[i].mki_size;
1567 mki_start_location = base_mki_start_location - *mki_size;
1568
1569 if (memcmp(hdr + mki_start_location, stream->session_keys[i].mki_id,
1570 *mki_size) == 0) {
1571 return &stream->session_keys[i];
1572 }
1573 }
1574 }
1575
1576 *mki_size = 0;
1577 return NULL;
1578 }
1579
srtp_estimate_index(srtp_rdbx_t * rdbx,uint32_t roc,srtp_xtd_seq_num_t * est,srtp_sequence_number_t seq,int * delta)1580 static srtp_err_status_t srtp_estimate_index(srtp_rdbx_t *rdbx,
1581 uint32_t roc,
1582 srtp_xtd_seq_num_t *est,
1583 srtp_sequence_number_t seq,
1584 int *delta)
1585 {
1586 #ifdef NO_64BIT_MATH
1587 uint32_t internal_pkt_idx_reduced;
1588 uint32_t external_pkt_idx_reduced;
1589 uint32_t internal_roc;
1590 uint32_t roc_difference;
1591 #endif
1592
1593 #ifdef NO_64BIT_MATH
1594 *est = (srtp_xtd_seq_num_t)make64(roc >> 16, (roc << 16) | seq);
1595 *delta = low32(est) - rdbx->index;
1596 #else
1597 *est = (srtp_xtd_seq_num_t)(((uint64_t)roc) << 16) | seq;
1598 *delta = (int)(*est - rdbx->index);
1599 #endif
1600
1601 if (*est > rdbx->index) {
1602 #ifdef NO_64BIT_MATH
1603 internal_roc = (uint32_t)(rdbx->index >> 16);
1604 roc_difference = roc - internal_roc;
1605 if (roc_difference > 1) {
1606 *delta = 0;
1607 return srtp_err_status_pkt_idx_adv;
1608 }
1609
1610 internal_pkt_idx_reduced = (uint32_t)(rdbx->index & 0xFFFF);
1611 external_pkt_idx_reduced = (uint32_t)((roc_difference << 16) | seq);
1612
1613 if (external_pkt_idx_reduced - internal_pkt_idx_reduced >
1614 seq_num_median) {
1615 *delta = 0;
1616 return srtp_err_status_pkt_idx_adv;
1617 }
1618 #else
1619 if (*est - rdbx->index > seq_num_median) {
1620 *delta = 0;
1621 return srtp_err_status_pkt_idx_adv;
1622 }
1623 #endif
1624 } else if (*est < rdbx->index) {
1625 #ifdef NO_64BIT_MATH
1626
1627 internal_roc = (uint32_t)(rdbx->index >> 16);
1628 roc_difference = internal_roc - roc;
1629 if (roc_difference > 1) {
1630 *delta = 0;
1631 return srtp_err_status_pkt_idx_adv;
1632 }
1633
1634 internal_pkt_idx_reduced =
1635 (uint32_t)((roc_difference << 16) | rdbx->index & 0xFFFF);
1636 external_pkt_idx_reduced = (uint32_t)(seq);
1637
1638 if (internal_pkt_idx_reduced - external_pkt_idx_reduced >
1639 seq_num_median) {
1640 *delta = 0;
1641 return srtp_err_status_pkt_idx_old;
1642 }
1643 #else
1644 if (rdbx->index - *est > seq_num_median) {
1645 *delta = 0;
1646 return srtp_err_status_pkt_idx_old;
1647 }
1648 #endif
1649 }
1650
1651 return srtp_err_status_ok;
1652 }
1653
srtp_get_est_pkt_index(srtp_hdr_t * hdr,srtp_stream_ctx_t * stream,srtp_xtd_seq_num_t * est,int * delta)1654 static srtp_err_status_t srtp_get_est_pkt_index(srtp_hdr_t *hdr,
1655 srtp_stream_ctx_t *stream,
1656 srtp_xtd_seq_num_t *est,
1657 int *delta)
1658 {
1659 srtp_err_status_t result = srtp_err_status_ok;
1660
1661 if (stream->pending_roc) {
1662 result = srtp_estimate_index(&stream->rtp_rdbx, stream->pending_roc,
1663 est, ntohs(hdr->seq), delta);
1664 } else {
1665 /* estimate packet index from seq. num. in header */
1666 *delta =
1667 srtp_rdbx_estimate_index(&stream->rtp_rdbx, est, ntohs(hdr->seq));
1668 }
1669
1670 #ifdef NO_64BIT_MATH
1671 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(*est),
1672 low32(*est));
1673 #else
1674 debug_print(mod_srtp, "estimated u_packet index: %016llx", *est);
1675 #endif
1676 return result;
1677 }
1678
1679 /*
1680 * This function handles outgoing SRTP packets while in AEAD mode,
1681 * which currently supports AES-GCM encryption. All packets are
1682 * encrypted and authenticated.
1683 */
srtp_protect_aead(srtp_ctx_t * ctx,srtp_stream_ctx_t * stream,void * rtp_hdr,unsigned int * pkt_octet_len,srtp_session_keys_t * session_keys,unsigned int use_mki)1684 static srtp_err_status_t srtp_protect_aead(srtp_ctx_t *ctx,
1685 srtp_stream_ctx_t *stream,
1686 void *rtp_hdr,
1687 unsigned int *pkt_octet_len,
1688 srtp_session_keys_t *session_keys,
1689 unsigned int use_mki)
1690 {
1691 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
1692 uint32_t *enc_start; /* pointer to start of encrypted portion */
1693 int enc_octet_len = 0; /* number of octets in encrypted portion */
1694 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
1695 int delta; /* delta of local pkt idx and that in hdr */
1696 srtp_err_status_t status;
1697 uint32_t tag_len;
1698 v128_t iv;
1699 unsigned int aad_len;
1700 srtp_hdr_xtnd_t *xtn_hdr = NULL;
1701 unsigned int mki_size = 0;
1702 uint8_t *mki_location = NULL;
1703
1704 debug_print(mod_srtp, "function srtp_protect_aead", NULL);
1705
1706 /*
1707 * update the key usage limit, and check it to make sure that we
1708 * didn't just hit either the soft limit or the hard limit, and call
1709 * the event handler if we hit either.
1710 */
1711 switch (srtp_key_limit_update(session_keys->limit)) {
1712 case srtp_key_event_normal:
1713 break;
1714 case srtp_key_event_hard_limit:
1715 srtp_handle_event(ctx, stream, event_key_hard_limit);
1716 return srtp_err_status_key_expired;
1717 case srtp_key_event_soft_limit:
1718 default:
1719 srtp_handle_event(ctx, stream, event_key_soft_limit);
1720 break;
1721 }
1722
1723 /* get tag length from stream */
1724 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
1725
1726 /*
1727 * find starting point for encryption and length of data to be
1728 * encrypted - the encrypted portion starts after the rtp header
1729 * extension, if present; otherwise, it starts after the last csrc,
1730 * if any are present
1731 */
1732 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1733 if (hdr->x == 1) {
1734 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1735 enc_start += (ntohs(xtn_hdr->length) + 1);
1736 }
1737 /* note: the passed size is without the auth tag */
1738 if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len))
1739 return srtp_err_status_parse_err;
1740 enc_octet_len =
1741 (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr));
1742 if (enc_octet_len < 0)
1743 return srtp_err_status_parse_err;
1744
1745 /*
1746 * estimate the packet index using the start of the replay window
1747 * and the sequence number from the header
1748 */
1749 delta = srtp_rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
1750 status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
1751 if (status) {
1752 if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) {
1753 return status; /* we've been asked to reuse an index */
1754 }
1755 } else {
1756 srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
1757 }
1758
1759 #ifdef NO_64BIT_MATH
1760 debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est),
1761 low32(est));
1762 #else
1763 debug_print(mod_srtp, "estimated packet index: %016llx", est);
1764 #endif
1765
1766 /*
1767 * AEAD uses a new IV formation method
1768 */
1769 srtp_calc_aead_iv(session_keys, &iv, &est, hdr);
1770 /* shift est, put into network byte order */
1771 #ifdef NO_64BIT_MATH
1772 est = be64_to_cpu(
1773 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
1774 #else
1775 est = be64_to_cpu(est << 16);
1776 #endif
1777
1778 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
1779 srtp_direction_encrypt);
1780 if (!status && session_keys->rtp_xtn_hdr_cipher) {
1781 iv.v32[0] = 0;
1782 iv.v32[1] = hdr->ssrc;
1783 iv.v64[1] = est;
1784 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
1785 (uint8_t *)&iv, srtp_direction_encrypt);
1786 }
1787 if (status) {
1788 return srtp_err_status_cipher_fail;
1789 }
1790
1791 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
1792 /*
1793 * extensions header encryption RFC 6904
1794 */
1795 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
1796 if (status) {
1797 return status;
1798 }
1799 }
1800
1801 /*
1802 * Set the AAD over the RTP header
1803 */
1804 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
1805 status =
1806 srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len);
1807 if (status) {
1808 return (srtp_err_status_cipher_fail);
1809 }
1810
1811 /* Encrypt the payload */
1812 status = srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
1813 (unsigned int *)&enc_octet_len);
1814 if (status) {
1815 return srtp_err_status_cipher_fail;
1816 }
1817 /*
1818 * If we're doing GCM, we need to get the tag
1819 * and append that to the output
1820 */
1821 status =
1822 srtp_cipher_get_tag(session_keys->rtp_cipher,
1823 (uint8_t *)enc_start + enc_octet_len, &tag_len);
1824 if (status) {
1825 return (srtp_err_status_cipher_fail);
1826 }
1827
1828 mki_location = (uint8_t *)hdr + *pkt_octet_len + tag_len;
1829 mki_size = srtp_inject_mki(mki_location, session_keys, use_mki);
1830
1831 /* increase the packet length by the length of the auth tag */
1832 *pkt_octet_len += tag_len;
1833
1834 /* increase the packet length by the length of the mki_size */
1835 *pkt_octet_len += mki_size;
1836
1837 return srtp_err_status_ok;
1838 }
1839
1840 /*
1841 * This function handles incoming SRTP packets while in AEAD mode,
1842 * which currently supports AES-GCM encryption. All packets are
1843 * encrypted and authenticated. Note, the auth tag is at the end
1844 * of the packet stream and is automatically checked by GCM
1845 * when decrypting the payload.
1846 */
srtp_unprotect_aead(srtp_ctx_t * ctx,srtp_stream_ctx_t * stream,int delta,srtp_xtd_seq_num_t est,void * srtp_hdr,unsigned int * pkt_octet_len,srtp_session_keys_t * session_keys,unsigned int mki_size)1847 static srtp_err_status_t srtp_unprotect_aead(srtp_ctx_t *ctx,
1848 srtp_stream_ctx_t *stream,
1849 int delta,
1850 srtp_xtd_seq_num_t est,
1851 void *srtp_hdr,
1852 unsigned int *pkt_octet_len,
1853 srtp_session_keys_t *session_keys,
1854 unsigned int mki_size)
1855 {
1856 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
1857 uint32_t *enc_start; /* pointer to start of encrypted portion */
1858 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
1859 v128_t iv;
1860 srtp_err_status_t status;
1861 int tag_len;
1862 unsigned int aad_len;
1863 srtp_hdr_xtnd_t *xtn_hdr = NULL;
1864
1865 debug_print(mod_srtp, "function srtp_unprotect_aead", NULL);
1866
1867 #ifdef NO_64BIT_MATH
1868 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),
1869 low32(est));
1870 #else
1871 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1872 #endif
1873
1874 /* get tag length from stream */
1875 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
1876
1877 /*
1878 * AEAD uses a new IV formation method
1879 */
1880 srtp_calc_aead_iv(session_keys, &iv, &est, hdr);
1881 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
1882 srtp_direction_decrypt);
1883 if (!status && session_keys->rtp_xtn_hdr_cipher) {
1884 iv.v32[0] = 0;
1885 iv.v32[1] = hdr->ssrc;
1886 #ifdef NO_64BIT_MATH
1887 iv.v64[1] = be64_to_cpu(
1888 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
1889 #else
1890 iv.v64[1] = be64_to_cpu(est << 16);
1891 #endif
1892 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
1893 (uint8_t *)&iv, srtp_direction_encrypt);
1894 }
1895 if (status) {
1896 return srtp_err_status_cipher_fail;
1897 }
1898
1899 /*
1900 * find starting point for decryption and length of data to be
1901 * decrypted - the encrypted portion starts after the rtp header
1902 * extension, if present; otherwise, it starts after the last csrc,
1903 * if any are present
1904 */
1905 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1906 if (hdr->x == 1) {
1907 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1908 enc_start += (ntohs(xtn_hdr->length) + 1);
1909 }
1910 if (!((uint8_t *)enc_start <=
1911 (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size)))
1912 return srtp_err_status_parse_err;
1913 /*
1914 * We pass the tag down to the cipher when doing GCM mode
1915 */
1916 enc_octet_len = (unsigned int)(*pkt_octet_len - mki_size -
1917 ((uint8_t *)enc_start - (uint8_t *)hdr));
1918
1919 /*
1920 * Sanity check the encrypted payload length against
1921 * the tag size. It must always be at least as large
1922 * as the tag length.
1923 */
1924 if (enc_octet_len < (unsigned int)tag_len) {
1925 return srtp_err_status_cipher_fail;
1926 }
1927
1928 /*
1929 * update the key usage limit, and check it to make sure that we
1930 * didn't just hit either the soft limit or the hard limit, and call
1931 * the event handler if we hit either.
