Home | History | Annotate | Download | only in srtp
      1 /*
      2  * srtp.c
      3  *
      4  * the secure real-time transport protocol
      5  *
      6  * David A. McGrew
      7  * Cisco Systems, Inc.
      8  */
      9 /*
     10  *
     11  * Copyright (c) 2001-2006, Cisco Systems, Inc.
     12  * All rights reserved.
     13  *
     14  * Redistribution and use in source and binary forms, with or without
     15  * modification, are permitted provided that the following conditions
     16  * are met:
     17  *
     18  *   Redistributions of source code must retain the above copyright
     19  *   notice, this list of conditions and the following disclaimer.
     20  *
     21  *   Redistributions in binary form must reproduce the above
     22  *   copyright notice, this list of conditions and the following
     23  *   disclaimer in the documentation and/or other materials provided
     24  *   with the distribution.
     25  *
     26  *   Neither the name of the Cisco Systems, Inc. nor the names of its
     27  *   contributors may be used to endorse or promote products derived
     28  *   from this software without specific prior written permission.
     29  *
     30  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     31  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     32  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
     33  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
     34  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
     35  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
     36  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
     37  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     38  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     39  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     40  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     41  * OF THE POSSIBILITY OF SUCH DAMAGE.
     42  *
     43  */
     44 
     45 
     46 #include "srtp.h"
     47 #include "ekt.h"             /* for SRTP Encrypted Key Transport */
     48 #include "alloc.h"           /* for crypto_alloc()          */
     49 
     50 #ifndef SRTP_KERNEL
     51 # include <limits.h>
     52 # ifdef HAVE_NETINET_IN_H
     53 #  include <netinet/in.h>
     54 # elif defined(HAVE_WINSOCK2_H)
     55 #  include <winsock2.h>
     56 # endif
     57 #endif /* ! SRTP_KERNEL */
     58 
     59 
     60 /* the debug module for srtp */
     61 
     62 debug_module_t mod_srtp = {
     63   0,                  /* debugging is off by default */
     64   "srtp"              /* printable name for module   */
     65 };
     66 
     67 #define octets_in_rtp_header   12
     68 #define uint32s_in_rtp_header  3
     69 #define octets_in_rtcp_header  8
     70 #define uint32s_in_rtcp_header 2
     71 #define octets_in_rtp_extn_hdr 4
     72 
     73 static err_status_t
     74 srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) {
     75   srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
     76 
     77   /* Check RTP header length */
     78   int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc;
     79   if (hdr->x == 1)
     80     rtp_header_len += octets_in_rtp_extn_hdr;
     81 
     82   if (*pkt_octet_len < rtp_header_len)
     83     return err_status_bad_param;
     84 
     85   /* Verifing profile length. */
     86   if (hdr->x == 1) {
     87     srtp_hdr_xtnd_t *xtn_hdr =
     88       (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc);
     89     int profile_len = ntohs(xtn_hdr->length);
     90     rtp_header_len += profile_len * 4;
     91     /* profile length counts the number of 32-bit words */
     92     if (*pkt_octet_len < rtp_header_len)
     93       return err_status_bad_param;
     94   }
     95   return err_status_ok;
     96 }
     97 
     98 err_status_t
     99 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
    100 		  const srtp_policy_t *p) {
    101   srtp_stream_ctx_t *str;
    102   err_status_t stat;
    103 
    104   /*
    105    * This function allocates the stream context, rtp and rtcp ciphers
    106    * and auth functions, and key limit structure.  If there is a
    107    * failure during allocation, we free all previously allocated
    108    * memory and return a failure code.  The code could probably
    109    * be improved, but it works and should be clear.
    110    */
    111 
    112   /* allocate srtp stream and set str_ptr */
    113   str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
    114   if (str == NULL)
    115     return err_status_alloc_fail;
    116   *str_ptr = str;
    117 
    118   /* allocate cipher */
    119   stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
    120 				    &str->rtp_cipher,
    121 				    p->rtp.cipher_key_len);
    122   if (stat) {
    123     crypto_free(str);
    124     return stat;
    125   }
    126 
    127   /* allocate auth function */
    128   stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
    129 				  &str->rtp_auth,
    130 				  p->rtp.auth_key_len,
    131 				  p->rtp.auth_tag_len);
    132   if (stat) {
    133     cipher_dealloc(str->rtp_cipher);
    134     crypto_free(str);
    135     return stat;
    136   }
    137 
    138   /* allocate key limit structure */
    139   str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t));
    140   if (str->limit == NULL) {
    141     auth_dealloc(str->rtp_auth);
    142     cipher_dealloc(str->rtp_cipher);
    143     crypto_free(str);
    144     return err_status_alloc_fail;
    145   }
    146 
    147   /*
    148    * ...and now the RTCP-specific initialization - first, allocate
    149    * the cipher
    150    */
    151   stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
    152 				    &str->rtcp_cipher,
    153 				    p->rtcp.cipher_key_len);
    154   if (stat) {
    155     auth_dealloc(str->rtp_auth);
    156     cipher_dealloc(str->rtp_cipher);
    157     crypto_free(str->limit);
    158     crypto_free(str);
    159     return stat;
    160   }
    161 
    162   /* allocate auth function */
    163   stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
    164 				  &str->rtcp_auth,
    165 				  p->rtcp.auth_key_len,
    166 				  p->rtcp.auth_tag_len);
    167   if (stat) {
    168     cipher_dealloc(str->rtcp_cipher);
    169     auth_dealloc(str->rtp_auth);
    170     cipher_dealloc(str->rtp_cipher);
    171     crypto_free(str->limit);
    172     crypto_free(str);
    173    return stat;
    174   }
    175 
    176   /* allocate ekt data associated with stream */
    177   stat = ekt_alloc(&str->ekt, p->ekt);
    178   if (stat) {
    179     auth_dealloc(str->rtcp_auth);
    180     cipher_dealloc(str->rtcp_cipher);
    181     auth_dealloc(str->rtp_auth);
    182     cipher_dealloc(str->rtp_cipher);
    183     crypto_free(str->limit);
    184     crypto_free(str);
    185    return stat;
    186   }
    187 
    188   return err_status_ok;
    189 }
    190 
    191 err_status_t
    192 srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) {
    193   err_status_t status;
    194 
    195   /*
    196    * we use a conservative deallocation strategy - if any deallocation
    197    * fails, then we report that fact without trying to deallocate
    198    * anything else
    199    */
    200 
    201   /* deallocate cipher, if it is not the same as that in template */
    202   if (session->stream_template
    203       && stream->rtp_cipher == session->stream_template->rtp_cipher) {
    204     /* do nothing */
    205   } else {
    206     status = cipher_dealloc(stream->rtp_cipher);
    207     if (status)
    208       return status;
    209   }
    210 
    211   /* deallocate auth function, if it is not the same as that in template */
    212   if (session->stream_template
    213       && stream->rtp_auth == session->stream_template->rtp_auth) {
    214     /* do nothing */
    215   } else {
    216     status = auth_dealloc(stream->rtp_auth);
    217     if (status)
    218       return status;
    219   }
    220 
    221   /* deallocate key usage limit, if it is not the same as that in template */
    222   if (session->stream_template
    223       && stream->limit == session->stream_template->limit) {
    224     /* do nothing */
    225   } else {
    226     crypto_free(stream->limit);
    227   }
    228 
    229   /*
    230    * deallocate rtcp cipher, if it is not the same as that in
    231    * template
    232    */
    233   if (session->stream_template
    234       && stream->rtcp_cipher == session->stream_template->rtcp_cipher) {
    235     /* do nothing */
    236   } else {
    237     status = cipher_dealloc(stream->rtcp_cipher);
    238     if (status)
    239       return status;
    240   }
    241 
    242   /*
    243    * deallocate rtcp auth function, if it is not the same as that in
    244    * template
    245    */
    246   if (session->stream_template
    247       && stream->rtcp_auth == session->stream_template->rtcp_auth) {
    248     /* do nothing */
    249   } else {
    250     status = auth_dealloc(stream->rtcp_auth);
    251     if (status)
    252       return status;
    253   }
    254 
    255   status = rdbx_dealloc(&stream->rtp_rdbx);
    256   if (status)
    257     return status;
    258 
    259   /* DAM - need to deallocate EKT here */
    260 
    261   /* deallocate srtp stream context */
    262   crypto_free(stream);
    263 
    264   return err_status_ok;
    265 }
    266 
    267 
    268 /*
    269  * srtp_stream_clone(stream_template, new) allocates a new stream and
    270  * initializes it using the cipher and auth of the stream_template
    271  *
    272  * the only unique data in a cloned stream is the replay database and
    273  * the SSRC
    274  */
    275 
    276 err_status_t
    277 srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
    278 		  uint32_t ssrc,
    279 		  srtp_stream_ctx_t **str_ptr) {
    280   err_status_t status;
    281   srtp_stream_ctx_t *str;
    282 
    283   debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
    284 
    285   /* allocate srtp stream and set str_ptr */
    286   str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
    287   if (str == NULL)
    288     return err_status_alloc_fail;
    289   *str_ptr = str;
    290 
    291   /* set cipher and auth pointers to those of the template */
    292   str->rtp_cipher  = stream_template->rtp_cipher;
    293   str->rtp_auth    = stream_template->rtp_auth;
    294   str->rtcp_cipher = stream_template->rtcp_cipher;
    295   str->rtcp_auth   = stream_template->rtcp_auth;
    296 
    297   /* set key limit to point to that of the template */
    298   status = key_limit_clone(stream_template->limit, &str->limit);
    299   if (status)
    300     return status;
    301 
    302   /* initialize replay databases */
    303   status = rdbx_init(&str->rtp_rdbx,
    304 		     rdbx_get_window_size(&stream_template->rtp_rdbx));
    305   if (status)
    306     return status;
    307   rdb_init(&str->rtcp_rdb);
    308   str->allow_repeat_tx = stream_template->allow_repeat_tx;
    309 
    310   /* set ssrc to that provided */
    311   str->ssrc = ssrc;
    312 
    313   /* set direction and security services */
    314   str->direction     = stream_template->direction;
    315   str->rtp_services  = stream_template->rtp_services;
    316   str->rtcp_services = stream_template->rtcp_services;
    317 
    318   /* set pointer to EKT data associated with stream */
    319   str->ekt = stream_template->ekt;
    320 
    321   /* defensive coding */
    322   str->next = NULL;
    323 
    324   return err_status_ok;
    325 }
    326 
    327 
    328 /*
    329  * key derivation functions, internal to libSRTP
    330  *
    331  * srtp_kdf_t is a key derivation context
    332  *
    333  * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher
    334  * described by cipher_id, with the master key k with length in octets keylen.
