1 /*
2 * srtp.c
3 *
4 * the secure real-time transport protocol
5 *
6 * David A. McGrew
7 * Cisco Systems, Inc.
8 */
9 /*
10 *
11 * Copyright (c) 2001-2006, Cisco Systems, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 *
18 * Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 *
21 * Redistributions in binary form must reproduce the above
22 * copyright notice, this list of conditions and the following
23 * disclaimer in the documentation and/or other materials provided
24 * with the distribution.
25 *
26 * Neither the name of the Cisco Systems, Inc. nor the names of its
27 * contributors may be used to endorse or promote products derived
28 * from this software without specific prior written permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 *
43 */
44
45
46 #include "srtp.h"
47 #include "ekt.h" /* for SRTP Encrypted Key Transport */
48 #include "alloc.h" /* for crypto_alloc() */
49
50 #ifndef SRTP_KERNEL
51 # include <limits.h>
52 # ifdef HAVE_NETINET_IN_H
53 # include <netinet/in.h>
54 # elif defined(HAVE_WINSOCK2_H)
55 # include <winsock2.h>
56 # endif
57 #endif /* ! SRTP_KERNEL */
58
59
60 /* the debug module for srtp */
61
62 debug_module_t mod_srtp = {
63 0, /* debugging is off by default */
64 "srtp" /* printable name for module */
65 };
66
67 #define octets_in_rtp_header 12
68 #define uint32s_in_rtp_header 3
69 #define octets_in_rtcp_header 8
70 #define uint32s_in_rtcp_header 2
71 #define octets_in_rtp_extn_hdr 4
72
73 static err_status_t
srtp_validate_rtp_header(void * rtp_hdr,int * pkt_octet_len)74 srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) {
75 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
76
77 /* Check RTP header length */
78 int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc;
79 if (hdr->x == 1)
80 rtp_header_len += octets_in_rtp_extn_hdr;
81
82 if (*pkt_octet_len < rtp_header_len)
83 return err_status_bad_param;
84
85 /* Verifing profile length. */
86 if (hdr->x == 1) {
87 srtp_hdr_xtnd_t *xtn_hdr =
88 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc);
89 int profile_len = ntohs(xtn_hdr->length);
90 rtp_header_len += profile_len * 4;
91 /* profile length counts the number of 32-bit words */
92 if (*pkt_octet_len < rtp_header_len)
93 return err_status_bad_param;
94 }
95 return err_status_ok;
96 }
97
98 err_status_t
srtp_stream_alloc(srtp_stream_ctx_t ** str_ptr,const srtp_policy_t * p)99 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
100 const srtp_policy_t *p) {
101 srtp_stream_ctx_t *str;
102 err_status_t stat;
103
104 /*
105 * This function allocates the stream context, rtp and rtcp ciphers
106 * and auth functions, and key limit structure. If there is a
107 * failure during allocation, we free all previously allocated
108 * memory and return a failure code. The code could probably
109 * be improved, but it works and should be clear.
110 */
111
112 /* allocate srtp stream and set str_ptr */
113 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
114 if (str == NULL)
115 return err_status_alloc_fail;
116 *str_ptr = str;
117
118 /* allocate cipher */
119 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
120 &str->rtp_cipher,
121 p->rtp.cipher_key_len);
122 if (stat) {
123 crypto_free(str);
124 return stat;
125 }
126
127 /* allocate auth function */
128 stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
129 &str->rtp_auth,
130 p->rtp.auth_key_len,
131 p->rtp.auth_tag_len);
132 if (stat) {
133 cipher_dealloc(str->rtp_cipher);
134 crypto_free(str);
135 return stat;
136 }
137
138 /* allocate key limit structure */
139 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t));
140 if (str->limit == NULL) {
141 auth_dealloc(str->rtp_auth);
142 cipher_dealloc(str->rtp_cipher);
143 crypto_free(str);
144 return err_status_alloc_fail;
145 }
146
147 /*
148 * ...and now the RTCP-specific initialization - first, allocate
149 * the cipher
150 */
151 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
152 &str->rtcp_cipher,
153 p->rtcp.cipher_key_len);
154 if (stat) {
155 auth_dealloc(str->rtp_auth);
156 cipher_dealloc(str->rtp_cipher);
157 crypto_free(str->limit);
158 crypto_free(str);
159 return stat;
160 }
161
162 /* allocate auth function */
163 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
164 &str->rtcp_auth,
165 p->rtcp.auth_key_len,
166 p->rtcp.auth_tag_len);
167 if (stat) {
168 cipher_dealloc(str->rtcp_cipher);
169 auth_dealloc(str->rtp_auth);
170 cipher_dealloc(str->rtp_cipher);
171 crypto_free(str->limit);
172 crypto_free(str);
173 return stat;
174 }
175
176 /* allocate ekt data associated with stream */
177 stat = ekt_alloc(&str->ekt, p->ekt);
178 if (stat) {
179 auth_dealloc(str->rtcp_auth);
180 cipher_dealloc(str->rtcp_cipher);
181 auth_dealloc(str->rtp_auth);
182 cipher_dealloc(str->rtp_cipher);
183 crypto_free(str->limit);
184 crypto_free(str);
185 return stat;
186 }
187
188 return err_status_ok;
189 }
190
191 err_status_t
srtp_stream_dealloc(srtp_t session,srtp_stream_ctx_t * stream)192 srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) {
193 err_status_t status;
194
195 /*
196 * we use a conservative deallocation strategy - if any deallocation
197 * fails, then we report that fact without trying to deallocate
198 * anything else
199 */
200
201 /* deallocate cipher, if it is not the same as that in template */
202 if (session->stream_template
203 && stream->rtp_cipher == session->stream_template->rtp_cipher) {
204 /* do nothing */
205 } else {
206 status = cipher_dealloc(stream->rtp_cipher);
207 if (status)
208 return status;
209 }
210
211 /* deallocate auth function, if it is not the same as that in template */
212 if (session->stream_template
213 && stream->rtp_auth == session->stream_template->rtp_auth) {
214 /* do nothing */
215 } else {
216 status = auth_dealloc(stream->rtp_auth);
217 if (status)
218 return status;
219 }
220
221 /* deallocate key usage limit, if it is not the same as that in template */
222 if (session->stream_template
223 && stream->limit == session->stream_template->limit) {
224 /* do nothing */
225 } else {
226 crypto_free(stream->limit);
227 }
228
229 /*
230 * deallocate rtcp cipher, if it is not the same as that in
231 * template
232 */
233 if (session->stream_template
234 && stream->rtcp_cipher == session->stream_template->rtcp_cipher) {
235 /* do nothing */
236 } else {
237 status = cipher_dealloc(stream->rtcp_cipher);
238 if (status)
239 return status;
240 }
241
242 /*
243 * deallocate rtcp auth function, if it is not the same as that in
244 * template
245 */
246 if (session->stream_template
247 && stream->rtcp_auth == session->stream_template->rtcp_auth) {
248 /* do nothing */
249 } else {
250 status = auth_dealloc(stream->rtcp_auth);
251 if (status)
252 return status;
253 }
254
255 status = rdbx_dealloc(&stream->rtp_rdbx);
256 if (status)
257 return status;
258
259 /* DAM - need to deallocate EKT here */
260
261 /* deallocate srtp stream context */
262 crypto_free(stream);
263
264 return err_status_ok;
265 }
266
267
268 /*
269 * srtp_stream_clone(stream_template, new) allocates a new stream and
270 * initializes it using the cipher and auth of the stream_template
271 *
272 * the only unique data in a cloned stream is the replay database and
273 * the SSRC
274 */
275
276 err_status_t
srtp_stream_clone(const srtp_stream_ctx_t * stream_template,uint32_t ssrc,srtp_stream_ctx_t ** str_ptr)277 srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
278 uint32_t ssrc,
279 srtp_stream_ctx_t **str_ptr) {
280 err_status_t status;
281 srtp_stream_ctx_t *str;
282
283 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
284
285 /* allocate srtp stream and set str_ptr */
286 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
287 if (str == NULL)
288 return err_status_alloc_fail;
289 *str_ptr = str;
290
291 /* set cipher and auth pointers to those of the template */
292 str->rtp_cipher = stream_template->rtp_cipher;
293 str->rtp_auth = stream_template->rtp_auth;
294 str->rtcp_cipher = stream_template->rtcp_cipher;
295 str->rtcp_auth = stream_template->rtcp_auth;
296
297 /* set key limit to point to that of the template */
298 status = key_limit_clone(stream_template->limit, &str->limit);
299 if (status)
300 return status;
301
302 /* initialize replay databases */
303 status = rdbx_init(&str->rtp_rdbx,
304 rdbx_get_window_size(&stream_template->rtp_rdbx));
305 if (status)
306 return status;
307 rdb_init(&str->rtcp_rdb);
308 str->allow_repeat_tx = stream_template->allow_repeat_tx;
309
310 /* set ssrc to that provided */
311 str->ssrc = ssrc;
312
313 /* set direction and security services */
314 str->direction = stream_template->direction;
315 str->rtp_services = stream_template->rtp_services;
316 str->rtcp_services = stream_template->rtcp_services;
317
318 /* set pointer to EKT data associated with stream */
319 str->ekt = stream_template->ekt;
320
321 /* defensive coding */
322 str->next = NULL;
323
324 return err_status_ok;
325 }
326
327
328 /*
329 * key derivation functions, internal to libSRTP
330 *
331 * srtp_kdf_t is a key derivation context
332 *
333 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher
334 * described by cipher_id, with the master key k with length in octets keylen.
