1 /* 2 * srtp.c 3 * 4 * the secure real-time transport protocol 5 * 6 * David A. McGrew 7 * Cisco Systems, Inc. 8 */ 9 /* 10 * 11 * Copyright (c) 2001-2006, Cisco Systems, Inc. 12 * All rights reserved. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 18 * Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 21 * Redistributions in binary form must reproduce the above 22 * copyright notice, this list of conditions and the following 23 * disclaimer in the documentation and/or other materials provided 24 * with the distribution. 25 * 26 * Neither the name of the Cisco Systems, Inc. nor the names of its 27 * contributors may be used to endorse or promote products derived 28 * from this software without specific prior written permission. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 41 * OF THE POSSIBILITY OF SUCH DAMAGE. 42 * 43 */ 44 45 46 #include "srtp.h" 47 #include "ekt.h" /* for SRTP Encrypted Key Transport */ 48 #include "alloc.h" /* for crypto_alloc() */ 49 50 #ifndef SRTP_KERNEL 51 # include <limits.h> 52 # ifdef HAVE_NETINET_IN_H 53 # include <netinet/in.h> 54 # elif defined(HAVE_WINSOCK2_H) 55 # include <winsock2.h> 56 # endif 57 #endif /* ! SRTP_KERNEL */ 58 59 60 /* the debug module for srtp */ 61 62 debug_module_t mod_srtp = { 63 0, /* debugging is off by default */ 64 "srtp" /* printable name for module */ 65 }; 66 67 #define octets_in_rtp_header 12 68 #define uint32s_in_rtp_header 3 69 #define octets_in_rtcp_header 8 70 #define uint32s_in_rtcp_header 2 71 #define octets_in_rtp_extn_hdr 4 72 73 static err_status_t 74 srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) { 75 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; 76 77 /* Check RTP header length */ 78 int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc; 79 if (hdr->x == 1) 80 rtp_header_len += octets_in_rtp_extn_hdr; 81 82 if (*pkt_octet_len < rtp_header_len) 83 return err_status_bad_param; 84 85 /* Verifing profile length. */ 86 if (hdr->x == 1) { 87 srtp_hdr_xtnd_t *xtn_hdr = 88 (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc); 89 int profile_len = ntohs(xtn_hdr->length); 90 rtp_header_len += profile_len * 4; 91 /* profile length counts the number of 32-bit words */ 92 if (*pkt_octet_len < rtp_header_len) 93 return err_status_bad_param; 94 } 95 return err_status_ok; 96 } 97 98 err_status_t 99 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, 100 const srtp_policy_t *p) { 101 srtp_stream_ctx_t *str; 102 err_status_t stat; 103 104 /* 105 * This function allocates the stream context, rtp and rtcp ciphers 106 * and auth functions, and key limit structure. If there is a 107 * failure during allocation, we free all previously allocated 108 * memory and return a failure code. The code could probably 109 * be improved, but it works and should be clear. 110 */ 111 112 /* allocate srtp stream and set str_ptr */ 113 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t)); 114 if (str == NULL) 115 return err_status_alloc_fail; 116 *str_ptr = str; 117 118 /* allocate cipher */ 119 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type, 120 &str->rtp_cipher, 121 p->rtp.cipher_key_len); 122 if (stat) { 123 crypto_free(str); 124 return stat; 125 } 126 127 /* allocate auth function */ 128 stat = crypto_kernel_alloc_auth(p->rtp.auth_type, 129 &str->rtp_auth, 130 p->rtp.auth_key_len, 131 p->rtp.auth_tag_len); 132 if (stat) { 133 cipher_dealloc(str->rtp_cipher); 134 crypto_free(str); 135 return stat; 136 } 137 138 /* allocate key limit structure */ 139 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t)); 140 if (str->limit == NULL) { 141 auth_dealloc(str->rtp_auth); 142 cipher_dealloc(str->rtp_cipher); 143 crypto_free(str); 144 return err_status_alloc_fail; 145 } 146 147 /* 148 * ...and now the RTCP-specific initialization - first, allocate 149 * the cipher 150 */ 151 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type, 152 &str->rtcp_cipher, 153 p->rtcp.cipher_key_len); 154 if (stat) { 155 auth_dealloc(str->rtp_auth); 156 cipher_dealloc(str->rtp_cipher); 157 crypto_free(str->limit); 158 crypto_free(str); 159 return stat; 160 } 161 162 /* allocate auth function */ 163 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type, 164 &str->rtcp_auth, 165 p->rtcp.auth_key_len, 166 p->rtcp.auth_tag_len); 167 if (stat) { 168 cipher_dealloc(str->rtcp_cipher); 169 auth_dealloc(str->rtp_auth); 170 cipher_dealloc(str->rtp_cipher); 171 crypto_free(str->limit); 172 crypto_free(str); 173 return stat; 174 } 175 176 /* allocate ekt data associated with stream */ 177 stat = ekt_alloc(&str->ekt, p->ekt); 178 if (stat) { 179 auth_dealloc(str->rtcp_auth); 180 cipher_dealloc(str->rtcp_cipher); 181 auth_dealloc(str->rtp_auth); 182 cipher_dealloc(str->rtp_cipher); 183 crypto_free(str->limit); 184 crypto_free(str); 185 return stat; 186 } 187 188 return err_status_ok; 189 } 190 191 err_status_t 192 srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) { 193 err_status_t status; 194 195 /* 196 * we use a conservative deallocation strategy - if any deallocation 197 * fails, then we report that fact without trying to deallocate 198 * anything else 199 */ 200 201 /* deallocate cipher, if it is not the same as that in template */ 202 if (session->stream_template 203 && stream->rtp_cipher == session->stream_template->rtp_cipher) { 204 /* do nothing */ 205 } else { 206 status = cipher_dealloc(stream->rtp_cipher); 207 if (status) 208 return status; 209 } 210 211 /* deallocate auth function, if it is not the same as that in template */ 212 if (session->stream_template 213 && stream->rtp_auth == session->stream_template->rtp_auth) { 214 /* do nothing */ 215 } else { 216 status = auth_dealloc(stream->rtp_auth); 217 if (status) 218 return status; 219 } 220 221 /* deallocate key usage limit, if it is not the same as that in template */ 222 if (session->stream_template 223 && stream->limit == session->stream_template->limit) { 224 /* do nothing */ 225 } else { 226 crypto_free(stream->limit); 227 } 228 229 /* 230 * deallocate rtcp cipher, if it is not the same as that in 231 * template 232 */ 233 if (session->stream_template 234 && stream->rtcp_cipher == session->stream_template->rtcp_cipher) { 235 /* do nothing */ 236 } else { 237 status = cipher_dealloc(stream->rtcp_cipher); 238 if (status) 239 return status; 240 } 241 242 /* 243 * deallocate rtcp auth function, if it is not the same as that in 244 * template 245 */ 246 if (session->stream_template 247 && stream->rtcp_auth == session->stream_template->rtcp_auth) { 248 /* do nothing */ 249 } else { 250 status = auth_dealloc(stream->rtcp_auth); 251 if (status) 252 return status; 253 } 254 255 status = rdbx_dealloc(&stream->rtp_rdbx); 256 if (status) 257 return status; 258 259 /* DAM - need to deallocate EKT here */ 260 261 /* deallocate srtp stream context */ 262 crypto_free(stream); 263 264 return err_status_ok; 265 } 266 267 268 /* 269 * srtp_stream_clone(stream_template, new) allocates a new stream and 270 * initializes it using the cipher and auth of the stream_template 271 * 272 * the only unique data in a cloned stream is the replay database and 273 * the SSRC 274 */ 275 276 err_status_t 277 srtp_stream_clone(const srtp_stream_ctx_t *stream_template, 278 uint32_t ssrc, 279 srtp_stream_ctx_t **str_ptr) { 280 err_status_t status; 281 srtp_stream_ctx_t *str; 282 283 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc); 284 285 /* allocate srtp stream and set str_ptr */ 286 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t)); 287 if (str == NULL) 288 return err_status_alloc_fail; 289 *str_ptr = str; 290 291 /* set cipher and auth pointers to those of the template */ 292 str->rtp_cipher = stream_template->rtp_cipher; 293 str->rtp_auth = stream_template->rtp_auth; 294 str->rtcp_cipher = stream_template->rtcp_cipher; 295 str->rtcp_auth = stream_template->rtcp_auth; 296 297 /* set key limit to point to that of the template */ 298 status = key_limit_clone(stream_template->limit, &str->limit); 299 if (status) 300 return status; 301 302 /* initialize replay databases */ 303 status = rdbx_init(&str->rtp_rdbx, 304 rdbx_get_window_size(&stream_template->rtp_rdbx)); 305 if (status) 306 return status; 307 rdb_init(&str->rtcp_rdb); 308 str->allow_repeat_tx = stream_template->allow_repeat_tx; 309 310 /* set ssrc to that provided */ 311 str->ssrc = ssrc; 312 313 /* set direction and security services */ 314 str->direction = stream_template->direction; 315 str->rtp_services = stream_template->rtp_services; 316 str->rtcp_services = stream_template->rtcp_services; 317 318 /* set pointer to EKT data associated with stream */ 319 str->ekt = stream_template->ekt; 320 321 /* defensive coding */ 322 str->next = NULL; 323 324 return err_status_ok; 325 } 326 327 328 /* 329 * key derivation functions, internal to libSRTP 330 * 331 * srtp_kdf_t is a key derivation context 332 * 333 * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher 334 * described by cipher_id, with the master key k with length in octets keylen. 