1 /*
2 * srtp.c
3 *
4 * the secure real-time transport protocol
5 *
6 * David A. McGrew
7 * Cisco Systems, Inc.
8 */
9 /*
10 *
11 * Copyright (c) 2001-2006, Cisco Systems, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 *
18 * Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 *
21 * Redistributions in binary form must reproduce the above
22 * copyright notice, this list of conditions and the following
23 * disclaimer in the documentation and/or other materials provided
24 * with the distribution.
25 *
26 * Neither the name of the Cisco Systems, Inc. nor the names of its
27 * contributors may be used to endorse or promote products derived
28 * from this software without specific prior written permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 *
43 */
44
45
46 #include "srtp.h"
47 #include "ekt.h" /* for SRTP Encrypted Key Transport */
48 #include "alloc.h" /* for crypto_alloc() */
49
50 #ifndef SRTP_KERNEL
51 # include <limits.h>
52 # ifdef HAVE_NETINET_IN_H
53 # include <netinet/in.h>
54 # elif defined(HAVE_WINSOCK2_H)
55 # include <winsock2.h>
56 # endif
57 #endif /* ! SRTP_KERNEL */
58
59
60 /* the debug module for srtp */
61
62 debug_module_t mod_srtp = {
63 0, /* debugging is off by default */
64 "srtp" /* printable name for module */
65 };
66
67 #define octets_in_rtp_header 12
68 #define uint32s_in_rtp_header 3
69 #define octets_in_rtcp_header 8
70 #define uint32s_in_rtcp_header 2
71
72
73 err_status_t
srtp_stream_alloc(srtp_stream_ctx_t ** str_ptr,const srtp_policy_t * p)74 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
75 const srtp_policy_t *p) {
76 srtp_stream_ctx_t *str;
77 err_status_t stat;
78
79 /*
80 * This function allocates the stream context, rtp and rtcp ciphers
81 * and auth functions, and key limit structure. If there is a
82 * failure during allocation, we free all previously allocated
83 * memory and return a failure code. The code could probably
84 * be improved, but it works and should be clear.
85 */
86
87 /* allocate srtp stream and set str_ptr */
88 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
89 if (str == NULL)
90 return err_status_alloc_fail;
91 *str_ptr = str;
92
93 /* allocate cipher */
94 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
95 &str->rtp_cipher,
96 p->rtp.cipher_key_len);
97 if (stat) {
98 crypto_free(str);
99 return stat;
100 }
101
102 /* allocate auth function */
103 stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
104 &str->rtp_auth,
105 p->rtp.auth_key_len,
106 p->rtp.auth_tag_len);
107 if (stat) {
108 cipher_dealloc(str->rtp_cipher);
109 crypto_free(str);
110 return stat;
111 }
112
113 /* allocate key limit structure */
114 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t));
115 if (str->limit == NULL) {
116 auth_dealloc(str->rtp_auth);
117 cipher_dealloc(str->rtp_cipher);
118 crypto_free(str);
119 return err_status_alloc_fail;
120 }
121
122 /*
123 * ...and now the RTCP-specific initialization - first, allocate
124 * the cipher
125 */
126 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
127 &str->rtcp_cipher,
128 p->rtcp.cipher_key_len);
129 if (stat) {
130 auth_dealloc(str->rtp_auth);
131 cipher_dealloc(str->rtp_cipher);
132 crypto_free(str->limit);
133 crypto_free(str);
134 return stat;
135 }
136
137 /* allocate auth function */
138 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
139 &str->rtcp_auth,
140 p->rtcp.auth_key_len,
141 p->rtcp.auth_tag_len);
142 if (stat) {
143 cipher_dealloc(str->rtcp_cipher);
144 auth_dealloc(str->rtp_auth);
145 cipher_dealloc(str->rtp_cipher);
146 crypto_free(str->limit);
147 crypto_free(str);
148 return stat;
149 }
150
151 /* allocate ekt data associated with stream */
152 stat = ekt_alloc(&str->ekt, p->ekt);
153 if (stat) {
154 auth_dealloc(str->rtcp_auth);
155 cipher_dealloc(str->rtcp_cipher);
156 auth_dealloc(str->rtp_auth);
157 cipher_dealloc(str->rtp_cipher);
158 crypto_free(str->limit);
159 crypto_free(str);
160 return stat;
161 }
162
163 return err_status_ok;
164 }
165
166 err_status_t
srtp_stream_dealloc(srtp_t session,srtp_stream_ctx_t * stream)167 srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) {
168 err_status_t status;
169
170 /*
171 * we use a conservative deallocation strategy - if any deallocation
172 * fails, then we report that fact without trying to deallocate
173 * anything else
174 */
175
176 /* deallocate cipher, if it is not the same as that in template */
177 if (session->stream_template
178 && stream->rtp_cipher == session->stream_template->rtp_cipher) {
179 /* do nothing */
180 } else {
181 status = cipher_dealloc(stream->rtp_cipher);
182 if (status)
183 return status;
184 }
185
186 /* deallocate auth function, if it is not the same as that in template */
187 if (session->stream_template
188 && stream->rtp_auth == session->stream_template->rtp_auth) {
189 /* do nothing */
190 } else {
191 status = auth_dealloc(stream->rtp_auth);
192 if (status)
193 return status;
194 }
195
196 /* deallocate key usage limit, if it is not the same as that in template */
197 if (session->stream_template
198 && stream->limit == session->stream_template->limit) {
199 /* do nothing */
200 } else {
201 crypto_free(stream->limit);
202 }
203
204 /*
205 * deallocate rtcp cipher, if it is not the same as that in
206 * template
207 */
208 if (session->stream_template
209 && stream->rtcp_cipher == session->stream_template->rtcp_cipher) {
210 /* do nothing */
211 } else {
212 status = cipher_dealloc(stream->rtcp_cipher);
213 if (status)
214 return status;
215 }
216
217 /*
218 * deallocate rtcp auth function, if it is not the same as that in
219 * template
220 */
221 if (session->stream_template
222 && stream->rtcp_auth == session->stream_template->rtcp_auth) {
223 /* do nothing */
224 } else {
225 status = auth_dealloc(stream->rtcp_auth);
226 if (status)
227 return status;
228 }
229
230 status = rdbx_dealloc(&stream->rtp_rdbx);
231 if (status)
232 return status;
233
234 /* DAM - need to deallocate EKT here */
235
236 /* deallocate srtp stream context */
237 crypto_free(stream);
238
239 return err_status_ok;
240 }
241
242
243 /*
244 * srtp_stream_clone(stream_template, new) allocates a new stream and
245 * initializes it using the cipher and auth of the stream_template
246 *
247 * the only unique data in a cloned stream is the replay database and
248 * the SSRC
249 */
250
251 err_status_t
srtp_stream_clone(const srtp_stream_ctx_t * stream_template,uint32_t ssrc,srtp_stream_ctx_t ** str_ptr)252 srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
253 uint32_t ssrc,
254 srtp_stream_ctx_t **str_ptr) {
255 err_status_t status;
256 srtp_stream_ctx_t *str;
257
258 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
259
260 /* allocate srtp stream and set str_ptr */
261 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
262 if (str == NULL)
263 return err_status_alloc_fail;
264 *str_ptr = str;
265
266 /* set cipher and auth pointers to those of the template */
267 str->rtp_cipher = stream_template->rtp_cipher;
268 str->rtp_auth = stream_template->rtp_auth;
269 str->rtcp_cipher = stream_template->rtcp_cipher;
270 str->rtcp_auth = stream_template->rtcp_auth;
271
272 /* set key limit to point to that of the template */
273 status = key_limit_clone(stream_template->limit, &str->limit);
274 if (status)
275 return status;
276
277 /* initialize replay databases */
278 status = rdbx_init(&str->rtp_rdbx,
279 rdbx_get_window_size(&stream_template->rtp_rdbx));
280 if (status)
281 return status;
282 rdb_init(&str->rtcp_rdb);
283 str->allow_repeat_tx = stream_template->allow_repeat_tx;
284
285 /* set ssrc to that provided */
286 str->ssrc = ssrc;
287
288 /* set direction and security services */
289 str->direction = stream_template->direction;
290 str->rtp_services = stream_template->rtp_services;
291 str->rtcp_services = stream_template->rtcp_services;
292
293 /* set pointer to EKT data associated with stream */
294 str->ekt = stream_template->ekt;
295
296 /* defensive coding */
297 str->next = NULL;
298
299 return err_status_ok;
300 }
301
302
303 /*
304 * key derivation functions, internal to libSRTP
305 *
306 * srtp_kdf_t is a key derivation context
307 *
308 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher
309 * described by cipher_id, with the master key k with length in octets keylen.