335 *
336 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
337 * corresponding to label l and puts it into kl; the length
338 * of the key in octets is provided as keylen. this function
339 * should be called once for each subkey that is derived.
340 *
341 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state
342 */
343
344 typedef enum {
345 label_rtp_encryption = 0x00,
346 label_rtp_msg_auth = 0x01,
347 label_rtp_salt = 0x02,
348 label_rtcp_encryption = 0x03,
349 label_rtcp_msg_auth = 0x04,
350 label_rtcp_salt = 0x05
351 } srtp_prf_label;
352
353
354 /*
355 * srtp_kdf_t represents a key derivation function. The SRTP
356 * default KDF is the only one implemented at present.
357 */
358
359 typedef struct {
360 cipher_t *cipher; /* cipher used for key derivation */
361 } srtp_kdf_t;
362
363 err_status_t
srtp_kdf_init(srtp_kdf_t * kdf,cipher_type_id_t cipher_id,const uint8_t * key,int length)364 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, int length) {
365
366 err_status_t stat;
367 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length);
368 if (stat)
369 return stat;
370
371 stat = cipher_init(kdf->cipher, key, direction_encrypt);
372 if (stat) {
373 cipher_dealloc(kdf->cipher);
374 return stat;
375 }
376
377 return err_status_ok;
378 }
379
380 err_status_t
srtp_kdf_generate(srtp_kdf_t * kdf,srtp_prf_label label,uint8_t * key,unsigned length)381 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
382 uint8_t *key, unsigned length) {
383
384 v128_t nonce;
385 err_status_t status;
386
387 /* set eigth octet of nonce to <label>, set the rest of it to zero */
388 v128_set_to_zero(&nonce);
389 nonce.v8[7] = label;
390
391 status = cipher_set_iv(kdf->cipher, &nonce);
392 if (status)
393 return status;
394
395 /* generate keystream output */
396 octet_string_set_to_zero(key, length);
397 status = cipher_encrypt(kdf->cipher, key, &length);
398 if (status)
399 return status;
400
401 return err_status_ok;
402 }
403
404 err_status_t
srtp_kdf_clear(srtp_kdf_t * kdf)405 srtp_kdf_clear(srtp_kdf_t *kdf) {
406 err_status_t status;
407 status = cipher_dealloc(kdf->cipher);
408 if (status)
409 return status;
410 kdf->cipher = NULL;
411
412 return err_status_ok;
413 }
414
415 /*
416 * end of key derivation functions
417 */
418
419 #define MAX_SRTP_KEY_LEN 256
420
421
422 /* Get the base key length corresponding to a given combined key+salt
423 * length for the given cipher.
424 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using
425 * AES-128 and short salts; everything else uses a salt length of 14.
426 * TODO: key and salt lengths should be separate fields in the policy. */
base_key_length(const cipher_type_t * cipher,int key_length)427 static INLINE int base_key_length(const cipher_type_t *cipher, int key_length)
428 {
429 if (cipher->id != AES_ICM)
430 return key_length;
431 else if (key_length > 16 && key_length < 30)
432 return 16;
433 return key_length - 14;
434 }
435
436 err_status_t
srtp_stream_init_keys(srtp_stream_ctx_t * srtp,const void * key)437 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
438 err_status_t stat;
439 srtp_kdf_t kdf;
440 uint8_t tmp_key[MAX_SRTP_KEY_LEN];
441 int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
442 int rtp_base_key_len, rtp_salt_len;
443 int rtcp_base_key_len, rtcp_salt_len;
444
445 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
446 /* TODO: kdf algorithm, master key length, and master salt length should
447 * be part of srtp_policy_t. */
448 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher);
449 if (rtp_keylen > kdf_keylen)
450 kdf_keylen = rtp_keylen;
451
452 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher);
453 if (rtcp_keylen > kdf_keylen)
454 kdf_keylen = rtcp_keylen;
455
456 /* initialize KDF state */
457 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)key, kdf_keylen);
458 if (stat) {
459 return err_status_init_fail;
460 }
461
462 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
463 rtp_salt_len = rtp_keylen - rtp_base_key_len;
464
465 /* generate encryption key */
466 stat = srtp_kdf_generate(&kdf, label_rtp_encryption,
467 tmp_key, rtp_base_key_len);
468 if (stat) {
469 /* zeroize temp buffer */
470 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
471 return err_status_init_fail;
472 }
473
474 /*
475 * if the cipher in the srtp context uses a salt, then we need
476 * to generate the salt value
477 */
478 if (rtp_salt_len > 0) {
479 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
480
481 /* generate encryption salt, put after encryption key */
482 stat = srtp_kdf_generate(&kdf, label_rtp_salt,
483 tmp_key + rtp_base_key_len, rtp_salt_len);
484 if (stat) {
485 /* zeroize temp buffer */
486 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
487 return err_status_init_fail;
488 }
489 }
490 debug_print(mod_srtp, "cipher key: %s",
491 octet_string_hex_string(tmp_key, rtp_base_key_len));
492 if (rtp_salt_len > 0) {
493 debug_print(mod_srtp, "cipher salt: %s",
494 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len));
495 }
496
497 /* initialize cipher */
498 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any);
499 if (stat) {
500 /* zeroize temp buffer */
501 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
502 return err_status_init_fail;
503 }
504
505 /* generate authentication key */
506 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth,
507 tmp_key, auth_get_key_length(srtp->rtp_auth));
508 if (stat) {
509 /* zeroize temp buffer */
510 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
511 return err_status_init_fail;
512 }
513 debug_print(mod_srtp, "auth key: %s",
514 octet_string_hex_string(tmp_key,
515 auth_get_key_length(srtp->rtp_auth)));
516
517 /* initialize auth function */
518 stat = auth_init(srtp->rtp_auth, tmp_key);
519 if (stat) {
520 /* zeroize temp buffer */
521 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
522 return err_status_init_fail;
523 }
524
525 /*
526 * ...now initialize SRTCP keys
527 */
528
529 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen);
530 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
531
532 /* generate encryption key */
533 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption,
534 tmp_key, rtcp_base_key_len);
535 if (stat) {
536 /* zeroize temp buffer */
537 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
538 return err_status_init_fail;
539 }
540
541 /*
542 * if the cipher in the srtp context uses a salt, then we need
543 * to generate the salt value
544 */
545 if (rtcp_salt_len > 0) {
546 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
547 NULL);
548
549 /* generate encryption salt, put after encryption key */
550 stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
551 tmp_key + rtcp_base_key_len, rtcp_salt_len);
552 if (stat) {
553 /* zeroize temp buffer */
554 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
555 return err_status_init_fail;
556 }
557 }
558 debug_print(mod_srtp, "rtcp cipher key: %s",
559 octet_string_hex_string(tmp_key, rtcp_base_key_len));
560 if (rtcp_salt_len > 0) {
561 debug_print(mod_srtp, "rtcp cipher salt: %s",
562 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_len));
563 }
564
565 /* initialize cipher */
566 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any);
567 if (stat) {
568 /* zeroize temp buffer */
569 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
570 return err_status_init_fail;
571 }
572
573 /* generate authentication key */
574 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
575 tmp_key, auth_get_key_length(srtp->rtcp_auth));
576 if (stat) {
577 /* zeroize temp buffer */
578 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
579 return err_status_init_fail;
580 }
581
582 debug_print(mod_srtp, "rtcp auth key: %s",
583 octet_string_hex_string(tmp_key,
584 auth_get_key_length(srtp->rtcp_auth)));
585
586 /* initialize auth function */
587 stat = auth_init(srtp->rtcp_auth, tmp_key);
588 if (stat) {
589 /* zeroize temp buffer */
590 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
591 return err_status_init_fail;
592 }
593
594 /* clear memory then return */
595 stat = srtp_kdf_clear(&kdf);
596 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
597 if (stat)
598 return err_status_init_fail;
599
600 return err_status_ok;
601 }
602
603 err_status_t
srtp_stream_init(srtp_stream_ctx_t * srtp,const srtp_policy_t * p)604 srtp_stream_init(srtp_stream_ctx_t *srtp,
605 const srtp_policy_t *p) {
606 err_status_t err;
607
608 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)",
609 p->ssrc.value);
610
611 /* initialize replay database */
612 /* window size MUST be at least 64. MAY be larger. Values more than
613 * 2^15 aren't meaningful due to how extended sequence numbers are
614 * calculated. Let a window size of 0 imply the default value. */
615
616 if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000))
617 return err_status_bad_param;
618
619 if (p->window_size != 0)
620 err = rdbx_init(&srtp->rtp_rdbx, p->window_size);
621 else
622 err = rdbx_init(&srtp->rtp_rdbx, 128);
623 if (err) return err;
624
625 /* initialize key limit to maximum value */
626 #ifdef NO_64BIT_MATH
627 {
628 uint64_t temp;
629 temp = make64(UINT_MAX,UINT_MAX);
630 key_limit_set(srtp->limit, temp);
631 }
632 #else
633 key_limit_set(srtp->limit, 0xffffffffffffLL);
634 #endif
635
636 /* set the SSRC value */
637 srtp->ssrc = htonl(p->ssrc.value);
638
639 /* set the security service flags */
640 srtp->rtp_services = p->rtp.sec_serv;
641 srtp->rtcp_services = p->rtcp.sec_serv;
642
643 /*
644 * set direction to unknown - this flag gets checked in srtp_protect(),
645 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
646 * gets set appropriately if it is set to unknown.