    335  *
    336  * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
    337  * corresponding to label l and puts it into kl; the length
    338  * of the key in octets is provided as keylen.  this function
    339  * should be called once for each subkey that is derived.
    340  *
    341  * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state
    342  */
    343 
    344 typedef enum {
    345   label_rtp_encryption  = 0x00,
    346   label_rtp_msg_auth    = 0x01,
    347   label_rtp_salt        = 0x02,
    348   label_rtcp_encryption = 0x03,
    349   label_rtcp_msg_auth   = 0x04,
    350   label_rtcp_salt       = 0x05
    351 } srtp_prf_label;
    352 
    353 
    354 /*
    355  * srtp_kdf_t represents a key derivation function.  The SRTP
    356  * default KDF is the only one implemented at present.
    357  */
    358 
    359 typedef struct {
    360   cipher_t *cipher;    /* cipher used for key derivation  */
    361 } srtp_kdf_t;
    362 
    363 err_status_t
    364 srtp_kdf_init(srtp_kdf_t *kdf, cipher_type_id_t cipher_id, const uint8_t *key, int length) {
    365 
    366   err_status_t stat;
    367   stat = crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, length);
    368   if (stat)
    369     return stat;
    370 
    371   stat = cipher_init(kdf->cipher, key, direction_encrypt);
    372   if (stat) {
    373     cipher_dealloc(kdf->cipher);
    374     return stat;
    375   }
    376 
    377   return err_status_ok;
    378 }
    379 
    380 err_status_t
    381 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
    382 		  uint8_t *key, unsigned length) {
    383 
    384   v128_t nonce;
    385   err_status_t status;
    386 
    387   /* set eigth octet of nonce to <label>, set the rest of it to zero */
    388   v128_set_to_zero(&nonce);
    389   nonce.v8[7] = label;
    390 
    391   status = cipher_set_iv(kdf->cipher, &nonce);
    392   if (status)
    393     return status;
    394 
    395   /* generate keystream output */
    396   octet_string_set_to_zero(key, length);
    397   status = cipher_encrypt(kdf->cipher, key, &length);
    398   if (status)
    399     return status;
    400 
    401   return err_status_ok;
    402 }
    403 
    404 err_status_t
    405 srtp_kdf_clear(srtp_kdf_t *kdf) {
    406   err_status_t status;
    407   status = cipher_dealloc(kdf->cipher);
    408   if (status)
    409     return status;
    410   kdf->cipher = NULL;
    411 
    412   return err_status_ok;
    413 }
    414 
    415 /*
    416  *  end of key derivation functions
    417  */
    418 
    419 #define MAX_SRTP_KEY_LEN 256
    420 
    421 
    422 /* Get the base key length corresponding to a given combined key+salt
    423  * length for the given cipher.
    424  * Assumption is that for AES-ICM a key length < 30 is Ismacryp using
    425  * AES-128 and short salts; everything else uses a salt length of 14.
    426  * TODO: key and salt lengths should be separate fields in the policy.  */
    427 static INLINE int base_key_length(const cipher_type_t *cipher, int key_length)
    428 {
    429   if (cipher->id != AES_ICM)
    430     return key_length;
    431   else if (key_length > 16 && key_length < 30)
    432     return 16;
    433   return key_length - 14;
    434 }
    435 
    436 err_status_t
    437 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
    438   err_status_t stat;
    439   srtp_kdf_t kdf;
    440   uint8_t tmp_key[MAX_SRTP_KEY_LEN];
    441   int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
    442   int rtp_base_key_len, rtp_salt_len;
    443   int rtcp_base_key_len, rtcp_salt_len;
    444 
    445   /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
    446   /* TODO: kdf algorithm, master key length, and master salt length should
    447    * be part of srtp_policy_t. */
    448   rtp_keylen = cipher_get_key_length(srtp->rtp_cipher);
    449   if (rtp_keylen > kdf_keylen)
    450     kdf_keylen = rtp_keylen;
    451 
    452   rtcp_keylen = cipher_get_key_length(srtp->rtcp_cipher);
    453   if (rtcp_keylen > kdf_keylen)
    454     kdf_keylen = rtcp_keylen;
    455 
    456   /* initialize KDF state     */
    457   stat = srtp_kdf_init(&kdf, AES_ICM, (const uint8_t *)key, kdf_keylen);
    458   if (stat) {
    459     return err_status_init_fail;
    460   }
    461 
    462   rtp_base_key_len = base_key_length(srtp->rtp_cipher->type, rtp_keylen);
    463   rtp_salt_len = rtp_keylen - rtp_base_key_len;
    464 
    465   /* generate encryption key  */
    466   stat = srtp_kdf_generate(&kdf, label_rtp_encryption,
    467 			   tmp_key, rtp_base_key_len);
    468   if (stat) {
    469     /* zeroize temp buffer */
    470     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    471     return err_status_init_fail;
    472   }
    473 
    474   /*
    475    * if the cipher in the srtp context uses a salt, then we need
    476    * to generate the salt value
    477    */
    478   if (rtp_salt_len > 0) {
    479     debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
    480 
    481     /* generate encryption salt, put after encryption key */
    482     stat = srtp_kdf_generate(&kdf, label_rtp_salt,
    483 			     tmp_key + rtp_base_key_len, rtp_salt_len);
    484     if (stat) {
    485       /* zeroize temp buffer */
    486       octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    487       return err_status_init_fail;
    488     }
    489   }
    490   debug_print(mod_srtp, "cipher key: %s",
    491 	      octet_string_hex_string(tmp_key, rtp_base_key_len));
    492   if (rtp_salt_len > 0) {
    493     debug_print(mod_srtp, "cipher salt: %s",
    494 		octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len));
    495   }
    496 
    497   /* initialize cipher */
    498   stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any);
    499   if (stat) {
    500     /* zeroize temp buffer */
    501     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    502     return err_status_init_fail;
    503   }
    504 
    505   /* generate authentication key */
    506   stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth,
    507 			   tmp_key, auth_get_key_length(srtp->rtp_auth));
    508   if (stat) {
    509     /* zeroize temp buffer */
    510     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    511     return err_status_init_fail;
    512   }
    513   debug_print(mod_srtp, "auth key:   %s",
    514 	      octet_string_hex_string(tmp_key,
    515 				      auth_get_key_length(srtp->rtp_auth)));
    516 
    517   /* initialize auth function */
    518   stat = auth_init(srtp->rtp_auth, tmp_key);
    519   if (stat) {
    520     /* zeroize temp buffer */
    521     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    522     return err_status_init_fail;
    523   }
    524 
    525   /*
    526    * ...now initialize SRTCP keys
    527    */
    528 
    529   rtcp_base_key_len = base_key_length(srtp->rtcp_cipher->type, rtcp_keylen);
