1 /*
2 * ekt.c
3 *
4 * Encrypted Key Transport for SRTP
5 *
6 * David McGrew
7 * Cisco Systems, Inc.
8 */
9 /*
10 *
11 * Copyright (c) 2001-2017 Cisco Systems, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 *
18 * Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 *
21 * Redistributions in binary form must reproduce the above
22 * copyright notice, this list of conditions and the following
23 * disclaimer in the documentation and/or other materials provided
24 * with the distribution.
25 *
26 * Neither the name of the Cisco Systems, Inc. nor the names of its
27 * contributors may be used to endorse or promote products derived
28 * from this software without specific prior written permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 *
43 */
44
45 #include "srtp_priv.h"
46 #include "err.h"
47 #include "ekt.h"
48
49 extern srtp_debug_module_t mod_srtp;
50
51 /*
52 * The EKT Authentication Tag format.
53 *
54 * 0 1 2 3
55 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
56 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
57 * : Base Authentication Tag :
58 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 * : Encrypted Master Key :
60 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
61 * | Rollover Counter |
62 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
63 * | Initial Sequence Number | Security Parameter Index |
64 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
65 *
66 */
67
68 #define EKT_OCTETS_AFTER_BASE_TAG 24
69 #define EKT_OCTETS_AFTER_EMK 8
70 #define EKT_OCTETS_AFTER_ROC 4
71 #define EKT_SPI_LEN 2
72
srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt)73 unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt)
74 {
75 /*
76 * if the pointer ekt is NULL, then EKT is not in effect, so we
77 * indicate this by returning zero
78 */
79 if (!ekt)
80 return 0;
81
82 switch (ekt->data->ekt_cipher_type) {
83 case SRTP_EKT_CIPHER_AES_128_ECB:
84 return 16 + EKT_OCTETS_AFTER_EMK;
85 break;
86 default:
87 break;
88 }
89 return 0;
90 }
91
srtcp_packet_get_ekt_spi(const uint8_t * packet_start,unsigned pkt_octet_len)92 static inline srtp_ekt_spi_t srtcp_packet_get_ekt_spi(
93 const uint8_t *packet_start,
94 unsigned pkt_octet_len)
95 {
96 const uint8_t *spi_location;
97
98 spi_location = packet_start + (pkt_octet_len - EKT_SPI_LEN);
99
100 return *((const srtp_ekt_spi_t *)spi_location);
101 }
102
srtcp_packet_get_ekt_roc(const uint8_t * packet_start,unsigned pkt_octet_len)103 static inline uint32_t srtcp_packet_get_ekt_roc(const uint8_t *packet_start,
104 unsigned pkt_octet_len)
105 {
106 const uint8_t *roc_location;
107
108 roc_location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_ROC);
109
110 return *((const uint32_t *)roc_location);
111 }
112
srtcp_packet_get_emk_location(const uint8_t * packet_start,unsigned pkt_octet_len)113 static inline const uint8_t *srtcp_packet_get_emk_location(
114 const uint8_t *packet_start,
115 unsigned pkt_octet_len)
116 {
117 const uint8_t *location;
118
119 location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_BASE_TAG);
120
121 return location;
122 }
123
srtp_ekt_alloc(srtp_ekt_stream_t * stream_data,srtp_ekt_policy_t policy)124 srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data,
125 srtp_ekt_policy_t policy)
126 {
127 /*
128 * if the policy pointer is NULL, then EKT is not in use
129 * so we just set the EKT stream data pointer to NULL
130 */
131 if (!policy) {
132 *stream_data = NULL;
133 return srtp_err_status_ok;
134 }
135
136 /* TODO */
137 *stream_data = NULL;
138
139 return srtp_err_status_ok;
140 }
141
srtp_ekt_stream_init_from_policy(srtp_ekt_stream_t stream_data,srtp_ekt_policy_t policy)142 srtp_err_status_t srtp_ekt_stream_init_from_policy(
143 srtp_ekt_stream_t stream_data,
144 srtp_ekt_policy_t policy)
145 {
146 if (!stream_data)
147 return srtp_err_status_ok;
148
149 return srtp_err_status_ok;
150 }
151
aes_decrypt_with_raw_key(void * ciphertext,const void * key,int key_len)152 void aes_decrypt_with_raw_key(void *ciphertext, const void *key, int key_len)
153 {
154 #ifndef GCM
155 // FIXME: need to get this working through the crypto module interface
156 srtp_aes_expanded_key_t expanded_key;
157
158 srtp_aes_expand_decryption_key(key, key_len, &expanded_key);
159 srtp_aes_decrypt(ciphertext, &expanded_key);
160 #endif
161 }
162
163 /*
164 * The function srtp_stream_init_from_ekt() initializes a stream using
165 * the EKT data from an SRTCP trailer.