647 */
648 srtp->direction = dir_unknown;
649
650 /* initialize SRTCP replay database */
651 rdb_init(&srtp->rtcp_rdb);
652
653 /* initialize allow_repeat_tx */
654 /* guard against uninitialized memory: allow only 0 or 1 here */
655 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) {
656 rdbx_dealloc(&srtp->rtp_rdbx);
657 return err_status_bad_param;
658 }
659 srtp->allow_repeat_tx = p->allow_repeat_tx;
660
661 /* DAM - no RTCP key limit at present */
662
663 /* initialize keys */
664 err = srtp_stream_init_keys(srtp, p->key);
665 if (err) {
666 rdbx_dealloc(&srtp->rtp_rdbx);
667 return err;
668 }
669
670 /*
671 * if EKT is in use, then initialize the EKT data associated with
672 * the stream
673 */
674 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt);
675 if (err) {
676 rdbx_dealloc(&srtp->rtp_rdbx);
677 return err;
678 }
679
680 return err_status_ok;
681 }
682
683
684 /*
685 * srtp_event_reporter is an event handler function that merely
686 * reports the events that are reported by the callbacks
687 */
688
689 void
srtp_event_reporter(srtp_event_data_t * data)690 srtp_event_reporter(srtp_event_data_t *data) {
691
692 err_report(err_level_warning, "srtp: in stream 0x%x: ",
693 data->stream->ssrc);
694
695 switch(data->event) {
696 case event_ssrc_collision:
697 err_report(err_level_warning, "\tSSRC collision\n");
698 break;
699 case event_key_soft_limit:
700 err_report(err_level_warning, "\tkey usage soft limit reached\n");
701 break;
702 case event_key_hard_limit:
703 err_report(err_level_warning, "\tkey usage hard limit reached\n");
704 break;
705 case event_packet_index_limit:
706 err_report(err_level_warning, "\tpacket index limit reached\n");
707 break;
708 default:
709 err_report(err_level_warning, "\tunknown event reported to handler\n");
710 }
711 }
712
713 /*
714 * srtp_event_handler is a global variable holding a pointer to the
715 * event handler function; this function is called for any unexpected
716 * event that needs to be handled out of the SRTP data path. see
717 * srtp_event_t in srtp.h for more info
718 *
719 * it is okay to set srtp_event_handler to NULL, but we set
720 * it to the srtp_event_reporter.
721 */
722
723 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
724
725 err_status_t
srtp_install_event_handler(srtp_event_handler_func_t func)726 srtp_install_event_handler(srtp_event_handler_func_t func) {
727
728 /*
729 * note that we accept NULL arguments intentionally - calling this
730 * function with a NULL arguments removes an event handler that's
731 * been previously installed
732 */
733
734 /* set global event handling function */
735 srtp_event_handler = func;
736 return err_status_ok;
737 }
738
739 err_status_t
srtp_protect(srtp_ctx_t * ctx,void * rtp_hdr,int * pkt_octet_len)740 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
741 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
742 uint32_t *enc_start; /* pointer to start of encrypted portion */
743 uint32_t *auth_start; /* pointer to start of auth. portion */
744 unsigned enc_octet_len = 0; /* number of octets in encrypted portion */
745 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
746 int delta; /* delta of local pkt idx and that in hdr */
747 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
748 err_status_t status;
749 int tag_len;
750 srtp_stream_ctx_t *stream;
751 int prefix_len;
752
753 debug_print(mod_srtp, "function srtp_protect", NULL);
754
755 /* we assume the hdr is 32-bit aligned to start */
756
757 /* Verify RTP header */
758 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len);
759 if (status)
760 return status;
761
762 /*
763 * look up ssrc in srtp_stream list, and process the packet with
764 * the appropriate stream. if we haven't seen this stream before,
765 * there's a template key for this srtp_session, and the cipher
766 * supports key-sharing, then we assume that a new stream using
767 * that key has just started up
768 */
769 stream = srtp_get_stream(ctx, hdr->ssrc);
770 if (stream == NULL) {
771 if (ctx->stream_template != NULL) {
772 srtp_stream_ctx_t *new_stream;
773
774 /* allocate and initialize a new stream */
775 status = srtp_stream_clone(ctx->stream_template,
776 hdr->ssrc, &new_stream);
777 if (status)
778 return status;
779
780 /* add new stream to the head of the stream_list */
781 new_stream->next = ctx->stream_list;
782 ctx->stream_list = new_stream;
783
784 /* set direction to outbound */
785 new_stream->direction = dir_srtp_sender;
786
787 /* set stream (the pointer used in this function) */
788 stream = new_stream;
789 } else {
790 /* no template stream, so we return an error */
791 return err_status_no_ctx;
792 }
793 }
794
795 /*
796 * verify that stream is for sending traffic - this check will
797 * detect SSRC collisions, since a stream that appears in both
798 * srtp_protect() and srtp_unprotect() will fail this test in one of
799 * those functions.
800 */
801 if (stream->direction != dir_srtp_sender) {
802 if (stream->direction == dir_unknown) {
803 stream->direction = dir_srtp_sender;
804 } else {
805 srtp_handle_event(ctx, stream, event_ssrc_collision);
806 }
807 }
808
809 /*
810 * update the key usage limit, and check it to make sure that we
811 * didn't just hit either the soft limit or the hard limit, and call
812 * the event handler if we hit either.