1932 */
1933 switch (srtp_key_limit_update(session_keys->limit)) {
1934 case srtp_key_event_normal:
1935 break;
1936 case srtp_key_event_soft_limit:
1937 srtp_handle_event(ctx, stream, event_key_soft_limit);
1938 break;
1939 case srtp_key_event_hard_limit:
1940 srtp_handle_event(ctx, stream, event_key_hard_limit);
1941 return srtp_err_status_key_expired;
1942 default:
1943 break;
1944 }
1945
1946 /*
1947 * Set the AAD for AES-GCM, which is the RTP header
1948 */
1949 aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
1950 status =
1951 srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len);
1952 if (status) {
1953 return (srtp_err_status_cipher_fail);
1954 }
1955
1956 /* Decrypt the ciphertext. This also checks the auth tag based
1957 * on the AAD we just specified above */
1958 status = srtp_cipher_decrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
1959 &enc_octet_len);
1960 if (status) {
1961 return status;
1962 }
1963
1964 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
1965 /*
1966 * extensions header encryption RFC 6904
1967 */
1968 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
1969 if (status) {
1970 return status;
1971 }
1972 }
1973
1974 /*
1975 * verify that stream is for received traffic - this check will
1976 * detect SSRC collisions, since a stream that appears in both
1977 * srtp_protect() and srtp_unprotect() will fail this test in one of
1978 * those functions.
1979 *
1980 * we do this check *after* the authentication check, so that the
1981 * latter check will catch any attempts to fool us into thinking
1982 * that we've got a collision
1983 */
1984 if (stream->direction != dir_srtp_receiver) {
1985 if (stream->direction == dir_unknown) {
1986 stream->direction = dir_srtp_receiver;
1987 } else {
1988 srtp_handle_event(ctx, stream, event_ssrc_collision);
1989 }
1990 }
1991
1992 /*
1993 * if the stream is a 'provisional' one, in which the template context
1994 * is used, then we need to allocate a new stream at this point, since
1995 * the authentication passed
1996 */
1997 if (stream == ctx->stream_template) {
1998 srtp_stream_ctx_t *new_stream;
1999
2000 /*
2001 * allocate and initialize a new stream
2002 *
2003 * note that we indicate failure if we can't allocate the new
2004 * stream, and some implementations will want to not return
2005 * failure here
2006 */
2007 status =
2008 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2009 if (status) {
2010 return status;
2011 }
2012
2013 /* add new stream to the head of the stream_list */
2014 new_stream->next = ctx->stream_list;
2015 ctx->stream_list = new_stream;
2016
2017 /* set stream (the pointer used in this function) */
2018 stream = new_stream;
2019 }
2020
2021 /*
2022 * the message authentication function passed, so add the packet
2023 * index into the replay database
2024 */
2025 srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
2026
2027 /* decrease the packet length by the length of the auth tag */
2028 *pkt_octet_len -= tag_len;
2029
2030 /* decrease the packet length by the length of the mki_size */
2031 *pkt_octet_len -= mki_size;
2032
2033 return srtp_err_status_ok;
2034 }
2035
srtp_protect(srtp_ctx_t * ctx,void * rtp_hdr,int * pkt_octet_len)2036 srtp_err_status_t srtp_protect(srtp_ctx_t *ctx,
2037 void *rtp_hdr,
2038 int *pkt_octet_len)
2039 {
2040 return srtp_protect_mki(ctx, rtp_hdr, pkt_octet_len, 0, 0);
2041 }
2042
srtp_protect_mki(srtp_ctx_t * ctx,void * rtp_hdr,int * pkt_octet_len,unsigned int use_mki,unsigned int mki_index)2043 srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx,
2044 void *rtp_hdr,
2045 int *pkt_octet_len,
2046 unsigned int use_mki,
2047 unsigned int mki_index)
2048 {
2049 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
2050 uint32_t *enc_start; /* pointer to start of encrypted portion */
2051 uint32_t *auth_start; /* pointer to start of auth. portion */
2052 int enc_octet_len = 0; /* number of octets in encrypted portion */
2053 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
2054 int delta; /* delta of local pkt idx and that in hdr */
2055 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
2056 srtp_err_status_t status;
2057 int tag_len;
2058 srtp_stream_ctx_t *stream;
2059 uint32_t prefix_len;
2060 srtp_hdr_xtnd_t *xtn_hdr = NULL;
2061 unsigned int mki_size = 0;
2062 srtp_session_keys_t *session_keys = NULL;
2063 uint8_t *mki_location = NULL;
2064 int advance_packet_index = 0;
2065
2066 debug_print(mod_srtp, "function srtp_protect", NULL);
2067
2068 /* we assume the hdr is 32-bit aligned to start */
2069
2070 /* Verify RTP header */
2071 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len);
2072 if (status)
2073 return status;
2074
2075 /* check the packet length - it must at least contain a full header */
2076 if (*pkt_octet_len < octets_in_rtp_header)
2077 return srtp_err_status_bad_param;
2078
2079 /*
2080 * look up ssrc in srtp_stream list, and process the packet with
2081 * the appropriate stream. if we haven't seen this stream before,
2082 * there's a template key for this srtp_session, and the cipher
2083 * supports key-sharing, then we assume that a new stream using
2084 * that key has just started up
2085 */
2086 stream = srtp_get_stream(ctx, hdr->ssrc);
2087 if (stream == NULL) {
2088 if (ctx->stream_template != NULL) {
2089 srtp_stream_ctx_t *new_stream;
2090
2091 /* allocate and initialize a new stream */
2092 status =
2093 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2094 if (status)
2095 return status;
2096
2097 /* add new stream to the head of the stream_list */
2098 new_stream->next = ctx->stream_list;
2099 ctx->stream_list = new_stream;
2100
2101 /* set direction to outbound */
2102 new_stream->direction = dir_srtp_sender;
2103
2104 /* set stream (the pointer used in this function) */
2105 stream = new_stream;
2106 } else {
2107 /* no template stream, so we return an error */
2108 return srtp_err_status_no_ctx;
2109 }
2110 }
2111
2112 /*
2113 * verify that stream is for sending traffic - this check will
2114 * detect SSRC collisions, since a stream that appears in both
2115 * srtp_protect() and srtp_unprotect() will fail this test in one of
2116 * those functions.
2117 */
2118
2119 if (stream->direction != dir_srtp_sender) {
2120 if (stream->direction == dir_unknown) {
2121 stream->direction = dir_srtp_sender;
2122 } else {
2123 srtp_handle_event(ctx, stream, event_ssrc_collision);
2124 }
2125 }
2126
2127 session_keys =
2128 srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index);
2129
2130 if (session_keys == NULL)
2131 return srtp_err_status_bad_mki;
2132
2133 /*
2134 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
2135 * the request to our AEAD handler.
2136 */
2137 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
2138 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
2139 return srtp_protect_aead(ctx, stream, rtp_hdr,
2140 (unsigned int *)pkt_octet_len, session_keys,
2141 use_mki);
2142 }
2143
2144 /*
2145 * update the key usage limit, and check it to make sure that we
2146 * didn't just hit either the soft limit or the hard limit, and call
2147 * the event handler if we hit either.
2148 */
2149 switch (srtp_key_limit_update(session_keys->limit)) {
2150 case srtp_key_event_normal:
2151 break;
2152 case srtp_key_event_soft_limit:
2153 srtp_handle_event(ctx, stream, event_key_soft_limit);
2154 break;
2155 case srtp_key_event_hard_limit:
2156 srtp_handle_event(ctx, stream, event_key_hard_limit);
2157 return srtp_err_status_key_expired;
2158 default:
2159 break;
2160 }
2161
2162 /* get tag length from stream */
2163 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
2164
2165 /*
2166 * find starting point for encryption and length of data to be
2167 * encrypted - the encrypted portion starts after the rtp header
2168 * extension, if present; otherwise, it starts after the last csrc,
2169 * if any are present
2170 *
2171 * if we're not providing confidentiality, set enc_start to NULL
2172 */
2173 if (stream->rtp_services & sec_serv_conf) {
2174 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
2175 if (hdr->x == 1) {
2176 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
2177 enc_start += (ntohs(xtn_hdr->length) + 1);
2178 }
2179 /* note: the passed size is without the auth tag */
2180 if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len))
2181 return srtp_err_status_parse_err;
2182 enc_octet_len =
2183 (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr));
2184 if (enc_octet_len < 0)
2185 return srtp_err_status_parse_err;
2186 } else {
2187 enc_start = NULL;
2188 }
2189
2190 mki_location = (uint8_t *)hdr + *pkt_octet_len;
2191 mki_size = srtp_inject_mki(mki_location, session_keys, use_mki);
2192
2193 /*
2194 * if we're providing authentication, set the auth_start and auth_tag
2195 * pointers to the proper locations; otherwise, set auth_start to NULL
2196 * to indicate that no authentication is needed
2197 */
2198 if (stream->rtp_services & sec_serv_auth) {
2199 auth_start = (uint32_t *)hdr;
2200 auth_tag = (uint8_t *)hdr + *pkt_octet_len + mki_size;
2201 } else {
2202 auth_start = NULL;
2203 auth_tag = NULL;
2204 }
2205
2206 /*
2207 * estimate the packet index using the start of the replay window
2208 * and the sequence number from the header
2209 */
2210 status = srtp_get_est_pkt_index(hdr, stream, &est, &delta);
2211
2212 if (status && (status != srtp_err_status_pkt_idx_adv))
2213 return status;
2214
2215 if (status == srtp_err_status_pkt_idx_adv)
2216 advance_packet_index = 1;
2217
2218 if (advance_packet_index) {
2219 srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, (uint32_t)(est >> 16),
2220 (uint16_t)(est & 0xFFFF));
2221 stream->pending_roc = 0;
2222 srtp_rdbx_add_index(&stream->rtp_rdbx, 0);
2223 } else {
2224 status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
2225 if (status) {
2226 if (status != srtp_err_status_replay_fail ||
2227 !stream->allow_repeat_tx)
2228 return status; /* we've been asked to reuse an index */
2229 }
2230 srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
2231 }
2232
2233 #ifdef NO_64BIT_MATH
2234 debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est),
2235 low32(est));
2236 #else
2237 debug_print(mod_srtp, "estimated packet index: %016llx", est);
2238 #endif
2239
2240 /*
2241 * if we're using rindael counter mode, set nonce and seq
2242 */
2243 if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 ||
2244 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 ||
2245 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) {
2246 v128_t iv;
2247
2248 iv.v32[0] = 0;
2249 iv.v32[1] = hdr->ssrc;
2250 #ifdef NO_64BIT_MATH
2251 iv.v64[1] = be64_to_cpu(
2252 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
2253 #else
2254 iv.v64[1] = be64_to_cpu(est << 16);
2255 #endif
2256 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
2257 srtp_direction_encrypt);
2258 if (!status && session_keys->rtp_xtn_hdr_cipher) {
2259 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
2260 (uint8_t *)&iv, srtp_direction_encrypt);
2261 }
2262 } else {
2263 v128_t iv;
2264
2265 /* otherwise, set the index to est */
2266 #ifdef NO_64BIT_MATH
2267 iv.v32[0] = 0;
2268 iv.v32[1] = 0;
2269 #else
2270 iv.v64[0] = 0;
2271 #endif
2272 iv.v64[1] = be64_to_cpu(est);
2273 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
2274 srtp_direction_encrypt);
2275 if (!status && session_keys->rtp_xtn_hdr_cipher) {
2276 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
2277 (uint8_t *)&iv, srtp_direction_encrypt);
2278 }
2279 }
2280 if (status)
2281 return srtp_err_status_cipher_fail;
2282
2283 /* shift est, put into network byte order */
2284 #ifdef NO_64BIT_MATH
2285 est = be64_to_cpu(
2286 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
2287 #else
2288 est = be64_to_cpu(est << 16);
2289 #endif
2290
2291 /*
2292 * if we're authenticating using a universal hash, put the keystream
2293 * prefix into the authentication tag
2294 */
2295 if (auth_start) {
2296 prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth);
2297 if (prefix_len) {
2298 status = srtp_cipher_output(session_keys->rtp_cipher, auth_tag,
2299 &prefix_len);
2300 if (status)
2301 return srtp_err_status_cipher_fail;
2302 debug_print(mod_srtp, "keystream prefix: %s",
2303 srtp_octet_string_hex_string(auth_tag, prefix_len));
2304 }
2305 }
2306
2307 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
2308 /*
2309 * extensions header encryption RFC 6904
2310 */
2311 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
2312 if (status) {
2313 return status;
2314 }
2315 }
2316
2317 /* if we're encrypting, exor keystream into the message */
2318 if (enc_start) {
2319 status =
2320 srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
2321 (unsigned int *)&enc_octet_len);
2322 if (status)
2323 return srtp_err_status_cipher_fail;
2324 }
2325
2326 /*
2327 * if we're authenticating, run authentication function and put result
2328 * into the auth_tag
2329 */
2330 if (auth_start) {
2331 /* initialize auth func context */
2332 status = srtp_auth_start(session_keys->rtp_auth);
2333 if (status)
2334 return status;
2335
2336 /* run auth func over packet */
2337 status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start,
2338 *pkt_octet_len);
2339 if (status)
2340 return status;
2341
2342 /* run auth func over ROC, put result into auth_tag */
2343 debug_print(mod_srtp, "estimated packet index: %016llx", est);
2344 status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4,
2345 auth_tag);
2346 debug_print(mod_srtp, "srtp auth tag: %s",
2347 srtp_octet_string_hex_string(auth_tag, tag_len));
2348 if (status)
2349 return srtp_err_status_auth_fail;
2350 }