310 *
311 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
312 * corresponding to label l and puts it into kl; the length
313 * of the key in octets is provided as keylen. this function
314 * should be called once for each subkey that is derived.
315 *
316 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state
317 */
318
319 typedef enum {
320 label_rtp_encryption = 0x00,
321 label_rtp_msg_auth = 0x01,
322 label_rtp_salt = 0x02,
323 label_rtcp_encryption = 0x03,
324 label_rtcp_msg_auth = 0x04,
325 label_rtcp_salt = 0x05
326 } srtp_prf_label;
327
328
329 /*
330 * srtp_kdf_t represents a key derivation function. The SRTP
331 * default KDF is the only one implemented at present.
332 */
333
334 typedef struct {
335 cipher_t *cipher; /* cipher used for key derivation */
336 } srtp_kdf_t;
337
338 err_status_t
srtp_kdf_init(srtp_kdf_t * kdf,cipher_type_id_t cipher_id,const uint8_t * key,int length)339 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, int length) {
340
341 err_status_t stat;
342 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length);
343 if (stat)
344 return stat;
345
346 stat = cipher_init(kdf->cipher, key, direction_encrypt);
347 if (stat) {
348 cipher_dealloc(kdf->cipher);
349 return stat;
350 }
351
352 return err_status_ok;
353 }
354
355 err_status_t
srtp_kdf_generate(srtp_kdf_t * kdf,srtp_prf_label label,uint8_t * key,unsigned length)356 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
357 uint8_t *key, unsigned length) {
358
359 v128_t nonce;
360 err_status_t status;
361
362 /* set eigth octet of nonce to <label>, set the rest of it to zero */
363 v128_set_to_zero(&nonce);
364 nonce.v8[7] = label;
365
366 status = cipher_set_iv(kdf->cipher, &nonce);
367 if (status)
368 return status;
369
370 /* generate keystream output */
371 octet_string_set_to_zero(key, length);
372 status = cipher_encrypt(kdf->cipher, key, &length);
373 if (status)
374 return status;
375
376 return err_status_ok;
377 }
378
379 err_status_t
srtp_kdf_clear(srtp_kdf_t * kdf)380 srtp_kdf_clear(srtp_kdf_t *kdf) {
381 err_status_t status;
382 status = cipher_dealloc(kdf->cipher);
383 if (status)
384 return status;
385 kdf->cipher = NULL;
386
387 return err_status_ok;
388 }
389
390 /*
391 * end of key derivation functions
392 */
393
394 #define MAX_SRTP_KEY_LEN 256
395
396
397 /* Get the base key length corresponding to a given combined key+salt
398 * length for the given cipher.
399 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using
400 * AES-128 and short salts; everything else uses a salt length of 14.
401 * TODO: key and salt lengths should be separate fields in the policy. */
base_key_length(const cipher_type_t * cipher,int key_length)402 static inline int base_key_length(const cipher_type_t *cipher, int key_length)
403 {
404 if (cipher->id != AES_ICM)
405 return key_length;
406 else if (key_length > 16 && key_length < 30)
407 return 16;
408 return key_length - 14;
409 }
410
411 err_status_t
srtp_stream_init_keys(srtp_stream_ctx_t * srtp,const void * key)412 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
413 err_status_t stat;
414 srtp_kdf_t kdf;
415 uint8_t tmp_key[MAX_SRTP_KEY_LEN];
416 int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
417 int rtp_base_key_len, rtp_salt_len;
418 int rtcp_base_key_len, rtcp_salt_len;
419
420 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
421 /* TODO: kdf algorithm, master key length, and master salt length should
422 * be part of srtp_policy_t. */
423 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher);
424 if (rtp_keylen > kdf_keylen)
425 kdf_keylen = rtp_keylen;
426
427 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher);
428 if (rtcp_keylen > kdf_keylen)
429 kdf_keylen = rtcp_keylen;
430
431 /* initialize KDF state */
432 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)key, kdf_keylen);
433 if (stat) {
434 return err_status_init_fail;
435 }
436
437 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
438 rtp_salt_len = rtp_keylen - rtp_base_key_len;
439
440 /* generate encryption key */
441 stat = srtp_kdf_generate(&kdf, label_rtp_encryption,
442 tmp_key, rtp_base_key_len);
443 if (stat) {
444 /* zeroize temp buffer */
445 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
446 return err_status_init_fail;
447 }
448
449 /*
450 * if the cipher in the srtp context uses a salt, then we need
451 * to generate the salt value
452 */
453 if (rtp_salt_len > 0) {
454 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
455
456 /* generate encryption salt, put after encryption key */
457 stat = srtp_kdf_generate(&kdf, label_rtp_salt,
458 tmp_key + rtp_base_key_len, rtp_salt_len);
459 if (stat) {
460 /* zeroize temp buffer */
461 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
462 return err_status_init_fail;
463 }
464 }
465 debug_print(mod_srtp, "cipher key: %s",
466 octet_string_hex_string(tmp_key, rtp_keylen));
467
468 /* initialize cipher */
469 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any);
470 if (stat) {
471 /* zeroize temp buffer */
472 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
473 return err_status_init_fail;
474 }
475
476 /* generate authentication key */
477 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth,
478 tmp_key, auth_get_key_length(srtp->rtp_auth));
479 if (stat) {
480 /* zeroize temp buffer */
481 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
482 return err_status_init_fail;
483 }
484 debug_print(mod_srtp, "auth key: %s",
485 octet_string_hex_string(tmp_key,
486 auth_get_key_length(srtp->rtp_auth)));
487
488 /* initialize auth function */
489 stat = auth_init(srtp->rtp_auth, tmp_key);
490 if (stat) {
491 /* zeroize temp buffer */
492 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
493 return err_status_init_fail;
494 }
495
496 /*
497 * ...now initialize SRTCP keys
498 */
499
500 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen);
501 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
502
503 /* generate encryption key */
504 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption,
505 tmp_key, rtcp_base_key_len);
506 if (stat) {
507 /* zeroize temp buffer */
508 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
509 return err_status_init_fail;
510 }
511
512 /*
513 * if the cipher in the srtp context uses a salt, then we need
514 * to generate the salt value
515 */
516 if (rtcp_salt_len > 0) {
517 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
518 NULL);
519
520 /* generate encryption salt, put after encryption key */
521 stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
522 tmp_key + rtcp_base_key_len, rtcp_salt_len);
523 if (stat) {
524 /* zeroize temp buffer */
525 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
526 return err_status_init_fail;
527 }
528 }
529 debug_print(mod_srtp, "rtcp cipher key: %s",
530 octet_string_hex_string(tmp_key, rtcp_keylen));
531
532 /* initialize cipher */
533 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any);
534 if (stat) {
535 /* zeroize temp buffer */
536 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
537 return err_status_init_fail;
538 }
539
540 /* generate authentication key */
541 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
542 tmp_key, auth_get_key_length(srtp->rtcp_auth));
543 if (stat) {
544 /* zeroize temp buffer */
545 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
546 return err_status_init_fail;
547 }
548
549 debug_print(mod_srtp, "rtcp auth key: %s",
550 octet_string_hex_string(tmp_key,
551 auth_get_key_length(srtp->rtcp_auth)));
552
553 /* initialize auth function */
554 stat = auth_init(srtp->rtcp_auth, tmp_key);
555 if (stat) {
556 /* zeroize temp buffer */
557 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
558 return err_status_init_fail;
559 }
560
561 /* clear memory then return */
562 stat = srtp_kdf_clear(&kdf);
563 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
564 if (stat)
565 return err_status_init_fail;
566
567 return err_status_ok;
568 }
569
570 err_status_t
srtp_stream_init(srtp_stream_ctx_t * srtp,const srtp_policy_t * p)571 srtp_stream_init(srtp_stream_ctx_t *srtp,
572 const srtp_policy_t *p) {
573 err_status_t err;
574
575 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)",
576 p->ssrc.value);
577
578 /* initialize replay database */
579 /* window size MUST be at least 64. MAY be larger. Values more than
580 * 2^15 aren't meaningful due to how extended sequence numbers are
581 * calculated. Let a window size of 0 imply the default value. */
582
583 if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000))
584 return err_status_bad_param;
585
586 if (p->window_size != 0)
587 err = rdbx_init(&srtp->rtp_rdbx, p->window_size);
588 else
589 err = rdbx_init(&srtp->rtp_rdbx, 128);
590 if (err) return err;
591
592 /* initialize key limit to maximum value */
593 #ifdef NO_64BIT_MATH
594 {
595 uint64_t temp;
596 temp = make64(UINT_MAX,UINT_MAX);
597 key_limit_set(srtp->limit, temp);
598 }
599 #else
600 key_limit_set(srtp->limit, 0xffffffffffffLL);
601 #endif
602
603 /* set the SSRC value */
604 srtp->ssrc = htonl(p->ssrc.value);
605
606 /* set the security service flags */
607 srtp->rtp_services = p->rtp.sec_serv;
608 srtp->rtcp_services = p->rtcp.sec_serv;
609
610 /*
611 * set direction to unknown - this flag gets checked in srtp_protect(),
612 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
613 * gets set appropriately if it is set to unknown.