813 */
814 switch(key_limit_update(stream->limit)) {
815 case key_event_normal:
816 break;
817 case key_event_soft_limit:
818 srtp_handle_event(ctx, stream, event_key_soft_limit);
819 break;
820 case key_event_hard_limit:
821 srtp_handle_event(ctx, stream, event_key_hard_limit);
822 return err_status_key_expired;
823 default:
824 break;
825 }
826
827 /* get tag length from stream */
828 tag_len = auth_get_tag_length(stream->rtp_auth);
829
830 /*
831 * find starting point for encryption and length of data to be
832 * encrypted - the encrypted portion starts after the rtp header
833 * extension, if present; otherwise, it starts after the last csrc,
834 * if any are present
835 *
836 * if we're not providing confidentiality, set enc_start to NULL
837 */
838 if (stream->rtp_services & sec_serv_conf) {
839 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
840 if (hdr->x == 1) {
841 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
842 enc_start += (ntohs(xtn_hdr->length) + 1);
843 }
844 enc_octet_len = (unsigned int)(*pkt_octet_len
845 - ((enc_start - (uint32_t *)hdr) << 2));
846 } else {
847 enc_start = NULL;
848 }
849
850 /*
851 * if we're providing authentication, set the auth_start and auth_tag
852 * pointers to the proper locations; otherwise, set auth_start to NULL
853 * to indicate that no authentication is needed
854 */
855 if (stream->rtp_services & sec_serv_auth) {
856 auth_start = (uint32_t *)hdr;
857 auth_tag = (uint8_t *)hdr + *pkt_octet_len;
858 } else {
859 auth_start = NULL;
860 auth_tag = NULL;
861 }
862
863 /*
864 * estimate the packet index using the start of the replay window
865 * and the sequence number from the header
866 */
867 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
868 status = rdbx_check(&stream->rtp_rdbx, delta);
869 if (status) {
870 if (status != err_status_replay_fail || !stream->allow_repeat_tx)
871 return status; /* we've been asked to reuse an index */
872 }
873 else
874 rdbx_add_index(&stream->rtp_rdbx, delta);
875
876 #ifdef NO_64BIT_MATH
877 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
878 high32(est),low32(est));
879 #else
880 debug_print(mod_srtp, "estimated packet index: %016llx", est);
881 #endif
882
883 /*
884 * if we're using rindael counter mode, set nonce and seq
885 */
886 if (stream->rtp_cipher->type->id == AES_ICM) {
887 v128_t iv;
888
889 iv.v32[0] = 0;
890 iv.v32[1] = hdr->ssrc;
891 #ifdef NO_64BIT_MATH
892 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
893 low32(est) << 16));
894 #else
895 iv.v64[1] = be64_to_cpu(est << 16);
896 #endif
897 status = cipher_set_iv(stream->rtp_cipher, &iv);
898
899 } else {
900 v128_t iv;
901
902 /* otherwise, set the index to est */
903 #ifdef NO_64BIT_MATH
904 iv.v32[0] = 0;
905 iv.v32[1] = 0;
906 #else
907 iv.v64[0] = 0;
908 #endif
909 iv.v64[1] = be64_to_cpu(est);
910 status = cipher_set_iv(stream->rtp_cipher, &iv);
911 }
912 if (status)
913 return err_status_cipher_fail;
914
915 /* shift est, put into network byte order */
916 #ifdef NO_64BIT_MATH
917 est = be64_to_cpu(make64((high32(est) << 16) |
918 (low32(est) >> 16),
919 low32(est) << 16));
920 #else
921 est = be64_to_cpu(est << 16);
922 #endif
923
924 /*
925 * if we're authenticating using a universal hash, put the keystream
926 * prefix into the authentication tag
927 */
928 if (auth_start) {
929
930 prefix_len = auth_get_prefix_length(stream->rtp_auth);
931 if (prefix_len) {
932 status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len);
933 if (status)
934 return err_status_cipher_fail;
935 debug_print(mod_srtp, "keystream prefix: %s",
936 octet_string_hex_string(auth_tag, prefix_len));
937 }
938 }
939
940 /* if we're encrypting, exor keystream into the message */
941 if (enc_start) {
942 status = cipher_encrypt(stream->rtp_cipher,
943 (uint8_t *)enc_start, &enc_octet_len);
944 if (status)
945 return err_status_cipher_fail;
946 }
947
948 /*
949 * if we're authenticating, run authentication function and put result
950 * into the auth_tag
951 */
952 if (auth_start) {
953
954 /* initialize auth func context */
955 status = auth_start(stream->rtp_auth);
956 if (status) return status;
957
958 /* run auth func over packet */
959 status = auth_update(stream->rtp_auth,
960 (uint8_t *)auth_start, *pkt_octet_len);
961 if (status) return status;
962
963 /* run auth func over ROC, put result into auth_tag */
964 debug_print(mod_srtp, "estimated packet index: %016llx", est);
965 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);
966 debug_print(mod_srtp, "srtp auth tag: %s",
967 octet_string_hex_string(auth_tag, tag_len));
968 if (status)
969 return err_status_auth_fail;
970
971 }
972
973 if (auth_tag) {
974
975 /* increase the packet length by the length of the auth tag */
976 *pkt_octet_len += tag_len;
977 }
978
979 return err_status_ok;
980 }
981
982
983 err_status_t
srtp_unprotect(srtp_ctx_t * ctx,void * srtp_hdr,int * pkt_octet_len)984 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
985 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
986 uint32_t *enc_start; /* pointer to start of encrypted portion */
987 uint32_t *auth_start; /* pointer to start of auth. portion */
988 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
989 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
990 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
991 int delta; /* delta of local pkt idx and that in hdr */
992 v128_t iv;
993 err_status_t status;
994 srtp_stream_ctx_t *stream;
995 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
996 int tag_len, prefix_len;
997
998 debug_print(mod_srtp, "function srtp_unprotect", NULL);
999
1000 /* we assume the hdr is 32-bit aligned to start */
1001
1002 /* Verify RTP header */
1003 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len);
1004 if (status)
1005 return status;
1006
1007 /*
1008 * look up ssrc in srtp_stream list, and process the packet with
1009 * the appropriate stream. if we haven't seen this stream before,
1010 * there's only one key for this srtp_session, and the cipher
1011 * supports key-sharing, then we assume that a new stream using
1012 * that key has just started up
1013 */
1014 stream = srtp_get_stream(ctx, hdr->ssrc);
1015 if (stream == NULL) {
1016 if (ctx->stream_template != NULL) {
1017 stream = ctx->stream_template;
1018 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
1019 hdr->ssrc);
1020
1021 /*
1022 * set estimated packet index to sequence number from header,
1023 * and set delta equal to the same value
1024 */
1025 #ifdef NO_64BIT_MATH
1026 est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq));
1027 delta = low32(est);
1028 #else
1029 est = (xtd_seq_num_t) ntohs(hdr->seq);
1030 delta = (int)est;
1031 #endif
1032 } else {
1033
1034 /*
1035 * no stream corresponding to SSRC found, and we don't do
1036 * key-sharing, so return an error
1037 */
1038 return err_status_no_ctx;
1039 }
1040 } else {
1041
1042 /* estimate packet index from seq. num. in header */
1043 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
1044
1045 /* check replay database */
1046 status = rdbx_check(&stream->rtp_rdbx, delta);
1047 if (status)
1048 return status;
1049 }
1050
1051 #ifdef NO_64BIT_MATH
1052 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32(est));
1053 #else
1054 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1055 #endif
1056
1057 /* get tag length from stream */
1058 tag_len = auth_get_tag_length(stream->rtp_auth);
1059
1060 /*
1061 * set the cipher's IV properly, depending on whatever cipher we
1062 * happen to be using
1063 */
1064 if (stream->rtp_cipher->type->id == AES_ICM) {
1065
1066 /* aes counter mode */
1067 iv.v32[0] = 0;
1068 iv.v32[1] = hdr->ssrc; /* still in network order */
1069 #ifdef NO_64BIT_MATH
1070 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
1071 low32(est) << 16));
1072 #else
1073 iv.v64[1] = be64_to_cpu(est << 16);
1074 #endif
1075 status = cipher_set_iv(stream->rtp_cipher, &iv);
1076 } else {
1077
1078 /* no particular format - set the iv to the pakcet index */
1079 #ifdef NO_64BIT_MATH
1080 iv.v32[0] = 0;
1081 iv.v32[1] = 0;
1082 #else
1083 iv.v64[0] = 0;
1084 #endif
1085 iv.v64[1] = be64_to_cpu(est);
1086 status = cipher_set_iv(stream->rtp_cipher, &iv);
1087 }
1088 if (status)
1089 return err_status_cipher_fail;
1090
1091 /* shift est, put into network byte order */
1092 #ifdef NO_64BIT_MATH
1093 est = be64_to_cpu(make64((high32(est) << 16) |
1094 (low32(est) >> 16),
1095 low32(est) << 16));
1096 #else
1097 est = be64_to_cpu(est << 16);
1098 #endif
1099
1100 /*
1101 * find starting point for decryption and length of data to be
1102 * decrypted - the encrypted portion starts after the rtp header
1103 * extension, if present; otherwise, it starts after the last csrc,
1104 * if any are present
1105 *
1106 * if we're not providing confidentiality, set enc_start to NULL
1107 */
1108 if (stream->rtp_services & sec_serv_conf) {
1109 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1110 if (hdr->x == 1) {
1111 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1112 enc_start += (ntohs(xtn_hdr->length) + 1);
1113 }
1114 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
1115 - ((enc_start - (uint32_t *)hdr) << 2));
1116 } else {
1117 enc_start = NULL;
1118 }
1119
1120 /*
1121 * if we're providing authentication, set the auth_start and auth_tag
1122 * pointers to the proper locations; otherwise, set auth_start to NULL
1123 * to indicate that no authentication is needed
1124 */
1125 if (stream->rtp_services & sec_serv_auth) {
1126 auth_start = (uint32_t *)hdr;
1127 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
1128 } else {
1129 auth_start = NULL;
1130 auth_tag = NULL;
1131 }
1132
1133 /*
1134 * if we expect message authentication, run the authentication
1135 * function and compare the result with the value of the auth_tag
1136 */
1137 if (auth_start) {
1138
1139 /*
1140 * if we're using a universal hash, then we need to compute the
1141 * keystream prefix for encrypting the universal hash output
1142 *
1143 * if the keystream prefix length is zero, then we know that
1144 * the authenticator isn't using a universal hash function
1145 */
1146 if (stream->rtp_auth->prefix_len != 0) {
1147
1148 prefix_len = auth_get_prefix_length(stream->rtp_auth);
1149 status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len);
1150 debug_print(mod_srtp, "keystream prefix: %s",
1151 octet_string_hex_string(tmp_tag, prefix_len));
1152 if (status)
1153 return err_status_cipher_fail;
1154 }
1155
1156 /* initialize auth func context */
1157 status = auth_start(stream->rtp_auth);
1158 if (status) return status;
1159
1160 /* now compute auth function over packet */
1161 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,
1162 *pkt_octet_len - tag_len);
1163
1164 /* run auth func over ROC, then write tmp tag */
1165 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);
1166
1167 debug_print(mod_srtp, "computed auth tag: %s",
1168 octet_string_hex_string(tmp_tag, tag_len));
1169 debug_print(mod_srtp, "packet auth tag: %s",
1170 octet_string_hex_string(auth_tag, tag_len));
1171 if (status)
1172 return err_status_auth_fail;
1173
1174 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1175 return err_status_auth_fail;
1176 }
1177
1178 /*
1179 * update the key usage limit, and check it to make sure that we
1180 * didn't just hit either the soft limit or the hard limit, and call
1181 * the event handler if we hit either.