    530   rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
    531 
    532   /* generate encryption key  */
    533   stat = srtp_kdf_generate(&kdf, label_rtcp_encryption,
    534 			   tmp_key, rtcp_base_key_len);
    535   if (stat) {
    536     /* zeroize temp buffer */
    537     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    538     return err_status_init_fail;
    539   }
    540 
    541   /*
    542    * if the cipher in the srtp context uses a salt, then we need
    543    * to generate the salt value
    544    */
    545   if (rtcp_salt_len > 0) {
    546     debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
    547 		NULL);
    548 
    549     /* generate encryption salt, put after encryption key */
    550     stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
    551 			     tmp_key + rtcp_base_key_len, rtcp_salt_len);
    552     if (stat) {
    553       /* zeroize temp buffer */
    554       octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    555       return err_status_init_fail;
    556     }
    557   }
    558   debug_print(mod_srtp, "rtcp cipher key: %s",
    559 	      octet_string_hex_string(tmp_key, rtcp_base_key_len));
    560   if (rtcp_salt_len > 0) {
    561     debug_print(mod_srtp, "rtcp cipher salt: %s",
    562 		octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_len));
    563   }
    564 
    565   /* initialize cipher */
    566   stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any);
    567   if (stat) {
    568     /* zeroize temp buffer */
    569     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    570     return err_status_init_fail;
    571   }
    572 
    573   /* generate authentication key */
    574   stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
    575 			   tmp_key, auth_get_key_length(srtp->rtcp_auth));
    576   if (stat) {
    577     /* zeroize temp buffer */
    578     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    579     return err_status_init_fail;
    580   }
    581 
    582   debug_print(mod_srtp, "rtcp auth key:   %s",
    583 	      octet_string_hex_string(tmp_key,
    584 		     auth_get_key_length(srtp->rtcp_auth)));
    585 
    586   /* initialize auth function */
    587   stat = auth_init(srtp->rtcp_auth, tmp_key);
    588   if (stat) {
    589     /* zeroize temp buffer */
    590     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    591     return err_status_init_fail;
    592   }
    593 
    594   /* clear memory then return */
    595   stat = srtp_kdf_clear(&kdf);
    596   octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
    597   if (stat)
    598     return err_status_init_fail;
    599 
    600   return err_status_ok;
    601 }
    602 
    603 err_status_t
    604 srtp_stream_init(srtp_stream_ctx_t *srtp,
    605 		  const srtp_policy_t *p) {
    606   err_status_t err;
    607 
    608    debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)",
    609 	       p->ssrc.value);
    610 
    611    /* initialize replay database */
    612    /* window size MUST be at least 64.  MAY be larger.  Values more than
    613     * 2^15 aren't meaningful due to how extended sequence numbers are
    614     * calculated.   Let a window size of 0 imply the default value. */
    615 
    616    if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000))
    617      return err_status_bad_param;
    618 
    619    if (p->window_size != 0)
    620      err = rdbx_init(&srtp->rtp_rdbx, p->window_size);
    621    else
    622      err = rdbx_init(&srtp->rtp_rdbx, 128);
    623    if (err) return err;
    624 
    625    /* initialize key limit to maximum value */
    626 #ifdef NO_64BIT_MATH
    627 {
    628    uint64_t temp;
    629    temp = make64(UINT_MAX,UINT_MAX);
    630    key_limit_set(srtp->limit, temp);
    631 }
    632 #else
    633    key_limit_set(srtp->limit, 0xffffffffffffLL);
    634 #endif
    635 
    636    /* set the SSRC value */
    637    srtp->ssrc = htonl(p->ssrc.value);
    638 
    639    /* set the security service flags */
    640    srtp->rtp_services  = p->rtp.sec_serv;
    641    srtp->rtcp_services = p->rtcp.sec_serv;
    642 
    643    /*
    644     * set direction to unknown - this flag gets checked in srtp_protect(),
    645     * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
    646     * gets set appropriately if it is set to unknown.
    647     */
    648    srtp->direction = dir_unknown;
    649 
    650    /* initialize SRTCP replay database */
    651    rdb_init(&srtp->rtcp_rdb);
    652 
    653    /* initialize allow_repeat_tx */
    654    /* guard against uninitialized memory: allow only 0 or 1 here */
    655    if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) {
    656      rdbx_dealloc(&srtp->rtp_rdbx);
    657      return err_status_bad_param;
    658    }
    659    srtp->allow_repeat_tx = p->allow_repeat_tx;
    660 
    661    /* DAM - no RTCP key limit at present */
    662 
    663    /* initialize keys */
    664    err = srtp_stream_init_keys(srtp, p->key);
    665    if (err) {
    666      rdbx_dealloc(&srtp->rtp_rdbx);
    667      return err;
    668    }
    669 
    670    /*
    671     * if EKT is in use, then initialize the EKT data associated with
    672     * the stream
    673     */
    674    err = ekt_stream_init_from_policy(srtp->ekt, p->ekt);
    675    if (err) {
    676      rdbx_dealloc(&srtp->rtp_rdbx);
    677      return err;
    678    }
    679 
    680    return err_status_ok;
    681  }
    682 
    683 
    684  /*
    685   * srtp_event_reporter is an event handler function that merely
    686   * reports the events that are reported by the callbacks
    687   */
    688 
    689  void
    690  srtp_event_reporter(srtp_event_data_t *data) {
    691 
    692    err_report(err_level_warning, "srtp: in stream 0x%x: ",
    693 	      data->stream->ssrc);
    694 
    695    switch(data->event) {
    696    case event_ssrc_collision:
    697      err_report(err_level_warning, "\tSSRC collision\n");
    698      break;
    699    case event_key_soft_limit:
    700      err_report(err_level_warning, "\tkey usage soft limit reached\n");
    701      break;
    702    case event_key_hard_limit:
    703      err_report(err_level_warning, "\tkey usage hard limit reached\n");
    704      break;
    705    case event_packet_index_limit:
    706      err_report(err_level_warning, "\tpacket index limit reached\n");
    707      break;
    708    default:
    709      err_report(err_level_warning, "\tunknown event reported to handler\n");
    710    }
    711  }
    712 
    713  /*
    714   * srtp_event_handler is a global variable holding a pointer to the
    715   * event handler function; this function is called for any unexpected
    716   * event that needs to be handled out of the SRTP data path.  see
    717   * srtp_event_t in srtp.h for more info
    718   *
    719   * it is okay to set srtp_event_handler to NULL, but we set
    720   * it to the srtp_event_reporter.