2351
2352 if (auth_tag) {
2353 /* increase the packet length by the length of the auth tag */
2354 *pkt_octet_len += tag_len;
2355 }
2356
2357 if (use_mki) {
2358 /* increate the packet length by the mki size */
2359 *pkt_octet_len += mki_size;
2360 }
2361
2362 return srtp_err_status_ok;
2363 }
2364
srtp_unprotect(srtp_ctx_t * ctx,void * srtp_hdr,int * pkt_octet_len)2365 srtp_err_status_t srtp_unprotect(srtp_ctx_t *ctx,
2366 void *srtp_hdr,
2367 int *pkt_octet_len)
2368 {
2369 return srtp_unprotect_mki(ctx, srtp_hdr, pkt_octet_len, 0);
2370 }
2371
srtp_unprotect_mki(srtp_ctx_t * ctx,void * srtp_hdr,int * pkt_octet_len,unsigned int use_mki)2372 srtp_err_status_t srtp_unprotect_mki(srtp_ctx_t *ctx,
2373 void *srtp_hdr,
2374 int *pkt_octet_len,
2375 unsigned int use_mki)
2376 {
2377 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
2378 uint32_t *enc_start; /* pointer to start of encrypted portion */
2379 uint32_t *auth_start; /* pointer to start of auth. portion */
2380 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
2381 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
2382 srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
2383 int delta; /* delta of local pkt idx and that in hdr */
2384 v128_t iv;
2385 srtp_err_status_t status;
2386 srtp_stream_ctx_t *stream;
2387 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
2388 uint32_t tag_len, prefix_len;
2389 srtp_hdr_xtnd_t *xtn_hdr = NULL;
2390 unsigned int mki_size = 0;
2391 srtp_session_keys_t *session_keys = NULL;
2392 int advance_packet_index = 0;
2393 uint32_t roc_to_set = 0;
2394 uint16_t seq_to_set = 0;
2395
2396 debug_print(mod_srtp, "function srtp_unprotect", NULL);
2397
2398 /* we assume the hdr is 32-bit aligned to start */
2399
2400 /* Verify RTP header */
2401 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len);
2402 if (status)
2403 return status;
2404
2405 /* check the packet length - it must at least contain a full header */
2406 if (*pkt_octet_len < octets_in_rtp_header)
2407 return srtp_err_status_bad_param;
2408
2409 /*
2410 * look up ssrc in srtp_stream list, and process the packet with
2411 * the appropriate stream. if we haven't seen this stream before,
2412 * there's only one key for this srtp_session, and the cipher
2413 * supports key-sharing, then we assume that a new stream using
2414 * that key has just started up
2415 */
2416 stream = srtp_get_stream(ctx, hdr->ssrc);
2417 if (stream == NULL) {
2418 if (ctx->stream_template != NULL) {
2419 stream = ctx->stream_template;
2420 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
2421 ntohl(hdr->ssrc));
2422
2423 /*
2424 * set estimated packet index to sequence number from header,
2425 * and set delta equal to the same value
2426 */
2427 #ifdef NO_64BIT_MATH
2428 est = (srtp_xtd_seq_num_t)make64(0, ntohs(hdr->seq));
2429 delta = low32(est);
2430 #else
2431 est = (srtp_xtd_seq_num_t)ntohs(hdr->seq);
2432 delta = (int)est;
2433 #endif
2434 } else {
2435 /*
2436 * no stream corresponding to SSRC found, and we don't do
2437 * key-sharing, so return an error
2438 */
2439 return srtp_err_status_no_ctx;
2440 }
2441 } else {
2442 status = srtp_get_est_pkt_index(hdr, stream, &est, &delta);
2443
2444 if (status && (status != srtp_err_status_pkt_idx_adv))
2445 return status;
2446
2447 if (status == srtp_err_status_pkt_idx_adv) {
2448 advance_packet_index = 1;
2449 roc_to_set = (uint32_t)(est >> 16);
2450 seq_to_set = (uint16_t)(est & 0xFFFF);
2451 }
2452
2453 /* check replay database */
2454 if (!advance_packet_index) {
2455 status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
2456 if (status)
2457 return status;
2458 }
2459 }
2460
2461 #ifdef NO_64BIT_MATH
2462 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),
2463 low32(est));
2464 #else
2465 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
2466 #endif
2467
2468 /* Determine if MKI is being used and what session keys should be used */
2469 if (use_mki) {
2470 session_keys = srtp_get_session_keys(
2471 stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len,
2472 &mki_size);
2473
2474 if (session_keys == NULL)
2475 return srtp_err_status_bad_mki;
2476 } else {
2477 session_keys = &stream->session_keys[0];
2478 }
2479
2480 /*
2481 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
2482 * the request to our AEAD handler.
2483 */
2484 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
2485 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
2486 return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr,
2487 (unsigned int *)pkt_octet_len, session_keys,
2488 mki_size);
2489 }
2490
2491 /* get tag length from stream */
2492 tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
2493
2494 /*
2495 * set the cipher's IV properly, depending on whatever cipher we
2496 * happen to be using
2497 */
2498 if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 ||
2499 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 ||
2500 session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) {
2501 /* aes counter mode */
2502 iv.v32[0] = 0;
2503 iv.v32[1] = hdr->ssrc; /* still in network order */
2504 #ifdef NO_64BIT_MATH
2505 iv.v64[1] = be64_to_cpu(
2506 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
2507 #else
2508 iv.v64[1] = be64_to_cpu(est << 16);
2509 #endif
2510 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
2511 srtp_direction_decrypt);
2512 if (!status && session_keys->rtp_xtn_hdr_cipher) {
2513 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
2514 (uint8_t *)&iv, srtp_direction_decrypt);
2515 }
2516 } else {
2517 /* no particular format - set the iv to the pakcet index */
2518 #ifdef NO_64BIT_MATH
2519 iv.v32[0] = 0;
2520 iv.v32[1] = 0;
2521 #else
2522 iv.v64[0] = 0;
2523 #endif
2524 iv.v64[1] = be64_to_cpu(est);
2525 status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
2526 srtp_direction_decrypt);
2527 if (!status && session_keys->rtp_xtn_hdr_cipher) {
2528 status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
2529 (uint8_t *)&iv, srtp_direction_decrypt);
2530 }
2531 }
2532 if (status)
2533 return srtp_err_status_cipher_fail;
2534
2535 /* shift est, put into network byte order */
2536 #ifdef NO_64BIT_MATH
2537 est = be64_to_cpu(
2538 make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
2539 #else
2540 est = be64_to_cpu(est << 16);
2541 #endif
2542
2543 /*
2544 * find starting point for decryption and length of data to be
2545 * decrypted - the encrypted portion starts after the rtp header
2546 * extension, if present; otherwise, it starts after the last csrc,
2547 * if any are present
2548 *
2549 * if we're not providing confidentiality, set enc_start to NULL
2550 */
2551 if (stream->rtp_services & sec_serv_conf) {
2552 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
2553 if (hdr->x == 1) {
2554 xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
2555 enc_start += (ntohs(xtn_hdr->length) + 1);
2556 }
2557 if (!((uint8_t *)enc_start <=
2558 (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size)))
2559 return srtp_err_status_parse_err;
2560 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - mki_size -
2561 ((uint8_t *)enc_start - (uint8_t *)hdr));
2562 } else {
2563 enc_start = NULL;
2564 }
2565
2566 /*
2567 * if we're providing authentication, set the auth_start and auth_tag
2568 * pointers to the proper locations; otherwise, set auth_start to NULL
2569 * to indicate that no authentication is needed
2570 */
2571 if (stream->rtp_services & sec_serv_auth) {
2572 auth_start = (uint32_t *)hdr;
2573 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
2574 } else {
2575 auth_start = NULL;
2576 auth_tag = NULL;
2577 }
2578
2579 /*
2580 * if we expect message authentication, run the authentication
2581 * function and compare the result with the value of the auth_tag
2582 */
2583 if (auth_start) {
2584 /*
2585 * if we're using a universal hash, then we need to compute the
2586 * keystream prefix for encrypting the universal hash output
2587 *
2588 * if the keystream prefix length is zero, then we know that
2589 * the authenticator isn't using a universal hash function
2590 */
2591 if (session_keys->rtp_auth->prefix_len != 0) {
2592 prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth);
2593 status = srtp_cipher_output(session_keys->rtp_cipher, tmp_tag,
2594 &prefix_len);
2595 debug_print(mod_srtp, "keystream prefix: %s",
2596 srtp_octet_string_hex_string(tmp_tag, prefix_len));
2597 if (status)
2598 return srtp_err_status_cipher_fail;
2599 }
2600
2601 /* initialize auth func context */
2602 status = srtp_auth_start(session_keys->rtp_auth);
2603 if (status)
2604 return status;
2605
2606 /* now compute auth function over packet */
2607 status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start,
2608 *pkt_octet_len - tag_len - mki_size);
2609
2610 /* run auth func over ROC, then write tmp tag */
2611 status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4,
2612 tmp_tag);
2613
2614 debug_print(mod_srtp, "computed auth tag: %s",
2615 srtp_octet_string_hex_string(tmp_tag, tag_len));
2616 debug_print(mod_srtp, "packet auth tag: %s",
2617 srtp_octet_string_hex_string(auth_tag, tag_len));
2618 if (status)
2619 return srtp_err_status_auth_fail;
2620
2621 if (srtp_octet_string_is_eq(tmp_tag, auth_tag, tag_len))
2622 return srtp_err_status_auth_fail;
2623 }
2624
2625 /*
2626 * update the key usage limit, and check it to make sure that we
2627 * didn't just hit either the soft limit or the hard limit, and call
2628 * the event handler if we hit either.
2629 */
2630 switch (srtp_key_limit_update(session_keys->limit)) {
2631 case srtp_key_event_normal:
2632 break;
2633 case srtp_key_event_soft_limit:
2634 srtp_handle_event(ctx, stream, event_key_soft_limit);
2635 break;
2636 case srtp_key_event_hard_limit:
2637 srtp_handle_event(ctx, stream, event_key_hard_limit);
2638 return srtp_err_status_key_expired;
2639 default:
2640 break;
2641 }
2642
2643 if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
2644 /* extensions header encryption RFC 6904 */
2645 status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
2646 if (status) {
2647 return status;
2648 }
2649 }
2650
2651 /* if we're decrypting, add keystream into ciphertext */
2652 if (enc_start) {
2653 status = srtp_cipher_decrypt(session_keys->rtp_cipher,
2654 (uint8_t *)enc_start, &enc_octet_len);
2655 if (status)
2656 return srtp_err_status_cipher_fail;
2657 }
2658
2659 /*
2660 * verify that stream is for received traffic - this check will
2661 * detect SSRC collisions, since a stream that appears in both
2662 * srtp_protect() and srtp_unprotect() will fail this test in one of
2663 * those functions.
2664 *
2665 * we do this check *after* the authentication check, so that the
2666 * latter check will catch any attempts to fool us into thinking
2667 * that we've got a collision
2668 */
2669 if (stream->direction != dir_srtp_receiver) {
2670 if (stream->direction == dir_unknown) {
2671 stream->direction = dir_srtp_receiver;
2672 } else {
2673 srtp_handle_event(ctx, stream, event_ssrc_collision);
2674 }
2675 }
2676
2677 /*
2678 * if the stream is a 'provisional' one, in which the template context
2679 * is used, then we need to allocate a new stream at this point, since
2680 * the authentication passed
2681 */
2682 if (stream == ctx->stream_template) {
2683 srtp_stream_ctx_t *new_stream;
2684
2685 /*
2686 * allocate and initialize a new stream
2687 *
2688 * note that we indicate failure if we can't allocate the new
2689 * stream, and some implementations will want to not return
2690 * failure here
2691 */
2692 status =
2693 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2694 if (status)
2695 return status;
2696
2697 /* add new stream to the head of the stream_list */
2698 new_stream->next = ctx->stream_list;
2699 ctx->stream_list = new_stream;
2700
2701 /* set stream (the pointer used in this function) */
2702 stream = new_stream;
2703 }
2704
2705 /*
2706 * the message authentication function passed, so add the packet
2707 * index into the replay database
2708 */
2709 if (advance_packet_index) {
2710 srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, roc_to_set, seq_to_set);
2711 stream->pending_roc = 0;
2712 srtp_rdbx_add_index(&stream->rtp_rdbx, 0);
2713 } else {
2714 srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
2715 }
2716
2717 /* decrease the packet length by the length of the auth tag */
2718 *pkt_octet_len -= tag_len;
2719
2720 /* decrease the packet length by the mki size */
2721 *pkt_octet_len -= mki_size;
2722
2723 return srtp_err_status_ok;
2724 }
2725
srtp_init()2726 srtp_err_status_t srtp_init()
2727 {
2728 srtp_err_status_t status;
2729
2730 /* initialize crypto kernel */
2731 status = srtp_crypto_kernel_init();
2732 if (status)
2733 return status;
2734
2735 /* load srtp debug module into the kernel */
2736 status = srtp_crypto_kernel_load_debug_module(&mod_srtp);
2737 if (status)
2738 return status;
2739
2740 return srtp_err_status_ok;
2741 }
2742
srtp_shutdown()2743 srtp_err_status_t srtp_shutdown()
2744 {
2745 srtp_err_status_t status;
2746
2747 /* shut down crypto kernel */
2748 status = srtp_crypto_kernel_shutdown();
2749 if (status)
2750 return status;
2751
2752 /* shutting down crypto kernel frees the srtp debug module as well */
2753
2754 return srtp_err_status_ok;
2755 }
2756
2757 /*
2758 * The following code is under consideration for removal. See
2759 * SRTP_MAX_TRAILER_LEN
2760 */
2761 #if 0
2762
2763 /*
2764 * srtp_get_trailer_length(&a) returns the number of octets that will
2765 * be added to an RTP packet by the SRTP processing. This value
2766 * is constant for a given srtp_stream_t (i.e. between initializations).