1182 */
1183 switch(key_limit_update(stream->limit)) {
1184 case key_event_normal:
1185 break;
1186 case key_event_soft_limit:
1187 srtp_handle_event(ctx, stream, event_key_soft_limit);
1188 break;
1189 case key_event_hard_limit:
1190 srtp_handle_event(ctx, stream, event_key_hard_limit);
1191 return err_status_key_expired;
1192 default:
1193 break;
1194 }
1195
1196 /* if we're decrypting, add keystream into ciphertext */
1197 if (enc_start) {
1198 status = cipher_decrypt(stream->rtp_cipher,
1199 (uint8_t *)enc_start, &enc_octet_len);
1200 if (status)
1201 return err_status_cipher_fail;
1202 }
1203
1204 /*
1205 * verify that stream is for received traffic - this check will
1206 * detect SSRC collisions, since a stream that appears in both
1207 * srtp_protect() and srtp_unprotect() will fail this test in one of
1208 * those functions.
1209 *
1210 * we do this check *after* the authentication check, so that the
1211 * latter check will catch any attempts to fool us into thinking
1212 * that we've got a collision
1213 */
1214 if (stream->direction != dir_srtp_receiver) {
1215 if (stream->direction == dir_unknown) {
1216 stream->direction = dir_srtp_receiver;
1217 } else {
1218 srtp_handle_event(ctx, stream, event_ssrc_collision);
1219 }
1220 }
1221
1222 /*
1223 * if the stream is a 'provisional' one, in which the template context
1224 * is used, then we need to allocate a new stream at this point, since
1225 * the authentication passed
1226 */
1227 if (stream == ctx->stream_template) {
1228 srtp_stream_ctx_t *new_stream;
1229
1230 /*
1231 * allocate and initialize a new stream
1232 *
1233 * note that we indicate failure if we can't allocate the new
1234 * stream, and some implementations will want to not return
1235 * failure here
1236 */
1237 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1238 if (status)
1239 return status;
1240
1241 /* add new stream to the head of the stream_list */
1242 new_stream->next = ctx->stream_list;
1243 ctx->stream_list = new_stream;
1244
1245 /* set stream (the pointer used in this function) */
1246 stream = new_stream;
1247 }
1248
1249 /*
1250 * the message authentication function passed, so add the packet
1251 * index into the replay database
1252 */
1253 rdbx_add_index(&stream->rtp_rdbx, delta);
1254
1255 /* decrease the packet length by the length of the auth tag */
1256 *pkt_octet_len -= tag_len;
1257
1258 return err_status_ok;
1259 }
1260
1261 err_status_t
srtp_init()1262 srtp_init() {
1263 err_status_t status;
1264
1265 /* initialize crypto kernel */
1266 status = crypto_kernel_init();
1267 if (status)
1268 return status;
1269
1270 /* load srtp debug module into the kernel */
1271 status = crypto_kernel_load_debug_module(&mod_srtp);
1272 if (status)
1273 return status;
1274
1275 return err_status_ok;
1276 }
1277
1278 err_status_t
srtp_shutdown()1279 srtp_shutdown() {
1280 err_status_t status;
1281
1282 /* shut down crypto kernel */
1283 status = crypto_kernel_shutdown();
1284 if (status)
1285 return status;
1286
1287 /* shutting down crypto kernel frees the srtp debug module as well */
1288
1289 return err_status_ok;
1290 }
1291
1292
1293 /*
1294 * The following code is under consideration for removal. See
1295 * SRTP_MAX_TRAILER_LEN
1296 */
1297 #if 0
1298
1299 /*
1300 * srtp_get_trailer_length(&a) returns the number of octets that will
1301 * be added to an RTP packet by the SRTP processing. This value
1302 * is constant for a given srtp_stream_t (i.e. between initializations).
1303 */
1304
1305 int
1306 srtp_get_trailer_length(const srtp_stream_t s) {
1307 return auth_get_tag_length(s->rtp_auth);
1308 }
1309
1310 #endif
1311
1312 /*
1313 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
1314 * to ssrc, or NULL if no stream exists for that ssrc
1315 *
1316 * this is an internal function
1317 */
1318
1319 srtp_stream_ctx_t *
srtp_get_stream(srtp_t srtp,uint32_t ssrc)1320 srtp_get_stream(srtp_t srtp, uint32_t ssrc) {
1321 srtp_stream_ctx_t *stream;
1322
1323 /* walk down list until ssrc is found */
1324 stream = srtp->stream_list;
1325 while (stream != NULL) {
1326 if (stream->ssrc == ssrc)
1327 return stream;
1328 stream = stream->next;
1329 }
1330
1331 /* we haven't found our ssrc, so return a null */
1332 return NULL;
1333 }
1334
1335 err_status_t
srtp_dealloc(srtp_t session)1336 srtp_dealloc(srtp_t session) {
1337 srtp_stream_ctx_t *stream;
1338 err_status_t status;
1339
1340 /*
1341 * we take a conservative deallocation strategy - if we encounter an
1342 * error deallocating a stream, then we stop trying to deallocate
1343 * memory and just return an error
1344 */
1345
1346 /* walk list of streams, deallocating as we go */
1347 stream = session->stream_list;
1348 while (stream != NULL) {
1349 srtp_stream_t next = stream->next;
1350 status = srtp_stream_dealloc(session, stream);
1351 if (status)
1352 return status;
1353 stream = next;
1354 }
1355
1356 /* deallocate stream template, if there is one */
1357 if (session->stream_template != NULL) {
1358 status = auth_dealloc(session->stream_template->rtcp_auth);
1359 if (status)
1360 return status;
1361 status = cipher_dealloc(session->stream_template->rtcp_cipher);
1362 if (status)
1363 return status;
1364 crypto_free(session->stream_template->limit);
1365 status = cipher_dealloc(session->stream_template->rtp_cipher);
1366 if (status)
1367 return status;
1368 status = auth_dealloc(session->stream_template->rtp_auth);
1369 if (status)
1370 return status;
1371 status = rdbx_dealloc(&session->stream_template->rtp_rdbx);
1372 if (status)
1373 return status;
1374 crypto_free(session->stream_template);
1375 }
1376
1377 /* deallocate session context */
1378 crypto_free(session);
1379
1380 return err_status_ok;
1381 }
1382
1383
1384 err_status_t
srtp_add_stream(srtp_t session,const srtp_policy_t * policy)1385 srtp_add_stream(srtp_t session,
1386 const srtp_policy_t *policy) {
1387 err_status_t status;
1388 srtp_stream_t tmp;
1389
1390 /* sanity check arguments */
1391 if ((session == NULL) || (policy == NULL) || (policy->key == NULL))
1392 return err_status_bad_param;
1393
1394 /* allocate stream */
1395 status = srtp_stream_alloc(&tmp, policy);
1396 if (status) {
1397 return status;
1398 }
1399
1400 /* initialize stream */
1401 status = srtp_stream_init(tmp, policy);
1402 if (status) {
1403 crypto_free(tmp);
1404 return status;
1405 }
1406
1407 /*
1408 * set the head of the stream list or the template to point to the
1409 * stream that we've just alloced and init'ed, depending on whether
1410 * or not it has a wildcard SSRC value or not
1411 *
1412 * if the template stream has already been set, then the policy is
1413 * inconsistent, so we return a bad_param error code
1414 */
1415 switch (policy->ssrc.type) {
1416 case (ssrc_any_outbound):
1417 if (session->stream_template) {
1418 return err_status_bad_param;
1419 }
1420 session->stream_template = tmp;
1421 session->stream_template->direction = dir_srtp_sender;
1422 break;
1423 case (ssrc_any_inbound):
1424 if (session->stream_template) {
1425 return err_status_bad_param;
1426 }
1427 session->stream_template = tmp;
1428 session->stream_template->direction = dir_srtp_receiver;
1429 break;
1430 case (ssrc_specific):
1431 tmp->next = session->stream_list;
1432 session->stream_list = tmp;
1433 break;
1434 case (ssrc_undefined):
1435 default:
1436 crypto_free(tmp);
1437 return err_status_bad_param;
1438 }
1439
1440 return err_status_ok;
1441 }
1442
1443
1444 err_status_t
srtp_create(srtp_t * session,const srtp_policy_t * policy)1445 srtp_create(srtp_t *session, /* handle for session */
