/* * srtp.c * * the secure real-time transport protocol * * David A. McGrew * Cisco Systems, Inc. */ /* * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * */ // Leave this as the top level import. Ensures the existence of defines #include "config.h" #include "srtp_priv.h" #include "crypto_types.h" #include "err.h" #include "alloc.h" /* for srtp_crypto_alloc() */ #ifdef GCM #include "aes_gcm.h" /* for AES GCM mode */ #endif #ifdef OPENSSL_KDF #include #include "aes_icm_ext.h" #endif #include #ifdef HAVE_NETINET_IN_H #include #elif defined(HAVE_WINSOCK2_H) #include #endif /* the debug module for srtp */ srtp_debug_module_t mod_srtp = { 0, /* debugging is off by default */ "srtp" /* printable name for module */ }; #define octets_in_rtp_header 12 #define uint32s_in_rtp_header 3 #define octets_in_rtcp_header 8 #define uint32s_in_rtcp_header 2 #define octets_in_rtp_extn_hdr 4 static srtp_err_status_t srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) { srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; int rtp_header_len; if (*pkt_octet_len < octets_in_rtp_header) return srtp_err_status_bad_param; /* Check RTP header length */ rtp_header_len = octets_in_rtp_header + 4 * hdr->cc; if (hdr->x == 1) rtp_header_len += octets_in_rtp_extn_hdr; if (*pkt_octet_len < rtp_header_len) return srtp_err_status_bad_param; /* Verifing profile length. */ if (hdr->x == 1) { srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc); int profile_len = ntohs(xtn_hdr->length); rtp_header_len += profile_len * 4; /* profile length counts the number of 32-bit words */ if (*pkt_octet_len < rtp_header_len) return srtp_err_status_bad_param; } return srtp_err_status_ok; } const char *srtp_get_version_string() { /* * Simply return the autotools generated string */ return SRTP_VER_STRING; } unsigned int srtp_get_version() { unsigned int major = 0, minor = 0, micro = 0; unsigned int rv = 0; int parse_rv; /* * Parse the autotools generated version */ parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, µ); if (parse_rv != 3) { /* * We're expected to parse all 3 version levels. * If not, then this must not be an official release. * Return all zeros on the version */ return (0); } /* * We allow 8 bits for the major and minor, while * allowing 16 bits for the micro. 16 bits for the micro * may be beneficial for a continuous delivery model * in the future. */ rv |= (major & 0xFF) << 24; rv |= (minor & 0xFF) << 16; rv |= micro & 0xFF; return rv; } srtp_err_status_t srtp_stream_dealloc(srtp_stream_ctx_t *stream, const srtp_stream_ctx_t *stream_template) { srtp_err_status_t status; unsigned int i = 0; srtp_session_keys_t *session_keys = NULL; srtp_session_keys_t *template_session_keys = NULL; /* * we use a conservative deallocation strategy - if any deallocation * fails, then we report that fact without trying to deallocate * anything else */ if (stream->session_keys) { for (i = 0; i < stream->num_master_keys; i++) { session_keys = &stream->session_keys[i]; if (stream_template && stream->num_master_keys == stream_template->num_master_keys) { template_session_keys = &stream_template->session_keys[i]; } else { template_session_keys = NULL; } /* * deallocate cipher, if it is not the same as that in template */ if (template_session_keys && session_keys->rtp_cipher == template_session_keys->rtp_cipher) { /* do nothing */ } else if (session_keys->rtp_cipher) { status = srtp_cipher_dealloc(session_keys->rtp_cipher); if (status) return status; } /* * deallocate auth function, if it is not the same as that in * template */ if (template_session_keys && session_keys->rtp_auth == template_session_keys->rtp_auth) { /* do nothing */ } else if (session_keys->rtp_auth) { status = srtp_auth_dealloc(session_keys->rtp_auth); if (status) return status; } if (template_session_keys && session_keys->rtp_xtn_hdr_cipher == template_session_keys->rtp_xtn_hdr_cipher) { /* do nothing */ } else if (session_keys->rtp_xtn_hdr_cipher) { status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher); if (status) return status; } /* * deallocate rtcp cipher, if it is not the same as that in * template */ if (template_session_keys && session_keys->rtcp_cipher == template_session_keys->rtcp_cipher) { /* do