614 */
615 srtp->direction = dir_unknown;
616
617 /* initialize SRTCP replay database */
618 rdb_init(&srtp->rtcp_rdb);
619
620 /* initialize allow_repeat_tx */
621 /* guard against uninitialized memory: allow only 0 or 1 here */
622 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) {
623 rdbx_dealloc(&srtp->rtp_rdbx);
624 return err_status_bad_param;
625 }
626 srtp->allow_repeat_tx = p->allow_repeat_tx;
627
628 /* DAM - no RTCP key limit at present */
629
630 /* initialize keys */
631 err = srtp_stream_init_keys(srtp, p->key);
632 if (err) {
633 rdbx_dealloc(&srtp->rtp_rdbx);
634 return err;
635 }
636
637 /*
638 * if EKT is in use, then initialize the EKT data associated with
639 * the stream
640 */
641 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt);
642 if (err) {
643 rdbx_dealloc(&srtp->rtp_rdbx);
644 return err;
645 }
646
647 return err_status_ok;
648 }
649
650
651 /*
652 * srtp_event_reporter is an event handler function that merely
653 * reports the events that are reported by the callbacks
654 */
655
656 void
srtp_event_reporter(srtp_event_data_t * data)657 srtp_event_reporter(srtp_event_data_t *data) {
658
659 err_report(err_level_warning, "srtp: in stream 0x%x: ",
660 data->stream->ssrc);
661
662 switch(data->event) {
663 case event_ssrc_collision:
664 err_report(err_level_warning, "\tSSRC collision\n");
665 break;
666 case event_key_soft_limit:
667 err_report(err_level_warning, "\tkey usage soft limit reached\n");
668 break;
669 case event_key_hard_limit:
670 err_report(err_level_warning, "\tkey usage hard limit reached\n");
671 break;
672 case event_packet_index_limit:
673 err_report(err_level_warning, "\tpacket index limit reached\n");
674 break;
675 default:
676 err_report(err_level_warning, "\tunknown event reported to handler\n");
677 }
678 }
679
680 /*
681 * srtp_event_handler is a global variable holding a pointer to the
682 * event handler function; this function is called for any unexpected
683 * event that needs to be handled out of the SRTP data path. see
684 * srtp_event_t in srtp.h for more info
685 *
686 * it is okay to set srtp_event_handler to NULL, but we set
687 * it to the srtp_event_reporter.
688 */
689
690 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
691
692 err_status_t
srtp_install_event_handler(srtp_event_handler_func_t func)693 srtp_install_event_handler(srtp_event_handler_func_t func) {
694
695 /*
696 * note that we accept NULL arguments intentionally - calling this
697 * function with a NULL arguments removes an event handler that's
698 * been previously installed
699 */
700
701 /* set global event handling function */
702 srtp_event_handler = func;
703 return err_status_ok;
704 }
705
706 err_status_t
srtp_protect(srtp_ctx_t * ctx,void * rtp_hdr,int * pkt_octet_len)707 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
708 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
709 uint32_t *enc_start; /* pointer to start of encrypted portion */
710 uint32_t *auth_start; /* pointer to start of auth. portion */
711 unsigned enc_octet_len = 0; /* number of octets in encrypted portion */
712 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
713 int delta; /* delta of local pkt idx and that in hdr */
714 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
715 err_status_t status;
716 int tag_len;
717 srtp_stream_ctx_t *stream;
718 int prefix_len;
719
720 debug_print(mod_srtp, "function srtp_protect", NULL);
721
722 /* we assume the hdr is 32-bit aligned to start */
723
724 /* check the packet length - it must at least contain a full header */
725 if (*pkt_octet_len < octets_in_rtp_header)
726 return err_status_bad_param;
727
728 /*
729 * look up ssrc in srtp_stream list, and process the packet with
730 * the appropriate stream. if we haven't seen this stream before,
731 * there's a template key for this srtp_session, and the cipher
732 * supports key-sharing, then we assume that a new stream using
733 * that key has just started up
734 */
735 stream = srtp_get_stream(ctx, hdr->ssrc);
736 if (stream == NULL) {
737 if (ctx->stream_template != NULL) {
738 srtp_stream_ctx_t *new_stream;
739
740 /* allocate and initialize a new stream */
741 status = srtp_stream_clone(ctx->stream_template,
742 hdr->ssrc, &new_stream);
743 if (status)
744 return status;
745
746 /* add new stream to the head of the stream_list */
747 new_stream->next = ctx->stream_list;
748 ctx->stream_list = new_stream;
749
750 /* set direction to outbound */
751 new_stream->direction = dir_srtp_sender;
752
753 /* set stream (the pointer used in this function) */
754 stream = new_stream;
755 } else {
756 /* no template stream, so we return an error */
757 return err_status_no_ctx;
758 }
759 }
760
761 /*
762 * verify that stream is for sending traffic - this check will
763 * detect SSRC collisions, since a stream that appears in both
764 * srtp_protect() and srtp_unprotect() will fail this test in one of
765 * those functions.
766 */
767 if (stream->direction != dir_srtp_sender) {
768 if (stream->direction == dir_unknown) {
769 stream->direction = dir_srtp_sender;
770 } else {
771 srtp_handle_event(ctx, stream, event_ssrc_collision);
772 }
773 }
774
775 /*
776 * update the key usage limit, and check it to make sure that we
777 * didn't just hit either the soft limit or the hard limit, and call
778 * the event handler if we hit either.