1446 const srtp_policy_t *policy) { /* SRTP policy (list) */
1447 err_status_t stat;
1448 srtp_ctx_t *ctx;
1449
1450 /* sanity check arguments */
1451 if (session == NULL)
1452 return err_status_bad_param;
1453
1454 /* allocate srtp context and set ctx_ptr */
1455 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));
1456 if (ctx == NULL)
1457 return err_status_alloc_fail;
1458 *session = ctx;
1459
1460 /*
1461 * loop over elements in the policy list, allocating and
1462 * initializing a stream for each element
1463 */
1464 ctx->stream_template = NULL;
1465 ctx->stream_list = NULL;
1466 while (policy != NULL) {
1467
1468 stat = srtp_add_stream(ctx, policy);
1469 if (stat) {
1470 /* clean up everything */
1471 srtp_dealloc(*session);
1472 return stat;
1473 }
1474
1475 /* set policy to next item in list */
1476 policy = policy->next;
1477 }
1478
1479 return err_status_ok;
1480 }
1481
1482
1483 err_status_t
srtp_remove_stream(srtp_t session,uint32_t ssrc)1484 srtp_remove_stream(srtp_t session, uint32_t ssrc) {
1485 srtp_stream_ctx_t *stream, *last_stream;
1486 err_status_t status;
1487
1488 /* sanity check arguments */
1489 if (session == NULL)
1490 return err_status_bad_param;
1491
1492 /* find stream in list; complain if not found */
1493 last_stream = stream = session->stream_list;
1494 while ((stream != NULL) && (ssrc != stream->ssrc)) {
1495 last_stream = stream;
1496 stream = stream->next;
1497 }
1498 if (stream == NULL)
1499 return err_status_no_ctx;
1500
1501 /* remove stream from the list */
1502 if (last_stream == stream)
1503 /* stream was first in list */
1504 session->stream_list = stream->next;
1505 else
1506 last_stream->next = stream->next;
1507
1508 /* deallocate the stream */
1509 status = srtp_stream_dealloc(session, stream);
1510 if (status)
1511 return status;
1512
1513 return err_status_ok;
1514 }
1515
1516
1517 /*
1518 * the default policy - provides a convenient way for callers to use
1519 * the default security policy
1520 *
1521 * this policy is that defined in the current SRTP internet draft.
1522 *
1523 */
1524
1525 /*
1526 * NOTE: cipher_key_len is really key len (128 bits) plus salt len
1527 * (112 bits)
1528 */
1529 /* There are hard-coded 16's for base_key_len in the key generation code */
1530
1531 void
crypto_policy_set_rtp_default(crypto_policy_t * p)1532 crypto_policy_set_rtp_default(crypto_policy_t *p) {
1533
1534 p->cipher_type = AES_ICM;
1535 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1536 p->auth_type = HMAC_SHA1;
1537 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1538 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1539 p->sec_serv = sec_serv_conf_and_auth;
1540
1541 }
1542
1543 void
crypto_policy_set_rtcp_default(crypto_policy_t * p)1544 crypto_policy_set_rtcp_default(crypto_policy_t *p) {
1545
1546 p->cipher_type = AES_ICM;
1547 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1548 p->auth_type = HMAC_SHA1;
1549 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1550 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1551 p->sec_serv = sec_serv_conf_and_auth;
1552
1553 }
1554
1555 void
crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t * p)1556 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {
1557
1558 /*
1559 * corresponds to RFC 4568
1560 *
1561 * note that this crypto policy is intended for SRTP, but not SRTCP
1562 */
1563
1564 p->cipher_type = AES_ICM;
1565 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1566 p->auth_type = HMAC_SHA1;
1567 p->auth_key_len = 20; /* 160 bit key */
1568 p->auth_tag_len = 4; /* 32 bit tag */
1569 p->sec_serv = sec_serv_conf_and_auth;
1570
1571 }
1572
1573
1574 void
crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t * p)1575 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {
1576
1577 /*
1578 * corresponds to RFC 4568
1579 *
1580 * note that this crypto policy is intended for SRTP, but not SRTCP
1581 */
1582
1583 p->cipher_type = AES_ICM;
1584 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1585 p->auth_type = NULL_AUTH;
1586 p->auth_key_len = 0;
1587 p->auth_tag_len = 0;
1588 p->sec_serv = sec_serv_conf;
1589
1590 }
1591
1592
1593 void
crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t * p)1594 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {
1595
1596 /*
1597 * corresponds to RFC 4568
1598 */
1599
1600 p->cipher_type = NULL_CIPHER;
1601 p->cipher_key_len = 0;
1602 p->auth_type = HMAC_SHA1;
1603 p->auth_key_len = 20;
1604 p->auth_tag_len = 10;
1605 p->sec_serv = sec_serv_auth;
1606
1607 }
1608
1609
1610 void
crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t * p)1611 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) {
1612
1613 /*
1614 * corresponds to draft-ietf-avt-big-aes-03.txt
1615 */
1616
1617 p->cipher_type = AES_ICM;
1618 p->cipher_key_len = 46;
1619 p->auth_type = HMAC_SHA1;
1620 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1621 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1622 p->sec_serv = sec_serv_conf_and_auth;
1623 }
1624
1625
1626 void
crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t * p)1627 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) {
1628
1629 /*
1630 * corresponds to draft-ietf-avt-big-aes-03.txt
1631 *
1632 * note that this crypto policy is intended for SRTP, but not SRTCP
1633 */
1634
1635 p->cipher_type = AES_ICM;
1636 p->cipher_key_len = 46;
1637 p->auth_type = HMAC_SHA1;
1638 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1639 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */
1640 p->sec_serv = sec_serv_conf_and_auth;
1641 }
1642
1643
1644 /*
1645 * secure rtcp functions
1646 */
1647
1648 err_status_t
srtp_protect_rtcp(srtp_t ctx,void * rtcp_hdr,int * pkt_octet_len)1649 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
1650 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
1651 uint32_t *enc_start; /* pointer to start of encrypted portion */
1652 uint32_t *auth_start; /* pointer to start of auth. portion */
1653 uint32_t *trailer; /* pointer to start of trailer */
1654 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1655 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1656 err_status_t status;
1657 int tag_len;
1658 srtp_stream_ctx_t *stream;
1659 int prefix_len;
1660 uint32_t seq_num;
1661
1662 /* we assume the hdr is 32-bit aligned to start */
1663 /*
1664 * look up ssrc in srtp_stream list, and process the packet with
1665 * the appropriate stream. if we haven't seen this stream before,
1666 * there's only one key for this srtp_session, and the cipher
1667 * supports key-sharing, then we assume that a new stream using
1668 * that key has just started up
1669 */
1670 stream = srtp_get_stream(ctx, hdr->ssrc);
1671 if (stream == NULL) {
1672 if (ctx->stream_template != NULL) {
1673 srtp_stream_ctx_t *new_stream;
1674
1675 /* allocate and initialize a new stream */
1676 status = srtp_stream_clone(ctx->stream_template,
1677 hdr->ssrc, &new_stream);
1678 if (status)
1679 return status;
1680
1681 /* add new stream to the head of the stream_list */
1682 new_stream->next = ctx->stream_list;
1683 ctx->stream_list = new_stream;
1684
1685 /* set stream (the pointer used in this function) */
1686 stream = new_stream;
1687 } else {
1688 /* no template stream, so we return an error */
1689 return err_status_no_ctx;
1690 }
1691 }
1692
1693 /*
1694 * verify that stream is for sending traffic - this check will
1695 * detect SSRC collisions, since a stream that appears in both
1696 * srtp_protect() and srtp_unprotect() will fail this test in one of
1697 * those functions.