nothing */ } else if (session_keys->rtcp_cipher) { status = srtp_cipher_dealloc(session_keys->rtcp_cipher); if (status) return status; } /* * deallocate rtcp auth function, if it is not the same as that in * template */ if (template_session_keys && session_keys->rtcp_auth == template_session_keys->rtcp_auth) { /* do nothing */ } else if (session_keys->rtcp_auth) { status = srtp_auth_dealloc(session_keys->rtcp_auth); if (status) return status; } /* * zeroize the salt value */ octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN); octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN); if (session_keys->mki_id) { octet_string_set_to_zero(session_keys->mki_id, session_keys->mki_size); srtp_crypto_free(session_keys->mki_id); session_keys->mki_id = NULL; } /* * deallocate key usage limit, if it is not the same as that in * template */ if (template_session_keys && session_keys->limit == template_session_keys->limit) { /* do nothing */ } else if (session_keys->limit) { srtp_crypto_free(session_keys->limit); } } srtp_crypto_free(stream->session_keys); } status = srtp_rdbx_dealloc(&stream->rtp_rdbx); if (status) return status; if (stream_template && stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) { /* do nothing */ } else if (stream->enc_xtn_hdr) { srtp_crypto_free(stream->enc_xtn_hdr); } /* deallocate srtp stream context */ srtp_crypto_free(stream); return srtp_err_status_ok; } static srtp_err_status_t srtp_valid_policy(const srtp_policy_t *p) { if (p != NULL && p->deprecated_ekt != NULL) { return srtp_err_status_bad_param; } return srtp_err_status_ok; } srtp_err_status_t srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, const srtp_policy_t *p) { srtp_stream_ctx_t *str; srtp_err_status_t stat; unsigned int i = 0; srtp_session_keys_t *session_keys = NULL; stat = srtp_valid_policy(p); if (stat != srtp_err_status_ok) { return stat; } /* * This function allocates the stream context, rtp and rtcp ciphers * and auth functions, and key limit structure. If there is a * failure during allocation, we free all previously allocated * memory and return a failure code. The code could probably * be improved, but it works and should be clear. */ /* allocate srtp stream and set str_ptr */ str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); if (str == NULL) return srtp_err_status_alloc_fail; *str_ptr = str; /* *To keep backwards API compatible if someone is using multiple master * keys then key should be set to NULL */ if (p->key != NULL) { str->num_master_keys = 1; } else { str->num_master_keys = p->num_master_keys; } str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( sizeof(srtp_session_keys_t) * str->num_master_keys); if (str->session_keys == NULL) { srtp_stream_dealloc(str, NULL); return srtp_err_status_alloc_fail; } for (i = 0; i < str->num_master_keys; i++) { session_keys = &str->session_keys[i]; /* allocate cipher */ stat = srtp_crypto_kernel_alloc_cipher( p->rtp.cipher_type, &session_keys->rtp_cipher, p->rtp.cipher_key_len, p->rtp.auth_tag_len); if (stat) { srtp_stream_dealloc(str, NULL); return stat; } /* allocate auth function */ stat = srtp_crypto_kernel_alloc_auth( p->rtp.auth_type, &session_keys->rtp_auth, p->rtp.auth_key_len, p->rtp.auth_tag_len); if (stat) { srtp_stream_dealloc(str, NULL); return stat; } /* * ...and now the RTCP-specific initialization - first, allocate * the cipher */ stat = srtp_crypto_kernel_alloc_cipher( p->rtcp.cipher_type, &session_keys->rtcp_cipher, p->rtcp.cipher_key_len, p->rtcp.auth_tag_len); if (stat) { srtp_stream_dealloc(str, NULL); return stat; } /* allocate auth function */ stat = srtp_crypto_kernel_alloc_auth( p->rtcp.auth_type, &session_keys->rtcp_auth, p->rtcp.auth_key_len, p->rtcp.auth_tag_len); if (stat) { srtp_stream_dealloc(str, NULL); return stat; } session_keys->mki_id = NULL; /* allocate key limit structure */ session_keys->limit = (srtp_key_limit_ctx_t *)srtp_crypto_alloc( sizeof(srtp_key_limit_ctx_t)); if (session_keys->limit == NULL) { srtp_stream_dealloc(str, NULL); return srtp_err_status_alloc_fail; } } if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) { srtp_cipher_type_id_t enc_xtn_hdr_cipher_type; int enc_xtn_hdr_cipher_key_len; str->enc_xtn_hdr = (int *)srtp_crypto_alloc(p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); if (!str->enc_xtn_hdr) { srtp_stream_dealloc(str, NULL); return srtp_err_status_alloc_fail; } memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr, p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); str->enc_xtn_hdr_count = p->enc_xtn_hdr_count; /* * For GCM ciphers, the corresponding ICM cipher is used for header * extensions encryption. */ switch (p->rtp.cipher_type) { case SRTP_AES_GCM_128: enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128; enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; break; case SRTP_AES_GCM_256: enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256; enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; break; default: enc_xtn_hdr_cipher_type = p->rtp.cipher_type; enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len; break; } for (i = 0; i < str->num_master_keys; i++) { session_keys = &str->session_keys[i]; /* allocate cipher for extensions header encryption */ stat = srtp_crypto_kernel_alloc_cipher( enc_xtn_hdr_cipher_type, &session_keys->rtp_xtn_hdr_cipher, enc_xtn_hdr_cipher_key_len, 0); if (stat) { srtp_stream_dealloc(str, NULL); return stat; } } } else { for (i = 0; i < str->num_master_keys; i++) { session_keys = &str->session_keys[i]; session_keys->rtp_xtn_hdr_cipher = NULL; } str->enc_xtn_hdr = NULL; str->enc_xtn_hdr_count = 0; } return srtp_err_status_ok; } /* * srtp_stream_clone(stream_template, new) allocates a new stream and * initializes it using the cipher and auth of the stream_template * * the only unique data in a cloned stream is the replay database and * the SSRC */ srtp_err_status_t srtp_stream_clone(const srtp_stream_ctx_t *stream_template, uint32_t ssrc, srtp_stream_ctx_t **str_ptr) { srtp_err_status_t status; srtp_stream_ctx_t *str; unsigned int i = 0; srtp_session_keys_t *session_keys = NULL; const srtp_session_keys_t *template_session_keys = NULL; debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc)); /* allocate srtp stream and set str_ptr */ str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); if (str == NULL) return srtp_err_status_alloc_fail; *str_ptr = str; str->num_master_keys = stream_template->num_master_keys; str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( sizeof(srtp_session_keys_t) * str->num_master_keys); if (str->session_keys == NULL) { srtp_stream_dealloc(*str_ptr, stream_template); *str_ptr = NULL; return srtp_err_status_alloc_fail; } for (i = 0; i < stream_template->num_master_keys; i++) { session_keys = &str->session_keys[i]; template_session_keys = &stream_template->session_keys[i]; /* set cipher and auth pointers to those of the template */ session_keys->rtp_cipher = template_session_keys->rtp_cipher; session_keys->rtp_auth = template_session_keys->rtp_auth; session_keys->rtp_xtn_hdr_cipher = template_session_keys->rtp_xtn_hdr_cipher; session_keys->rtcp_cipher = template_session_keys->rtcp_cipher; session_keys->rtcp_auth = template_session_keys->rtcp_auth; session_keys->mki_size = template_session_keys->mki_size; if (template_session_keys->mki_size == 0) { session_keys->mki_id = NULL; } else { session_keys->mki_id = srtp_crypto_alloc(template_session_keys->mki_size); if (session_keys->mki_id == NULL) { srtp_stream_dealloc(*str_ptr, stream_template); *str_ptr = NULL; return srtp_err_status_init_fail; } memcpy(session_keys->mki_id, template_session_keys->mki_id, session_keys->mki_size); } /* Copy the salt values */ memcpy(session_keys->salt, template_session_keys->salt, SRTP_AEAD_SALT_LEN); memcpy(session_keys->c_salt, template_session_keys->c_salt, SRTP_AEAD_SALT_LEN); /* set key limit to point to that of the template */ status = srtp_key_limit_clone(template_session_keys->limit, &session_keys->limit); if (status) { srtp_stream_dealloc(*str_ptr, stream_template); *str_ptr = NULL; return status; } } /* initialize replay databases */ status = srtp_rdbx_init( &str->rtp_rdbx, srtp_rdbx_get_window_size(&stream_template->rtp_rdbx)); if (status) { srtp_stream_dealloc(*str_ptr, stream_template); *str_ptr = NULL; return status; } srtp_rdb_init(&str->rtcp_rdb); str->allow_repeat_tx = stream_template->allow_repeat_tx; /* set ssrc to that provided */ str->ssrc = ssrc; /* reset pending ROC */ str->pending_roc = 0; /* set direction and security services */ str->direction = stream_template->direction; str->rtp_services = stream_template->rtp_services; str->rtcp_services = stream_template->rtcp_services; /* copy information about extensions header encryption */ str->enc_xtn_hdr = stream_template->enc_xtn_hdr; str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count; /* defensive coding */ str->next = NULL; return srtp_err_status_ok; } /* * key derivation functions, internal to libSRTP * * srtp_kdf_t is a key derivation context * * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher * described by cipher_id, with the master key k with length in octets keylen. * * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key * corresponding to label l and puts it into kl; the length * of the key in octets is provided as keylen. this function * should be called once for each subkey that is derived. * * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state */ typedef enum { label_rtp_encryption = 0x00, label_rtp_msg_auth = 0x01, label_rtp_salt = 0x02, label_rtcp_encryption = 0x03, label_rtcp_msg_auth = 0x04, label_rtcp_salt = 0x05, label_rtp_header_encryption = 0x06, label_rtp_header_salt = 0x07 } srtp_prf_label; #define MAX_SRTP_KEY_LEN 256 #if defined(OPENSSL) && defined(OPENSSL_KDF) #define MAX_SRTP_AESKEY_LEN 32 #define MAX_SRTP_SALT_LEN 14 /* * srtp_kdf_t represents a key derivation function. The SRTP * default KDF is the only one implemented at present. */ typedef struct { uint8_t master_key[MAX_SRTP_AESKEY_LEN]; uint8_t master_salt[MAX_SRTP_SALT_LEN]; const EVP_CIPHER *evp; } srtp_kdf_t; static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int key_len, int salt_len) { memset(kdf, 0x0, sizeof(srtp_kdf_t)); /* The NULL cipher has zero key length */ if (key_len == 0) return srtp_err_status_ok; if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) { return srtp_err_status_bad_param; } switch (key_len) { case SRTP_AES_256_KEYSIZE: kdf->evp = EVP_aes_256_ctr(); break; case SRTP_AES_192_KEYSIZE: kdf->evp = EVP_aes_192_ctr(); break; case SRTP_AES_128_KEYSIZE: kdf->evp = EVP_aes_128_ctr(); break; default: return srtp_err_status_bad_param; break; } memcpy(kdf->master_key, key, key_len); memcpy(kdf->master_salt, key + key_len, salt_len); return srtp_err_status_ok; } static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, uint8_t *key, unsigned int length) { int ret; /* The NULL cipher will not have an EVP */ if (!kdf->evp) return srtp_err_status_ok; octet_string_set_to_zero(key, length); /* * Invoke the OpenSSL SRTP KDF function * This is useful if OpenSSL is in FIPS mode and FIP * compliance is required for SRTP. */ ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key, (char *)&kdf->master_salt, NULL, NULL, label, (char *)key); if (ret == -1) { return (srtp_err_status_algo_fail); } return srtp_err_status_ok; } static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) { octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN); octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN); kdf->evp = NULL; return srtp_err_status_ok; } #else /* if OPENSSL_KDF */ /* * srtp_kdf_t represents a key derivation function. The SRTP * default KDF is the only one implemented at present. */ typedef struct { srtp_cipher_t *cipher; /* cipher used for key derivation */ } srtp_kdf_t; static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int key_len) { srtp_cipher_type_id_t cipher_id; srtp_err_status_t stat; switch (key_len) { case SRTP_AES_ICM_256_KEY_LEN_WSALT: cipher_id = SRTP_AES_ICM_256; break; case SRTP_AES_ICM_192_KEY_LEN_WSALT: cipher_id = SRTP_AES_ICM_192; break; case SRTP_AES_ICM_128_KEY_LEN_WSALT: cipher_id = SRTP_AES_ICM_128; break; default: return srtp_err_status_bad_param; break; } stat = srtp_crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, key_len, 0); if (stat) return stat; stat = srtp_cipher_init(kdf->cipher, key); if (stat) { srtp_cipher_dealloc(kdf->cipher); return stat; } return srtp_err_status_ok; } static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, uint8_t *key, unsigned int length) { srtp_err_status_t status; v128_t nonce; /* set eigth octet of nonce to