    721   */
    722 
    723  static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
    724 
    725  err_status_t
    726  srtp_install_event_handler(srtp_event_handler_func_t func) {
    727 
    728    /*
    729     * note that we accept NULL arguments intentionally - calling this
    730     * function with a NULL arguments removes an event handler that's
    731     * been previously installed
    732     */
    733 
    734    /* set global event handling function */
    735    srtp_event_handler = func;
    736    return err_status_ok;
    737  }
    738 
    739  err_status_t
    740  srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
    741    srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
    742    uint32_t *enc_start;        /* pointer to start of encrypted portion  */
    743    uint32_t *auth_start;       /* pointer to start of auth. portion      */
    744    unsigned enc_octet_len = 0; /* number of octets in encrypted portion  */
    745    xtd_seq_num_t est;          /* estimated xtd_seq_num_t of *hdr        */
    746    int delta;                  /* delta of local pkt idx and that in hdr */
    747    uint8_t *auth_tag = NULL;   /* location of auth_tag within packet     */
    748    err_status_t status;
    749    int tag_len;
    750    srtp_stream_ctx_t *stream;
    751    int prefix_len;
    752 
    753    debug_print(mod_srtp, "function srtp_protect", NULL);
    754 
    755   /* we assume the hdr is 32-bit aligned to start */
    756 
    757   /* Verify RTP header */
    758   status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len);
    759   if (status)
    760     return status;
    761 
    762    /*
    763     * look up ssrc in srtp_stream list, and process the packet with
    764     * the appropriate stream.  if we haven't seen this stream before,
    765     * there's a template key for this srtp_session, and the cipher
    766     * supports key-sharing, then we assume that a new stream using
    767     * that key has just started up
    768     */
    769    stream = srtp_get_stream(ctx, hdr->ssrc);
    770    if (stream == NULL) {
    771      if (ctx->stream_template != NULL) {
    772        srtp_stream_ctx_t *new_stream;
    773 
    774        /* allocate and initialize a new stream */
    775        status = srtp_stream_clone(ctx->stream_template,
    776 				  hdr->ssrc, &new_stream);
    777        if (status)
    778 	 return status;
    779 
    780        /* add new stream to the head of the stream_list */
    781        new_stream->next = ctx->stream_list;
    782        ctx->stream_list = new_stream;
    783 
    784        /* set direction to outbound */
    785        new_stream->direction = dir_srtp_sender;
    786 
    787        /* set stream (the pointer used in this function) */
    788        stream = new_stream;
    789      } else {
    790        /* no template stream, so we return an error */
    791        return err_status_no_ctx;
    792      }
    793    }
    794 
    795    /*
    796     * verify that stream is for sending traffic - this check will
    797     * detect SSRC collisions, since a stream that appears in both
    798     * srtp_protect() and srtp_unprotect() will fail this test in one of
    799     * those functions.
    800     */
    801    if (stream->direction != dir_srtp_sender) {
    802      if (stream->direction == dir_unknown) {
    803        stream->direction = dir_srtp_sender;
    804      } else {
    805        srtp_handle_event(ctx, stream, event_ssrc_collision);
    806      }
    807    }
    808 
    809   /*
    810    * update the key usage limit, and check it to make sure that we
    811    * didn't just hit either the soft limit or the hard limit, and call
    812    * the event handler if we hit either.
    813    */
    814   switch(key_limit_update(stream->limit)) {
    815   case key_event_normal:
    816     break;
    817   case key_event_soft_limit:
    818     srtp_handle_event(ctx, stream, event_key_soft_limit);
    819     break;
    820   case key_event_hard_limit:
    821     srtp_handle_event(ctx, stream, event_key_hard_limit);
    822 	return err_status_key_expired;
    823   default:
    824     break;
    825   }
    826 
    827    /* get tag length from stream */
    828    tag_len = auth_get_tag_length(stream->rtp_auth);
    829 
    830    /*
    831     * find starting point for encryption and length of data to be
    832     * encrypted - the encrypted portion starts after the rtp header
    833     * extension, if present; otherwise, it starts after the last csrc,
    834     * if any are present
    835     *
    836     * if we're not providing confidentiality, set enc_start to NULL
    837     */
    838    if (stream->rtp_services & sec_serv_conf) {
    839      enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
    840      if (hdr->x == 1) {
    841        srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
    842        enc_start += (ntohs(xtn_hdr->length) + 1);
    843      }
    844      enc_octet_len = (unsigned int)(*pkt_octet_len
    845 				    - ((enc_start - (uint32_t *)hdr) << 2));
    846    } else {
    847      enc_start = NULL;
    848    }
    849 
    850    /*
    851     * if we're providing authentication, set the auth_start and auth_tag
    852     * pointers to the proper locations; otherwise, set auth_start to NULL
    853     * to indicate that no authentication is needed
    854     */
    855    if (stream->rtp_services & sec_serv_auth) {
    856      auth_start = (uint32_t *)hdr;
    857      auth_tag = (uint8_t *)hdr + *pkt_octet_len;
    858    } else {
    859      auth_start = NULL;
    860      auth_tag = NULL;
    861    }
    862 
    863    /*
    864     * estimate the packet index using the start of the replay window
    865     * and the sequence number from the header
    866     */
    867    delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
    868    status = rdbx_check(&stream->rtp_rdbx, delta);
    869    if (status) {
    870      if (status != err_status_replay_fail || !stream->allow_repeat_tx)
    871        return status;  /* we've been asked to reuse an index */
    872    }
    873    else
    874      rdbx_add_index(&stream->rtp_rdbx, delta);
    875 
    876 #ifdef NO_64BIT_MATH
    877    debug_print2(mod_srtp, "estimated packet index: %08x%08x",
    878 		high32(est),low32(est));
    879 #else
    880    debug_print(mod_srtp, "estimated packet index: %016llx", est);
    881 #endif
    882 
    883    /*
    884     * if we're using rindael counter mode, set nonce and seq
    885     */
    886    if (stream->rtp_cipher->type->id == AES_ICM) {
    887      v128_t iv;
    888 
    889      iv.v32[0] = 0;
    890      iv.v32[1] = hdr->ssrc;
    891 #ifdef NO_64BIT_MATH
    892      iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
    893 								 low32(est) << 16));
    894 #else
    895      iv.v64[1] = be64_to_cpu(est << 16);
    896 #endif
    897      status = cipher_set_iv(stream->rtp_cipher, &iv);
    898 
    899    } else {
    900      v128_t iv;
    901 
    902      /* otherwise, set the index to est */
    903 #ifdef NO_64BIT_MATH
    904      iv.v32[0] = 0;
    905      iv.v32[1] = 0;
    906 #else
    907      iv.v64[0] = 0;
    908 #endif
    909      iv.v64[1] = be64_to_cpu(est);
    910      status = cipher_set_iv(stream->rtp_cipher, &iv);
    911    }
    912    if (status)
    913      return err_status_cipher_fail;
    914 
    915    /* shift est, put into network byte order */
    916 #ifdef NO_64BIT_MATH
    917    est = be64_to_cpu(make64((high32(est) << 16) |
    918 						 (low32(est) >> 16),
    919 						 low32(est) << 16));
    920 #else
    921    est = be64_to_cpu(est << 16);
    922 #endif
    923 
    924    /*
    925     * if we're authenticating using a universal hash, put the keystream
    926     * prefix into the authentication tag
    927     */
    928    if (auth_start) {
    929 
    930     prefix_len = auth_get_prefix_length(stream->rtp_auth);
    931     if (prefix_len) {
    932       status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len);
    933       if (status)
    934 	return err_status_cipher_fail;
    935       debug_print(mod_srtp, "keystream prefix: %s",
    936 		  octet_string_hex_string(auth_tag, prefix_len));
    937     }
    938   }
    939 
    940   /* if we're encrypting, exor keystream into the message */
    941   if (enc_start) {
    942     status = cipher_encrypt(stream->rtp_cipher,
    943 			    (uint8_t *)enc_start, &enc_octet_len);
    944     if (status)
    945       return err_status_cipher_fail;
    946   }
    947 
    948   /*
    949    *  if we're authenticating, run authentication function and put result
    950    *  into the auth_tag
    951    */
    952   if (auth_start) {
    953 
    954     /* initialize auth func context */
    955     status = auth_start(stream->rtp_auth);
    956     if (status) return status;
    957 
    958     /* run auth func over packet */
    959     status = auth_update(stream->rtp_auth,
    960 			 (uint8_t *)auth_start, *pkt_octet_len);
    961     if (status) return status;
    962 
    963     /* run auth func over ROC, put result into auth_tag */
    964     debug_print(mod_srtp, "estimated packet index: %016llx", est);