1698 */
1699 if (stream->direction != dir_srtp_sender) {
1700 if (stream->direction == dir_unknown) {
1701 stream->direction = dir_srtp_sender;
1702 } else {
1703 srtp_handle_event(ctx, stream, event_ssrc_collision);
1704 }
1705 }
1706
1707 /* get tag length from stream context */
1708 tag_len = auth_get_tag_length(stream->rtcp_auth);
1709
1710 /*
1711 * set encryption start and encryption length - if we're not
1712 * providing confidentiality, set enc_start to NULL
1713 */
1714 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1715 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
1716
1717 /* all of the packet, except the header, gets encrypted */
1718 /* NOTE: hdr->length is not usable - it refers to only the first
1719 RTCP report in the compound packet! */
1720 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1721 multiples of 32-bits (RFC 3550 6.1) */
1722 trailer = (uint32_t *) ((char *)enc_start + enc_octet_len);
1723
1724 if (stream->rtcp_services & sec_serv_conf) {
1725 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
1726 } else {
1727 enc_start = NULL;
1728 enc_octet_len = 0;
1729 /* 0 is network-order independant */
1730 *trailer = 0x00000000; /* set encrypt bit */
1731 }
1732
1733 /*
1734 * set the auth_start and auth_tag pointers to the proper locations
1735 * (note that srtpc *always* provides authentication, unlike srtp)
1736 */
1737 /* Note: This would need to change for optional mikey data */
1738 auth_start = (uint32_t *)hdr;
1739 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t);
1740
1741 /* perform EKT processing if needed */
1742 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
1743 rdbx_get_packet_index(&stream->rtp_rdbx));
1744
1745 /*
1746 * check sequence number for overruns, and copy it into the packet
1747 * if its value isn't too big
1748 */
1749 status = rdb_increment(&stream->rtcp_rdb);
1750 if (status)
1751 return status;
1752 seq_num = rdb_get_value(&stream->rtcp_rdb);
1753 *trailer |= htonl(seq_num);
1754 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1755
1756 /*
1757 * if we're using rindael counter mode, set nonce and seq
1758 */
1759 if (stream->rtcp_cipher->type->id == AES_ICM) {
1760 v128_t iv;
1761
1762 iv.v32[0] = 0;
1763 iv.v32[1] = hdr->ssrc; /* still in network order! */
1764 iv.v32[2] = htonl(seq_num >> 16);
1765 iv.v32[3] = htonl(seq_num << 16);
1766 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1767
1768 } else {
1769 v128_t iv;
1770
1771 /* otherwise, just set the index to seq_num */
1772 iv.v32[0] = 0;
1773 iv.v32[1] = 0;
1774 iv.v32[2] = 0;
1775 iv.v32[3] = htonl(seq_num);
1776 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1777 }
1778 if (status)
1779 return err_status_cipher_fail;
1780
1781 /*
1782 * if we're authenticating using a universal hash, put the keystream
1783 * prefix into the authentication tag
1784 */
1785
1786 /* if auth_start is non-null, then put keystream into tag */
1787 if (auth_start) {
1788
1789 /* put keystream prefix into auth_tag */
1790 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1791 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1792
1793 debug_print(mod_srtp, "keystream prefix: %s",
1794 octet_string_hex_string(auth_tag, prefix_len));
1795
1796 if (status)
1797 return err_status_cipher_fail;
1798 }
1799
1800 /* if we're encrypting, exor keystream into the message */
1801 if (enc_start) {
1802 status = cipher_encrypt(stream->rtcp_cipher,
1803 (uint8_t *)enc_start, &enc_octet_len);
1804 if (status)
1805 return err_status_cipher_fail;
1806 }
1807
1808 /* initialize auth func context */
1809 auth_start(stream->rtcp_auth);
1810
1811 /*
1812 * run auth func over packet (including trailer), and write the
1813 * result at auth_tag
1814 */
1815 status = auth_compute(stream->rtcp_auth,
1816 (uint8_t *)auth_start,
1817 (*pkt_octet_len) + sizeof(srtcp_trailer_t),
1818 auth_tag);
1819 debug_print(mod_srtp, "srtcp auth tag: %s",
1820 octet_string_hex_string(auth_tag, tag_len));
1821 if (status)
1822 return err_status_auth_fail;
1823
1824 /* increase the packet length by the length of the auth tag and seq_num*/
1825 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
1826
1827 return err_status_ok;
1828 }
1829
1830
1831 err_status_t
srtp_unprotect_rtcp(srtp_t ctx,void * srtcp_hdr,int * pkt_octet_len)1832 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
1833 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
1834 uint32_t *enc_start; /* pointer to start of encrypted portion */
1835 uint32_t *auth_start; /* pointer to start of auth. portion */
1836 uint32_t *trailer; /* pointer to start of trailer */
1837 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1838 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1839 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
1840 uint8_t tag_copy[SRTP_MAX_TAG_LEN];
1841 err_status_t status;
1842 unsigned auth_len;
1843 int tag_len;
1844 srtp_stream_ctx_t *stream;
1845 int prefix_len;
1846 uint32_t seq_num;
1847
1848 /* we assume the hdr is 32-bit aligned to start */
1849 /*
1850 * look up ssrc in srtp_stream list, and process the packet with
1851 * the appropriate stream. if we haven't seen this stream before,
1852 * there's only one key for this srtp_session, and the cipher
1853 * supports key-sharing, then we assume that a new stream using
1854 * that key has just started up
1855 */
1856 stream = srtp_get_stream(ctx, hdr->ssrc);
1857 if (stream == NULL) {
1858 if (ctx->stream_template != NULL) {
1859 stream = ctx->stream_template;
1860
1861 /*
1862 * check to see if stream_template has an EKT data structure, in
1863 * which case we initialize the template using the EKT policy
1864 * referenced by that data (which consists of decrypting the
1865 * master key from the EKT field)
1866 *
1867 * this function initializes a *provisional* stream, and this
1868 * stream should not be accepted until and unless the packet
1869 * passes its authentication check
1870 */
1871 if (stream->ekt != NULL) {
1872 status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len);
1873 if (status)
1874 return status;
1875 }
1876
1877 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
1878 hdr->ssrc);
1879 } else {
1880 /* no template stream, so we return an error */
1881 return err_status_no_ctx;
1882 }
1883 }
1884
1885 /* get tag length from stream context */
1886 tag_len = auth_get_tag_length(stream->rtcp_auth);
1887
1888 /*
1889 * set encryption start, encryption length, and trailer
1890 */
1891 enc_octet_len = *pkt_octet_len -
1892 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
1893 /* index & E (encryption) bit follow normal data. hdr->len
1894 is the number of words (32-bit) in the normal packet minus 1 */
1895 /* This should point trailer to the word past the end of the
1896 normal data. */
1897 /* This would need to be modified for optional mikey data */
1898 /*
1899 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1900 * multiples of 32-bits (RFC 3550 6.1)
1901 */
1902 trailer = (uint32_t *) ((char *) hdr +
1903 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
1904 if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
1905 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1906 } else {
1907 enc_octet_len = 0;
1908 enc_start = NULL; /* this indicates that there's no encryption */
1909 }
1910
1911 /*
1912 * set the auth_start and auth_tag pointers to the proper locations
1913 * (note that srtcp *always* uses authentication, unlike srtp)
1914 */
1915 auth_start = (uint32_t *)hdr;
1916 auth_len = *pkt_octet_len - tag_len;
1917 auth_tag = (uint8_t *)hdr + auth_len;
1918
1919 /*
1920 * if EKT is in use, then we make a copy of the tag from the packet,
1921 * and then zeroize the location of the base tag
1922 *
1923 * we first re-position the auth_tag pointer so that it points to
1924 * the base tag
1925 */
1926 if (stream->ekt) {
1927 auth_tag -= ekt_octets_after_base_tag(stream->ekt);
1928 memcpy(tag_copy, auth_tag, tag_len);
1929 octet_string_set_to_zero(auth_tag, tag_len);
1930 auth_tag = tag_copy;
1931 auth_len += tag_len;
1932 }
1933
1934 /*
1935 * check the sequence number for replays
1936 */
1937 /* this is easier than dealing with bitfield access */
1938 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