779 */
780 switch(key_limit_update(stream->limit)) {
781 case key_event_normal:
782 break;
783 case key_event_soft_limit:
784 srtp_handle_event(ctx, stream, event_key_soft_limit);
785 break;
786 case key_event_hard_limit:
787 srtp_handle_event(ctx, stream, event_key_hard_limit);
788 return err_status_key_expired;
789 default:
790 break;
791 }
792
793 /* get tag length from stream */
794 tag_len = auth_get_tag_length(stream->rtp_auth);
795
796 /*
797 * find starting point for encryption and length of data to be
798 * encrypted - the encrypted portion starts after the rtp header
799 * extension, if present; otherwise, it starts after the last csrc,
800 * if any are present
801 *
802 * if we're not providing confidentiality, set enc_start to NULL
803 */
804 if (stream->rtp_services & sec_serv_conf) {
805 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
806 if (hdr->x == 1) {
807 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
808 enc_start += (ntohs(xtn_hdr->length) + 1);
809 }
810 if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len))
811 return err_status_parse_err;
812 enc_octet_len = (unsigned int)(*pkt_octet_len
813 - ((enc_start - (uint32_t *)hdr) << 2));
814 } else {
815 enc_start = NULL;
816 }
817
818 /*
819 * if we're providing authentication, set the auth_start and auth_tag
820 * pointers to the proper locations; otherwise, set auth_start to NULL
821 * to indicate that no authentication is needed
822 */
823 if (stream->rtp_services & sec_serv_auth) {
824 auth_start = (uint32_t *)hdr;
825 auth_tag = (uint8_t *)hdr + *pkt_octet_len;
826 } else {
827 auth_start = NULL;
828 auth_tag = NULL;
829 }
830
831 /*
832 * estimate the packet index using the start of the replay window
833 * and the sequence number from the header
834 */
835 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
836 status = rdbx_check(&stream->rtp_rdbx, delta);
837 if (status) {
838 if (status != err_status_replay_fail || !stream->allow_repeat_tx)
839 return status; /* we've been asked to reuse an index */
840 }
841 else
842 rdbx_add_index(&stream->rtp_rdbx, delta);
843
844 #ifdef NO_64BIT_MATH
845 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
846 high32(est),low32(est));
847 #else
848 debug_print(mod_srtp, "estimated packet index: %016llx", est);
849 #endif
850
851 /*
852 * if we're using rindael counter mode, set nonce and seq
853 */
854 if (stream->rtp_cipher->type->id == AES_ICM) {
855 v128_t iv;
856
857 iv.v32[0] = 0;
858 iv.v32[1] = hdr->ssrc;
859 #ifdef NO_64BIT_MATH
860 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
861 low32(est) << 16));
862 #else
863 iv.v64[1] = be64_to_cpu(est << 16);
864 #endif
865 status = cipher_set_iv(stream->rtp_cipher, &iv);
866
867 } else {
868 v128_t iv;
869
870 /* otherwise, set the index to est */
871 #ifdef NO_64BIT_MATH
872 iv.v32[0] = 0;
873 iv.v32[1] = 0;
874 #else
875 iv.v64[0] = 0;
876 #endif
877 iv.v64[1] = be64_to_cpu(est);
878 status = cipher_set_iv(stream->rtp_cipher, &iv);
879 }
880 if (status)
881 return err_status_cipher_fail;
882
883 /* shift est, put into network byte order */
884 #ifdef NO_64BIT_MATH
885 est = be64_to_cpu(make64((high32(est) << 16) |
886 (low32(est) >> 16),
887 low32(est) << 16));
888 #else
889 est = be64_to_cpu(est << 16);
890 #endif
891
892 /*
893 * if we're authenticating using a universal hash, put the keystream
894 * prefix into the authentication tag
895 */
896 if (auth_start) {
897
898 prefix_len = auth_get_prefix_length(stream->rtp_auth);
899 if (prefix_len) {
900 status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len);
901 if (status)
902 return err_status_cipher_fail;
903 debug_print(mod_srtp, "keystream prefix: %s",
904 octet_string_hex_string(auth_tag, prefix_len));
905 }
906 }
907
908 /* if we're encrypting, exor keystream into the message */
909 if (enc_start) {
910 status = cipher_encrypt(stream->rtp_cipher,
911 (uint8_t *)enc_start, &enc_octet_len);
912 if (status)
913 return err_status_cipher_fail;
914 }
915
916 /*
917 * if we're authenticating, run authentication function and put result
918 * into the auth_tag
919 */
920 if (auth_start) {
921
922 /* initialize auth func context */
923 status = auth_start(stream->rtp_auth);
924 if (status) return status;
925
926 /* run auth func over packet */
927 status = auth_update(stream->rtp_auth,
928 (uint8_t *)auth_start, *pkt_octet_len);
929 if (status) return status;
930
931 /* run auth func over ROC, put result into auth_tag */
932 debug_print(mod_srtp, "estimated packet index: %016llx", est);
933 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);
934 debug_print(mod_srtp, "srtp auth tag: %s",
935 octet_string_hex_string(auth_tag, tag_len));
936 if (status)
937 return err_status_auth_fail;
938
939 }
940
941 if (auth_tag) {
942
943 /* increase the packet length by the length of the auth tag */
944 *pkt_octet_len += tag_len;
945 }
946
947 return err_status_ok;
948 }
949
950
951 err_status_t
srtp_unprotect(srtp_ctx_t * ctx,void * srtp_hdr,int * pkt_octet_len)952 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
953 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
954 uint32_t *enc_start; /* pointer to start of encrypted portion */
955 uint32_t *auth_start; /* pointer to start of auth. portion */
956 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
957 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
958 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
959 int delta; /* delta of local pkt idx and that in hdr */
960 v128_t iv;
961 err_status_t status;
962 srtp_stream_ctx_t *stream;
963 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
964 int tag_len, prefix_len;
965
966 debug_print(mod_srtp, "function srtp_unprotect", NULL);
967
968 /* we assume the hdr is 32-bit aligned to start */
969
970 /* check the packet length - it must at least contain a full header */
971 if (*pkt_octet_len < octets_in_rtp_header)
972 return err_status_bad_param;
973
974 /*
975 * look up ssrc in srtp_stream list, and process the packet with
976 * the appropriate stream. if we haven't seen this stream before,
977 * there's only one key for this srtp_session, and the cipher
978 * supports key-sharing, then we assume that a new stream using
979 * that key has just started up
980 */
981 stream = srtp_get_stream(ctx, hdr->ssrc);
982 if (stream == NULL) {
983 if (ctx->stream_template != NULL) {
984 stream = ctx->stream_template;
985 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
986 hdr->ssrc);
987
988 /*
989 * set estimated packet index to sequence number from header,
990 * and set delta equal to the same value
991 */
992 #ifdef NO_64BIT_MATH
993 est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq));
994 delta = low32(est);
995 #else
996 est = (xtd_seq_num_t) ntohs(hdr->seq);
997 delta = (int)est;
998 #endif
999 } else {
1000
1001 /*
1002 * no stream corresponding to SSRC found, and we don't do
1003 * key-sharing, so return an error
1004 */
1005 return err_status_no_ctx;
1006 }
1007 } else {
1008
1009 /* estimate packet index from seq. num. in header */
1010 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
1011
1012 /* check replay database */
1013 status = rdbx_check(&stream->rtp_rdbx, delta);
1014 if (status)
1015 return status;
1016 }
1017
1018 #ifdef NO_64BIT_MATH
1019 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32(est));
1020 #else
1021 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1022 #endif
1023
1024 /* get tag length from stream */
1025 tag_len = auth_get_tag_length(stream->rtp_auth);
1026
1027 /*
1028 * set the cipher's IV properly, depending on whatever cipher we
1029 * happen to be using
1030 */
1031 if (stream->rtp_cipher->type->id == AES_ICM) {
1032
1033 /* aes counter mode */
1034 iv.v32[0] = 0;
1035 iv.v32[1] = hdr->ssrc; /* still in network order */
1036 #ifdef NO_64BIT_MATH
1037 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
1038 low32(est) << 16));
1039 #else
1040 iv.v64[1] = be64_to_cpu(est << 16);
1041 #endif
1042 status = cipher_set_iv(stream->rtp_cipher, &iv);
1043 } else {
1044
1045 /* no particular format - set the iv to the pakcet index */
1046 #ifdef NO_64BIT_MATH
1047 iv.v32[0] = 0;
1048 iv.v32[1] = 0;
1049 #else
1050 iv.v64[0] = 0;
1051 #endif
1052 iv.v64[1] = be64_to_cpu(est);
1053 status = cipher_set_iv(stream->rtp_cipher, &iv);
1054 }
1055 if (status)
1056 return err_status_cipher_fail;
1057
1058 /* shift est, put into network byte order */
1059 #ifdef NO_64BIT_MATH
1060 est = be64_to_cpu(make64((high32(est) << 16) |
1061 (low32(est) >> 16),
1062 low32(est) << 16));
1063 #else
1064 est = be64_to_cpu(est << 16);
1065 #endif
1066
1067 /*
1068 * find starting point for decryption and length of data to be
1069 * decrypted - the encrypted portion starts after the rtp header
1070 * extension, if present; otherwise, it starts after the last csrc,
1071 * if any are present
1072 *
1073 * if we're not providing confidentiality, set enc_start to NULL
1074 */
1075 if (stream->rtp_services & sec_serv_conf) {
1076 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1077 if (hdr->x == 1) {
1078 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1079 enc_start += (ntohs(xtn_hdr->length) + 1);
1080 }
1081 if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
1082 return err_status_parse_err;
1083 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
1084 - ((enc_start - (uint32_t *)hdr) << 2));
1085 } else {
1086 enc_start = NULL;
1087 }
1088
1089 /*
1090 * if we're providing authentication, set the auth_start and auth_tag
1091 * pointers to the proper locations; otherwise, set auth_start to NULL
1092 * to indicate that no authentication is needed
1093 */
1094 if (stream->rtp_services & sec_serv_auth) {
1095 auth_start = (uint32_t *)hdr;
1096 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
1097 } else {
1098 auth_start = NULL;
1099 auth_tag = NULL;
1100 }
1101
1102 /*
1103 * if we expect message authentication, run the authentication
1104 * function and compare the result with the value of the auth_tag
1105 */
1106 if (auth_start) {
1107
1108 /*
1109 * if we're using a universal hash, then we need to compute the
1110 * keystream prefix for encrypting the universal hash output
1111 *
1112 * if the keystream prefix length is zero, then we know that
1113 * the authenticator isn't using a universal hash function
1114 */
1115 if (stream->rtp_auth->prefix_len != 0) {
1116
1117 prefix_len = auth_get_prefix_length(stream->rtp_auth);
1118 status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len);
1119 debug_print(mod_srtp, "keystream prefix: %s",
1120 octet_string_hex_string(tmp_tag, prefix_len));
1121 if (status)
1122 return err_status_cipher_fail;
1123 }
1124
1125 /* initialize auth func context */
1126 status = auth_start(stream->rtp_auth);
1127 if (status) return status;
1128
1129 /* now compute auth function over packet */
1130 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,
1131 *pkt_octet_len - tag_len);
1132
1133 /* run auth func over ROC, then write tmp tag */
1134 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);
1135
1136 debug_print(mod_srtp, "computed auth tag: %s",
1137 octet_string_hex_string(tmp_tag, tag_len));
1138 debug_print(mod_srtp, "packet auth tag: %s",
1139 octet_string_hex_string(auth_tag, tag_len));
1140 if (status)
1141 return err_status_auth_fail;
1142
1143 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1144 return err_status_auth_fail;
1145 }
1146
1147 /*
1148 * update the key usage limit, and check it to make sure that we
1149 * didn't just hit either the soft limit or the hard limit, and call
1150 * the event handler if we hit either.