2767 */
2768
2769 int
2770 srtp_get_trailer_length(const srtp_stream_t s) {
2771 return srtp_auth_get_tag_length(s->rtp_auth);
2772 }
2773
2774 #endif
2775
2776 /*
2777 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
2778 * to ssrc, or NULL if no stream exists for that ssrc
2779 *
2780 * this is an internal function
2781 */
2782
srtp_get_stream(srtp_t srtp,uint32_t ssrc)2783 srtp_stream_ctx_t *srtp_get_stream(srtp_t srtp, uint32_t ssrc)
2784 {
2785 srtp_stream_ctx_t *stream;
2786
2787 /* walk down list until ssrc is found */
2788 stream = srtp->stream_list;
2789 while (stream != NULL) {
2790 if (stream->ssrc == ssrc)
2791 return stream;
2792 stream = stream->next;
2793 }
2794
2795 /* we haven't found our ssrc, so return a null */
2796 return NULL;
2797 }
2798
srtp_dealloc(srtp_t session)2799 srtp_err_status_t srtp_dealloc(srtp_t session)
2800 {
2801 srtp_stream_ctx_t *stream;
2802 srtp_err_status_t status;
2803
2804 /*
2805 * we take a conservative deallocation strategy - if we encounter an
2806 * error deallocating a stream, then we stop trying to deallocate
2807 * memory and just return an error
2808 */
2809
2810 /* walk list of streams, deallocating as we go */
2811 stream = session->stream_list;
2812 while (stream != NULL) {
2813 srtp_stream_t next = stream->next;
2814 status = srtp_stream_dealloc(stream, session->stream_template);
2815 if (status)
2816 return status;
2817 stream = next;
2818 }
2819
2820 /* deallocate stream template, if there is one */
2821 if (session->stream_template != NULL) {
2822 status = srtp_stream_dealloc(session->stream_template, NULL);
2823 if (status)
2824 return status;
2825 }
2826
2827 /* deallocate session context */
2828 srtp_crypto_free(session);
2829
2830 return srtp_err_status_ok;
2831 }
2832
srtp_add_stream(srtp_t session,const srtp_policy_t * policy)2833 srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy)
2834 {
2835 srtp_err_status_t status;
2836 srtp_stream_t tmp;
2837
2838 /* sanity check arguments */
2839 if ((session == NULL) || (policy == NULL) ||
2840 (!srtp_validate_policy_master_keys(policy)))
2841 return srtp_err_status_bad_param;
2842
2843 /* allocate stream */
2844 status = srtp_stream_alloc(&tmp, policy);
2845 if (status) {
2846 return status;
2847 }
2848
2849 /* initialize stream */
2850 status = srtp_stream_init(tmp, policy);
2851 if (status) {
2852 srtp_stream_dealloc(tmp, NULL);
2853 return status;
2854 }
2855
2856 /*
2857 * set the head of the stream list or the template to point to the
2858 * stream that we've just alloced and init'ed, depending on whether
2859 * or not it has a wildcard SSRC value or not
2860 *
2861 * if the template stream has already been set, then the policy is
2862 * inconsistent, so we return a bad_param error code
2863 */
2864 switch (policy->ssrc.type) {
2865 case (ssrc_any_outbound):
2866 if (session->stream_template) {
2867 srtp_stream_dealloc(tmp, NULL);
2868 return srtp_err_status_bad_param;
2869 }
2870 session->stream_template = tmp;
2871 session->stream_template->direction = dir_srtp_sender;
2872 break;
2873 case (ssrc_any_inbound):
2874 if (session->stream_template) {
2875 srtp_stream_dealloc(tmp, NULL);
2876 return srtp_err_status_bad_param;
2877 }
2878 session->stream_template = tmp;
2879 session->stream_template->direction = dir_srtp_receiver;
2880 break;
2881 case (ssrc_specific):
2882 tmp->next = session->stream_list;
2883 session->stream_list = tmp;
2884 break;
2885 case (ssrc_undefined):
2886 default:
2887 srtp_stream_dealloc(tmp, NULL);
2888 return srtp_err_status_bad_param;
2889 }
2890
2891 return srtp_err_status_ok;
2892 }
2893
srtp_create(srtp_t * session,const srtp_policy_t * policy)2894 srtp_err_status_t srtp_create(srtp_t *session, /* handle for session */
2895 const srtp_policy_t *policy)
2896 { /* SRTP policy (list) */
2897 srtp_err_status_t stat;
2898 srtp_ctx_t *ctx;
2899
2900 /* sanity check arguments */
2901 if (session == NULL)
2902 return srtp_err_status_bad_param;
2903
2904 /* allocate srtp context and set ctx_ptr */
2905 ctx = (srtp_ctx_t *)srtp_crypto_alloc(sizeof(srtp_ctx_t));
2906 if (ctx == NULL)
2907 return srtp_err_status_alloc_fail;
2908 *session = ctx;
2909
2910 /*
2911 * loop over elements in the policy list, allocating and
2912 * initializing a stream for each element
2913 */
2914 ctx->stream_template = NULL;
2915 ctx->stream_list = NULL;
2916 ctx->user_data = NULL;
2917 while (policy != NULL) {
2918 stat = srtp_add_stream(ctx, policy);
2919 if (stat) {
2920 /* clean up everything */
2921 srtp_dealloc(*session);
2922 *session = NULL;
2923 return stat;
2924 }
2925
2926 /* set policy to next item in list */
2927 policy = policy->next;
2928 }
2929
2930 return srtp_err_status_ok;
2931 }
2932
srtp_remove_stream(srtp_t session,uint32_t ssrc)2933 srtp_err_status_t srtp_remove_stream(srtp_t session, uint32_t ssrc)
2934 {
2935 srtp_stream_ctx_t *stream, *last_stream;
2936 srtp_err_status_t status;
2937
2938 /* sanity check arguments */
2939 if (session == NULL)
2940 return srtp_err_status_bad_param;
2941
2942 /* find stream in list; complain if not found */
2943 last_stream = stream = session->stream_list;
2944 while ((stream != NULL) && (ssrc != stream->ssrc)) {
2945 last_stream = stream;
2946 stream = stream->next;
2947 }
2948 if (stream == NULL)
2949 return srtp_err_status_no_ctx;
2950
2951 /* remove stream from the list */
2952 if (last_stream == stream)
2953 /* stream was first in list */
2954 session->stream_list = stream->next;
2955 else
2956 last_stream->next = stream->next;
2957
2958 /* deallocate the stream */
2959 status = srtp_stream_dealloc(stream, session->stream_template);
2960 if (status)
2961 return status;
2962
2963 return srtp_err_status_ok;
2964 }
2965
srtp_update(srtp_t session,const srtp_policy_t * policy)2966 srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy)
2967 {
2968 srtp_err_status_t stat;
2969
2970 /* sanity check arguments */
2971 if ((session == NULL) || (policy == NULL) ||
2972 (!srtp_validate_policy_master_keys(policy))) {
2973 return srtp_err_status_bad_param;
2974 }
2975
2976 while (policy != NULL) {
2977 stat = srtp_update_stream(session, policy);
2978 if (stat) {
2979 return stat;
2980 }
2981
2982 /* set policy to next item in list */
2983 policy = policy->next;
2984 }
2985 return srtp_err_status_ok;
2986 }
2987
update_template_streams(srtp_t session,const srtp_policy_t * policy)2988 static srtp_err_status_t update_template_streams(srtp_t session,
2989 const srtp_policy_t *policy)
2990 {
2991 srtp_err_status_t status;
2992 srtp_stream_t new_stream_template;
2993 srtp_stream_t new_stream_list = NULL;
2994
2995 if (session->stream_template == NULL) {
2996 return srtp_err_status_bad_param;
2997 }
2998
2999 /* allocate new template stream */
3000 status = srtp_stream_alloc(&new_stream_template, policy);
3001 if (status) {
3002 return status;
3003 }
3004
3005 /* initialize new template stream */
3006 status = srtp_stream_init(new_stream_template, policy);
3007 if (status) {
3008 srtp_crypto_free(new_stream_template);
3009 return status;
3010 }
3011
3012 /* for all old templated streams */
3013 for (;;) {
3014 srtp_stream_t stream;
3015 uint32_t ssrc;
3016 srtp_xtd_seq_num_t old_index;
3017 srtp_rdb_t old_rtcp_rdb;
3018
3019 stream = session->stream_list;
3020 while ((stream != NULL) &&
3021 (stream->session_keys[0].rtp_auth !=
3022 session->stream_template->session_keys[0].rtp_auth)) {
3023 stream = stream->next;
3024 }
3025 if (stream == NULL) {
3026 /* no more templated streams */
3027 break;
3028 }
3029
3030 /* save old extendard seq */
3031 ssrc = stream->ssrc;
3032 old_index = stream->rtp_rdbx.index;
3033 old_rtcp_rdb = stream->rtcp_rdb;
3034
3035 /* remove stream */
3036 status = srtp_remove_stream(session, ssrc);
3037 if (status) {
3038 /* free new allocations */
3039 while (new_stream_list != NULL) {
3040 srtp_stream_t next = new_stream_list->next;
3041 srtp_stream_dealloc(new_stream_list, new_stream_template);
3042 new_stream_list = next;
3043 }
3044 srtp_stream_dealloc(new_stream_template, NULL);
3045 return status;
3046 }
3047
3048 /* allocate and initialize a new stream */
3049 status = srtp_stream_clone(new_stream_template, ssrc, &stream);
3050 if (status) {
3051 /* free new allocations */
3052 while (new_stream_list != NULL) {
3053 srtp_stream_t next = new_stream_list->next;
3054 srtp_stream_dealloc(new_stream_list, new_stream_template);
3055 new_stream_list = next;
3056 }
3057 srtp_stream_dealloc(new_stream_template, NULL);
3058 return status;
3059 }
3060
3061 /* add new stream to the head of the new_stream_list */
3062 stream->next = new_stream_list;
3063 new_stream_list = stream;
3064
3065 /* restore old extended seq */
3066 stream->rtp_rdbx.index = old_index;
3067 stream->rtcp_rdb = old_rtcp_rdb;
3068 }
3069 /* dealloc old template */
3070 srtp_stream_dealloc(session->stream_template, NULL);
3071 /* set new template */
3072 session->stream_template = new_stream_template;
3073 /* add new list */
3074 if (new_stream_list) {
3075 srtp_stream_t tail = new_stream_list;
3076 while (tail->next) {
3077 tail = tail->next;
3078 }
3079 tail->next = session->stream_list;
3080 session->stream_list = new_stream_list;
3081 }
3082 return status;
3083 }
3084
update_stream(srtp_t session,const srtp_policy_t * policy)3085 static srtp_err_status_t update_stream(srtp_t session,
3086 const srtp_policy_t *policy)
3087 {
3088 srtp_err_status_t status;
3089 srtp_xtd_seq_num_t old_index;
3090 srtp_rdb_t old_rtcp_rdb;
3091 srtp_stream_t stream;
3092
3093 stream = srtp_get_stream(session, htonl(policy->ssrc.value));
3094 if (stream == NULL) {
3095 return srtp_err_status_bad_param;
3096 }
3097
3098 /* save old extendard seq */
3099 old_index = stream->rtp_rdbx.index;
3100 old_rtcp_rdb = stream->rtcp_rdb;
3101
3102 status = srtp_remove_stream(session, htonl(policy->ssrc.value));
3103 if (status) {
3104 return status;
3105 }
3106
3107 status = srtp_add_stream(session, policy);
3108 if (status) {
3109 return status;
3110 }
3111
3112 stream = srtp_get_stream(session, htonl(policy->ssrc.value));
3113 if (stream == NULL) {
3114 return srtp_err_status_fail;
3115 }
3116
3117 /* restore old extended seq */
3118 stream->rtp_rdbx.index = old_index;
3119 stream->rtcp_rdb = old_rtcp_rdb;
3120
3121 return srtp_err_status_ok;
3122 }
3123
srtp_update_stream(srtp_t session,const srtp_policy_t * policy)3124 srtp_err_status_t srtp_update_stream(srtp_t session,
3125 const srtp_policy_t *policy)
3126 {
3127 srtp_err_status_t status;
3128
3129 /* sanity check arguments */
3130 if ((session == NULL) || (policy == NULL) ||
3131 (!srtp_validate_policy_master_keys(policy)))
3132 return srtp_err_status_bad_param;
3133
3134 switch (policy->ssrc.type) {
3135 case (ssrc_any_outbound):
3136 case (ssrc_any_inbound):
3137 status = update_template_streams(session, policy);
3138 break;
3139 case (ssrc_specific):
3140 status = update_stream(session, policy);
3141 break;
3142 case (ssrc_undefined):
3143 default:
3144 return srtp_err_status_bad_param;
3145 }
3146
3147 return status;
3148 }
3149
3150 /*
3151 * The default policy - provides a convenient way for callers to use
3152 * the default security policy
3153 *
3154 * The default policy is defined in RFC 3711
3155 * (Section 5. Default and mandatory-to-implement Transforms)
3156 *
3157 */
3158
3159 /*
3160 * NOTE: cipher_key_len is really key len (128 bits) plus salt len
3161 * (112 bits)
3162 */
3163 /* There are hard-coded 16's for base_key_len in the key generation code */
3164
srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t * p)3165 void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p)
3166 {
3167 p->cipher_type = SRTP_AES_ICM_128;
3168 p->cipher_key_len =
3169 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */
3170 p->auth_type = SRTP_HMAC_SHA1;
3171 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3172 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
3173 p->sec_serv = sec_serv_conf_and_auth;
3174 }
3175
srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t * p)3176 void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p)
3177 {
3178 p->cipher_type = SRTP_AES_ICM_128;
3179 p->cipher_key_len =
3180 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */
3181 p->auth_type = SRTP_HMAC_SHA1;
3182 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3183 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
3184 p->sec_serv = sec_serv_conf_and_auth;
3185 }
3186
srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t * p)3187 void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p)
3188 {
3189 /*
3190 * corresponds to RFC 4568
3191 *
3192 * note that this crypto policy is intended for SRTP, but not SRTCP
3193 */
3194
3195 p->cipher_type = SRTP_AES_ICM_128;
3196 p->cipher_key_len =
3197 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */
3198 p->auth_type = SRTP_HMAC_SHA1;
3199 p->auth_key_len = 20; /* 160 bit key */
3200 p->auth_tag_len = 4; /* 32 bit tag */
3201 p->sec_serv = sec_serv_conf_and_auth;
3202 }
3203
srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t * p)3204 void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p)
3205 {
3206 /*
3207 * corresponds to RFC 4568
3208 *
3209 * note that this crypto policy is intended for SRTP, but not SRTCP
3210 */
3211
3212 p->cipher_type = SRTP_AES_ICM_128;
3213 p->cipher_key_len =
3214 SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */
3215 p->auth_type = SRTP_NULL_AUTH;
3216 p->auth_key_len = 0;
3217 p->auth_tag_len = 0;
3218 p->sec_serv = sec_serv_conf;
3219 }
3220
srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t * p)3221 void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p)
3222 {
3223 /*
3224 * corresponds to RFC 4568
3225 */
3226
3227 p->cipher_type = SRTP_NULL_CIPHER;
3228 p->cipher_key_len = 0;
3229 p->auth_type = SRTP_HMAC_SHA1;
3230 p->auth_key_len = 20;
3231 p->auth_tag_len = 10;
3232 p->sec_serv = sec_serv_auth;
3233 }
3234
srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t * p)3235 void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p)
3236 {
3237 /*
3238 * Should only be used for testing
3239 */
3240
3241 p->cipher_type = SRTP_NULL_CIPHER;
3242 p->cipher_key_len = 0;
3243 p->auth_type = SRTP_NULL_AUTH;
3244 p->auth_key_len = 0;
3245 p->auth_tag_len = 0;
3246 p->sec_serv = sec_serv_none;
3247 }
3248
srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t * p)3249 void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p)
3250 {
3251 /*
3252 * corresponds to RFC 6188
3253 */
3254
3255 p->cipher_type = SRTP_AES_ICM_256;
3256 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
3257 p->auth_type = SRTP_HMAC_SHA1;
3258 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3259 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
3260 p->sec_serv = sec_serv_conf_and_auth;
3261 }
3262
srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t * p)3263 void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p)
3264 {
3265 /*
3266 * corresponds to RFC 6188
3267 *
3268 * note that this crypto policy is intended for SRTP, but not SRTCP
3269 */
3270
3271 p->cipher_type = SRTP_AES_ICM_256;
3272 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
3273 p->auth_type = SRTP_HMAC_SHA1;
3274 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3275 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */
3276 p->sec_serv = sec_serv_conf_and_auth;
3277 }
3278
3279 /*
3280 * AES-256 with no authentication.