    965     status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);
    966     debug_print(mod_srtp, "srtp auth tag:    %s",
    967 		octet_string_hex_string(auth_tag, tag_len));
    968     if (status)
    969       return err_status_auth_fail;
    970 
    971   }
    972 
    973   if (auth_tag) {
    974 
    975     /* increase the packet length by the length of the auth tag */
    976     *pkt_octet_len += tag_len;
    977   }
    978 
    979   return err_status_ok;
    980 }
    981 
    982 
    983 err_status_t
    984 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
    985   srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
    986   uint32_t *enc_start;      /* pointer to start of encrypted portion  */
    987   uint32_t *auth_start;     /* pointer to start of auth. portion      */
    988   unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
    989   uint8_t *auth_tag = NULL; /* location of auth_tag within packet     */
    990   xtd_seq_num_t est;        /* estimated xtd_seq_num_t of *hdr        */
    991   int delta;                /* delta of local pkt idx and that in hdr */
    992   v128_t iv;
    993   err_status_t status;
    994   srtp_stream_ctx_t *stream;
    995   uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
    996   int tag_len, prefix_len;
    997 
    998   debug_print(mod_srtp, "function srtp_unprotect", NULL);
    999 
   1000   /* we assume the hdr is 32-bit aligned to start */
   1001 
   1002   /* Verify RTP header */
   1003   status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len);
   1004   if (status)
   1005     return status;
   1006 
   1007   /*
   1008    * look up ssrc in srtp_stream list, and process the packet with
   1009    * the appropriate stream.  if we haven't seen this stream before,
   1010    * there's only one key for this srtp_session, and the cipher
   1011    * supports key-sharing, then we assume that a new stream using
   1012    * that key has just started up
   1013    */
   1014   stream = srtp_get_stream(ctx, hdr->ssrc);
   1015   if (stream == NULL) {
   1016     if (ctx->stream_template != NULL) {
   1017       stream = ctx->stream_template;
   1018       debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
   1019 		  hdr->ssrc);
   1020 
   1021       /*
   1022        * set estimated packet index to sequence number from header,
   1023        * and set delta equal to the same value
   1024        */
   1025 #ifdef NO_64BIT_MATH
   1026       est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq));
   1027       delta = low32(est);
   1028 #else
   1029       est = (xtd_seq_num_t) ntohs(hdr->seq);
   1030       delta = (int)est;
   1031 #endif
   1032     } else {
   1033 
   1034       /*
   1035        * no stream corresponding to SSRC found, and we don't do
   1036        * key-sharing, so return an error
   1037        */
   1038       return err_status_no_ctx;
   1039     }
   1040   } else {
   1041 
   1042     /* estimate packet index from seq. num. in header */
   1043     delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
   1044 
   1045     /* check replay database */
   1046     status = rdbx_check(&stream->rtp_rdbx, delta);
   1047     if (status)
   1048       return status;
   1049   }
   1050 
   1051 #ifdef NO_64BIT_MATH
   1052   debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32(est));
   1053 #else
   1054   debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
   1055 #endif
   1056 
   1057   /* get tag length from stream */
   1058   tag_len = auth_get_tag_length(stream->rtp_auth);
   1059 
   1060   /*
   1061    * set the cipher's IV properly, depending on whatever cipher we
   1062    * happen to be using
   1063    */
   1064   if (stream->rtp_cipher->type->id == AES_ICM) {
   1065 
   1066     /* aes counter mode */
   1067     iv.v32[0] = 0;
   1068     iv.v32[1] = hdr->ssrc;  /* still in network order */
   1069 #ifdef NO_64BIT_MATH
   1070     iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
   1071 			         low32(est) << 16));
   1072 #else
   1073     iv.v64[1] = be64_to_cpu(est << 16);
   1074 #endif
   1075     status = cipher_set_iv(stream->rtp_cipher, &iv);
   1076   } else {
   1077 
   1078     /* no particular format - set the iv to the pakcet index */
   1079 #ifdef NO_64BIT_MATH
   1080     iv.v32[0] = 0;
   1081     iv.v32[1] = 0;
   1082 #else
   1083     iv.v64[0] = 0;
   1084 #endif
   1085     iv.v64[1] = be64_to_cpu(est);
   1086     status = cipher_set_iv(stream->rtp_cipher, &iv);
   1087   }
   1088   if (status)
   1089     return err_status_cipher_fail;
   1090 
   1091   /* shift est, put into network byte order */
   1092 #ifdef NO_64BIT_MATH
   1093   est = be64_to_cpu(make64((high32(est) << 16) |
   1094 					    (low32(est) >> 16),
   1095 					    low32(est) << 16));
   1096 #else
   1097   est = be64_to_cpu(est << 16);
   1098 #endif
   1099 
   1100   /*
   1101    * find starting point for decryption and length of data to be
   1102    * decrypted - the encrypted portion starts after the rtp header
   1103    * extension, if present; otherwise, it starts after the last csrc,
   1104    * if any are present
   1105    *
   1106    * if we're not providing confidentiality, set enc_start to NULL
   1107    */
   1108   if (stream->rtp_services & sec_serv_conf) {
   1109     enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
   1110     if (hdr->x == 1) {
   1111       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
   1112       enc_start += (ntohs(xtn_hdr->length) + 1);
   1113     }
   1114     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
   1115 			       - ((enc_start - (uint32_t *)hdr) << 2));
   1116   } else {
   1117     enc_start = NULL;
   1118   }
   1119 
   1120   /*
   1121    * if we're providing authentication, set the auth_start and auth_tag
   1122    * pointers to the proper locations; otherwise, set auth_start to NULL
   1123    * to indicate that no authentication is needed
   1124    */
   1125   if (stream->rtp_services & sec_serv_auth) {
   1126     auth_start = (uint32_t *)hdr;
   1127     auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
   1128   } else {
   1129     auth_start = NULL;
   1130     auth_tag = NULL;
   1131   }
   1132 
   1133   /*
   1134    * if we expect message authentication, run the authentication
   1135    * function and compare the result with the value of the auth_tag
   1136    */
   1137   if (auth_start) {
   1138 
   1139     /*
   1140      * if we're using a universal hash, then we need to compute the
   1141      * keystream prefix for encrypting the universal hash output
   1142      *
   1143      * if the keystream prefix length is zero, then we know that
   1144      * the authenticator isn't using a universal hash function
   1145      */
   1146     if (stream->rtp_auth->prefix_len != 0) {
   1147 
   1148       prefix_len = auth_get_prefix_length(stream->rtp_auth);
   1149       status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len);
   1150       debug_print(mod_srtp, "keystream prefix: %s",
   1151 		  octet_string_hex_string(tmp_tag, prefix_len));
   1152       if (status)
   1153 	return err_status_cipher_fail;
   1154     }
   1155 
   1156     /* initialize auth func context */
   1157     status = auth_start(stream->rtp_auth);
   1158     if (status) return status;
   1159 
   1160     /* now compute auth function over packet */
   1161     status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,
   1162 			 *pkt_octet_len - tag_len);
   1163 
   1164     /* run auth func over ROC, then write tmp tag */
   1165     status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);
   1166 
   1167     debug_print(mod_srtp, "computed auth tag:    %s",
   1168 		octet_string_hex_string(tmp_tag, tag_len));
   1169     debug_print(mod_srtp, "packet auth tag:      %s",
   1170 		octet_string_hex_string(auth_tag, tag_len));
   1171     if (status)
   1172       return err_status_auth_fail;
   1173 
   1174     if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
   1175       return err_status_auth_fail;
   1176   }
   1177 
   1178   /*
   1179    * update the key usage limit, and check it to make sure that we
   1180    * didn't just hit either the soft limit or the hard limit, and call
   1181    * the event handler if we hit either.
   1182    */
   1183   switch(key_limit_update(stream->limit)) {
   1184   case key_event_normal:
   1185     break;
   1186   case key_event_soft_limit:
   1187     srtp_handle_event(ctx, stream, event_key_soft_limit);
   1188     break;
   1189   case key_event_hard_limit:
   1190     srtp_handle_event(ctx, stream, event_key_hard_limit);
   1191     return err_status_key_expired;
   1192   default:
   1193     break;
   1194   }
   1195 
   1196   /* if we're decrypting, add keystream into ciphertext */
   1197   if (enc_start) {
   1198     status = cipher_decrypt(stream->rtp_cipher,
   1199 			    (uint8_t *)enc_start, &enc_octet_len);
   1200     if (status)
   1201       return err_status_cipher_fail;
   1202   }
   1203 
   1204   /*
   1205    * verify that stream is for received traffic - this check will
   1206    * detect SSRC collisions, since a stream that appears in both
   1207    * srtp_protect() and srtp_unprotect() will fail this test in one of
   1208    * those functions.