1151 */
1152 switch(key_limit_update(stream->limit)) {
1153 case key_event_normal:
1154 break;
1155 case key_event_soft_limit:
1156 srtp_handle_event(ctx, stream, event_key_soft_limit);
1157 break;
1158 case key_event_hard_limit:
1159 srtp_handle_event(ctx, stream, event_key_hard_limit);
1160 return err_status_key_expired;
1161 default:
1162 break;
1163 }
1164
1165 /* if we're decrypting, add keystream into ciphertext */
1166 if (enc_start) {
1167 status = cipher_decrypt(stream->rtp_cipher,
1168 (uint8_t *)enc_start, &enc_octet_len);
1169 if (status)
1170 return err_status_cipher_fail;
1171 }
1172
1173 /*
1174 * verify that stream is for received traffic - this check will
1175 * detect SSRC collisions, since a stream that appears in both
1176 * srtp_protect() and srtp_unprotect() will fail this test in one of
1177 * those functions.
1178 *
1179 * we do this check *after* the authentication check, so that the
1180 * latter check will catch any attempts to fool us into thinking
1181 * that we've got a collision
1182 */
1183 if (stream->direction != dir_srtp_receiver) {
1184 if (stream->direction == dir_unknown) {
1185 stream->direction = dir_srtp_receiver;
1186 } else {
1187 srtp_handle_event(ctx, stream, event_ssrc_collision);
1188 }
1189 }
1190
1191 /*
1192 * if the stream is a 'provisional' one, in which the template context
1193 * is used, then we need to allocate a new stream at this point, since
1194 * the authentication passed
1195 */
1196 if (stream == ctx->stream_template) {
1197 srtp_stream_ctx_t *new_stream;
1198
1199 /*
1200 * allocate and initialize a new stream
1201 *
1202 * note that we indicate failure if we can't allocate the new
1203 * stream, and some implementations will want to not return
1204 * failure here
1205 */
1206 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1207 if (status)
1208 return status;
1209
1210 /* add new stream to the head of the stream_list */
1211 new_stream->next = ctx->stream_list;
1212 ctx->stream_list = new_stream;
1213
1214 /* set stream (the pointer used in this function) */
1215 stream = new_stream;
1216 }
1217
1218 /*
1219 * the message authentication function passed, so add the packet
1220 * index into the replay database
1221 */
1222 rdbx_add_index(&stream->rtp_rdbx, delta);
1223
1224 /* decrease the packet length by the length of the auth tag */
1225 *pkt_octet_len -= tag_len;
1226
1227 return err_status_ok;
1228 }
1229
1230 err_status_t
srtp_init()1231 srtp_init() {
1232 err_status_t status;
1233
1234 /* initialize crypto kernel */
1235 status = crypto_kernel_init();
1236 if (status)
1237 return status;
1238
1239 /* load srtp debug module into the kernel */
1240 status = crypto_kernel_load_debug_module(&mod_srtp);
1241 if (status)
1242 return status;
1243
1244 return err_status_ok;
1245 }
1246
1247 err_status_t
srtp_shutdown()1248 srtp_shutdown() {
1249 err_status_t status;
1250
1251 /* shut down crypto kernel */
1252 status = crypto_kernel_shutdown();
1253 if (status)
1254 return status;
1255
1256 /* shutting down crypto kernel frees the srtp debug module as well */
1257
1258 return err_status_ok;
1259 }
1260
1261
1262 /*
1263 * The following code is under consideration for removal. See
1264 * SRTP_MAX_TRAILER_LEN
1265 */
1266 #if 0
1267
1268 /*
1269 * srtp_get_trailer_length(&a) returns the number of octets that will
1270 * be added to an RTP packet by the SRTP processing. This value
1271 * is constant for a given srtp_stream_t (i.e. between initializations).
1272 */
1273
1274 int
1275 srtp_get_trailer_length(const srtp_stream_t s) {
1276 return auth_get_tag_length(s->rtp_auth);
1277 }
1278
1279 #endif
1280
1281 /*
1282 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
1283 * to ssrc, or NULL if no stream exists for that ssrc
1284 *
1285 * this is an internal function
1286 */
1287
1288 srtp_stream_ctx_t *
srtp_get_stream(srtp_t srtp,uint32_t ssrc)1289 srtp_get_stream(srtp_t srtp, uint32_t ssrc) {
1290 srtp_stream_ctx_t *stream;
1291
1292 /* walk down list until ssrc is found */
1293 stream = srtp->stream_list;
1294 while (stream != NULL) {
1295 if (stream->ssrc == ssrc)
1296 return stream;
1297 stream = stream->next;
1298 }
1299
1300 /* we haven't found our ssrc, so return a null */
1301 return NULL;
1302 }
1303
1304 err_status_t
srtp_dealloc(srtp_t session)1305 srtp_dealloc(srtp_t session) {
1306 srtp_stream_ctx_t *stream;
1307 err_status_t status;
1308
1309 /*
1310 * we take a conservative deallocation strategy - if we encounter an
1311 * error deallocating a stream, then we stop trying to deallocate
1312 * memory and just return an error
1313 */
1314
1315 /* walk list of streams, deallocating as we go */
1316 stream = session->stream_list;
1317 while (stream != NULL) {
1318 srtp_stream_t next = stream->next;
1319 status = srtp_stream_dealloc(session, stream);
1320 if (status)
1321 return status;
1322 stream = next;
1323 }
1324
1325 /* deallocate stream template, if there is one */
1326 if (session->stream_template != NULL) {
1327 status = auth_dealloc(session->stream_template->rtcp_auth);
1328 if (status)
1329 return status;
1330 status = cipher_dealloc(session->stream_template->rtcp_cipher);
1331 if (status)
1332 return status;
1333 crypto_free(session->stream_template->limit);
1334 status = cipher_dealloc(session->stream_template->rtp_cipher);
1335 if (status)
1336 return status;
1337 status = auth_dealloc(session->stream_template->rtp_auth);
1338 if (status)
1339 return status;
1340 status = rdbx_dealloc(&session->stream_template->rtp_rdbx);
1341 if (status)
1342 return status;
1343 crypto_free(session->stream_template);
1344 }
1345
1346 /* deallocate session context */
1347 crypto_free(session);
1348
1349 return err_status_ok;
1350 }
1351
1352
1353 err_status_t
srtp_add_stream(srtp_t session,const srtp_policy_t * policy)1354 srtp_add_stream(srtp_t session,
1355 const srtp_policy_t *policy) {
1356 err_status_t status;
1357 srtp_stream_t tmp;
1358
1359 /* sanity check arguments */
1360 if ((session == NULL) || (policy == NULL) || (policy->key == NULL))
1361 return err_status_bad_param;
1362
1363 /* allocate stream */
1364 status = srtp_stream_alloc(&tmp, policy);
1365 if (status) {
1366 return status;
1367 }
1368
1369 /* initialize stream */
1370 status = srtp_stream_init(tmp, policy);
1371 if (status) {
1372 crypto_free(tmp);
1373 return status;
1374 }
1375
1376 /*
1377 * set the head of the stream list or the template to point to the
1378 * stream that we've just alloced and init'ed, depending on whether
1379 * or not it has a wildcard SSRC value or not
1380 *
1381 * if the template stream has already been set, then the policy is
1382 * inconsistent, so we return a bad_param error code
1383 */
1384 switch (policy->ssrc.type) {
1385 case (ssrc_any_outbound):
1386 if (session->stream_template) {
1387 return err_status_bad_param;
1388 }
1389 session->stream_template = tmp;
1390 session->stream_template->direction = dir_srtp_sender;
1391 break;
1392 case (ssrc_any_inbound):
1393 if (session->stream_template) {
1394 return err_status_bad_param;
1395 }
1396 session->stream_template = tmp;
1397 session->stream_template->direction = dir_srtp_receiver;
1398 break;
1399 case (ssrc_specific):
1400 tmp->next = session->stream_list;
1401 session->stream_list = tmp;
1402 break;
1403 case (ssrc_undefined):
1404 default:
1405 crypto_free(tmp);
1406 return err_status_bad_param;
1407 }
1408
1409 return err_status_ok;
1410 }
1411
1412
1413 err_status_t
srtp_create(srtp_t * session,const srtp_policy_t * policy)1414 srtp_create(srtp_t *session, /* handle for session */