335 * 336 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key 337 * corresponding to label l and puts it into kl; the length 338 * of the key in octets is provided as keylen. this function 339 * should be called once for each subkey that is derived. 340 * 341 * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state 342 */ 343 344 typedef enum { 345 label_rtp_encryption = 0x00, 346 label_rtp_msg_auth = 0x01, 347 label_rtp_salt = 0x02, 348 label_rtcp_encryption = 0x03, 349 label_rtcp_msg_auth = 0x04, 350 label_rtcp_salt = 0x05 351 } srtp_prf_label; 352 353 354 /* 355 * srtp_kdf_t represents a key derivation function. The SRTP 356 * default KDF is the only one implemented at present. 357 */ 358 359 typedef struct { 360 cipher_t *cipher; /* cipher used for key derivation */ 361 } srtp_kdf_t; 362 363 err_status_t 364 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, int length) { 365 366 err_status_t stat; 367 stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length); 368 if (stat) 369 return stat; 370 371 stat = cipher_init(kdf->cipher, key, direction_encrypt); 372 if (stat) { 373 cipher_dealloc(kdf->cipher); 374 return stat; 375 } 376 377 return err_status_ok; 378 } 379 380 err_status_t 381 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, 382 uint8_t *key, unsigned length) { 383 384 v128_t nonce; 385 err_status_t status; 386 387 /* set eigth octet of nonce to <label>, set the rest of it to zero */ 388 v128_set_to_zero(&nonce); 389 nonce.v8[7] = label; 390 391 status = cipher_set_iv(kdf->cipher, &nonce); 392 if (status) 393 return status; 394 395 /* generate keystream output */ 396 octet_string_set_to_zero(key, length); 397 status = cipher_encrypt(kdf->cipher, key, &length); 398 if (status) 399 return status; 400 401 return err_status_ok; 402 } 403 404 err_status_t 405 srtp_kdf_clear(srtp_kdf_t *kdf) { 406 err_status_t status; 407 status = cipher_dealloc(kdf->cipher); 408 if (status) 409 return status; 410 kdf->cipher = NULL; 411 412 return err_status_ok; 413 } 414 415 /* 416 * end of key derivation functions 417 */ 418 419 #define MAX_SRTP_KEY_LEN 256 420 421 422 /* Get the base key length corresponding to a given combined key+salt 423 * length for the given cipher. 424 * Assumption is that for AES-ICM a key length < 30 is Ismacryp using 425 * AES-128 and short salts; everything else uses a salt length of 14. 426 * TODO: key and salt lengths should be separate fields in the policy. */ 427 static INLINE int base_key_length(const cipher_type_t *cipher, int key_length) 428 { 429 if (cipher->id != AES_ICM) 430 return key_length; 431 else if (key_length > 16 && key_length < 30) 432 return 16; 433 return key_length - 14; 434 } 435 436 err_status_t 437 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) { 438 err_status_t stat; 439 srtp_kdf_t kdf; 440 uint8_t tmp_key[MAX_SRTP_KEY_LEN]; 441 int kdf_keylen = 30, rtp_keylen, rtcp_keylen; 442 int rtp_base_key_len, rtp_salt_len; 443 int rtcp_base_key_len, rtcp_salt_len; 444 445 /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ 446 /* TODO: kdf algorithm, master key length, and master salt length should 447 * be part of srtp_policy_t. */ 448 rtp_keylen = cipher_get_key_length(srtp->rtp_cipher); 449 if (rtp_keylen > kdf_keylen) 450 kdf_keylen = rtp_keylen; 451 452 rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher); 453 if (rtcp_keylen > kdf_keylen) 454 kdf_keylen = rtcp_keylen; 455 456 /* initialize KDF state */ 457 stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)key, kdf_keylen); 458 if (stat) { 459 return err_status_init_fail; 460 } 461 462 rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen); 463 rtp_salt_len = rtp_keylen - rtp_base_key_len; 464 465 /* generate encryption key */ 466 stat = srtp_kdf_generate(&kdf, label_rtp_encryption, 467 tmp_key, rtp_base_key_len); 468 if (stat) { 469 /* zeroize temp buffer */ 470 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 471 return err_status_init_fail; 472 } 473 474 /* 475 * if the cipher in the srtp context uses a salt, then we need 476 * to generate the salt value 477 */ 478 if (rtp_salt_len > 0) { 479 debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); 480 481 /* generate encryption salt, put after encryption key */ 482 stat = srtp_kdf_generate(&kdf, label_rtp_salt, 483 tmp_key + rtp_base_key_len, rtp_salt_len); 484 if (stat) { 485 /* zeroize temp buffer */ 486 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 487 return err_status_init_fail; 488 } 489 } 490 debug_print(mod_srtp, "cipher key: %s", 491 octet_string_hex_string(tmp_key, rtp_base_key_len)); 492 if (rtp_salt_len > 0) { 493 debug_print(mod_srtp, "cipher salt: %s", 494 octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len)); 495 } 496 497 /* initialize cipher */ 498 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any); 499 if (stat) { 500 /* zeroize temp buffer */ 501 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 502 return err_status_init_fail; 503 } 504 505 /* generate authentication key */ 506 stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, 507 tmp_key, auth_get_key_length(srtp->rtp_auth)); 508 if (stat) { 509 /* zeroize temp buffer */ 510 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 511 return err_status_init_fail; 512 } 513 debug_print(mod_srtp, "auth key: %s", 514 octet_string_hex_string(tmp_key, 515 auth_get_key_length(srtp->rtp_auth))); 516 517 /* initialize auth function */ 518 stat = auth_init(srtp->rtp_auth, tmp_key); 519 if (stat) { 520 /* zeroize temp buffer */ 521 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 522 return err_status_init_fail; 523 } 524 525 /* 526 * ...now initialize SRTCP keys 527 */ 528 529 rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen); 530 rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; 531 532 /* generate encryption key */ 533 stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, 534 tmp_key, rtcp_base_key_len); 535 if (stat) { 536 /* zeroize temp buffer */ 537 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 538 return err_status_init_fail; 539 } 540 541 /* 542 * if the cipher in the srtp context uses a salt, then we need 543 * to generate the salt value 544 */ 545 if (rtcp_salt_len > 0) { 546 debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", 547 NULL); 548 549 /* generate encryption salt, put after encryption key */ 550 stat = srtp_kdf_generate(&kdf, label_rtcp_salt, 551 tmp_key + rtcp_base_key_len, rtcp_salt_len); 552 if (stat) { 553 /* zeroize temp buffer */ 554 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 555 return err_status_init_fail; 556 } 557 } 558 debug_print(mod_srtp, "rtcp cipher key: %s", 559 octet_string_hex_string(tmp_key, rtcp_base_key_len)); 560 if (rtcp_salt_len > 0) { 561 debug_print(mod_srtp, "rtcp cipher salt: %s", 562 octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_len)); 563 } 564 565 /* initialize cipher */ 566 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any); 567 if (stat) { 568 /* zeroize temp buffer */ 569 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 570 return err_status_init_fail; 571 } 572 573 /* generate authentication key */ 574 stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, 575 tmp_key, auth_get_key_length(srtp->rtcp_auth)); 576 if (stat) { 577 /* zeroize temp buffer */ 578 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 579 return