3281 */
srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t * p)3282 void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p)
3283 {
3284 p->cipher_type = SRTP_AES_ICM_256;
3285 p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
3286 p->auth_type = SRTP_NULL_AUTH;
3287 p->auth_key_len = 0;
3288 p->auth_tag_len = 0;
3289 p->sec_serv = sec_serv_conf;
3290 }
3291
srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t * p)3292 void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p)
3293 {
3294 /*
3295 * corresponds to RFC 6188
3296 */
3297
3298 p->cipher_type = SRTP_AES_ICM_192;
3299 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
3300 p->auth_type = SRTP_HMAC_SHA1;
3301 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3302 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
3303 p->sec_serv = sec_serv_conf_and_auth;
3304 }
3305
srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t * p)3306 void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p)
3307 {
3308 /*
3309 * corresponds to RFC 6188
3310 *
3311 * note that this crypto policy is intended for SRTP, but not SRTCP
3312 */
3313
3314 p->cipher_type = SRTP_AES_ICM_192;
3315 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
3316 p->auth_type = SRTP_HMAC_SHA1;
3317 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3318 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */
3319 p->sec_serv = sec_serv_conf_and_auth;
3320 }
3321
3322 /*
3323 * AES-192 with no authentication.
3324 */
srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t * p)3325 void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p)
3326 {
3327 p->cipher_type = SRTP_AES_ICM_192;
3328 p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
3329 p->auth_type = SRTP_NULL_AUTH;
3330 p->auth_key_len = 0;
3331 p->auth_tag_len = 0;
3332 p->sec_serv = sec_serv_conf;
3333 }
3334
3335 /*
3336 * AES-128 GCM mode with 8 octet auth tag.
3337 */
srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t * p)3338 void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p)
3339 {
3340 p->cipher_type = SRTP_AES_GCM_128;
3341 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
3342 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3343 p->auth_key_len = 0;
3344 p->auth_tag_len = 8; /* 8 octet tag length */
3345 p->sec_serv = sec_serv_conf_and_auth;
3346 }
3347
3348 /*
3349 * AES-256 GCM mode with 8 octet auth tag.
3350 */
srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t * p)3351 void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p)
3352 {
3353 p->cipher_type = SRTP_AES_GCM_256;
3354 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
3355 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3356 p->auth_key_len = 0;
3357 p->auth_tag_len = 8; /* 8 octet tag length */
3358 p->sec_serv = sec_serv_conf_and_auth;
3359 }
3360
3361 /*
3362 * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption.
3363 */
srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t * p)3364 void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p)
3365 {
3366 p->cipher_type = SRTP_AES_GCM_128;
3367 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
3368 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3369 p->auth_key_len = 0;
3370 p->auth_tag_len = 8; /* 8 octet tag length */
3371 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
3372 }
3373
3374 /*
3375 * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption.
3376 */
srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t * p)3377 void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p)
3378 {
3379 p->cipher_type = SRTP_AES_GCM_256;
3380 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
3381 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3382 p->auth_key_len = 0;
3383 p->auth_tag_len = 8; /* 8 octet tag length */
3384 p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
3385 }
3386
3387 /*
3388 * AES-128 GCM mode with 16 octet auth tag.
3389 */
srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t * p)3390 void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p)
3391 {
3392 p->cipher_type = SRTP_AES_GCM_128;
3393 p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
3394 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3395 p->auth_key_len = 0;
3396 p->auth_tag_len = 16; /* 16 octet tag length */
3397 p->sec_serv = sec_serv_conf_and_auth;
3398 }
3399
3400 /*
3401 * AES-256 GCM mode with 16 octet auth tag.
3402 */
srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t * p)3403 void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p)
3404 {
3405 p->cipher_type = SRTP_AES_GCM_256;
3406 p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
3407 p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3408 p->auth_key_len = 0;
3409 p->auth_tag_len = 16; /* 16 octet tag length */
3410 p->sec_serv = sec_serv_conf_and_auth;
3411 }
3412
3413 /*
3414 * secure rtcp functions
3415 */
3416
3417 /*
3418 * AEAD uses a new IV formation method. This function implements
3419 * section 9.1 (SRTCP IV Formation for AES-GCM) from RFC7714.
3420 * The calculation is defined as, where (+) is the xor operation:
3421 *
3422 * 0 1 2 3 4 5 6 7 8 9 10 11
3423 * +--+--+--+--+--+--+--+--+--+--+--+--+
3424 * |00|00| SSRC |00|00|0+SRTCP Idx|---+
3425 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
3426 * |
3427 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
3428 * | Encryption Salt |->(+)
3429 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
3430 * |
3431 * +--+--+--+--+--+--+--+--+--+--+--+--+ |
3432 * | Initialization Vector |<--+
3433 * +--+--+--+--+--+--+--+--+--+--+--+--+*
3434 *
3435 * Input: *session_keys - pointer to SRTP stream context session keys,
3436 * used to retrieve the SALT
3437 * *iv - Pointer to recieve the calculated IV
3438 * seq_num - The SEQ value to use for the IV calculation.
3439 * *hdr - The RTP header, used to get the SSRC value
3440 *
3441 * Returns: srtp_err_status_ok if no error or srtp_err_status_bad_param
3442 * if seq_num is invalid
3443 *
3444 */
srtp_calc_aead_iv_srtcp(srtp_session_keys_t * session_keys,v128_t * iv,uint32_t seq_num,srtcp_hdr_t * hdr)3445 static srtp_err_status_t srtp_calc_aead_iv_srtcp(
3446 srtp_session_keys_t *session_keys,
3447 v128_t *iv,
3448 uint32_t seq_num,
3449 srtcp_hdr_t *hdr)
3450 {
3451 v128_t in;
3452 v128_t salt;
3453
3454 memset(&in, 0, sizeof(v128_t));
3455 memset(&salt, 0, sizeof(v128_t));
3456
3457 in.v16[0] = 0;
3458 memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */
3459 in.v16[3] = 0;
3460
3461 /*
3462 * The SRTCP index (seq_num) spans bits 0 through 30 inclusive.
3463 * The most significant bit should be zero.
3464 */
3465 if (seq_num & 0x80000000UL) {
3466 return srtp_err_status_bad_param;
3467 }
3468 in.v32[2] = htonl(seq_num);
3469
3470 debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in));
3471
3472 /*
3473 * Get the SALT value from the context
3474 */
3475 memcpy(salt.v8, session_keys->c_salt, 12);
3476 debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt));
3477
3478 /*
3479 * Finally, apply the SALT to the input
3480 */
3481 v128_xor(iv, &in, &salt);
3482
3483 return srtp_err_status_ok;
3484 }
3485
3486 /*
3487 * This code handles AEAD ciphers for outgoing RTCP. We currently support
3488 * AES-GCM mode with 128 or 256 bit keys.
3489 */
srtp_protect_rtcp_aead(srtp_t ctx,srtp_stream_ctx_t * stream,void * rtcp_hdr,unsigned int * pkt_octet_len,srtp_session_keys_t * session_keys,unsigned int use_mki)3490 static srtp_err_status_t srtp_protect_rtcp_aead(
3491 srtp_t ctx,
3492 srtp_stream_ctx_t *stream,
3493 void *rtcp_hdr,
3494 unsigned int *pkt_octet_len,
3495 srtp_session_keys_t *session_keys,
3496 unsigned int use_mki)
3497 {
3498 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
3499 uint32_t *enc_start; /* pointer to start of encrypted portion */
3500 uint32_t *trailer_p; /* pointer to start of trailer */
3501 uint32_t trailer; /* trailer value */
3502 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
3503 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
3504 srtp_err_status_t status;
3505 uint32_t tag_len;
3506 uint32_t seq_num;
3507 v128_t iv;
3508 uint32_t tseq;
3509 unsigned int mki_size = 0;
3510
3511 /* get tag length from stream context */
3512 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
3513
3514 /*
3515 * set encryption start and encryption length - if we're not
3516 * providing confidentiality, set enc_start to NULL
3517 */
3518 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
3519 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
3520
3521 /* NOTE: hdr->length is not usable - it refers to only the first
3522 * RTCP report in the compound packet!
3523 */
3524 trailer_p = (uint32_t *)((char *)enc_start + enc_octet_len + tag_len);
3525
3526 if (stream->rtcp_services & sec_serv_conf) {
3527 trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
3528 } else {
3529 enc_start = NULL;
3530 enc_octet_len = 0;
3531 /* 0 is network-order independant */
3532 trailer = 0x00000000; /* set encrypt bit */
3533 }
3534
3535 mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + tag_len +
3536 sizeof(srtcp_trailer_t),
3537 session_keys, use_mki);
3538
3539 /*
3540 * set the auth_tag pointer to the proper location, which is after
3541 * the payload, but before the trailer
3542 * (note that srtpc *always* provides authentication, unlike srtp)
3543 */
3544 /* Note: This would need to change for optional mikey data */
3545 auth_tag = (uint8_t *)hdr + *pkt_octet_len;
3546
3547 /*
3548 * check sequence number for overruns, and copy it into the packet
3549 * if its value isn't too big
3550 */
3551 status = srtp_rdb_increment(&stream->rtcp_rdb);
3552 if (status) {
3553 return status;
3554 }
3555 seq_num = srtp_rdb_get_value(&stream->rtcp_rdb);
3556 trailer |= htonl(seq_num);
3557 debug_print(mod_srtp, "srtcp index: %x", seq_num);
3558
3559 memcpy(trailer_p, &trailer, sizeof(trailer));
3560
3561 /*
3562 * Calculate and set the IV
3563 */
3564 status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr);
3565 if (status) {
3566 return srtp_err_status_cipher_fail;
3567 }
3568 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
3569 srtp_direction_encrypt);
3570 if (status) {
3571 return srtp_err_status_cipher_fail;
3572 }
3573
3574 /*
3575 * Set the AAD for GCM mode
3576 */
3577 if (enc_start) {
3578 /*
3579 * If payload encryption is enabled, then the AAD consist of
3580 * the RTCP header and the seq# at the end of the packet
3581 */
3582 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
3583 octets_in_rtcp_header);
3584 if (status) {
3585 return (srtp_err_status_cipher_fail);
3586 }
3587 } else {
3588 /*
3589 * Since payload encryption is not enabled, we must authenticate
3590 * the entire packet as described in RFC 7714 (Section 9.3. Data
3591 * Types in Unencrypted SRTCP Compound Packets)
3592 */
3593 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
3594 *pkt_octet_len);
3595 if (status) {
3596 return (srtp_err_status_cipher_fail);
3597 }
3598 }
3599 /*
3600 * Process the sequence# as AAD
3601 */
3602 tseq = trailer;
3603 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq,
3604 sizeof(srtcp_trailer_t));
3605 if (status) {
3606 return (srtp_err_status_cipher_fail);
3607 }
3608
3609 /* if we're encrypting, exor keystream into the message */
3610 if (enc_start) {
3611 status = srtp_cipher_encrypt(session_keys->rtcp_cipher,
3612 (uint8_t *)enc_start, &enc_octet_len);
3613 if (status) {
3614 return srtp_err_status_cipher_fail;
3615 }
3616 /*
3617 * Get the tag and append that to the output
3618 */
3619 status = srtp_cipher_get_tag(session_keys->rtcp_cipher,
3620 (uint8_t *)auth_tag, &tag_len);
3621 if (status) {
3622 return (srtp_err_status_cipher_fail);
3623 }
3624 enc_octet_len += tag_len;
3625 } else {
3626 /*
3627 * Even though we're not encrypting the payload, we need
3628 * to run the cipher to get the auth tag.