   1209    *
   1210    * we do this check *after* the authentication check, so that the
   1211    * latter check will catch any attempts to fool us into thinking
   1212    * that we've got a collision
   1213    */
   1214   if (stream->direction != dir_srtp_receiver) {
   1215     if (stream->direction == dir_unknown) {
   1216       stream->direction = dir_srtp_receiver;
   1217     } else {
   1218       srtp_handle_event(ctx, stream, event_ssrc_collision);
   1219     }
   1220   }
   1221 
   1222   /*
   1223    * if the stream is a 'provisional' one, in which the template context
   1224    * is used, then we need to allocate a new stream at this point, since
   1225    * the authentication passed
   1226    */
   1227   if (stream == ctx->stream_template) {
   1228     srtp_stream_ctx_t *new_stream;
   1229 
   1230     /*
   1231      * allocate and initialize a new stream
   1232      *
   1233      * note that we indicate failure if we can't allocate the new
   1234      * stream, and some implementations will want to not return
   1235      * failure here
   1236      */
   1237     status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
   1238     if (status)
   1239       return status;
   1240 
   1241     /* add new stream to the head of the stream_list */
   1242     new_stream->next = ctx->stream_list;
   1243     ctx->stream_list = new_stream;
   1244 
   1245     /* set stream (the pointer used in this function) */
   1246     stream = new_stream;
   1247   }
   1248 
   1249   /*
   1250    * the message authentication function passed, so add the packet
   1251    * index into the replay database
   1252    */
   1253   rdbx_add_index(&stream->rtp_rdbx, delta);
   1254 
   1255   /* decrease the packet length by the length of the auth tag */
   1256   *pkt_octet_len -= tag_len;
   1257 
   1258   return err_status_ok;
   1259 }
   1260 
   1261 err_status_t
   1262 srtp_init() {
   1263   err_status_t status;
   1264 
   1265   /* initialize crypto kernel */
   1266   status = crypto_kernel_init();
   1267   if (status)
   1268     return status;
   1269 
   1270   /* load srtp debug module into the kernel */
   1271   status = crypto_kernel_load_debug_module(&mod_srtp);
   1272   if (status)
   1273     return status;
   1274 
   1275   return err_status_ok;
   1276 }
   1277 
   1278 err_status_t
   1279 srtp_shutdown() {
   1280   err_status_t status;
   1281 
   1282   /* shut down crypto kernel */
   1283   status = crypto_kernel_shutdown();
   1284   if (status)
   1285     return status;
   1286 
   1287   /* shutting down crypto kernel frees the srtp debug module as well */
   1288 
   1289   return err_status_ok;
   1290 }
   1291 
   1292 
   1293 /*
   1294  * The following code is under consideration for removal.  See
   1295  * SRTP_MAX_TRAILER_LEN
   1296  */
   1297 #if 0
   1298 
   1299 /*
   1300  * srtp_get_trailer_length(&a) returns the number of octets that will
   1301  * be added to an RTP packet by the SRTP processing.  This value
   1302  * is constant for a given srtp_stream_t (i.e. between initializations).
   1303  */
   1304 
   1305 int
   1306 srtp_get_trailer_length(const srtp_stream_t s) {
   1307   return auth_get_tag_length(s->rtp_auth);
   1308 }
   1309 
   1310 #endif
   1311 
   1312 /*
   1313  * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
   1314  * to ssrc, or NULL if no stream exists for that ssrc
   1315  *
   1316  * this is an internal function
   1317  */
   1318 
   1319 srtp_stream_ctx_t *
   1320 srtp_get_stream(srtp_t srtp, uint32_t ssrc) {
   1321   srtp_stream_ctx_t *stream;
   1322 
   1323   /* walk down list until ssrc is found */
   1324   stream = srtp->stream_list;
   1325   while (stream != NULL) {
   1326     if (stream->ssrc == ssrc)
   1327       return stream;
   1328     stream = stream->next;
   1329   }
   1330 
   1331   /* we haven't found our ssrc, so return a null */
   1332   return NULL;
   1333 }
   1334 
   1335 err_status_t
   1336 srtp_dealloc(srtp_t session) {
   1337   srtp_stream_ctx_t *stream;
   1338   err_status_t status;
   1339 
   1340   /*
   1341    * we take a conservative deallocation strategy - if we encounter an
   1342    * error deallocating a stream, then we stop trying to deallocate
   1343    * memory and just return an error
   1344    */
   1345 
   1346   /* walk list of streams, deallocating as we go */
   1347   stream = session->stream_list;
   1348   while (stream != NULL) {
   1349     srtp_stream_t next = stream->next;
   1350     status = srtp_stream_dealloc(session, stream);
   1351     if (status)
   1352       return status;
   1353     stream = next;
   1354   }
   1355 
   1356   /* deallocate stream template, if there is one */
   1357   if (session->stream_template != NULL) {
   1358     status = auth_dealloc(session->stream_template->rtcp_auth);
   1359     if (status)
   1360       return status;
   1361     status = cipher_dealloc(session->stream_template->rtcp_cipher);
   1362     if (status)
   1363       return status;
   1364     crypto_free(session->stream_template->limit);
   1365     status = cipher_dealloc(session->stream_template->rtp_cipher);
   1366     if (status)
   1367       return status;
   1368     status = auth_dealloc(session->stream_template->rtp_auth);
   1369     if (status)
   1370       return status;
   1371     status = rdbx_dealloc(&session->stream_template->rtp_rdbx);
   1372     if (status)
   1373       return status;
   1374     crypto_free(session->stream_template);
   1375   }
   1376 
   1377   /* deallocate session context */
   1378   crypto_free(session);
   1379 
   1380   return err_status_ok;
   1381 }
   1382 
   1383 
   1384 err_status_t
   1385 srtp_add_stream(srtp_t session,
   1386 		const srtp_policy_t *policy)  {
   1387   err_status_t status;
   1388   srtp_stream_t tmp;
   1389 
   1390   /* sanity check arguments */
   1391   if ((session == NULL) || (policy == NULL) || (policy->key == NULL))
   1392     return err_status_bad_param;
   1393 
   1394   /* allocate stream  */
   1395   status = srtp_stream_alloc(&tmp, policy);
   1396   if (status) {
   1397     return status;
   1398   }
   1399 
   1400   /* initialize stream  */
   1401   status = srtp_stream_init(tmp, policy);
   1402   if (status) {
   1403     crypto_free(tmp);
   1404     return status;
   1405   }
   1406 
   1407   /*
   1408    * set the head of the stream list or the template to point to the
   1409    * stream that we've just alloced and init'ed, depending on whether
   1410    * or not it has a wildcard SSRC value or not
   1411    *
   1412    * if the template stream has already been set, then the policy is
   1413    * inconsistent, so we return a bad_param error code
   1414    */
   1415   switch (policy->ssrc.type) {
   1416   case (ssrc_any_outbound):
   1417     if (session->stream_template) {
   1418       return err_status_bad_param;
   1419     }
   1420     session->stream_template = tmp;
   1421     session->stream_template->direction = dir_srtp_sender;
   1422     break;
   1423   case (ssrc_any_inbound):
   1424     if (session->stream_template) {
   1425       return err_status_bad_param;
   1426     }
   1427     session->stream_template = tmp;
   1428     session->stream_template->direction = dir_srtp_receiver;
   1429     break;
   1430   case (ssrc_specific):
   1431     tmp->next = session->stream_list;
   1432     session->stream_list = tmp;
   1433     break;
   1434   case (ssrc_undefined):
   1435   default:
   1436     crypto_free(tmp);
   1437     return err_status_bad_param;
   1438   }
   1439 
   1440   return err_status_ok;
   1441 }
   1442 
   1443 
   1444 err_status_t
   1445 srtp_create(srtp_t *session,               /* handle for session     */
   1446 	    const srtp_policy_t *policy) { /* SRTP policy (list)     */
   1447   err_status_t stat;
   1448   srtp_ctx_t *ctx;
   1449 
   1450   /* sanity check arguments */
   1451   if (session == NULL)
   1452     return err_status_bad_param;
   1453 
   1454   /* allocate srtp context and set ctx_ptr */
   1455   ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));
   1456   if (ctx == NULL)
   1457     return err_status_alloc_fail;
   1458   *session = ctx;
   1459 
   1460   /*
   1461    * loop over elements in the policy list, allocating and
   1462    * initializing a stream for each element
   1463    */
   1464   ctx->stream_template = NULL;
   1465   ctx->stream_list = NULL;
   1466   while (policy != NULL) {
   1467 
   1468     stat = srtp_add_stream(ctx, policy);
   1469     if (stat) {
   1470       /* clean up everything */
   1471       srtp_dealloc(*session);
   1472       return stat;
   1473     }
   1474 
   1475     /* set policy to next item in list  */
   1476     policy = policy->next;
   1477   }
   1478 
   1479   return err_status_ok;
   1480 }
   1481 
   1482 
   1483 err_status_t
   1484 srtp_remove_stream(srtp_t session, uint32_t ssrc) {
   1485   srtp_stream_ctx_t *stream, *last_stream;
   1486   err_status_t status;
   1487 
   1488   /* sanity check arguments */
   1489   if (session == NULL)
   1490     return err_status_bad_param;
   1491 
   1492   /* find stream in list; complain if not found */
   1493   last_stream = stream = session->stream_list;
   1494   while ((stream != NULL) && (ssrc != stream->ssrc)) {
   1495     last_stream = stream;
   1496     stream = stream->next;
   1497   }
   1498   if (stream == NULL)
   1499     return err_status_no_ctx;
   1500 
   1501   /* remove stream from the list */
   1502   if (last_stream == stream)
   1503     /* stream was first in list */
   1504     session->stream_list = stream->next;
   1505   else
   1506     last_stream->next = stream->next;
   1507 
   1508   /* deallocate the stream */
   1509   status = srtp_stream_dealloc(session, stream);
   1510   if (status)
   1511     return status;
   1512 
   1513   return err_status_ok;
   1514 }
   1515 
   1516 
   1517 /*
   1518  * the default policy - provides a convenient way for callers to use
   1519  * the default security policy
   1520  *
   1521  * this policy is that defined in the current SRTP internet draft.