err_status_init_fail; 580 } 581 582 debug_print(mod_srtp, "rtcp auth key: %s", 583 octet_string_hex_string(tmp_key, 584 auth_get_key_length(srtp->rtcp_auth))); 585 586 /* initialize auth function */ 587 stat = auth_init(srtp->rtcp_auth, tmp_key); 588 if (stat) { 589 /* zeroize temp buffer */ 590 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 591 return err_status_init_fail; 592 } 593 594 /* clear memory then return */ 595 stat = srtp_kdf_clear(&kdf); 596 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); 597 if (stat) 598 return err_status_init_fail; 599 600 return err_status_ok; 601 } 602 603 err_status_t 604 srtp_stream_init(srtp_stream_ctx_t *srtp, 605 const srtp_policy_t *p) { 606 err_status_t err; 607 608 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", 609 p->ssrc.value); 610 611 /* initialize replay database */ 612 /* window size MUST be at least 64. MAY be larger. Values more than 613 * 2^15 aren't meaningful due to how extended sequence numbers are 614 * calculated. Let a window size of 0 imply the default value. */ 615 616 if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000)) 617 return err_status_bad_param; 618 619 if (p->window_size != 0) 620 err = rdbx_init(&srtp->rtp_rdbx, p->window_size); 621 else 622 err = rdbx_init(&srtp->rtp_rdbx, 128); 623 if (err) return err; 624 625 /* initialize key limit to maximum value */ 626 #ifdef NO_64BIT_MATH 627 { 628 uint64_t temp; 629 temp = make64(UINT_MAX,UINT_MAX); 630 key_limit_set(srtp->limit, temp); 631 } 632 #else 633 key_limit_set(srtp->limit, 0xffffffffffffLL); 634 #endif 635 636 /* set the SSRC value */ 637 srtp->ssrc = htonl(p->ssrc.value); 638 639 /* set the security service flags */ 640 srtp->rtp_services = p->rtp.sec_serv; 641 srtp->rtcp_services = p->rtcp.sec_serv; 642 643 /* 644 * set direction to unknown - this flag gets checked in srtp_protect(), 645 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and 646 * gets set appropriately if it is set to unknown. 647 */ 648 srtp->direction = dir_unknown; 649 650 /* initialize SRTCP replay database */ 651 rdb_init(&srtp->rtcp_rdb); 652 653 /* initialize allow_repeat_tx */ 654 /* guard against uninitialized memory: allow only 0 or 1 here */ 655 if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) { 656 rdbx_dealloc(&srtp->rtp_rdbx); 657 return err_status_bad_param; 658 } 659 srtp->allow_repeat_tx = p->allow_repeat_tx; 660 661 /* DAM - no RTCP key limit at present */ 662 663 /* initialize keys */ 664 err = srtp_stream_init_keys(srtp, p->key); 665 if (err) { 666 rdbx_dealloc(&srtp->rtp_rdbx); 667 return err; 668 } 669 670 /* 671 * if EKT is in use, then initialize the EKT data associated with 672 * the stream 673 */ 674 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt); 675 if (err) { 676 rdbx_dealloc(&srtp->rtp_rdbx); 677 return err; 678 } 679 680 return err_status_ok; 681 } 682 683 684 /* 685 * srtp_event_reporter is an event handler function that merely 686 * reports the events that are reported by the callbacks 687 */ 688 689 void 690 srtp_event_reporter(srtp_event_data_t *data) { 691 692 err_report(err_level_warning, "srtp: in stream 0x%x: ", 693 data->stream->ssrc); 694 695 switch(data->event) { 696 case event_ssrc_collision: 697 err_report(err_level_warning, "\tSSRC collision\n"); 698 break; 699 case event_key_soft_limit: 700 err_report(err_level_warning, "\tkey usage soft limit reached\n"); 701 break; 702 case event_key_hard_limit: 703 err_report(err_level_warning, "\tkey usage hard limit reached\n"); 704 break; 705 case event_packet_index_limit: 706 err_report(err_level_warning, "\tpacket index limit reached\n"); 707 break; 708 default: 709 err_report(err_level_warning, "\tunknown event reported to handler\n"); 710 } 711 } 712 713 /* 714 * srtp_event_handler is a global variable holding a pointer to the 715 * event handler function; this function is called for any unexpected 716 * event that needs to be handled out of the SRTP data path. see 717 * srtp_event_t in srtp.h for more info 718 * 719 * it is okay to set srtp_event_handler to NULL, but we set 720 * it to the srtp_event_reporter. 721 */ 722 723 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter; 724 725 err_status_t 726 srtp_install_event_handler(srtp_event_handler_func_t func) { 727 728 /* 729 * note that we accept NULL arguments intentionally - calling this 730 * function with a NULL arguments removes an event handler that's 731 * been previously installed 732 */ 733 734 /* set global event handling function */ 735 srtp_event_handler = func; 736 return err_status_ok; 737 } 738 739 err_status_t 740 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { 741 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; 742 uint32_t *enc_start; /* pointer to start of encrypted portion */ 743 uint32_t *auth_start; /* pointer to start of auth. portion */ 744 unsigned enc_octet_len = 0; /* number of octets in encrypted portion */ 745 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 746 int delta; /* delta of local pkt idx and that in hdr */ 747 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 748 err_status_t status; 749 int tag_len; 750 srtp_stream_ctx_t *stream; 751 int prefix_len; 752 753 debug_print(mod_srtp, "function srtp_protect", NULL); 754 755 /* we assume the hdr is 32-bit aligned to start */ 756 757 /* Verify RTP header */ 758 status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); 759 if (status) 760 return status; 761 762 /* 763 * look up ssrc in srtp_stream list, and process the packet with 764 * the appropriate stream. if we haven't seen this stream before, 765 * there's a template key for this srtp_session, and the cipher 766 * supports key-sharing, then we assume that a new stream using 767 * that key has just started up 768 */ 769 stream = srtp_get_stream(ctx, hdr->ssrc); 770 if (stream == NULL) { 771 if (ctx->stream_template != NULL) { 772 srtp_stream_ctx_t *new_stream; 773 774 /* allocate and initialize a new stream */ 775 status = srtp_stream_clone(ctx->stream_template, 776 hdr->ssrc, &new_stream); 777 if (status) 778 return status; 779 780 /* add new stream to the head of the stream_list */ 781 new_stream->next = ctx->stream_list; 782 ctx->stream_list = new_stream; 783 784 /* set direction to outbound */ 785 new_stream->direction = dir_srtp_sender; 786 787 /* set stream (the pointer used in this function) */ 788 stream = new_stream; 789 } else { 790 /* no template stream, so we return an error */ 791 return err_status_no_ctx; 792 } 793 } 794 795 /* 796 * verify that stream is for sending traffic - this check will 797 * detect SSRC collisions, since a stream that appears in both 798 * srtp_protect() and srtp_unprotect() will fail this test in one of 799 * those functions. 800 */ 801 if (stream->direction != dir_srtp_sender) { 802 if (stream->direction == dir_unknown) { 803 stream->direction = dir_srtp_sender; 804 } else { 805 srtp_handle_event(ctx, stream, event_ssrc_collision); 806 } 807 } 808 809 /* 810 * update the key usage limit, and check it to make sure that we 811 * didn't just hit either the soft limit or the hard limit, and call 812 * the event handler if we hit either. 