3629 */
3630 unsigned int nolen = 0;
3631 status = srtp_cipher_encrypt(session_keys->rtcp_cipher, NULL, &nolen);
3632 if (status) {
3633 return srtp_err_status_cipher_fail;
3634 }
3635 /*
3636 * Get the tag and append that to the output
3637 */
3638 status = srtp_cipher_get_tag(session_keys->rtcp_cipher,
3639 (uint8_t *)auth_tag, &tag_len);
3640 if (status) {
3641 return (srtp_err_status_cipher_fail);
3642 }
3643 enc_octet_len += tag_len;
3644 }
3645
3646 /* increase the packet length by the length of the auth tag and seq_num*/
3647 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
3648
3649 /* increase the packet by the mki_size */
3650 *pkt_octet_len += mki_size;
3651
3652 return srtp_err_status_ok;
3653 }
3654
3655 /*
3656 * This function handles incoming SRTCP packets while in AEAD mode,
3657 * which currently supports AES-GCM encryption. Note, the auth tag is
3658 * at the end of the packet stream and is automatically checked by GCM
3659 * when decrypting the payload.
3660 */
srtp_unprotect_rtcp_aead(srtp_t ctx,srtp_stream_ctx_t * stream,void * srtcp_hdr,unsigned int * pkt_octet_len,srtp_session_keys_t * session_keys,unsigned int use_mki)3661 static srtp_err_status_t srtp_unprotect_rtcp_aead(
3662 srtp_t ctx,
3663 srtp_stream_ctx_t *stream,
3664 void *srtcp_hdr,
3665 unsigned int *pkt_octet_len,
3666 srtp_session_keys_t *session_keys,
3667 unsigned int use_mki)
3668 {
3669 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
3670 uint32_t *enc_start; /* pointer to start of encrypted portion */
3671 uint32_t *trailer_p; /* pointer to start of trailer */
3672 uint32_t trailer; /* trailer value */
3673 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
3674 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
3675 srtp_err_status_t status;
3676 int tag_len;
3677 unsigned int tmp_len;
3678 uint32_t seq_num;
3679 v128_t iv;
3680 uint32_t tseq;
3681 unsigned int mki_size = 0;
3682
3683 /* get tag length from stream context */
3684 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
3685
3686 if (use_mki) {
3687 mki_size = session_keys->mki_size;
3688 }
3689
3690 /*
3691 * set encryption start, encryption length, and trailer
3692 */
3693 /* index & E (encryption) bit follow normal data. hdr->len is the number of
3694 * words (32-bit) in the normal packet minus 1
3695 */
3696 /* This should point trailer to the word past the end of the normal data. */
3697 /* This would need to be modified for optional mikey data */
3698 trailer_p = (uint32_t *)((char *)hdr + *pkt_octet_len -
3699 sizeof(srtcp_trailer_t) - mki_size);
3700 memcpy(&trailer, trailer_p, sizeof(trailer));
3701
3702 /*
3703 * We pass the tag down to the cipher when doing GCM mode
3704 */
3705 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header +
3706 sizeof(srtcp_trailer_t) + mki_size);
3707 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len - mki_size -
3708 sizeof(srtcp_trailer_t);
3709
3710 if (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) {
3711 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
3712 } else {
3713 enc_octet_len = 0;
3714 enc_start = NULL; /* this indicates that there's no encryption */
3715 }
3716
3717 /*
3718 * check the sequence number for replays
3719 */
3720 /* this is easier than dealing with bitfield access */
3721 seq_num = ntohl(trailer) & SRTCP_INDEX_MASK;
3722 debug_print(mod_srtp, "srtcp index: %x", seq_num);
3723 status = srtp_rdb_check(&stream->rtcp_rdb, seq_num);
3724 if (status) {
3725 return status;
3726 }
3727
3728 /*
3729 * Calculate and set the IV
3730 */
3731 status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr);
3732 if (status) {
3733 return srtp_err_status_cipher_fail;
3734 }
3735 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
3736 srtp_direction_decrypt);
3737 if (status) {
3738 return srtp_err_status_cipher_fail;
3739 }
3740
3741 /*
3742 * Set the AAD for GCM mode
3743 */
3744 if (enc_start) {
3745 /*
3746 * If payload encryption is enabled, then the AAD consist of
3747 * the RTCP header and the seq# at the end of the packet
3748 */
3749 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
3750 octets_in_rtcp_header);
3751 if (status) {
3752 return (srtp_err_status_cipher_fail);
3753 }
3754 } else {
3755 /*
3756 * Since payload encryption is not enabled, we must authenticate
3757 * the entire packet as described in RFC 7714 (Section 9.3. Data
3758 * Types in Unencrypted SRTCP Compound Packets)
3759 */
3760 status = srtp_cipher_set_aad(
3761 session_keys->rtcp_cipher, (uint8_t *)hdr,
3762 (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t) - mki_size));
3763 if (status) {
3764 return (srtp_err_status_cipher_fail);
3765 }
3766 }
3767
3768 /*
3769 * Process the sequence# as AAD
3770 */
3771 tseq = trailer;
3772 status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq,
3773 sizeof(srtcp_trailer_t));
3774 if (status) {
3775 return (srtp_err_status_cipher_fail);
3776 }
3777
3778 /* if we're decrypting, exor keystream into the message */
3779 if (enc_start) {
3780 status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
3781 (uint8_t *)enc_start, &enc_octet_len);
3782 if (status) {
3783 return status;
3784 }
3785 } else {
3786 /*
3787 * Still need to run the cipher to check the tag
3788 */
3789 tmp_len = tag_len;
3790 status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
3791 (uint8_t *)auth_tag, &tmp_len);
3792 if (status) {
3793 return status;
3794 }
3795 }
3796
3797 /* decrease the packet length by the length of the auth tag and seq_num*/
3798 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) + mki_size);
3799
3800 /*
3801 * verify that stream is for received traffic - this check will
3802 * detect SSRC collisions, since a stream that appears in both
3803 * srtp_protect() and srtp_unprotect() will fail this test in one of
3804 * those functions.
3805 *
3806 * we do this check *after* the authentication check, so that the
3807 * latter check will catch any attempts to fool us into thinking
3808 * that we've got a collision
3809 */
3810 if (stream->direction != dir_srtp_receiver) {
3811 if (stream->direction == dir_unknown) {
3812 stream->direction = dir_srtp_receiver;
3813 } else {
3814 srtp_handle_event(ctx, stream, event_ssrc_collision);
3815 }
3816 }
3817
3818 /*
3819 * if the stream is a 'provisional' one, in which the template context
3820 * is used, then we need to allocate a new stream at this point, since
3821 * the authentication passed
3822 */
3823 if (stream == ctx->stream_template) {
3824 srtp_stream_ctx_t *new_stream;
3825
3826 /*
3827 * allocate and initialize a new stream
3828 *
3829 * note that we indicate failure if we can't allocate the new
3830 * stream, and some implementations will want to not return
3831 * failure here
3832 */
3833 status =
3834 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
3835 if (status) {
3836 return status;
3837 }
3838
3839 /* add new stream to the head of the stream_list */
3840 new_stream->next = ctx->stream_list;
3841 ctx->stream_list = new_stream;
3842
3843 /* set stream (the pointer used in this function) */
3844 stream = new_stream;
3845 }
3846
3847 /* we've passed the authentication check, so add seq_num to the rdb */
3848 srtp_rdb_add_index(&stream->rtcp_rdb, seq_num);
3849
3850 return srtp_err_status_ok;
3851 }
3852
srtp_protect_rtcp(srtp_t ctx,void * rtcp_hdr,int * pkt_octet_len)3853 srtp_err_status_t srtp_protect_rtcp(srtp_t ctx,
3854 void *rtcp_hdr,
3855 int *pkt_octet_len)
3856 {
3857 return srtp_protect_rtcp_mki(ctx, rtcp_hdr, pkt_octet_len, 0, 0);
3858 }
3859
srtp_protect_rtcp_mki(srtp_t ctx,void * rtcp_hdr,int * pkt_octet_len,unsigned int use_mki,unsigned int mki_index)3860 srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx,
3861 void *rtcp_hdr,
3862 int *pkt_octet_len,
3863 unsigned int use_mki,
3864 unsigned int mki_index)
3865 {
3866 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
3867 uint32_t *enc_start; /* pointer to start of encrypted portion */
3868 uint32_t *auth_start; /* pointer to start of auth. portion */
3869 uint32_t *trailer_p; /* pointer to start of trailer */
3870 uint32_t trailer; /* trailer value */
3871 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
3872 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
3873 srtp_err_status_t status;
3874 int tag_len;
3875 srtp_stream_ctx_t *stream;
3876 uint32_t prefix_len;
3877 uint32_t seq_num;
3878 unsigned int mki_size = 0;
3879 srtp_session_keys_t *session_keys = NULL;
3880
3881 /* we assume the hdr is 32-bit aligned to start */
3882
3883 /* check the packet length - it must at least contain a full header */
3884 if (*pkt_octet_len < octets_in_rtcp_header)
3885 return srtp_err_status_bad_param;
3886
3887 /*
3888 * look up ssrc in srtp_stream list, and process the packet with
3889 * the appropriate stream. if we haven't seen this stream before,
3890 * there's only one key for this srtp_session, and the cipher
3891 * supports key-sharing, then we assume that a new stream using
3892 * that key has just started up
3893 */
3894 stream = srtp_get_stream(ctx, hdr->ssrc);
3895 if (stream == NULL) {
3896 if (ctx->stream_template != NULL) {
3897 srtp_stream_ctx_t *new_stream;
3898
3899 /* allocate and initialize a new stream */
3900 status =
3901 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
3902 if (status)
3903 return status;
3904
3905 /* add new stream to the head of the stream_list */
3906 new_stream->next = ctx->stream_list;
3907 ctx->stream_list = new_stream;
3908
3909 /* set stream (the pointer used in this function) */
3910 stream = new_stream;
3911 } else {
3912 /* no template stream, so we return an error */
3913 return srtp_err_status_no_ctx;
3914 }
3915 }
3916
3917 /*
3918 * verify that stream is for sending traffic - this check will
3919 * detect SSRC collisions, since a stream that appears in both
3920 * srtp_protect() and srtp_unprotect() will fail this test in one of
3921 * those functions.
3922 */
3923 if (stream->direction != dir_srtp_sender) {
3924 if (stream->direction == dir_unknown) {
3925 stream->direction = dir_srtp_sender;
3926 } else {
3927 srtp_handle_event(ctx, stream, event_ssrc_collision);
3928 }
3929 }
3930
3931 session_keys =
3932 srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index);
3933
3934 if (session_keys == NULL)
3935 return srtp_err_status_bad_mki;
3936
3937 /*
3938 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
3939 * the request to our AEAD handler.
3940 */
3941 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
3942 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
3943 return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr,
3944 (unsigned int *)pkt_octet_len,
3945 session_keys, use_mki);
3946 }
3947
3948 /* get tag length from stream context */
3949 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
3950
3951 /*
3952 * set encryption start and encryption length - if we're not
3953 * providing confidentiality, set enc_start to NULL
3954 */
3955 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
3956 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
3957
3958 /* all of the packet, except the header, gets encrypted */
3959 /*
3960 * NOTE: hdr->length is not usable - it refers to only the first RTCP report
3961 * in the compound packet!