   1522  *
   1523  */
   1524 
   1525 /*
   1526  * NOTE: cipher_key_len is really key len (128 bits) plus salt len
   1527  *  (112 bits)
   1528  */
   1529 /* There are hard-coded 16's for base_key_len in the key generation code */
   1530 
   1531 void
   1532 crypto_policy_set_rtp_default(crypto_policy_t *p) {
   1533 
   1534   p->cipher_type     = AES_ICM;
   1535   p->cipher_key_len  = 30;                /* default 128 bits per RFC 3711 */
   1536   p->auth_type       = HMAC_SHA1;
   1537   p->auth_key_len    = 20;                /* default 160 bits per RFC 3711 */
   1538   p->auth_tag_len    = 10;                /* default 80 bits per RFC 3711 */
   1539   p->sec_serv        = sec_serv_conf_and_auth;
   1540 
   1541 }
   1542 
   1543 void
   1544 crypto_policy_set_rtcp_default(crypto_policy_t *p) {
   1545 
   1546   p->cipher_type     = AES_ICM;
   1547   p->cipher_key_len  = 30;                 /* default 128 bits per RFC 3711 */
   1548   p->auth_type       = HMAC_SHA1;
   1549   p->auth_key_len    = 20;                 /* default 160 bits per RFC 3711 */
   1550   p->auth_tag_len    = 10;                 /* default 80 bits per RFC 3711 */
   1551   p->sec_serv        = sec_serv_conf_and_auth;
   1552 
   1553 }
   1554 
   1555 void
   1556 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {
   1557 
   1558   /*
   1559    * corresponds to RFC 4568
   1560    *
   1561    * note that this crypto policy is intended for SRTP, but not SRTCP
   1562    */
   1563 
   1564   p->cipher_type     = AES_ICM;
   1565   p->cipher_key_len  = 30;                /* 128 bit key, 112 bit salt */
   1566   p->auth_type       = HMAC_SHA1;
   1567   p->auth_key_len    = 20;                /* 160 bit key               */
   1568   p->auth_tag_len    = 4;                 /* 32 bit tag                */
   1569   p->sec_serv        = sec_serv_conf_and_auth;
   1570 
   1571 }
   1572 
   1573 
   1574 void
   1575 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {
   1576 
   1577   /*
   1578    * corresponds to RFC 4568
   1579    *
   1580    * note that this crypto policy is intended for SRTP, but not SRTCP
   1581    */
   1582 
   1583   p->cipher_type     = AES_ICM;
   1584   p->cipher_key_len  = 30;                /* 128 bit key, 112 bit salt */
   1585   p->auth_type       = NULL_AUTH;
   1586   p->auth_key_len    = 0;
   1587   p->auth_tag_len    = 0;
   1588   p->sec_serv        = sec_serv_conf;
   1589 
   1590 }
   1591 
   1592 
   1593 void
   1594 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {
   1595 
   1596   /*
   1597    * corresponds to RFC 4568
   1598    */
   1599 
   1600   p->cipher_type     = NULL_CIPHER;
   1601   p->cipher_key_len  = 0;
   1602   p->auth_type       = HMAC_SHA1;
   1603   p->auth_key_len    = 20;
   1604   p->auth_tag_len    = 10;
   1605   p->sec_serv        = sec_serv_auth;
   1606 
   1607 }
   1608 
   1609 
   1610 void
   1611 crypto_policy_set_aes_cm_256_hmac_sha1_80(crypto_policy_t *p) {
   1612 
   1613   /*
   1614    * corresponds to draft-ietf-avt-big-aes-03.txt
   1615    */
   1616 
   1617   p->cipher_type     = AES_ICM;
   1618   p->cipher_key_len  = 46;
   1619   p->auth_type       = HMAC_SHA1;
   1620   p->auth_key_len    = 20;                /* default 160 bits per RFC 3711 */
   1621   p->auth_tag_len    = 10;                /* default 80 bits per RFC 3711 */
   1622   p->sec_serv        = sec_serv_conf_and_auth;
   1623 }
   1624 
   1625 
   1626 void
   1627 crypto_policy_set_aes_cm_256_hmac_sha1_32(crypto_policy_t *p) {
   1628 
   1629   /*
   1630    * corresponds to draft-ietf-avt-big-aes-03.txt
   1631    *
   1632    * note that this crypto policy is intended for SRTP, but not SRTCP
   1633    */
   1634 
   1635   p->cipher_type     = AES_ICM;
   1636   p->cipher_key_len  = 46;
   1637   p->auth_type       = HMAC_SHA1;
   1638   p->auth_key_len    = 20;                /* default 160 bits per RFC 3711 */
   1639   p->auth_tag_len    = 4;                 /* default 80 bits per RFC 3711 */
   1640   p->sec_serv        = sec_serv_conf_and_auth;
   1641 }
   1642 
   1643 
   1644 /*
   1645  * secure rtcp functions
   1646  */
   1647 
   1648 err_status_t
   1649 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
   1650   srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
   1651   uint32_t *enc_start;      /* pointer to start of encrypted portion  */
   1652   uint32_t *auth_start;     /* pointer to start of auth. portion      */
   1653   uint32_t *trailer;        /* pointer to start of trailer            */
   1654   unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
   1655   uint8_t *auth_tag = NULL; /* location of auth_tag within packet     */
   1656   err_status_t status;
   1657   int tag_len;
   1658   srtp_stream_ctx_t *stream;
   1659   int prefix_len;
   1660   uint32_t seq_num;
   1661 
   1662   /* we assume the hdr is 32-bit aligned to start */
   1663   /*
   1664    * look up ssrc in srtp_stream list, and process the packet with
   1665    * the appropriate stream.  if we haven't seen this stream before,
   1666    * there's only one key for this srtp_session, and the cipher
   1667    * supports key-sharing, then we assume that a new stream using
   1668    * that key has just started up
   1669    */
   1670   stream = srtp_get_stream(ctx, hdr->ssrc);
   1671   if (stream == NULL) {
   1672     if (ctx->stream_template != NULL) {
   1673       srtp_stream_ctx_t *new_stream;
   1674 
   1675       /* allocate and initialize a new stream */
   1676       status = srtp_stream_clone(ctx->stream_template,
   1677 				 hdr->ssrc, &new_stream);
   1678       if (status)
   1679 	return status;
   1680 
   1681       /* add new stream to the head of the stream_list */
   1682       new_stream->next = ctx->stream_list;
   1683       ctx->stream_list = new_stream;
   1684 
   1685       /* set stream (the pointer used in this function) */
   1686       stream = new_stream;
   1687     } else {
   1688       /* no template stream, so we return an error */
   1689       return err_status_no_ctx;
   1690     }
   1691   }
   1692 
   1693   /*
   1694    * verify that stream is for sending traffic - this check will
   1695    * detect SSRC collisions, since a stream that appears in both
   1696    * srtp_protect() and srtp_unprotect() will fail this test in one of
   1697    * those functions.