813 */ 814 switch(key_limit_update(stream->limit)) { 815 case key_event_normal: 816 break; 817 case key_event_soft_limit: 818 srtp_handle_event(ctx, stream, event_key_soft_limit); 819 break; 820 case key_event_hard_limit: 821 srtp_handle_event(ctx, stream, event_key_hard_limit); 822 return err_status_key_expired; 823 default: 824 break; 825 } 826 827 /* get tag length from stream */ 828 tag_len = auth_get_tag_length(stream->rtp_auth); 829 830 /* 831 * find starting point for encryption and length of data to be 832 * encrypted - the encrypted portion starts after the rtp header 833 * extension, if present; otherwise, it starts after the last csrc, 834 * if any are present 835 * 836 * if we're not providing confidentiality, set enc_start to NULL 837 */ 838 if (stream->rtp_services & sec_serv_conf) { 839 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; 840 if (hdr->x == 1) { 841 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; 842 enc_start += (ntohs(xtn_hdr->length) + 1); 843 } 844 enc_octet_len = (unsigned int)(*pkt_octet_len 845 - ((enc_start - (uint32_t *)hdr) << 2)); 846 } else { 847 enc_start = NULL; 848 } 849 850 /* 851 * if we're providing authentication, set the auth_start and auth_tag 852 * pointers to the proper locations; otherwise, set auth_start to NULL 853 * to indicate that no authentication is needed 854 */ 855 if (stream->rtp_services & sec_serv_auth) { 856 auth_start = (uint32_t *)hdr; 857 auth_tag = (uint8_t *)hdr + *pkt_octet_len; 858 } else { 859 auth_start = NULL; 860 auth_tag = NULL; 861 } 862 863 /* 864 * estimate the packet index using the start of the replay window 865 * and the sequence number from the header 866 */ 867 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); 868 status = rdbx_check(&stream->rtp_rdbx, delta); 869 if (status) { 870 if (status != err_status_replay_fail || !stream->allow_repeat_tx) 871 return status; /* we've been asked to reuse an index */ 872 } 873 else 874 rdbx_add_index(&stream->rtp_rdbx, delta); 875 876 #ifdef NO_64BIT_MATH 877 debug_print2(mod_srtp, "estimated packet index: %08x%08x", 878 high32(est),low32(est)); 879 #else 880 debug_print(mod_srtp, "estimated packet index: %016llx", est); 881 #endif 882 883 /* 884 * if we're using rindael counter mode, set nonce and seq 885 */ 886 if (stream->rtp_cipher->type->id == AES_ICM) { 887 v128_t iv; 888 889 iv.v32[0] = 0; 890 iv.v32[1] = hdr->ssrc; 891 #ifdef NO_64BIT_MATH 892 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), 893 low32(est) << 16)); 894 #else 895 iv.v64[1] = be64_to_cpu(est << 16); 896 #endif 897 status = cipher_set_iv(stream->rtp_cipher, &iv); 898 899 } else { 900 v128_t iv; 901 902 /* otherwise, set the index to est */ 903 #ifdef NO_64BIT_MATH 904 iv.v32[0] = 0; 905 iv.v32[1] = 0; 906 #else 907 iv.v64[0] = 0; 908 #endif 909 iv.v64[1] = be64_to_cpu(est); 910 status = cipher_set_iv(stream->rtp_cipher, &iv); 911 } 912 if (status) 913 return err_status_cipher_fail; 914 915 /* shift est, put into network byte order */ 916 #ifdef NO_64BIT_MATH 917 est = be64_to_cpu(make64((high32(est) << 16) | 918 (low32(est) >> 16), 919 low32(est) << 16)); 920 #else 921 est = be64_to_cpu(est << 16); 922 #endif 923 924 /* 925 * if we're authenticating using a universal hash, put the keystream 926 * prefix into the authentication tag 927 */ 928 if (auth_start) { 929 930 prefix_len = auth_get_prefix_length(stream->rtp_auth); 931 if (prefix_len) { 932 status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len); 933 if (status) 934 return err_status_cipher_fail; 935 debug_print(mod_srtp, "keystream prefix: %s", 936 octet_string_hex_string(auth_tag, prefix_len)); 937 } 938 } 939 940 /* if we're encrypting, exor keystream into the message */ 941 if (enc_start) { 942 status = cipher_encrypt(stream->rtp_cipher, 943 (uint8_t *)enc_start, &enc_octet_len); 944 if (status) 945 return err_status_cipher_fail; 946 } 947 948 /* 949 * if we're authenticating, run authentication function and put result 950 * into the auth_tag 951 */ 952 if (auth_start) { 953 954 /* initialize auth func context */ 955 status = auth_start(stream->rtp_auth); 956 if (status) return status; 957 958 /* run auth func over packet */ 959 status = auth_update(stream->rtp_auth, 960 (uint8_t *)auth_start, *pkt_octet_len); 961 if (status) return status; 962 963 /* run auth func over ROC, put result into auth_tag */ 964 debug_print(mod_srtp, "estimated packet index: %016llx", est); 965 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag); 966 debug_print(mod_srtp, "srtp auth tag: %s", 967 octet_string_hex_string(auth_tag, tag_len)); 968 if (status) 969 return err_status_auth_fail; 970 971 } 972 973 if (auth_tag) { 974 975 /* increase the packet length by the length of the auth tag */ 976 *pkt_octet_len += tag_len; 977 } 978 979 return err_status_ok; 980 } 981 982 983 err_status_t 984 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { 985 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; 986 uint32_t *enc_start; /* pointer to start of encrypted portion */ 987 uint32_t *auth_start; /* pointer to start of auth. portion */ 988 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ 989 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 990 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ 991 int delta; /* delta of local pkt idx and that in hdr */ 992 v128_t iv; 993 err_status_t status; 994 srtp_stream_ctx_t *stream; 995 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 996 int tag_len, prefix_len; 997 998 debug_print(mod_srtp, "function srtp_unprotect", NULL); 999 1000 /* we assume the hdr is 32-bit aligned to start */ 1001 1002 /* Verify RTP header */ 1003 status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); 1004 if (status) 1005 return status; 1006 1007 /* 1008 * look up ssrc in srtp_stream list, and process the packet with 1009 * the appropriate stream. if we haven't seen this stream before, 1010 * there's only one key for this srtp_session, and the cipher 1011 * supports key-sharing, then we assume that a new stream using 1012 * that key has just started up 1013 */ 1014 stream = srtp_get_stream(ctx, hdr->ssrc); 1015 if (stream == NULL) { 1016 if (ctx->stream_template != NULL) { 1017 stream = ctx->stream_template; 1018 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)", 1019 hdr->ssrc); 1020 1021 /* 1022 * set estimated packet index to sequence number from header, 1023 * and set delta equal to the same value 1024 */ 1025 #ifdef NO_64BIT_MATH 1026 est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq)); 1027 delta = low32(est); 1028 #else 1029 est = (xtd_seq_num_t) ntohs(hdr->seq); 1030 delta = (int)est; 1031 #endif 1032 } else { 1033 1034 /* 1035 * no stream corresponding to SSRC found, and we don't do 1036 * key-sharing, so return an error 1037 */ 1038 return err_status_no_ctx; 1039 } 1040 } else { 1041 1042 /* estimate packet index from seq. num. in header */ 1043 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); 1044 1045 /* check replay database */ 1046 status = rdbx_check(&stream->rtp_rdbx, delta); 1047 if (status) 1048 return status; 1049 } 1050 1051 #ifdef NO_64BIT_MATH 1052 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32(est)); 1053 #else 1054 debug_print(mod_srtp, "estimated u_packet index: %016llx", est); 1055 #endif 1056 1057 /* get tag length from stream */ 1058 tag_len = auth_get_tag_length(stream->rtp_auth); 1059 1060 /* 1061 * set the cipher's IV properly, depending on whatever cipher we 1062 * happen to be using 1063 */ 1064 if (stream->rtp_cipher->type->id == AES_ICM) { 1065 1066 /* aes counter mode */ 1067 iv.v32[0] = 0; 1068 iv.v32[1] = hdr->ssrc; /* still in network order */ 1069 #ifdef NO_64BIT_MATH 1070 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), 1071 low32(est) << 16)); 1072 #else 1073 iv.v64[1] = be64_to_cpu(est << 16); 1074 #endif 1075 status = cipher_set_iv(stream->rtp_cipher, &iv); 1076 } else { 1077 1078 /* no particular format - set the iv to the pakcet index */ 1079 #ifdef NO_64BIT_MATH 1080 iv.v32[0] = 0; 1081 iv.v32[1] = 0; 1082 #else 1083 iv.v64[0] = 0; 1084 #endif 1085 iv.v64[1] = be64_to_cpu(est); 1086 status = cipher_set_iv(stream->rtp_cipher, &iv); 1087 } 1088 if (status) 1089 return err_status_cipher_fail; 1090 1091 /* shift est, put into network byte order */ 1092 #ifdef NO_64BIT_MATH 1093 est = be64_to_cpu(make64((high32(est) << 16) | 1094 (low32(est) >> 16), 1095 low32(est) << 16)); 1096 #else 1097 est = be64_to_cpu(est << 16); 1098 #endif 1099 1100 /* 1101 * find starting point for decryption and length of data to be 1102 * decrypted - the encrypted portion starts after the rtp header 1103 * extension, if present; otherwise, it starts after the last csrc, 1104 * if any are present 1105 * 1106 * if we're not providing confidentiality, set enc_start to NULL 1107 */ 1108 if (stream->rtp_services & sec_serv_conf) { 1109 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; 1110 if (hdr->x == 1) { 1111 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; 1112 enc_start += (ntohs(xtn_hdr->length) + 1); 1113 } 1114 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 1115 - ((enc_start - (uint32_t *)hdr) << 2)); 1116 } else { 1117 enc_start = NULL; 1118 } 1119 1120 /* 