166 */
167
srtp_stream_init_from_ekt(srtp_stream_t stream,const void * srtcp_hdr,unsigned pkt_octet_len)168 srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream,
169 const void *srtcp_hdr,
170 unsigned pkt_octet_len)
171 {
172 srtp_err_status_t err;
173 const uint8_t *master_key;
174 srtp_policy_t srtp_policy;
175 uint32_t roc;
176
177 /*
178 * NOTE: at present, we only support a single ekt_policy at a time.
179 */
180 if (stream->ekt->data->spi !=
181 srtcp_packet_get_ekt_spi(srtcp_hdr, pkt_octet_len))
182 return srtp_err_status_no_ctx;
183
184 if (stream->ekt->data->ekt_cipher_type != SRTP_EKT_CIPHER_AES_128_ECB)
185 return srtp_err_status_bad_param;
186
187 /* decrypt the Encrypted Master Key field */
188 master_key = srtcp_packet_get_emk_location(srtcp_hdr, pkt_octet_len);
189 /* FIX!? This decrypts the master key in-place, and never uses it */
190 /* FIX!? It's also passing to ekt_dec_key (which is an aes_expanded_key_t)
191 * to a function which expects a raw (unexpanded) key */
192 aes_decrypt_with_raw_key((void *)master_key,
193 &stream->ekt->data->ekt_dec_key, 16);
194
195 /* set the SRTP ROC */
196 roc = srtcp_packet_get_ekt_roc(srtcp_hdr, pkt_octet_len);
197 err = srtp_rdbx_set_roc(&stream->rtp_rdbx, roc);
198 if (err)
199 return err;
200
201 err = srtp_stream_init(stream, &srtp_policy);
202 if (err)
203 return err;
204
205 return srtp_err_status_ok;
206 }
207
srtp_ekt_write_data(srtp_ekt_stream_t ekt,uint8_t * base_tag,unsigned base_tag_len,int * packet_len,srtp_xtd_seq_num_t pkt_index)208 void srtp_ekt_write_data(srtp_ekt_stream_t ekt,
209 uint8_t *base_tag,
210 unsigned base_tag_len,
211 int *packet_len,
212 srtp_xtd_seq_num_t pkt_index)
213 {
214 uint32_t roc;
215 uint16_t isn;
216 unsigned emk_len;
217 uint8_t *packet;
218
219 /* if the pointer ekt is NULL, then EKT is not in effect */
220 if (!ekt) {
221 debug_print(mod_srtp, "EKT not in use", NULL);
222 return;
223 }
224
225 /* write zeros into the location of the base tag */
226 octet_string_set_to_zero(base_tag, base_tag_len);
227 packet = base_tag + base_tag_len;
228
229 /* copy encrypted master key into packet */
230 emk_len = srtp_ekt_octets_after_base_tag(ekt);
231 memcpy(packet, ekt->encrypted_master_key, emk_len);
232 debug_print(mod_srtp, "writing EKT EMK: %s,",
233 srtp_octet_string_hex_string(packet, emk_len));
234 packet += emk_len;
235
236 /* copy ROC into packet */
237 roc = (uint32_t)(pkt_index >> 16);
238 *((uint32_t *)packet) = be32_to_cpu(roc);
239 debug_print(mod_srtp, "writing EKT ROC: %s,",
240 srtp_octet_string_hex_string(packet, sizeof(roc)));
241 packet += sizeof(roc);
242
243 /* copy ISN into packet */
244 isn = (uint16_t)pkt_index;
245 *((uint16_t *)packet) = htons(isn);
246 debug_print(mod_srtp, "writing EKT ISN: %s,",
247 srtp_octet_string_hex_string(packet, sizeof(isn)));
248 packet += sizeof(isn);
249
250 /* copy SPI into packet */
251 *((uint16_t *)packet) = htons(ekt->data->spi);
252 debug_print(mod_srtp, "writing EKT SPI: %s,",
253 srtp_octet_string_hex_string(packet, sizeof(ekt->data->spi)));
254
255 /* increase packet length appropriately */
256 *packet_len += EKT_OCTETS_AFTER_EMK + emk_len;
257 }
258
259 /*
260 * The function call srtcp_ekt_trailer(ekt, auth_len, auth_tag )
261 *
262 * If the pointer ekt is NULL, then the other inputs are unaffected.
263 *
264 * auth_tag is a pointer to the pointer to the location of the
265 * authentication tag in the packet. If EKT is in effect, then the
266 * auth_tag pointer is set to the location
267 */
268
srtcp_ekt_trailer(srtp_ekt_stream_t ekt,unsigned * auth_len,void ** auth_tag,void * tag_copy)269 void srtcp_ekt_trailer(srtp_ekt_stream_t ekt,
270 unsigned *auth_len,
271 void **auth_tag,
272 void *tag_copy)
273 {
274 /*
275 * if there is no EKT policy, then the other inputs are unaffected
276 */
277 if (!ekt)
278 return;
279
280 /* copy auth_tag into temporary location */
281 }
282