1415 const srtp_policy_t *policy) { /* SRTP policy (list) */
1416 err_status_t stat;
1417 srtp_ctx_t *ctx;
1418
1419 /* sanity check arguments */
1420 if (session == NULL)
1421 return err_status_bad_param;
1422
1423 /* allocate srtp context and set ctx_ptr */
1424 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));
1425 if (ctx == NULL)
1426 return err_status_alloc_fail;
1427 *session = ctx;
1428
1429 /*
1430 * loop over elements in the policy list, allocating and
1431 * initializing a stream for each element
1432 */
1433 ctx->stream_template = NULL;
1434 ctx->stream_list = NULL;
1435 while (policy != NULL) {
1436
1437 stat = srtp_add_stream(ctx, policy);
1438 if (stat) {
1439 /* clean up everything */
1440 srtp_dealloc(*session);
1441 return stat;
1442 }
1443
1444 /* set policy to next item in list */
1445 policy = policy->next;
1446 }
1447
1448 return err_status_ok;
1449 }
1450
1451
1452 err_status_t
srtp_remove_stream(srtp_t session,uint32_t ssrc)1453 srtp_remove_stream(srtp_t session, uint32_t ssrc) {
1454 srtp_stream_ctx_t *stream, *last_stream;
1455 err_status_t status;
1456
1457 /* sanity check arguments */
1458 if (session == NULL)
1459 return err_status_bad_param;
1460
1461 /* find stream in list; complain if not found */
1462 last_stream = stream = session->stream_list;
1463 while ((stream != NULL) && (ssrc != stream->ssrc)) {
1464 last_stream = stream;
1465 stream = stream->next;
1466 }
1467 if (stream == NULL)
1468 return err_status_no_ctx;
1469
1470 /* remove stream from the list */
1471 if (last_stream == stream)
1472 /* stream was first in list */
1473 session->stream_list = stream->next;
1474 else
1475 last_stream->next = stream->next;
1476
1477 /* deallocate the stream */
1478 status = srtp_stream_dealloc(session, stream);
1479 if (status)
1480 return status;
1481
1482 return err_status_ok;
1483 }
1484
1485
1486 /*
1487 * the default policy - provides a convenient way for callers to use
1488 * the default security policy
1489 *
1490 * this policy is that defined in the current SRTP internet draft.
1491 *
1492 */
1493
1494 /*
1495 * NOTE: cipher_key_len is really key len (128 bits) plus salt len
1496 * (112 bits)
1497 */
1498 /* There are hard-coded 16's for base_key_len in the key generation code */
1499
1500 void
crypto_policy_set_rtp_default(crypto_policy_t * p)1501 crypto_policy_set_rtp_default(crypto_policy_t *p) {
1502
1503 p->cipher_type = AES_ICM;
1504 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1505 p->auth_type = HMAC_SHA1;
1506 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1507 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1508 p->sec_serv = sec_serv_conf_and_auth;
1509
1510 }
1511
1512 void
crypto_policy_set_rtcp_default(crypto_policy_t * p)1513 crypto_policy_set_rtcp_default(crypto_policy_t *p) {
1514
1515 p->cipher_type = AES_ICM;
1516 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1517 p->auth_type = HMAC_SHA1;
1518 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1519 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1520 p->sec_serv = sec_serv_conf_and_auth;
1521
1522 }
1523
1524 void
crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t * p)1525 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {
1526
1527 /*
1528 * corresponds to RFC 4568
1529 *
1530 * note that this crypto policy is intended for SRTP, but not SRTCP
1531 */
1532
1533 p->cipher_type = AES_ICM;
1534 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1535 p->auth_type = HMAC_SHA1;
1536 p->auth_key_len = 20; /* 160 bit key */
1537 p->auth_tag_len = 4; /* 32 bit tag */
1538 p->sec_serv = sec_serv_conf_and_auth;
1539
1540 }
1541
1542
1543 void
crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t * p)1544 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {
1545
1546 /*
1547 * corresponds to RFC 4568
1548 *
1549 * note that this crypto policy is intended for SRTP, but not SRTCP
1550 */
1551
1552 p->cipher_type = AES_ICM;
1553 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1554 p->auth_type = NULL_AUTH;
1555 p->auth_key_len = 0;
1556 p->auth_tag_len = 0;
1557 p->sec_serv = sec_serv_conf;
1558
1559 }
1560
1561
1562 void
crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t * p)1563 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {
1564
1565 /*
1566 * corresponds to RFC 4568
1567 */
1568
1569 p->cipher_type = NULL_CIPHER;
1570 p->cipher_key_len = 0;
1571 p->auth_type = HMAC_SHA1;
1572 p->auth_key_len = 20;
1573 p->auth_tag_len = 10;
1574 p->sec_serv = sec_serv_auth;
1575
1576 }
1577
1578
1579 void
crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t * p)1580 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) {
1581
1582 /*
1583 * corresponds to draft-ietf-avt-big-aes-03.txt
1584 */
1585
1586 p->cipher_type = AES_ICM;
1587 p->cipher_key_len = 46;
1588 p->auth_type = HMAC_SHA1;
1589 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1590 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1591 p->sec_serv = sec_serv_conf_and_auth;
1592 }
1593
1594
1595 void
crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t * p)1596 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) {
1597
1598 /*
1599 * corresponds to draft-ietf-avt-big-aes-03.txt
1600 *
1601 * note that this crypto policy is intended for SRTP, but not SRTCP
1602 */
1603
1604 p->cipher_type = AES_ICM;
1605 p->cipher_key_len = 46;
1606 p->auth_type = HMAC_SHA1;
1607 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1608 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */
1609 p->sec_serv = sec_serv_conf_and_auth;
1610 }
1611
1612
1613 /*
1614 * secure rtcp functions
1615 */
1616
1617 err_status_t
srtp_protect_rtcp(srtp_t ctx,void * rtcp_hdr,int * pkt_octet_len)1618 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
1619 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
1620 uint32_t *enc_start; /* pointer to start of encrypted portion */
1621 uint32_t *auth_start; /* pointer to start of auth. portion */
1622 uint32_t *trailer; /* pointer to start of trailer */
1623 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1624 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1625 err_status_t status;
1626 int tag_len;
1627 srtp_stream_ctx_t *stream;
1628 int prefix_len;
1629 uint32_t seq_num;
1630
1631 /* we assume the hdr is 32-bit aligned to start */
1632 /*
1633 * look up ssrc in srtp_stream list, and process the packet with
1634 * the appropriate stream. if we haven't seen this stream before,
1635 * there's only one key for this srtp_session, and the cipher
1636 * supports key-sharing, then we assume that a new stream using
1637 * that key has just started up
1638 */
1639 stream = srtp_get_stream(ctx, hdr->ssrc);
1640 if (stream == NULL) {
1641 if (ctx->stream_template != NULL) {
1642 srtp_stream_ctx_t *new_stream;
1643
1644 /* allocate and initialize a new stream */
1645 status = srtp_stream_clone(ctx->stream_template,
1646 hdr->ssrc, &new_stream);
1647 if (status)
1648 return status;
1649
1650 /* add new stream to the head of the stream_list */
1651 new_stream->next = ctx->stream_list;
1652 ctx->stream_list = new_stream;
1653
1654 /* set stream (the pointer used in this function) */
1655 stream = new_stream;
1656 } else {
1657 /* no template stream, so we return an error */
1658 return err_status_no_ctx;
1659 }
1660 }
1661
1662 /*
1663 * verify that stream is for sending traffic - this check will
1664 * detect SSRC collisions, since a stream that appears in both
1665 * srtp_protect() and srtp_unprotect() will fail this test in one of
1666 * those functions.