1121 * if we're providing authentication, set the auth_start and auth_tag 1122 * pointers to the proper locations; otherwise, set auth_start to NULL 1123 * to indicate that no authentication is needed 1124 */ 1125 if (stream->rtp_services & sec_serv_auth) { 1126 auth_start = (uint32_t *)hdr; 1127 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len; 1128 } else { 1129 auth_start = NULL; 1130 auth_tag = NULL; 1131 } 1132 1133 /* 1134 * if we expect message authentication, run the authentication 1135 * function and compare the result with the value of the auth_tag 1136 */ 1137 if (auth_start) { 1138 1139 /* 1140 * if we're using a universal hash, then we need to compute the 1141 * keystream prefix for encrypting the universal hash output 1142 * 1143 * if the keystream prefix length is zero, then we know that 1144 * the authenticator isn't using a universal hash function 1145 */ 1146 if (stream->rtp_auth->prefix_len != 0) { 1147 1148 prefix_len = auth_get_prefix_length(stream->rtp_auth); 1149 status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len); 1150 debug_print(mod_srtp, "keystream prefix: %s", 1151 octet_string_hex_string(tmp_tag, prefix_len)); 1152 if (status) 1153 return err_status_cipher_fail; 1154 } 1155 1156 /* initialize auth func context */ 1157 status = auth_start(stream->rtp_auth); 1158 if (status) return status; 1159 1160 /* now compute auth function over packet */ 1161 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start, 1162 *pkt_octet_len - tag_len); 1163 1164 /* run auth func over ROC, then write tmp tag */ 1165 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag); 1166 1167 debug_print(mod_srtp, "computed auth tag: %s", 1168 octet_string_hex_string(tmp_tag, tag_len)); 1169 debug_print(mod_srtp, "packet auth tag: %s", 1170 octet_string_hex_string(auth_tag, tag_len)); 1171 if (status) 1172 return err_status_auth_fail; 1173 1174 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) 1175 return err_status_auth_fail; 1176 } 1177 1178 /* 1179 * update the key usage limit, and check it to make sure that we 1180 * didn't just hit either the soft limit or the hard limit, and call 1181 * the event handler if we hit either. 1182 */ 1183 switch(key_limit_update(stream->limit)) { 1184 case key_event_normal: 1185 break; 1186 case key_event_soft_limit: 1187 srtp_handle_event(ctx, stream, event_key_soft_limit); 1188 break; 1189 case key_event_hard_limit: 1190 srtp_handle_event(ctx, stream, event_key_hard_limit); 1191 return err_status_key_expired; 1192 default: 1193 break; 1194 } 1195 1196 /* if we're decrypting, add keystream into ciphertext */ 1197 if (enc_start) { 1198 status = cipher_decrypt(stream->rtp_cipher, 1199 (uint8_t *)enc_start, &enc_octet_len); 1200 if (status) 1201 return err_status_cipher_fail; 1202 } 1203 1204 /* 1205 * verify that stream is for received traffic - this check will 1206 * detect SSRC collisions, since a stream that appears in both 1207 * srtp_protect() and srtp_unprotect() will fail this test in one of 1208 * those functions. 1209 * 1210 * we do this check *after* the authentication check, so that the 1211 * latter check will catch any attempts to fool us into thinking 1212 * that we've got a collision 1213 */ 1214 if (stream->direction != dir_srtp_receiver) { 1215 if (stream->direction == dir_unknown) { 1216 stream->direction = dir_srtp_receiver; 1217 } else { 1218 srtp_handle_event(ctx, stream, event_ssrc_collision); 1219 } 1220 } 1221 1222 /* 1223 * if the stream is a 'provisional' one, in which the template context 1224 * is used, then we need to allocate a new stream at this point, since 1225 * the authentication passed 1226 */ 1227 if (stream == ctx->stream_template) { 1228 srtp_stream_ctx_t *new_stream; 1229 1230 /* 1231 * allocate and initialize a new stream 1232 * 1233 * note that we indicate failure if we can't allocate the new 1234 * stream, and some implementations will want to not return 1235 * failure here 1236 */ 1237 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 1238 if (status) 1239 return status; 1240 1241 /* add new stream to the head of the stream_list */ 1242 new_stream->next = ctx->stream_list; 1243 ctx->stream_list = new_stream; 1244 1245 /* set stream (the pointer used in this function) */ 1246 stream = new_stream; 1247 } 1248 1249 /* 1250 * the message authentication function passed, so add the packet 1251 * index into the replay database 1252 */ 1253 rdbx_add_index(&stream->rtp_rdbx, delta); 1254 1255 /* decrease the packet length by the length of the auth tag */ 1256 *pkt_octet_len -= tag_len; 1257 1258 return err_status_ok; 1259 } 1260 1261 err_status_t 1262 srtp_init() { 1263 err_status_t status; 1264 1265 /* initialize crypto kernel */ 1266 status = crypto_kernel_init(); 1267 if (status) 1268 return status; 1269 1270 /* load srtp debug module into the kernel */ 1271 status = crypto_kernel_load_debug_module(&mod_srtp); 1272 if (status) 1273 return status; 1274 1275 return err_status_ok; 1276 } 1277 1278 err_status_t 1279 srtp_shutdown() { 1280 err_status_t status; 1281 1282 /* shut down crypto kernel */ 1283 status = crypto_kernel_shutdown(); 1284 if (status) 1285 return status; 1286 1287 /* shutting down crypto kernel frees the srtp debug module as well */ 1288 1289 return err_status_ok; 1290 } 1291 1292 1293 /* 1294 * The following code is under consideration for removal. See 1295 * SRTP_MAX_TRAILER_LEN 1296 */ 1297 #if 0 1298 1299 /* 1300 * srtp_get_trailer_length(&a) returns the number of octets that will 1301 * be added to an RTP packet by the SRTP processing. This value 1302 * is constant for a given srtp_stream_t (i.e. between initializations). 1303 */ 1304 1305 int 1306 srtp_get_trailer_length(const srtp_stream_t s) { 1307 return auth_get_tag_length(s->rtp_auth); 1308 } 1309 1310 #endif 1311 1312 /* 1313 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding 1314 * to ssrc, or NULL if no stream exists for that ssrc 1315 * 1316 * this is an internal function 1317 */ 1318 1319 srtp_stream_ctx_t * 1320 srtp_get_stream(srtp_t srtp, uint32_t ssrc) { 1321 srtp_stream_ctx_t *stream; 1322 1323 /* walk down list until ssrc is found */ 1324 stream = srtp->stream_list; 1325 while (stream != NULL) { 1326 if (stream->ssrc == ssrc) 1327 return stream; 1328 stream = stream->next; 1329 } 1330 1331 /* we haven't found our ssrc, so return a null */ 1332 return NULL; 1333 } 1334 1335 err_status_t 1336 srtp_dealloc(srtp_t session) { 1337 srtp_stream_ctx_t *stream; 1338 err_status_t status; 1339 1340 /* 1341 * we take a conservative deallocation strategy - if we encounter an 1342 * error deallocating a stream, then we stop trying to deallocate 1343 * memory and just return an error 1344 */ 1345 1346 /* walk list of streams, deallocating as we go */ 1347 stream = session->stream_list; 1348 while (stream != NULL) { 1349 srtp_stream_t next = stream->next; 1350 status = srtp_stream_dealloc(session, stream); 1351 if (status) 1352 return status; 1353 stream = next; 1354 } 1355 1356 /* deallocate stream template, if there is one */ 1357 if (session->stream_template != NULL) { 1358 status = auth_dealloc(session->stream_template->rtcp_auth); 1359 if (status) 1360 return status; 1361 status = cipher_dealloc(session->stream_template->rtcp_cipher); 1362 if (status) 1363 return status; 1364 crypto_free(session->stream_template->limit); 1365 status = cipher_dealloc(session->stream_template->rtp_cipher); 1366 if (status) 1367 return status; 1368 status = auth_dealloc(session->stream_template->rtp_auth); 1369 if (status) 1370 return status; 1371 status = rdbx_dealloc(&session->stream_template->rtp_rdbx); 1372 if (status) 1373 return status; 1374 crypto_free(session->stream_template); 1375 } 1376 1377 /* deallocate session context */ 1378 crypto_free(session); 1379 1380 return err_status_ok; 1381 } 1382 1383 1384 err_status_t 1385 srtp_add_stream(srtp_t session, 1386 const srtp_policy_t *policy) { 1387 err_status_t status; 1388 srtp_stream_t tmp; 1389 1390 /* sanity check arguments */ 1391 if ((session == NULL) || (policy == NULL) || (policy->key == NULL)) 1392 return err_status_bad_param; 1393 1394 /* allocate stream */ 1395 status = srtp_stream_alloc(&tmp, policy); 