1939 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1940 status = rdb_check(&stream->rtcp_rdb, seq_num);
1941 if (status)
1942 return status;
1943
1944 /*
1945 * if we're using aes counter mode, set nonce and seq
1946 */
1947 if (stream->rtcp_cipher->type->id == AES_ICM) {
1948 v128_t iv;
1949
1950 iv.v32[0] = 0;
1951 iv.v32[1] = hdr->ssrc; /* still in network order! */
1952 iv.v32[2] = htonl(seq_num >> 16);
1953 iv.v32[3] = htonl(seq_num << 16);
1954 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1955
1956 } else {
1957 v128_t iv;
1958
1959 /* otherwise, just set the index to seq_num */
1960 iv.v32[0] = 0;
1961 iv.v32[1] = 0;
1962 iv.v32[2] = 0;
1963 iv.v32[3] = htonl(seq_num);
1964 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1965
1966 }
1967 if (status)
1968 return err_status_cipher_fail;
1969
1970 /* initialize auth func context */
1971 auth_start(stream->rtcp_auth);
1972
1973 /* run auth func over packet, put result into tmp_tag */
1974 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
1975 auth_len, tmp_tag);
1976 debug_print(mod_srtp, "srtcp computed tag: %s",
1977 octet_string_hex_string(tmp_tag, tag_len));
1978 if (status)
1979 return err_status_auth_fail;
1980
1981 /* compare the tag just computed with the one in the packet */
1982 debug_print(mod_srtp, "srtcp tag from packet: %s",
1983 octet_string_hex_string(auth_tag, tag_len));
1984 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1985 return err_status_auth_fail;
1986
1987 /*
1988 * if we're authenticating using a universal hash, put the keystream
1989 * prefix into the authentication tag
1990 */
1991 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1992 if (prefix_len) {
1993 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1994 debug_print(mod_srtp, "keystream prefix: %s",
1995 octet_string_hex_string(auth_tag, prefix_len));
1996 if (status)
1997 return err_status_cipher_fail;
1998 }
1999
2000 /* if we're decrypting, exor keystream into the message */
2001 if (enc_start) {
2002 status = cipher_decrypt(stream->rtcp_cipher,
2003 (uint8_t *)enc_start, &enc_octet_len);
2004 if (status)
2005 return err_status_cipher_fail;
2006 }
2007
2008 /* decrease the packet length by the length of the auth tag and seq_num */
2009 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
2010
2011 /*
2012 * if EKT is in effect, subtract the EKT data out of the packet
2013 * length
2014 */
2015 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt);
2016
2017 /*
2018 * verify that stream is for received traffic - this check will
2019 * detect SSRC collisions, since a stream that appears in both
2020 * srtp_protect() and srtp_unprotect() will fail this test in one of
2021 * those functions.
2022 *
2023 * we do this check *after* the authentication check, so that the
2024 * latter check will catch any attempts to fool us into thinking
2025 * that we've got a collision
2026 */
2027 if (stream->direction != dir_srtp_receiver) {
2028 if (stream->direction == dir_unknown) {
2029 stream->direction = dir_srtp_receiver;
2030 } else {
2031 srtp_handle_event(ctx, stream, event_ssrc_collision);
2032 }
2033 }
2034
2035 /*
2036 * if the stream is a 'provisional' one, in which the template context
2037 * is used, then we need to allocate a new stream at this point, since
2038 * the authentication passed
2039 */
2040 if (stream == ctx->stream_template) {
2041 srtp_stream_ctx_t *new_stream;
2042
2043 /*
2044 * allocate and initialize a new stream
2045 *
2046 * note that we indicate failure if we can't allocate the new
2047 * stream, and some implementations will want to not return
2048 * failure here
2049 */
2050 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2051 if (status)
2052 return status;
2053
2054 /* add new stream to the head of the stream_list */
2055 new_stream->next = ctx->stream_list;
2056 ctx->stream_list = new_stream;
2057
2058 /* set stream (the pointer used in this function) */
2059 stream = new_stream;
2060 }
2061
2062 /* we've passed the authentication check, so add seq_num to the rdb */
2063 rdb_add_index(&stream->rtcp_rdb, seq_num);
2064
2065
2066 return err_status_ok;
2067 }
2068
2069
2070
2071 /*
2072 * dtls keying for srtp
2073 */
2074
2075 err_status_t
crypto_policy_set_from_profile_for_rtp(crypto_policy_t * policy,srtp_profile_t profile)2076 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
2077 srtp_profile_t profile) {
2078
2079 /* set SRTP policy from the SRTP profile in the key set */
2080 switch(profile) {
2081 case srtp_profile_aes128_cm_sha1_80:
2082 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2083 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2084 break;
2085 case srtp_profile_aes128_cm_sha1_32:
2086 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
2087 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2088 break;
2089 case srtp_profile_null_sha1_80:
2090 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2091 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2092 break;
2093 case srtp_profile_aes256_cm_sha1_80:
2094 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2095 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2096 break;
2097 case srtp_profile_aes256_cm_sha1_32:
2098 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
2099 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2100 break;
2101 /* the following profiles are not (yet) supported */
2102 case srtp_profile_null_sha1_32:
2103 default:
2104 return err_status_bad_param;
2105 }
2106
2107 return err_status_ok;
2108 }
2109
2110 err_status_t
crypto_policy_set_from_profile_for_rtcp(crypto_policy_t * policy,srtp_profile_t profile)2111 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
2112 srtp_profile_t profile) {
2113
2114 /* set SRTP policy from the SRTP profile in the key set */
2115 switch(profile) {
2116 case srtp_profile_aes128_cm_sha1_80:
2117 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2118 break;
2119 case srtp_profile_aes128_cm_sha1_32:
2120 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2121 break;
2122 case srtp_profile_null_sha1_80:
2123 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2124 break;
2125 case srtp_profile_aes256_cm_sha1_80:
2126 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2127 break;
2128 case srtp_profile_aes256_cm_sha1_32:
2129 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2130 break;
2131 /* the following profiles are not (yet) supported */
2132 case srtp_profile_null_sha1_32:
2133 default:
2134 return err_status_bad_param;
2135 }
2136
2137 return err_status_ok;
2138 }
2139
2140 void
append_salt_to_key(uint8_t * key,unsigned int bytes_in_key,uint8_t * salt,unsigned int bytes_in_salt)2141 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key,
2142 uint8_t *salt, unsigned int bytes_in_salt) {
2143
2144 memcpy(key + bytes_in_key, salt, bytes_in_salt);
2145
2146 }
2147
2148 unsigned int
srtp_profile_get_master_key_length(srtp_profile_t profile)2149 srtp_profile_get_master_key_length(srtp_profile_t profile) {
2150
2151 switch(profile) {
2152 case srtp_profile_aes128_cm_sha1_80:
2153 return 16;
2154 break;
2155 case srtp_profile_aes128_cm_sha1_32:
2156 return 16;
2157 break;
2158 case srtp_profile_null_sha1_80:
2159 return 16;
2160 break;
2161 case srtp_profile_aes256_cm_sha1_80:
2162 return 32;
2163 break;
2164 case srtp_profile_aes256_cm_sha1_32:
2165 return 32;
2166 break;
2167 /* the following profiles are not (yet) supported */
2168 case srtp_profile_null_sha1_32:
2169 default:
2170 return 0; /* indicate error by returning a zero */
2171 }
2172 }
2173
2174 unsigned int
srtp_profile_get_master_salt_length(srtp_profile_t profile)2175 srtp_profile_get_master_salt_length(srtp_profile_t profile) {
2176
2177 switch(profile) {
2178 case srtp_profile_aes128_cm_sha1_80:
2179 return 14;
2180 break;
2181 case srtp_profile_aes128_cm_sha1_32:
2182 return 14;
2183 break;
2184 case srtp_profile_null_sha1_80:
2185 return 14;
2186 break;
2187 case srtp_profile_aes256_cm_sha1_80:
2188 return 14;
2189 break;
2190 case srtp_profile_aes256_cm_sha1_32:
2191 return 14;
2192 break;
2193 /* the following profiles are not (yet) supported */
2194 case srtp_profile_null_sha1_32:
2195 default:
2196 return 0; /* indicate error by returning a zero */
2197 }
2198 }
2199