1667 */
1668 if (stream->direction != dir_srtp_sender) {
1669 if (stream->direction == dir_unknown) {
1670 stream->direction = dir_srtp_sender;
1671 } else {
1672 srtp_handle_event(ctx, stream, event_ssrc_collision);
1673 }
1674 }
1675
1676 /* get tag length from stream context */
1677 tag_len = auth_get_tag_length(stream->rtcp_auth);
1678
1679 /*
1680 * set encryption start and encryption length - if we're not
1681 * providing confidentiality, set enc_start to NULL
1682 */
1683 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1684 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
1685
1686 /* all of the packet, except the header, gets encrypted */
1687 /* NOTE: hdr->length is not usable - it refers to only the first
1688 RTCP report in the compound packet! */
1689 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1690 multiples of 32-bits (RFC 3550 6.1) */
1691 trailer = (uint32_t *) ((char *)enc_start + enc_octet_len);
1692
1693 if (stream->rtcp_services & sec_serv_conf) {
1694 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
1695 } else {
1696 enc_start = NULL;
1697 enc_octet_len = 0;
1698 /* 0 is network-order independant */
1699 *trailer = 0x00000000; /* set encrypt bit */
1700 }
1701
1702 /*
1703 * set the auth_start and auth_tag pointers to the proper locations
1704 * (note that srtpc *always* provides authentication, unlike srtp)
1705 */
1706 /* Note: This would need to change for optional mikey data */
1707 auth_start = (uint32_t *)hdr;
1708 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t);
1709
1710 /* perform EKT processing if needed */
1711 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
1712 rdbx_get_packet_index(&stream->rtp_rdbx));
1713
1714 /*
1715 * check sequence number for overruns, and copy it into the packet
1716 * if its value isn't too big
1717 */
1718 status = rdb_increment(&stream->rtcp_rdb);
1719 if (status)
1720 return status;
1721 seq_num = rdb_get_value(&stream->rtcp_rdb);
1722 *trailer |= htonl(seq_num);
1723 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1724
1725 /*
1726 * if we're using rindael counter mode, set nonce and seq
1727 */
1728 if (stream->rtcp_cipher->type->id == AES_ICM) {
1729 v128_t iv;
1730
1731 iv.v32[0] = 0;
1732 iv.v32[1] = hdr->ssrc; /* still in network order! */
1733 iv.v32[2] = htonl(seq_num >> 16);
1734 iv.v32[3] = htonl(seq_num << 16);
1735 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1736
1737 } else {
1738 v128_t iv;
1739
1740 /* otherwise, just set the index to seq_num */
1741 iv.v32[0] = 0;
1742 iv.v32[1] = 0;
1743 iv.v32[2] = 0;
1744 iv.v32[3] = htonl(seq_num);
1745 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1746 }
1747 if (status)
1748 return err_status_cipher_fail;
1749
1750 /*
1751 * if we're authenticating using a universal hash, put the keystream
1752 * prefix into the authentication tag
1753 */
1754
1755 /* if auth_start is non-null, then put keystream into tag */
1756 if (auth_start) {
1757
1758 /* put keystream prefix into auth_tag */
1759 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1760 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1761
1762 debug_print(mod_srtp, "keystream prefix: %s",
1763 octet_string_hex_string(auth_tag, prefix_len));
1764
1765 if (status)
1766 return err_status_cipher_fail;
1767 }
1768
1769 /* if we're encrypting, exor keystream into the message */
1770 if (enc_start) {
1771 status = cipher_encrypt(stream->rtcp_cipher,
1772 (uint8_t *)enc_start, &enc_octet_len);
1773 if (status)
1774 return err_status_cipher_fail;
1775 }
1776
1777 /* initialize auth func context */
1778 auth_start(stream->rtcp_auth);
1779
1780 /*
1781 * run auth func over packet (including trailer), and write the
1782 * result at auth_tag
1783 */
1784 status = auth_compute(stream->rtcp_auth,
1785 (uint8_t *)auth_start,
1786 (*pkt_octet_len) + sizeof(srtcp_trailer_t),
1787 auth_tag);
1788 debug_print(mod_srtp, "srtcp auth tag: %s",
1789 octet_string_hex_string(auth_tag, tag_len));
1790 if (status)
1791 return err_status_auth_fail;
1792
1793 /* increase the packet length by the length of the auth tag and seq_num*/
1794 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
1795
1796 return err_status_ok;
1797 }
1798
1799
1800 err_status_t
srtp_unprotect_rtcp(srtp_t ctx,void * srtcp_hdr,int * pkt_octet_len)1801 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
1802 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
1803 uint32_t *enc_start; /* pointer to start of encrypted portion */
1804 uint32_t *auth_start; /* pointer to start of auth. portion */
1805 uint32_t *trailer; /* pointer to start of trailer */
1806 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1807 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1808 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
1809 uint8_t tag_copy[SRTP_MAX_TAG_LEN];
1810 err_status_t status;
1811 unsigned auth_len;
1812 int tag_len;
1813 srtp_stream_ctx_t *stream;
1814 int prefix_len;
1815 uint32_t seq_num;
1816
1817 /* we assume the hdr is 32-bit aligned to start */
1818 /*
1819 * look up ssrc in srtp_stream list, and process the packet with
1820 * the appropriate stream. if we haven't seen this stream before,
1821 * there's only one key for this srtp_session, and the cipher
1822 * supports key-sharing, then we assume that a new stream using
1823 * that key has just started up
1824 */
1825 stream = srtp_get_stream(ctx, hdr->ssrc);
1826 if (stream == NULL) {
1827 if (ctx->stream_template != NULL) {
1828 stream = ctx->stream_template;
1829
1830 /*
1831 * check to see if stream_template has an EKT data structure, in
1832 * which case we initialize the template using the EKT policy
1833 * referenced by that data (which consists of decrypting the
1834 * master key from the EKT field)
1835 *
1836 * this function initializes a *provisional* stream, and this
1837 * stream should not be accepted until and unless the packet
1838 * passes its authentication check
1839 */
1840 if (stream->ekt != NULL) {
1841 status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len);
1842 if (status)
1843 return status;
1844 }
1845
1846 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
1847 hdr->ssrc);
1848 } else {
1849 /* no template stream, so we return an error */
1850 return err_status_no_ctx;
1851 }
1852 }
1853
1854 /* get tag length from stream context */
1855 tag_len = auth_get_tag_length(stream->rtcp_auth);
1856
1857 /*
1858 * set encryption start, encryption length, and trailer
1859 */
1860 enc_octet_len = *pkt_octet_len -
1861 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
1862 /* index & E (encryption) bit follow normal data. hdr->len
1863 is the number of words (32-bit) in the normal packet minus 1 */
1864 /* This should point trailer to the word past the end of the
1865 normal data. */
1866 /* This would need to be modified for optional mikey data */
1867 /*
1868 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1869 * multiples of 32-bits (RFC 3550 6.1)
1870 */
1871 trailer = (uint32_t *) ((char *) hdr +
1872 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
1873 if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
1874 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1875 } else {
1876 enc_octet_len = 0;
1877 enc_start = NULL; /* this indicates that there's no encryption */
1878 }
1879
1880 /*
1881 * set the auth_start and auth_tag pointers to the proper locations
1882 * (note that srtcp *always* uses authentication, unlike srtp)
1883 */
1884 auth_start = (uint32_t *)hdr;
1885 auth_len = *pkt_octet_len - tag_len;
1886 auth_tag = (uint8_t *)hdr + auth_len;
1887
1888 /*
1889 * if EKT is in use, then we make a copy of the tag from the packet,
1890 * and then zeroize the location of the base tag
1891 *
1892 * we first re-position the auth_tag pointer so that it points to
1893 * the base tag
1894 */
1895 if (stream->ekt) {
1896 auth_tag -= ekt_octets_after_base_tag(stream->ekt);
1897 memcpy(tag_copy, auth_tag, tag_len);
1898 octet_string_set_to_zero(auth_tag, tag_len);
1899 auth_tag = tag_copy;
1900 auth_len += tag_len;
1901 }
1902
1903 /*
1904 * check the sequence number for replays
1905 */
1906 /* this is easier than dealing with bitfield access */
1907 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