1396 if (status) { 1397 return status; 1398 } 1399 1400 /* initialize stream */ 1401 status = srtp_stream_init(tmp, policy); 1402 if (status) { 1403 crypto_free(tmp); 1404 return status; 1405 } 1406 1407 /* 1408 * set the head of the stream list or the template to point to the 1409 * stream that we've just alloced and init'ed, depending on whether 1410 * or not it has a wildcard SSRC value or not 1411 * 1412 * if the template stream has already been set, then the policy is 1413 * inconsistent, so we return a bad_param error code 1414 */ 1415 switch (policy->ssrc.type) { 1416 case (ssrc_any_outbound): 1417 if (session->stream_template) { 1418 return err_status_bad_param; 1419 } 1420 session->stream_template = tmp; 1421 session->stream_template->direction = dir_srtp_sender; 1422 break; 1423 case (ssrc_any_inbound): 1424 if (session->stream_template) { 1425 return err_status_bad_param; 1426 } 1427 session->stream_template = tmp; 1428 session->stream_template->direction = dir_srtp_receiver; 1429 break; 1430 case (ssrc_specific): 1431 tmp->next = session->stream_list; 1432 session->stream_list = tmp; 1433 break; 1434 case (ssrc_undefined): 1435 default: 1436 crypto_free(tmp); 1437 return err_status_bad_param; 1438 } 1439 1440 return err_status_ok; 1441 } 1442 1443 1444 err_status_t 1445 srtp_create(srtp_t *session, /* handle for session */ 1446 const srtp_policy_t *policy) { /* SRTP policy (list) */ 1447 err_status_t stat; 1448 srtp_ctx_t *ctx; 1449 1450 /* sanity check arguments */ 1451 if (session == NULL) 1452 return err_status_bad_param; 1453 1454 /* allocate srtp context and set ctx_ptr */ 1455 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t)); 1456 if (ctx == NULL) 1457 return err_status_alloc_fail; 1458 *session = ctx; 1459 1460 /* 1461 * loop over elements in the policy list, allocating and 1462 * initializing a stream for each element 1463 */ 1464 ctx->stream_template = NULL; 1465 ctx->stream_list = NULL; 1466 while (policy != NULL) { 1467 1468 stat = srtp_add_stream(ctx, policy); 1469 if (stat) { 1470 /* clean up everything */ 1471 srtp_dealloc(*session); 1472 return stat; 1473 } 1474 1475 /* set policy to next item in list */ 1476 policy = policy->next; 1477 } 1478 1479 return err_status_ok; 1480 } 1481 1482 1483 err_status_t 1484 srtp_remove_stream(srtp_t session, uint32_t ssrc) { 1485 srtp_stream_ctx_t *stream, *last_stream; 1486 err_status_t status; 1487 1488 /* sanity check arguments */ 1489 if (session == NULL) 1490 return err_status_bad_param; 1491 1492 /* find stream in list; complain if not found */ 1493 last_stream = stream = session->stream_list; 1494 while ((stream != NULL) && (ssrc != stream->ssrc)) { 1495 last_stream = stream; 1496 stream = stream->next; 1497 } 1498 if (stream == NULL) 1499 return err_status_no_ctx; 1500 1501 /* remove stream from the list */ 1502 if (last_stream == stream) 1503 /* stream was first in list */ 1504 session->stream_list = stream->next; 1505 else 1506 last_stream->next = stream->next; 1507 1508 /* deallocate the stream */ 1509 status = srtp_stream_dealloc(session, stream); 1510 if (status) 1511 return status; 1512 1513 return err_status_ok; 1514 } 1515 1516 1517 /* 1518 * the default policy - provides a convenient way for callers to use 1519 * the default security policy 1520 * 1521 * this policy is that defined in the current SRTP internet draft. 1522 * 1523 */ 1524 1525 /* 1526 * NOTE: cipher_key_len is really key len (128 bits) plus salt len 1527 * (112 bits) 1528 */ 1529 /* There are hard-coded 16's for base_key_len in the key generation code */ 1530 1531 void 1532 crypto_policy_set_rtp_default(crypto_policy_t *p) { 1533 1534 p->cipher_type = AES_ICM; 1535 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */ 1536 p->auth_type = HMAC_SHA1; 1537 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 1538 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 1539 p->sec_serv = sec_serv_conf_and_auth; 1540 1541 } 1542 1543 void 1544 crypto_policy_set_rtcp_default(crypto_policy_t *p) { 1545 1546 p->cipher_type = AES_ICM; 1547 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */ 1548 p->auth_type = HMAC_SHA1; 1549 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 1550 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 1551 p->sec_serv = sec_serv_conf_and_auth; 1552 1553 } 1554 1555 void 1556 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) { 1557 1558 /* 1559 * corresponds to RFC 4568 1560 * 1561 * note that this crypto policy is intended for SRTP, but not SRTCP 1562 */ 1563 1564 p->cipher_type = AES_ICM; 1565 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */ 1566 p->auth_type = HMAC_SHA1; 1567 p->auth_key_len = 20; /* 160 bit key */ 1568 p->auth_tag_len = 4; /* 32 bit tag */ 1569 p->sec_serv = sec_serv_conf_and_auth; 1570 1571 } 1572 1573 1574 void 1575 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) { 1576 1577 /* 1578 * corresponds to RFC 4568 1579 * 1580 * note that this crypto policy is intended for SRTP, but not SRTCP 1581 */ 1582 1583 p->cipher_type = AES_ICM; 1584 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */ 1585 p->auth_type = NULL_AUTH; 1586 p->auth_key_len = 0; 1587 p->auth_tag_len = 0; 1588 p->sec_serv = sec_serv_conf; 1589 1590 } 1591 1592 1593 void 1594 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) { 1595 1596 /* 1597 * corresponds to RFC 4568 1598 */ 1599 1600 p->cipher_type = NULL_CIPHER; 1601 p->cipher_key_len = 0; 1602 p->auth_type = HMAC_SHA1; 1603 p->auth_key_len = 20; 1604 p->auth_tag_len = 10; 1605 p->sec_serv = sec_serv_auth; 1606 1607 } 1608 1609 1610 void 1611 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) { 1612 1613 /* 1614 * corresponds to draft-ietf-avt-big-aes-03.txt 1615 */ 1616 1617 p->cipher_type = AES_ICM; 1618 p->cipher_key_len = 46; 1619 p->auth_type = HMAC_SHA1; 1620 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 1621 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ 1622 p->sec_serv = sec_serv_conf_and_auth; 1623 } 1624 1625 1626 void 1627 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) { 1628 1629 /* 1630 * corresponds to draft-ietf-avt-big-aes-03.txt 1631 * 1632 * note that this crypto policy is intended for SRTP, but not SRTCP 1633 */ 1634 1635 p->cipher_type = AES_ICM; 1636 p->cipher_key_len = 46; 1637 p->auth_type = HMAC_SHA1; 1638 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ 1639 p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ 1640 p->sec_serv = sec_serv_conf_and_auth; 1641 } 1642 1643 1644 /* 1645 * secure rtcp functions 1646 */ 1647 1648 err_status_t 1649 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) { 1650 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; 1651 uint32_t *enc_start; /* pointer to start of encrypted portion */ 1652 uint32_t *auth_start; /* pointer to start of auth. portion */ 1653 uint32_t *trailer; /* pointer to start of trailer */ 1654 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ 1655 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 1656 err_status_t status; 1657 int tag_len; 1658 srtp_stream_ctx_t *stream; 1659 int prefix_len; 1660 uint32_t seq_num; 1661 1662 /* we assume the hdr is 32-bit aligned to start */ 1663 /* 1664 * look up ssrc in srtp_stream list, and process the packet with 1665 * the appropriate stream. if we haven't seen this stream before, 1666 * there's only one key for this srtp_session, and the cipher 1667 * supports key-sharing, then we assume that a new stream using 1668 * that key has just started up 1669 */ 1670 stream = srtp_get_stream(ctx, hdr->ssrc); 1671 if (stream == NULL) { 1672 if (ctx->stream_template != NULL) { 1673 srtp_stream_ctx_t *new_stream; 1674 1675 /* allocate and initialize a new stream */ 1676 status = srtp_stream_clone(ctx->stream_template, 1677 hdr->ssrc, &new_stream); 1678 if (status) 1679 return status; 1680 1681 /* add new stream to the head of the stream_list */ 1682 new_stream->next = ctx->stream_list; 1683 ctx->stream_list = new_stream; 1684 1685 /* set stream (the pointer used in this function) */ 1686 stream = new_stream; 1687 } else { 1688 /* no template stream, so we return an error */ 1689 return err_status_no_ctx; 1690 } 1691 } 1692 1693 /* 1694 * verify that stream is for sending traffic - this check will 1695 * detect SSRC collisions, since a stream that appears in both 1696 * srtp_protect() and srtp_unprotect() will fail this test in one of 1697 * those functions. 