3962 */
3963 trailer_p = (uint32_t *)((char *)enc_start + enc_octet_len);
3964
3965 if (stream->rtcp_services & sec_serv_conf) {
3966 trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
3967 } else {
3968 enc_start = NULL;
3969 enc_octet_len = 0;
3970 /* 0 is network-order independant */
3971 trailer = 0x00000000; /* set encrypt bit */
3972 }
3973
3974 mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len +
3975 sizeof(srtcp_trailer_t),
3976 session_keys, use_mki);
3977
3978 /*
3979 * set the auth_start and auth_tag pointers to the proper locations
3980 * (note that srtpc *always* provides authentication, unlike srtp)
3981 */
3982 /* Note: This would need to change for optional mikey data */
3983 auth_start = (uint32_t *)hdr;
3984 auth_tag =
3985 (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) + mki_size;
3986
3987 /* perform EKT processing if needed */
3988 srtp_ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
3989 srtp_rdbx_get_packet_index(&stream->rtp_rdbx));
3990
3991 /*
3992 * check sequence number for overruns, and copy it into the packet
3993 * if its value isn't too big
3994 */
3995 status = srtp_rdb_increment(&stream->rtcp_rdb);
3996 if (status)
3997 return status;
3998 seq_num = srtp_rdb_get_value(&stream->rtcp_rdb);
3999 trailer |= htonl(seq_num);
4000 debug_print(mod_srtp, "srtcp index: %x", seq_num);
4001
4002 memcpy(trailer_p, &trailer, sizeof(trailer));
4003
4004 /*
4005 * if we're using rindael counter mode, set nonce and seq
4006 */
4007 if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 ||
4008 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 ||
4009 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) {
4010 v128_t iv;
4011
4012 iv.v32[0] = 0;
4013 iv.v32[1] = hdr->ssrc; /* still in network order! */
4014 iv.v32[2] = htonl(seq_num >> 16);
4015 iv.v32[3] = htonl(seq_num << 16);
4016 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
4017 srtp_direction_encrypt);
4018
4019 } else {
4020 v128_t iv;
4021
4022 /* otherwise, just set the index to seq_num */
4023 iv.v32[0] = 0;
4024 iv.v32[1] = 0;
4025 iv.v32[2] = 0;
4026 iv.v32[3] = htonl(seq_num);
4027 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
4028 srtp_direction_encrypt);
4029 }
4030 if (status)
4031 return srtp_err_status_cipher_fail;
4032
4033 /*
4034 * if we're authenticating using a universal hash, put the keystream
4035 * prefix into the authentication tag
4036 */
4037
4038 /* if auth_start is non-null, then put keystream into tag */
4039 if (auth_start) {
4040 /* put keystream prefix into auth_tag */
4041 prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth);
4042 status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag,
4043 &prefix_len);
4044
4045 debug_print(mod_srtp, "keystream prefix: %s",
4046 srtp_octet_string_hex_string(auth_tag, prefix_len));
4047
4048 if (status)
4049 return srtp_err_status_cipher_fail;
4050 }
4051
4052 /* if we're encrypting, exor keystream into the message */
4053 if (enc_start) {
4054 status = srtp_cipher_encrypt(session_keys->rtcp_cipher,
4055 (uint8_t *)enc_start, &enc_octet_len);
4056 if (status)
4057 return srtp_err_status_cipher_fail;
4058 }
4059
4060 /* initialize auth func context */
4061 srtp_auth_start(session_keys->rtcp_auth);
4062
4063 /*
4064 * run auth func over packet (including trailer), and write the
4065 * result at auth_tag
4066 */
4067 status =
4068 srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start,
4069 (*pkt_octet_len) + sizeof(srtcp_trailer_t), auth_tag);
4070 debug_print(mod_srtp, "srtcp auth tag: %s",
4071 srtp_octet_string_hex_string(auth_tag, tag_len));
4072 if (status)
4073 return srtp_err_status_auth_fail;
4074
4075 /* increase the packet length by the length of the auth tag and seq_num*/
4076 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
4077
4078 /* increase the packet by the mki_size */
4079 *pkt_octet_len += mki_size;
4080
4081 return srtp_err_status_ok;
4082 }
4083
srtp_unprotect_rtcp(srtp_t ctx,void * srtcp_hdr,int * pkt_octet_len)4084 srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx,
4085 void *srtcp_hdr,
4086 int *pkt_octet_len)
4087 {
4088 return srtp_unprotect_rtcp_mki(ctx, srtcp_hdr, pkt_octet_len, 0);
4089 }
4090
srtp_unprotect_rtcp_mki(srtp_t ctx,void * srtcp_hdr,int * pkt_octet_len,unsigned int use_mki)4091 srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx,
4092 void *srtcp_hdr,
4093 int *pkt_octet_len,
4094 unsigned int use_mki)
4095 {
4096 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
4097 uint32_t *enc_start; /* pointer to start of encrypted portion */
4098 uint32_t *auth_start; /* pointer to start of auth. portion */
4099 uint32_t *trailer_p; /* pointer to start of trailer */
4100 uint32_t trailer; /* trailer value */
4101 unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
4102 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
4103 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
4104 uint8_t tag_copy[SRTP_MAX_TAG_LEN];
4105 srtp_err_status_t status;
4106 unsigned int auth_len;
4107 int tag_len;
4108 srtp_stream_ctx_t *stream;
4109 uint32_t prefix_len;
4110 uint32_t seq_num;
4111 int e_bit_in_packet; /* whether the E-bit was found in the packet */
4112 int sec_serv_confidentiality; /* whether confidentiality was requested */
4113 unsigned int mki_size = 0;
4114 srtp_session_keys_t *session_keys = NULL;
4115
4116 /* we assume the hdr is 32-bit aligned to start */
4117
4118 if (*pkt_octet_len < 0)
4119 return srtp_err_status_bad_param;
4120
4121 /*
4122 * check that the length value is sane; we'll check again once we
4123 * know the tag length, but we at least want to know that it is
4124 * a positive value
4125 */
4126 if ((unsigned int)(*pkt_octet_len) <
4127 octets_in_rtcp_header + sizeof(srtcp_trailer_t))
4128 return srtp_err_status_bad_param;
4129
4130 /*
4131 * look up ssrc in srtp_stream list, and process the packet with
4132 * the appropriate stream. if we haven't seen this stream before,
4133 * there's only one key for this srtp_session, and the cipher
4134 * supports key-sharing, then we assume that a new stream using
4135 * that key has just started up
4136 */
4137 stream = srtp_get_stream(ctx, hdr->ssrc);
4138 if (stream == NULL) {
4139 if (ctx->stream_template != NULL) {
4140 stream = ctx->stream_template;
4141
4142 /*
4143 * check to see if stream_template has an EKT data structure, in
4144 * which case we initialize the template using the EKT policy
4145 * referenced by that data (which consists of decrypting the
4146 * master key from the EKT field)
4147 *
4148 * this function initializes a *provisional* stream, and this
4149 * stream should not be accepted until and unless the packet
4150 * passes its authentication check
4151 */
4152 if (stream->ekt != NULL) {
4153 status = srtp_stream_init_from_ekt(stream, srtcp_hdr,
4154 *pkt_octet_len);
4155 if (status)
4156 return status;
4157 }
4158
4159 debug_print(mod_srtp,
4160 "srtcp using provisional stream (SSRC: 0x%08x)",
4161 ntohl(hdr->ssrc));
4162 } else {
4163 /* no template stream, so we return an error */
4164 return srtp_err_status_no_ctx;
4165 }
4166 }
4167
4168 /*
4169 * Determine if MKI is being used and what session keys should be used
4170 */
4171 if (use_mki) {
4172 session_keys = srtp_get_session_keys(
4173 stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len,
4174 &mki_size);
4175
4176 if (session_keys == NULL)
4177 return srtp_err_status_bad_mki;
4178 } else {
4179 session_keys = &stream->session_keys[0];
4180 }
4181
4182 /* get tag length from stream context */
4183 tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
4184
4185 /* check the packet length - it must contain at least a full RTCP
4186 header, an auth tag (if applicable), and the SRTCP encrypted flag
4187 and 31-bit index value */
4188 if (*pkt_octet_len < (int)(octets_in_rtcp_header + tag_len + mki_size +
4189 sizeof(srtcp_trailer_t))) {
4190 return srtp_err_status_bad_param;
4191 }
4192
4193 /*
4194 * Check if this is an AEAD stream (GCM mode). If so, then dispatch
4195 * the request to our AEAD handler.
4196 */
4197 if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
4198 session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
4199 return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr,
4200 (unsigned int *)pkt_octet_len,
4201 session_keys, mki_size);
4202 }
4203
4204 sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
4205 stream->rtcp_services == sec_serv_conf_and_auth;
4206
4207 /*
4208 * set encryption start, encryption length, and trailer
4209 */
4210 enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + tag_len +
4211 mki_size + sizeof(srtcp_trailer_t));
4212 /*
4213 *index & E (encryption) bit follow normal data. hdr->len is the number of
4214 * words (32-bit) in the normal packet minus 1
4215 */
4216 /* This should point trailer to the word past the end of the normal data. */
4217 /* This would need to be modified for optional mikey data */
4218 trailer_p = (uint32_t *)((char *)hdr + *pkt_octet_len -
4219 (tag_len + mki_size + sizeof(srtcp_trailer_t)));
4220 memcpy(&trailer, trailer_p, sizeof(trailer));
4221
4222 e_bit_in_packet =
4223 (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
4224 if (e_bit_in_packet != sec_serv_confidentiality) {
4225 return srtp_err_status_cant_check;
4226 }
4227 if (sec_serv_confidentiality) {
4228 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
4229 } else {
4230 enc_octet_len = 0;
4231 enc_start = NULL; /* this indicates that there's no encryption */
4232 }
4233
4234 /*
4235 * set the auth_start and auth_tag pointers to the proper locations
4236 * (note that srtcp *always* uses authentication, unlike srtp)
4237 */
4238 auth_start = (uint32_t *)hdr;
4239
4240 /*
4241 * The location of the auth tag in the packet needs to know MKI
4242 * could be present. The data needed to calculate the Auth tag
4243 * must not include the MKI
4244 */
4245 auth_len = *pkt_octet_len - tag_len - mki_size;
4246 auth_tag = (uint8_t *)hdr + auth_len + mki_size;
4247
4248 /*
4249 * if EKT is in use, then we make a copy of the tag from the packet,
4250 * and then zeroize the location of the base tag
4251 *
4252 * we first re-position the auth_tag pointer so that it points to
4253 * the base tag
4254 */
4255 if (stream->ekt) {
4256 auth_tag -= srtp_ekt_octets_after_base_tag(stream->ekt);
4257 memcpy(tag_copy, auth_tag, tag_len);
4258 octet_string_set_to_zero(auth_tag, tag_len);
4259 auth_tag = tag_copy;
4260 auth_len += tag_len;
4261 }
4262
4263 /*
4264 * check the sequence number for replays
4265 */
4266 /* this is easier than dealing with bitfield access */
4267 seq_num = ntohl(trailer) & SRTCP_INDEX_MASK;
4268 debug_print(mod_srtp, "srtcp index: %x", seq_num);
4269 status = srtp_rdb_check(&stream->rtcp_rdb, seq_num);
4270 if (status)
4271 return status;
4272
4273 /*
4274 * if we're using aes counter mode, set nonce and seq
4275 */
4276 if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 ||
4277 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 ||
4278 session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) {
4279 v128_t iv;
4280
4281 iv.v32[0] = 0;
4282 iv.v32[1] = hdr->ssrc; /* still in network order! */
4283 iv.v32[2] = htonl(seq_num >> 16);
4284 iv.v32[3] = htonl(seq_num << 16);
4285 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
4286 srtp_direction_decrypt);
4287
4288 } else {
4289 v128_t iv;
4290
4291 /* otherwise, just set the index to seq_num */
4292 iv.v32[0] = 0;
4293 iv.v32[1] = 0;
4294 iv.v32[2] = 0;
4295 iv.v32[3] = htonl(seq_num);
4296 status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
4297 srtp_direction_decrypt);
4298 }
4299 if (status)
4300 return srtp_err_status_cipher_fail;
4301
4302 /* initialize auth func context */
4303 srtp_auth_start(session_keys->rtcp_auth);
4304
4305 /* run auth func over packet, put result into tmp_tag */
4306 status = srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start,
4307 auth_len, tmp_tag);
4308 debug_print(mod_srtp, "srtcp computed tag: %s",
4309 srtp_octet_string_hex_string(tmp_tag, tag_len));
4310 if (status)
4311 return srtp_err_status_auth_fail;
4312
4313 /* compare the tag just computed with the one in the packet */
4314 debug_print(mod_srtp, "srtcp tag from packet: %s",
4315 srtp_octet_string_hex_string(auth_tag, tag_len));
4316 if (srtp_octet_string_is_eq(tmp_tag, auth_tag, tag_len))
4317 return srtp_err_status_auth_fail;
4318
4319 /*
4320 * if we're authenticating using a universal hash, put the keystream
4321 * prefix into the authentication tag
4322 */
4323 prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth);
4324 if (prefix_len) {
4325 status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag,
4326 &prefix_len);
4327 debug_print(mod_srtp, "keystream prefix: %s",
4328 srtp_octet_string_hex_string(auth_tag, prefix_len));
4329 if (status)
4330 return srtp_err_status_cipher_fail;
4331 }
4332
4333 /* if we're decrypting, exor keystream into the message */
4334 if (enc_start) {
4335 status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
4336 (uint8_t *)enc_start, &enc_octet_len);
4337 if (status)
4338 return srtp_err_status_cipher_fail;
4339 }
4340
4341 /* decrease the packet length by the length of the auth tag and seq_num */
4342 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
4343
4344 /* decrease the packet length by the length of the mki_size */
4345 *pkt_octet_len -= mki_size;
4346
4347 /*
4348 * if EKT is in effect, subtract the EKT data out of the packet
4349 * length
4350 */
4351 *pkt_octet_len -= srtp_ekt_octets_after_base_tag(stream->ekt);
4352
4353 /*
4354 * verify that stream is for received traffic - this check will
4355 * detect SSRC collisions, since a stream that appears in both
4356 * srtp_protect() and srtp_unprotect() will fail this test in one of
4357 * those functions.