1908 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1909 status = rdb_check(&stream->rtcp_rdb, seq_num);
1910 if (status)
1911 return status;
1912
1913 /*
1914 * if we're using aes counter mode, set nonce and seq
1915 */
1916 if (stream->rtcp_cipher->type->id == AES_ICM) {
1917 v128_t iv;
1918
1919 iv.v32[0] = 0;
1920 iv.v32[1] = hdr->ssrc; /* still in network order! */
1921 iv.v32[2] = htonl(seq_num >> 16);
1922 iv.v32[3] = htonl(seq_num << 16);
1923 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1924
1925 } else {
1926 v128_t iv;
1927
1928 /* otherwise, just set the index to seq_num */
1929 iv.v32[0] = 0;
1930 iv.v32[1] = 0;
1931 iv.v32[2] = 0;
1932 iv.v32[3] = htonl(seq_num);
1933 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1934
1935 }
1936 if (status)
1937 return err_status_cipher_fail;
1938
1939 /* initialize auth func context */
1940 auth_start(stream->rtcp_auth);
1941
1942 /* run auth func over packet, put result into tmp_tag */
1943 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
1944 auth_len, tmp_tag);
1945 debug_print(mod_srtp, "srtcp computed tag: %s",
1946 octet_string_hex_string(tmp_tag, tag_len));
1947 if (status)
1948 return err_status_auth_fail;
1949
1950 /* compare the tag just computed with the one in the packet */
1951 debug_print(mod_srtp, "srtcp tag from packet: %s",
1952 octet_string_hex_string(auth_tag, tag_len));
1953 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1954 return err_status_auth_fail;
1955
1956 /*
1957 * if we're authenticating using a universal hash, put the keystream
1958 * prefix into the authentication tag
1959 */
1960 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1961 if (prefix_len) {
1962 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1963 debug_print(mod_srtp, "keystream prefix: %s",
1964 octet_string_hex_string(auth_tag, prefix_len));
1965 if (status)
1966 return err_status_cipher_fail;
1967 }
1968
1969 /* if we're decrypting, exor keystream into the message */
1970 if (enc_start) {
1971 status = cipher_decrypt(stream->rtcp_cipher,
1972 (uint8_t *)enc_start, &enc_octet_len);
1973 if (status)
1974 return err_status_cipher_fail;
1975 }
1976
1977 /* decrease the packet length by the length of the auth tag and seq_num */
1978 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
1979
1980 /*
1981 * if EKT is in effect, subtract the EKT data out of the packet
1982 * length
1983 */
1984 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt);
1985
1986 /*
1987 * verify that stream is for received traffic - this check will
1988 * detect SSRC collisions, since a stream that appears in both
1989 * srtp_protect() and srtp_unprotect() will fail this test in one of
1990 * those functions.
1991 *
1992 * we do this check *after* the authentication check, so that the
1993 * latter check will catch any attempts to fool us into thinking
1994 * that we've got a collision
1995 */
1996 if (stream->direction != dir_srtp_receiver) {
1997 if (stream->direction == dir_unknown) {
1998 stream->direction = dir_srtp_receiver;
1999 } else {
2000 srtp_handle_event(ctx, stream, event_ssrc_collision);
2001 }
2002 }
2003
2004 /*
2005 * if the stream is a 'provisional' one, in which the template context
2006 * is used, then we need to allocate a new stream at this point, since
2007 * the authentication passed
2008 */
2009 if (stream == ctx->stream_template) {
2010 srtp_stream_ctx_t *new_stream;
2011
2012 /*
2013 * allocate and initialize a new stream
2014 *
2015 * note that we indicate failure if we can't allocate the new
2016 * stream, and some implementations will want to not return
2017 * failure here
2018 */
2019 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2020 if (status)
2021 return status;
2022
2023 /* add new stream to the head of the stream_list */
2024 new_stream->next = ctx->stream_list;
2025 ctx->stream_list = new_stream;
2026
2027 /* set stream (the pointer used in this function) */
2028 stream = new_stream;
2029 }
2030
2031 /* we've passed the authentication check, so add seq_num to the rdb */
2032 rdb_add_index(&stream->rtcp_rdb, seq_num);
2033
2034
2035 return err_status_ok;
2036 }
2037
2038
2039
2040 /*
2041 * dtls keying for srtp
2042 */
2043
2044 err_status_t
crypto_policy_set_from_profile_for_rtp(crypto_policy_t * policy,srtp_profile_t profile)2045 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
2046 srtp_profile_t profile) {
2047
2048 /* set SRTP policy from the SRTP profile in the key set */
2049 switch(profile) {
2050 case srtp_profile_aes128_cm_sha1_80:
2051 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2052 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2053 break;
2054 case srtp_profile_aes128_cm_sha1_32:
2055 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
2056 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2057 break;
2058 case srtp_profile_null_sha1_80:
2059 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2060 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2061 break;
2062 case srtp_profile_aes256_cm_sha1_80:
2063 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2064 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2065 break;
2066 case srtp_profile_aes256_cm_sha1_32:
2067 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
2068 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2069 break;
2070 /* the following profiles are not (yet) supported */
2071 case srtp_profile_null_sha1_32:
2072 default:
2073 return err_status_bad_param;
2074 }
2075
2076 return err_status_ok;
2077 }
2078
2079 err_status_t
crypto_policy_set_from_profile_for_rtcp(crypto_policy_t * policy,srtp_profile_t profile)2080 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
2081 srtp_profile_t profile) {
2082
2083 /* set SRTP policy from the SRTP profile in the key set */
2084 switch(profile) {
2085 case srtp_profile_aes128_cm_sha1_80:
2086 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2087 break;
2088 case srtp_profile_aes128_cm_sha1_32:
2089 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
2090 break;
2091 case srtp_profile_null_sha1_80:
2092 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
2093 break;
2094 case srtp_profile_aes256_cm_sha1_80:
2095 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2096 break;
2097 case srtp_profile_aes256_cm_sha1_32:
2098 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
2099 break;
2100 /* the following profiles are not (yet) supported */
2101 case srtp_profile_null_sha1_32:
2102 default:
2103 return err_status_bad_param;
2104 }
2105
2106 return err_status_ok;
2107 }
2108
2109 void
append_salt_to_key(uint8_t * key,unsigned int bytes_in_key,uint8_t * salt,unsigned int bytes_in_salt)2110 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key,
2111 uint8_t *salt, unsigned int bytes_in_salt) {
2112
2113 memcpy(key + bytes_in_key, salt, bytes_in_salt);
2114
2115 }
2116
2117 unsigned int
srtp_profile_get_master_key_length(srtp_profile_t profile)2118 srtp_profile_get_master_key_length(srtp_profile_t profile) {
2119
2120 switch(profile) {
2121 case srtp_profile_aes128_cm_sha1_80:
2122 return 16;
2123 break;
2124 case srtp_profile_aes128_cm_sha1_32:
2125 return 16;
2126 break;
2127 case srtp_profile_null_sha1_80:
2128 return 16;
2129 break;
2130 case srtp_profile_aes256_cm_sha1_80:
2131 return 32;
2132 break;
2133 case srtp_profile_aes256_cm_sha1_32:
2134 return 32;
2135 break;
2136 /* the following profiles are not (yet) supported */
2137 case srtp_profile_null_sha1_32:
2138 default:
2139 return 0; /* indicate error by returning a zero */
2140 }
2141 }
2142
2143 unsigned int
srtp_profile_get_master_salt_length(srtp_profile_t profile)2144 srtp_profile_get_master_salt_length(srtp_profile_t profile) {
2145
2146 switch(profile) {
2147 case srtp_profile_aes128_cm_sha1_80:
2148 return 14;
2149 break;
2150 case srtp_profile_aes128_cm_sha1_32:
2151 return 14;
2152 break;
2153 case srtp_profile_null_sha1_80:
2154 return 14;
2155 break;
2156 case srtp_profile_aes256_cm_sha1_80:
2157 return 14;
2158 break;
2159 case srtp_profile_aes256_cm_sha1_32:
2160 return 14;
2161 break;
2162 /* the following profiles are not (yet) supported */
2163 case srtp_profile_null_sha1_32:
2164 default:
2165 return 0; /* indicate error by returning a zero */
2166 }
2167 }
2168