1698 */ 1699 if (stream->direction != dir_srtp_sender) { 1700 if (stream->direction == dir_unknown) { 1701 stream->direction = dir_srtp_sender; 1702 } else { 1703 srtp_handle_event(ctx, stream, event_ssrc_collision); 1704 } 1705 } 1706 1707 /* get tag length from stream context */ 1708 tag_len = auth_get_tag_length(stream->rtcp_auth); 1709 1710 /* 1711 * set encryption start and encryption length - if we're not 1712 * providing confidentiality, set enc_start to NULL 1713 */ 1714 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; 1715 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; 1716 1717 /* all of the packet, except the header, gets encrypted */ 1718 /* NOTE: hdr->length is not usable - it refers to only the first 1719 RTCP report in the compound packet! */ 1720 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always 1721 multiples of 32-bits (RFC 3550 6.1) */ 1722 trailer = (uint32_t *) ((char *)enc_start + enc_octet_len); 1723 1724 if (stream->rtcp_services & sec_serv_conf) { 1725 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ 1726 } else { 1727 enc_start = NULL; 1728 enc_octet_len = 0; 1729 /* 0 is network-order independant */ 1730 *trailer = 0x00000000; /* set encrypt bit */ 1731 } 1732 1733 /* 1734 * set the auth_start and auth_tag pointers to the proper locations 1735 * (note that srtpc *always* provides authentication, unlike srtp) 1736 */ 1737 /* Note: This would need to change for optional mikey data */ 1738 auth_start = (uint32_t *)hdr; 1739 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t); 1740 1741 /* perform EKT processing if needed */ 1742 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len, 1743 rdbx_get_packet_index(&stream->rtp_rdbx)); 1744 1745 /* 1746 * check sequence number for overruns, and copy it into the packet 1747 * if its value isn't too big 1748 */ 1749 status = rdb_increment(&stream->rtcp_rdb); 1750 if (status) 1751 return status; 1752 seq_num = rdb_get_value(&stream->rtcp_rdb); 1753 *trailer |= htonl(seq_num); 1754 debug_print(mod_srtp, "srtcp index: %x", seq_num); 1755 1756 /* 1757 * if we're using rindael counter mode, set nonce and seq 1758 */ 1759 if (stream->rtcp_cipher->type->id == AES_ICM) { 1760 v128_t iv; 1761 1762 iv.v32[0] = 0; 1763 iv.v32[1] = hdr->ssrc; /* still in network order! */ 1764 iv.v32[2] = htonl(seq_num >> 16); 1765 iv.v32[3] = htonl(seq_num << 16); 1766 status = cipher_set_iv(stream->rtcp_cipher, &iv); 1767 1768 } else { 1769 v128_t iv; 1770 1771 /* otherwise, just set the index to seq_num */ 1772 iv.v32[0] = 0; 1773 iv.v32[1] = 0; 1774 iv.v32[2] = 0; 1775 iv.v32[3] = htonl(seq_num); 1776 status = cipher_set_iv(stream->rtcp_cipher, &iv); 1777 } 1778 if (status) 1779 return err_status_cipher_fail; 1780 1781 /* 1782 * if we're authenticating using a universal hash, put the keystream 1783 * prefix into the authentication tag 1784 */ 1785 1786 /* if auth_start is non-null, then put keystream into tag */ 1787 if (auth_start) { 1788 1789 /* put keystream prefix into auth_tag */ 1790 prefix_len = auth_get_prefix_length(stream->rtcp_auth); 1791 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len); 1792 1793 debug_print(mod_srtp, "keystream prefix: %s", 1794 octet_string_hex_string(auth_tag, prefix_len)); 1795 1796 if (status) 1797 return err_status_cipher_fail; 1798 } 1799 1800 /* if we're encrypting, exor keystream into the message */ 1801 if (enc_start) { 1802 status = cipher_encrypt(stream->rtcp_cipher, 1803 (uint8_t *)enc_start, &enc_octet_len); 1804 if (status) 1805 return err_status_cipher_fail; 1806 } 1807 1808 /* initialize auth func context */ 1809 auth_start(stream->rtcp_auth); 1810 1811 /* 1812 * run auth func over packet (including trailer), and write the 1813 * result at auth_tag 1814 */ 1815 status = auth_compute(stream->rtcp_auth, 1816 (uint8_t *)auth_start, 1817 (*pkt_octet_len) + sizeof(srtcp_trailer_t), 1818 auth_tag); 1819 debug_print(mod_srtp, "srtcp auth tag: %s", 1820 octet_string_hex_string(auth_tag, tag_len)); 1821 if (status) 1822 return err_status_auth_fail; 1823 1824 /* increase the packet length by the length of the auth tag and seq_num*/ 1825 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); 1826 1827 return err_status_ok; 1828 } 1829 1830 1831 err_status_t 1832 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) { 1833 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; 1834 uint32_t *enc_start; /* pointer to start of encrypted portion */ 1835 uint32_t *auth_start; /* pointer to start of auth. portion */ 1836 uint32_t *trailer; /* pointer to start of trailer */ 1837 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */ 1838 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ 1839 uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; 1840 uint8_t tag_copy[SRTP_MAX_TAG_LEN]; 1841 err_status_t status; 1842 unsigned auth_len; 1843 int tag_len; 1844 srtp_stream_ctx_t *stream; 1845 int prefix_len; 1846 uint32_t seq_num; 1847 1848 /* we assume the hdr is 32-bit aligned to start */ 1849 /* 1850 * look up ssrc in srtp_stream list, and process the packet with 1851 * the appropriate stream. if we haven't seen this stream before, 1852 * there's only one key for this srtp_session, and the cipher 1853 * supports key-sharing, then we assume that a new stream using 1854 * that key has just started up 1855 */ 1856 stream = srtp_get_stream(ctx, hdr->ssrc); 1857 if (stream == NULL) { 1858 if (ctx->stream_template != NULL) { 1859 stream = ctx->stream_template; 1860 1861 /* 1862 * check to see if stream_template has an EKT data structure, in 1863 * which case we initialize the template using the EKT policy 1864 * referenced by that data (which consists of decrypting the 1865 * master key from the EKT field) 1866 * 1867 * this function initializes a *provisional* stream, and this 1868 * stream should not be accepted until and unless the packet 1869 * passes its authentication check 1870 */ 1871 if (stream->ekt != NULL) { 1872 status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len); 1873 if (status) 1874 return status; 1875 } 1876 1877 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", 1878 hdr->ssrc); 1879 } else { 1880 /* no template stream, so we return an error */ 1881 return err_status_no_ctx; 1882 } 1883 } 1884 1885 /* get tag length from stream context */ 1886 tag_len = auth_get_tag_length(stream->rtcp_auth); 1887 1888 /* 1889 * set encryption start, encryption length, and trailer 1890 */ 1891 enc_octet_len = *pkt_octet_len - 1892 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t)); 1893 /* index & E (encryption) bit follow normal data. hdr->len 1894 is the number of words (32-bit) in the normal packet minus 1 */ 1895 /* This should point trailer to the word past the end of the 1896 normal data. */ 1897 /* This would need to be modified for optional mikey data */ 1898 /* 1899 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always 1900 * multiples of 32-bits (RFC 3550 6.1) 1901 */ 1902 trailer = (uint32_t *) ((char *) hdr + 1903 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t))); 1904 if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) { 1905 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; 1906 } else { 1907 enc_octet_len = 0; 1908 enc_start = NULL; /* this indicates that there's no encryption */ 1909 } 1910 1911 /* 1912 * set the auth_start and auth_tag pointers to the proper locations 1913 * (note that srtcp *always* uses authentication, unlike srtp) 1914 */ 1915 auth_start = (uint32_t *)hdr; 1916 auth_len = *pkt_octet_len - tag_len; 1917 auth_tag = (uint8_t *)hdr + auth_len; 1918 1919 /* 1920 * if EKT is in use, then we make a copy of the tag from the packet, 1921 * and then zeroize the location of the base tag 1922 * 1923 * we first re-position the auth_tag pointer so that it points to 1924 * the base tag 1925 */ 1926 if (stream->ekt) { 1927 auth_tag -= ekt_octets_after_base_tag(stream->ekt); 1928 memcpy(tag_copy, auth_tag, tag_len); 1929 