4358 *
4359 * we do this check *after* the authentication check, so that the
4360 * latter check will catch any attempts to fool us into thinking
4361 * that we've got a collision
4362 */
4363 if (stream->direction != dir_srtp_receiver) {
4364 if (stream->direction == dir_unknown) {
4365 stream->direction = dir_srtp_receiver;
4366 } else {
4367 srtp_handle_event(ctx, stream, event_ssrc_collision);
4368 }
4369 }
4370
4371 /*
4372 * if the stream is a 'provisional' one, in which the template context
4373 * is used, then we need to allocate a new stream at this point, since
4374 * the authentication passed
4375 */
4376 if (stream == ctx->stream_template) {
4377 srtp_stream_ctx_t *new_stream;
4378
4379 /*
4380 * allocate and initialize a new stream
4381 *
4382 * note that we indicate failure if we can't allocate the new
4383 * stream, and some implementations will want to not return
4384 * failure here
4385 */
4386 status =
4387 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
4388 if (status)
4389 return status;
4390
4391 /* add new stream to the head of the stream_list */
4392 new_stream->next = ctx->stream_list;
4393 ctx->stream_list = new_stream;
4394
4395 /* set stream (the pointer used in this function) */
4396 stream = new_stream;
4397 }
4398
4399 /* we've passed the authentication check, so add seq_num to the rdb */
4400 srtp_rdb_add_index(&stream->rtcp_rdb, seq_num);
4401
4402 return srtp_err_status_ok;
4403 }
4404
4405 /*
4406 * user data within srtp_t context
4407 */
4408
srtp_set_user_data(srtp_t ctx,void * data)4409 void srtp_set_user_data(srtp_t ctx, void *data)
4410 {
4411 ctx->user_data = data;
4412 }
4413
srtp_get_user_data(srtp_t ctx)4414 void *srtp_get_user_data(srtp_t ctx)
4415 {
4416 return ctx->user_data;
4417 }
4418
4419 /*
4420 * dtls keying for srtp
4421 */
4422
srtp_crypto_policy_set_from_profile_for_rtp(srtp_crypto_policy_t * policy,srtp_profile_t profile)4423 srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp(
4424 srtp_crypto_policy_t *policy,
4425 srtp_profile_t profile)
4426 {
4427 /* set SRTP policy from the SRTP profile in the key set */
4428 switch (profile) {
4429 case srtp_profile_aes128_cm_sha1_80:
4430 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
4431 break;
4432 case srtp_profile_aes128_cm_sha1_32:
4433 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
4434 break;
4435 case srtp_profile_null_sha1_80:
4436 srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy);
4437 break;
4438 #ifdef GCM
4439 case srtp_profile_aead_aes_128_gcm:
4440 srtp_crypto_policy_set_aes_gcm_128_16_auth(policy);
4441 break;
4442 case srtp_profile_aead_aes_256_gcm:
4443 srtp_crypto_policy_set_aes_gcm_256_16_auth(policy);
4444 break;
4445 #endif
4446 /* the following profiles are not (yet) supported */
4447 case srtp_profile_null_sha1_32:
4448 default:
4449 return srtp_err_status_bad_param;
4450 }
4451
4452 return srtp_err_status_ok;
4453 }
4454
srtp_crypto_policy_set_from_profile_for_rtcp(srtp_crypto_policy_t * policy,srtp_profile_t profile)4455 srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp(
4456 srtp_crypto_policy_t *policy,
4457 srtp_profile_t profile)
4458 {
4459 /* set SRTP policy from the SRTP profile in the key set */
4460 switch (profile) {
4461 case srtp_profile_aes128_cm_sha1_80:
4462 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
4463 break;
4464 case srtp_profile_aes128_cm_sha1_32:
4465 /* We do not honor the 32-bit auth tag request since
4466 * this is not compliant with RFC 3711 */
4467 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
4468 break;
4469 case srtp_profile_null_sha1_80:
4470 srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy);
4471 break;
4472 #ifdef GCM
4473 case srtp_profile_aead_aes_128_gcm:
4474 srtp_crypto_policy_set_aes_gcm_128_16_auth(policy);
4475 break;
4476 case srtp_profile_aead_aes_256_gcm:
4477 srtp_crypto_policy_set_aes_gcm_256_16_auth(policy);
4478 break;
4479 #endif
4480 /* the following profiles are not (yet) supported */
4481 case srtp_profile_null_sha1_32:
4482 default:
4483 return srtp_err_status_bad_param;
4484 }
4485
4486 return srtp_err_status_ok;
4487 }
4488
srtp_append_salt_to_key(uint8_t * key,unsigned int bytes_in_key,uint8_t * salt,unsigned int bytes_in_salt)4489 void srtp_append_salt_to_key(uint8_t *key,
4490 unsigned int bytes_in_key,
4491 uint8_t *salt,
4492 unsigned int bytes_in_salt)
4493 {
4494 memcpy(key + bytes_in_key, salt, bytes_in_salt);
4495 }
4496
srtp_profile_get_master_key_length(srtp_profile_t profile)4497 unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile)
4498 {
4499 switch (profile) {
4500 case srtp_profile_aes128_cm_sha1_80:
4501 return SRTP_AES_128_KEY_LEN;
4502 break;
4503 case srtp_profile_aes128_cm_sha1_32:
4504 return SRTP_AES_128_KEY_LEN;
4505 break;
4506 case srtp_profile_null_sha1_80:
4507 return SRTP_AES_128_KEY_LEN;
4508 break;
4509 case srtp_profile_aead_aes_128_gcm:
4510 return SRTP_AES_128_KEY_LEN;
4511 break;
4512 case srtp_profile_aead_aes_256_gcm:
4513 return SRTP_AES_256_KEY_LEN;
4514 break;
4515 /* the following profiles are not (yet) supported */
4516 case srtp_profile_null_sha1_32:
4517 default:
4518 return 0; /* indicate error by returning a zero */
4519 }
4520 }
4521
srtp_profile_get_master_salt_length(srtp_profile_t profile)4522 unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile)
4523 {
4524 switch (profile) {
4525 case srtp_profile_aes128_cm_sha1_80:
4526 return SRTP_SALT_LEN;
4527 break;
4528 case srtp_profile_aes128_cm_sha1_32:
4529 return SRTP_SALT_LEN;
4530 break;
4531 case srtp_profile_null_sha1_80:
4532 return SRTP_SALT_LEN;
4533 break;
4534 case srtp_profile_aead_aes_128_gcm:
4535 return SRTP_AEAD_SALT_LEN;
4536 break;
4537 case srtp_profile_aead_aes_256_gcm:
4538 return SRTP_AEAD_SALT_LEN;
4539 break;
4540 /* the following profiles are not (yet) supported */
4541 case srtp_profile_null_sha1_32:
4542 default:
4543 return 0; /* indicate error by returning a zero */
4544 }
4545 }
4546
stream_get_protect_trailer_length(srtp_stream_ctx_t * stream,uint32_t is_rtp,uint32_t use_mki,uint32_t mki_index,uint32_t * length)4547 srtp_err_status_t stream_get_protect_trailer_length(srtp_stream_ctx_t *stream,
4548 uint32_t is_rtp,
4549 uint32_t use_mki,
4550 uint32_t mki_index,
4551 uint32_t *length)
4552 {
4553 srtp_session_keys_t *session_key;
4554
4555 *length = 0;
4556
4557 if (use_mki) {
4558 if (mki_index >= stream->num_master_keys) {
4559 return srtp_err_status_bad_mki;
4560 }
4561 session_key = &stream->session_keys[mki_index];
4562
4563 *length += session_key->mki_size;
4564
4565 } else {
4566 session_key = &stream->session_keys[0];
4567 }
4568 if (is_rtp) {
4569 *length += srtp_auth_get_tag_length(session_key->rtp_auth);
4570 } else {
4571 *length += srtp_auth_get_tag_length(session_key->rtcp_auth);
4572 *length += sizeof(srtcp_trailer_t);
4573 }
4574
4575 return srtp_err_status_ok;
4576 }
4577
get_protect_trailer_length(srtp_t session,uint32_t is_rtp,uint32_t use_mki,uint32_t mki_index,uint32_t * length)4578 srtp_err_status_t get_protect_trailer_length(srtp_t session,
4579 uint32_t is_rtp,
4580 uint32_t use_mki,
4581 uint32_t mki_index,
4582 uint32_t *length)
4583 {
4584 srtp_stream_ctx_t *stream;
4585
4586 if (session == NULL) {
4587 return srtp_err_status_bad_param;
4588 }
4589
4590 if (session->stream_template == NULL && session->stream_list == NULL) {
4591 return srtp_err_status_bad_param;
4592 }
4593
4594 *length = 0;
4595
4596 stream = session->stream_template;
4597
4598 if (stream != NULL) {
4599 stream_get_protect_trailer_length(stream, is_rtp, use_mki, mki_index,
4600 length);
4601 }
4602
4603 stream = session->stream_list;
4604
4605 while (stream != NULL) {
4606 uint32_t temp_length;
4607 if (stream_get_protect_trailer_length(stream, is_rtp, use_mki,
4608 mki_index, &temp_length) ==
4609 srtp_err_status_ok) {
4610 if (temp_length > *length) {
4611 *length = temp_length;
4612 }
4613 }
4614 stream = stream->next;
4615 }
4616
4617 return srtp_err_status_ok;
4618 }
4619
srtp_get_protect_trailer_length(srtp_t session,uint32_t use_mki,uint32_t mki_index,uint32_t * length)4620 srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session,
4621 uint32_t use_mki,
4622 uint32_t mki_index,
4623 uint32_t *length)
4624 {
4625 return get_protect_trailer_length(session, 1, use_mki, mki_index, length);
4626 }
4627
srtp_get_protect_rtcp_trailer_length(srtp_t session,uint32_t use_mki,uint32_t mki_index,uint32_t * length)4628 srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session,
4629 uint32_t use_mki,
4630 uint32_t mki_index,
4631 uint32_t *length)
4632 {
4633 return get_protect_trailer_length(session, 0, use_mki, mki_index, length);
4634 }
4635
4636 /*
4637 * SRTP debug interface
4638 */
srtp_set_debug_module(const char * mod_name,int v)4639 srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v)
4640 {
4641 return srtp_crypto_kernel_set_debug_module(mod_name, v);
4642 }
4643
srtp_list_debug_modules(void)4644 srtp_err_status_t srtp_list_debug_modules(void)
4645 {
4646 return srtp_crypto_kernel_list_debug_modules();
4647 }
4648
4649 /*
4650 * srtp_log_handler is a global variable holding a pointer to the
4651 * log handler function; this function is called for any log
4652 * output.
4653 */
4654
4655 static srtp_log_handler_func_t *srtp_log_handler = NULL;
4656 static void *srtp_log_handler_data = NULL;
4657
srtp_err_handler(srtp_err_reporting_level_t level,const char * msg)4658 void srtp_err_handler(srtp_err_reporting_level_t level, const char *msg)
4659 {
4660 if (srtp_log_handler) {
4661 srtp_log_level_t log_level = srtp_log_level_error;
4662 switch (level) {
4663 case srtp_err_level_error:
4664 log_level = srtp_log_level_error;
4665 break;
4666 case srtp_err_level_warning:
4667 log_level = srtp_log_level_warning;
4668 break;
4669 case srtp_err_level_info:
4670 log_level = srtp_log_level_info;
4671 break;
4672 case srtp_err_level_debug:
4673 log_level = srtp_log_level_debug;
4674 break;
4675 }
4676
4677 srtp_log_handler(log_level, msg, srtp_log_handler_data);
4678 }
4679 }
4680
srtp_install_log_handler(srtp_log_handler_func_t func,void * data)4681 srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func,
4682 void *data)
4683 {
4684 /*
4685 * note that we accept NULL arguments intentionally - calling this
4686 * function with a NULL arguments removes a log handler that's
4687 * been previously installed
4688 */
4689
4690 if (srtp_log_handler) {
4691 srtp_install_err_report_handler(NULL);
4692 }
4693 srtp_log_handler = func;
4694 srtp_log_handler_data = data;
4695 if (srtp_log_handler) {
4696 srtp_install_err_report_handler(srtp_err_handler);
4697 }
4698 return srtp_err_status_ok;
4699 }
4700
srtp_set_stream_roc(srtp_t session,uint32_t ssrc,uint32_t roc)4701 srtp_err_status_t srtp_set_stream_roc(srtp_t session,
4702 uint32_t ssrc,
4703 uint32_t roc)
4704 {
4705 srtp_stream_t stream;
4706
4707 stream = srtp_get_stream(session, htonl(ssrc));
4708 if (stream == NULL)
4709 return srtp_err_status_bad_param;
4710
4711 stream->pending_roc = roc;
4712
4713 return srtp_err_status_ok;
4714 }
4715
srtp_get_stream_roc(srtp_t session,uint32_t ssrc,uint32_t * roc)4716 srtp_err_status_t srtp_get_stream_roc(srtp_t session,
4717 uint32_t ssrc,
4718 uint32_t *roc)
4719 {
4720 srtp_stream_t stream;
4721
4722 stream = srtp_get_stream(session, htonl(ssrc));
4723 if (stream == NULL)
4724 return srtp_err_status_bad_param;
4725
4726 *roc = srtp_rdbx_get_roc(&stream->rtp_rdbx);
4727
4728 return srtp_err_status_ok;
4729 }
4730