octet_string_set_to_zero(auth_tag, tag_len); 1930 auth_tag = tag_copy; 1931 auth_len += tag_len; 1932 } 1933 1934 /* 1935 * check the sequence number for replays 1936 */ 1937 /* this is easier than dealing with bitfield access */ 1938 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; 1939 debug_print(mod_srtp, "srtcp index: %x", seq_num); 1940 status = rdb_check(&stream->rtcp_rdb, seq_num); 1941 if (status) 1942 return status; 1943 1944 /* 1945 * if we're using aes counter mode, set nonce and seq 1946 */ 1947 if (stream->rtcp_cipher->type->id == AES_ICM) { 1948 v128_t iv; 1949 1950 iv.v32[0] = 0; 1951 iv.v32[1] = hdr->ssrc; /* still in network order! */ 1952 iv.v32[2] = htonl(seq_num >> 16); 1953 iv.v32[3] = htonl(seq_num << 16); 1954 status = cipher_set_iv(stream->rtcp_cipher, &iv); 1955 1956 } else { 1957 v128_t iv; 1958 1959 /* otherwise, just set the index to seq_num */ 1960 iv.v32[0] = 0; 1961 iv.v32[1] = 0; 1962 iv.v32[2] = 0; 1963 iv.v32[3] = htonl(seq_num); 1964 status = cipher_set_iv(stream->rtcp_cipher, &iv); 1965 1966 } 1967 if (status) 1968 return err_status_cipher_fail; 1969 1970 /* initialize auth func context */ 1971 auth_start(stream->rtcp_auth); 1972 1973 /* run auth func over packet, put result into tmp_tag */ 1974 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start, 1975 auth_len, tmp_tag); 1976 debug_print(mod_srtp, "srtcp computed tag: %s", 1977 octet_string_hex_string(tmp_tag, tag_len)); 1978 if (status) 1979 return err_status_auth_fail; 1980 1981 /* compare the tag just computed with the one in the packet */ 1982 debug_print(mod_srtp, "srtcp tag from packet: %s", 1983 octet_string_hex_string(auth_tag, tag_len)); 1984 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) 1985 return err_status_auth_fail; 1986 1987 /* 1988 * if we're authenticating using a universal hash, put the keystream 1989 * prefix into the authentication tag 1990 */ 1991 prefix_len = auth_get_prefix_length(stream->rtcp_auth); 1992 if (prefix_len) { 1993 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len); 1994 debug_print(mod_srtp, "keystream prefix: %s", 1995 octet_string_hex_string(auth_tag, prefix_len)); 1996 if (status) 1997 return err_status_cipher_fail; 1998 } 1999 2000 /* if we're decrypting, exor keystream into the message */ 2001 if (enc_start) { 2002 status = cipher_decrypt(stream->rtcp_cipher, 2003 (uint8_t *)enc_start, &enc_octet_len); 2004 if (status) 2005 return err_status_cipher_fail; 2006 } 2007 2008 /* decrease the packet length by the length of the auth tag and seq_num */ 2009 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); 2010 2011 /* 2012 * if EKT is in effect, subtract the EKT data out of the packet 2013 * length 2014 */ 2015 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt); 2016 2017 /* 2018 * verify that stream is for received traffic - this check will 2019 * detect SSRC collisions, since a stream that appears in both 2020 * srtp_protect() and srtp_unprotect() will fail this test in one of 2021 * those functions. 2022 * 2023 * we do this check *after* the authentication check, so that the 2024 * latter check will catch any attempts to fool us into thinking 2025 * that we've got a collision 2026 */ 2027 if (stream->direction != dir_srtp_receiver) { 2028 if (stream->direction == dir_unknown) { 2029 stream->direction = dir_srtp_receiver; 2030 } else { 2031 srtp_handle_event(ctx, stream, event_ssrc_collision); 2032 } 2033 } 2034 2035 /* 2036 * if the stream is a 'provisional' one, in which the template context 2037 * is used, then we need to allocate a new stream at this point, since 2038 * the authentication passed 2039 */ 2040 if (stream == ctx->stream_template) { 2041 srtp_stream_ctx_t *new_stream; 2042 2043 /* 2044 * allocate and initialize a new stream 2045 * 2046 * note that we indicate failure if we can't allocate the new 2047 * stream, and some implementations will want to not return 2048 * failure here 2049 */ 2050 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); 2051 if (status) 2052 return status; 2053 2054 /* add new stream to the head of the stream_list */ 2055 new_stream->next = ctx->stream_list; 2056 ctx->stream_list = new_stream; 2057 2058 /* set stream (the pointer used in this function) */ 2059 stream = new_stream; 2060 } 2061 2062 /* we've passed the authentication check, so add seq_num to the rdb */ 2063 rdb_add_index(&stream->rtcp_rdb, seq_num); 2064 2065 2066 return err_status_ok; 2067 } 2068 2069 2070 2071 /* 2072 * dtls keying for srtp 2073 */ 2074 2075 err_status_t 2076 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy, 2077 srtp_profile_t profile) { 2078 2079 /* set SRTP policy from the SRTP profile in the key set */ 2080 switch(profile) { 2081 case srtp_profile_aes128_cm_sha1_80: 2082 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 2083 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 2084 break; 2085 case srtp_profile_aes128_cm_sha1_32: 2086 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); 2087 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 2088 break; 2089 case srtp_profile_null_sha1_80: 2090 crypto_policy_set_null_cipher_hmac_sha1_80(policy); 2091 crypto_policy_set_null_cipher_hmac_sha1_80(policy); 2092 break; 2093 case srtp_profile_aes256_cm_sha1_80: 2094 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 2095 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 2096 break; 2097 case srtp_profile_aes256_cm_sha1_32: 2098 crypto_policy_set_aes_cm_256_hmac_sha1_32(policy); 2099 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 2100 break; 2101 /* the following profiles are not (yet) supported */ 2102 case srtp_profile_null_sha1_32: 2103 default: 2104 return err_status_bad_param; 2105 } 2106 2107 return err_status_ok; 2108 } 2109 2110 err_status_t 2111 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy, 2112 srtp_profile_t profile) { 2113 2114 /* set SRTP policy from the SRTP profile in the key set */ 2115 switch(profile) { 2116 case srtp_profile_aes128_cm_sha1_80: 2117 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 2118 break; 2119 case srtp_profile_aes128_cm_sha1_32: 2120 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); 2121 break; 2122 case srtp_profile_null_sha1_80: 2123 crypto_policy_set_null_cipher_hmac_sha1_80(policy); 2124 break; 2125 case srtp_profile_aes256_cm_sha1_80: 2126 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 2127 break; 2128 case srtp_profile_aes256_cm_sha1_32: 2129 crypto_policy_set_aes_cm_256_hmac_sha1_80(policy); 2130 break; 2131 /* the following profiles are not (yet) supported */ 2132 case srtp_profile_null_sha1_32: 2133 default: 2134 return err_status_bad_param; 2135 } 2136 2137 return err_status_ok; 2138 } 2139 2140 void 2141 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key, 2142 uint8_t *salt, unsigned int bytes_in_salt) { 2143 2144 memcpy(key + bytes_in_key, salt, bytes_in_salt); 2145 2146 } 2147 2148 unsigned int 2149 srtp_profile_get_master_key_length(srtp_profile_t profile) { 2150 2151 switch(profile) { 2152 case srtp_profile_aes128_cm_sha1_80: 2153 return 16; 2154 break; 2155 case srtp_profile_aes128_cm_sha1_32: 2156 return 16; 2157 break; 2158 case srtp_profile_null_sha1_80: 2159 return 16; 2160 break; 2161 case srtp_profile_aes256_cm_sha1_80: 2162 return 32; 2163 break; 2164 case srtp_profile_aes256_cm_sha1_32: 2165 return 32; 2166 break; 2167 /* the following profiles are not (yet) supported */ 2168 case srtp_profile_null_sha1_32: 2169 default: 2170 return 0; /* indicate error by returning a zero */ 2171 } 2172 } 2173 2174 unsigned int 2175 srtp_profile_get_master_salt_length(srtp_profile_t profile) { 2176 2177 switch(profile) { 2178 case srtp_profile_aes128_cm_sha1_80: 2179 return 14; 2180 break; 2181 case srtp_profile_aes128_cm_sha1_32: 2182 return 14; 2183 break; 2184 case srtp_profile_null_sha1_80: 2185 return 14; 2186 break; 2187 case srtp_profile_aes256_cm_sha1_80: 2188 return 14; 2189 break; 2190 case srtp_profile_aes256_cm_sha1_32: 2191 return 14; 2192 break; 2193 /* the following profiles are not (yet) supported */ 2194 case srtp_profile_null_sha1_32: 2195 default: 2196 return 0; /* indicate error by returning a zero */ 2197 } 2198 } 2199