   1698    */
   1699   if (stream->direction != dir_srtp_sender) {
   1700     if (stream->direction == dir_unknown) {
   1701       stream->direction = dir_srtp_sender;
   1702     } else {
   1703       srtp_handle_event(ctx, stream, event_ssrc_collision);
   1704     }
   1705   }
   1706 
   1707   /* get tag length from stream context */
   1708   tag_len = auth_get_tag_length(stream->rtcp_auth);
   1709 
   1710   /*
   1711    * set encryption start and encryption length - if we're not
   1712    * providing confidentiality, set enc_start to NULL
   1713    */
   1714   enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
   1715   enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
   1716 
   1717   /* all of the packet, except the header, gets encrypted */
   1718   /* NOTE: hdr->length is not usable - it refers to only the first
   1719 	 RTCP report in the compound packet! */
   1720   /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
   1721 	 multiples of 32-bits (RFC 3550 6.1) */
   1722   trailer = (uint32_t *) ((char *)enc_start + enc_octet_len);
   1723 
   1724   if (stream->rtcp_services & sec_serv_conf) {
   1725     *trailer = htonl(SRTCP_E_BIT);     /* set encrypt bit */
   1726   } else {
   1727     enc_start = NULL;
   1728     enc_octet_len = 0;
   1729 	/* 0 is network-order independant */
   1730     *trailer = 0x00000000;     /* set encrypt bit */
   1731   }
   1732 
   1733   /*
   1734    * set the auth_start and auth_tag pointers to the proper locations
   1735    * (note that srtpc *always* provides authentication, unlike srtp)
   1736    */
   1737   /* Note: This would need to change for optional mikey data */
   1738   auth_start = (uint32_t *)hdr;
   1739   auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t);
   1740 
   1741   /* perform EKT processing if needed */
   1742   ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
   1743 		 rdbx_get_packet_index(&stream->rtp_rdbx));
   1744 
   1745   /*
   1746    * check sequence number for overruns, and copy it into the packet
   1747    * if its value isn't too big
   1748    */
   1749   status = rdb_increment(&stream->rtcp_rdb);
   1750   if (status)
   1751     return status;
   1752   seq_num = rdb_get_value(&stream->rtcp_rdb);
   1753   *trailer |= htonl(seq_num);
   1754   debug_print(mod_srtp, "srtcp index: %x", seq_num);
   1755 
   1756   /*
   1757    * if we're using rindael counter mode, set nonce and seq
   1758    */
   1759   if (stream->rtcp_cipher->type->id == AES_ICM) {
   1760     v128_t iv;
   1761 
   1762     iv.v32[0] = 0;
   1763     iv.v32[1] = hdr->ssrc;  /* still in network order! */
   1764     iv.v32[2] = htonl(seq_num >> 16);
   1765     iv.v32[3] = htonl(seq_num << 16);
   1766     status = cipher_set_iv(stream->rtcp_cipher, &iv);
   1767 
   1768   } else {
   1769     v128_t iv;
   1770 
   1771     /* otherwise, just set the index to seq_num */
   1772     iv.v32[0] = 0;
   1773     iv.v32[1] = 0;
   1774     iv.v32[2] = 0;
   1775     iv.v32[3] = htonl(seq_num);
   1776     status = cipher_set_iv(stream->rtcp_cipher, &iv);
   1777   }
   1778   if (status)
   1779     return err_status_cipher_fail;
   1780 
   1781   /*
   1782    * if we're authenticating using a universal hash, put the keystream
   1783    * prefix into the authentication tag
   1784    */
   1785 
   1786   /* if auth_start is non-null, then put keystream into tag  */
   1787   if (auth_start) {
   1788 
   1789     /* put keystream prefix into auth_tag */
   1790     prefix_len = auth_get_prefix_length(stream->rtcp_auth);
   1791     status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
   1792 
   1793     debug_print(mod_srtp, "keystream prefix: %s",
   1794 		octet_string_hex_string(auth_tag, prefix_len));
   1795 
   1796     if (status)
   1797       return err_status_cipher_fail;
   1798   }
   1799 
   1800   /* if we're encrypting, exor keystream into the message */
   1801   if (enc_start) {
   1802     status = cipher_encrypt(stream->rtcp_cipher,
   1803 			    (uint8_t *)enc_start, &enc_octet_len);
   1804     if (status)
   1805       return err_status_cipher_fail;
   1806   }
   1807 
   1808   /* initialize auth func context */
   1809   auth_start(stream->rtcp_auth);
   1810 
   1811   /*
   1812    * run auth func over packet (including trailer), and write the
   1813    * result at auth_tag
   1814    */
   1815   status = auth_compute(stream->rtcp_auth,
   1816 			(uint8_t *)auth_start,
   1817 			(*pkt_octet_len) + sizeof(srtcp_trailer_t),
   1818 			auth_tag);
   1819   debug_print(mod_srtp, "srtcp auth tag:    %s",
   1820 	      octet_string_hex_string(auth_tag, tag_len));
   1821   if (status)
   1822     return err_status_auth_fail;
   1823 
   1824   /* increase the packet length by the length of the auth tag and seq_num*/
   1825   *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
   1826 
   1827   return err_status_ok;
   1828 }
   1829 
   1830 
   1831 err_status_t
   1832 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
   1833   srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
   1834   uint32_t *enc_start;      /* pointer to start of encrypted portion  */
   1835   uint32_t *auth_start;     /* pointer to start of auth. portion      */
   1836   uint32_t *trailer;        /* pointer to start of trailer            */
   1837   unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
   1838   uint8_t *auth_tag = NULL; /* location of auth_tag within packet     */
   1839   uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
   1840   uint8_t tag_copy[SRTP_MAX_TAG_LEN];
   1841   err_status_t status;
   1842   unsigned auth_len;
   1843   int tag_len;
   1844   srtp_stream_ctx_t *stream;
   1845   int prefix_len;
   1846   uint32_t seq_num;
   1847 
   1848   /* we assume the hdr is 32-bit aligned to start */
   1849   /*
   1850    * look up ssrc in srtp_stream list, and process the packet with
   1851    * the appropriate stream.  if we haven't seen this stream before,
   1852    * there's only one key for this srtp_session, and the cipher
   1853    * supports key-sharing, then we assume that a new stream using
   1854    * that key has just started up
   1855    */
   1856   stream = srtp_get_stream(ctx, hdr->ssrc);
   1857   if (stream == NULL) {
   1858     if (ctx->stream_template != NULL) {
   1859       stream = ctx->stream_template;
   1860 
   1861       /*
   1862        * check to see if stream_template has an EKT data structure, in
   1863        * which case we initialize the template using the EKT policy
   1864        * referenced by that data (which consists of decrypting the
   1865        * master key from the EKT field)
   1866        *
   1867        * this function initializes a *provisional* stream, and this
   1868        * stream should not be accepted until and unless the packet
   1869        * passes its authentication check
   1870        */
   1871       if (stream->ekt != NULL) {
   1872 	status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len);
   1873 	if (status)
   1874 	  return status;
   1875       }
   1876 
   1877       debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
   1878 		  hdr->ssrc);
   1879     } else {
   1880       /* no template stream, so we return an error */
   1881       return err_status_no_ctx;
   1882     }
   1883   }
   1884 
   1885   /* get tag length from stream context */
   1886   tag_len = auth_get_tag_length(stream->rtcp_auth);
   1887 
   1888   /*
   1889    * set encryption start, encryption length, and trailer
   1890    */
   1891   enc_octet_len = *pkt_octet_len -
   1892                   (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
   1893   /* index & E (encryption) bit follow normal data.  hdr->len
   1894 	 is the number of words (32-bit) in the normal packet minus 1 */
   1895   /* This should point trailer to the word past the end of the
   1896 	 normal data. */
   1897   /* This would need to be modified for optional mikey data */
   1898   /*
   1899    * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
   1900    *	 multiples of 32-bits (RFC 3550 6.1)
   1901    */
   1902   trailer = (uint32_t *) ((char *) hdr +
   1903 		     *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
   1904   if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
   1905     enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
   1906   } else {
   1907     enc_octet_len = 0;
   1908     enc_start = NULL; /* this indicates that there's no encryption */
   1909   }
   1910 
   1911   /*
   1912    * set the auth_start and auth_tag pointers to the proper locations
   1913    * (note that srtcp *always* uses authentication, unlike srtp)
   1914    */
   1915   auth_start = (uint32_t *)hdr;
   1916   auth_len = *pkt_octet_len - tag_len;
   1917   auth_tag = (uint8_t *)hdr + auth_len;
   1918 
   1919   /*
   1920    * if EKT is in use, then we make a copy of the tag from the packet,
   1921    * and then zeroize the location of the base tag
   1922    *
   1923    * we first re-position the auth_tag pointer so that it points to
   1924    * the base tag
   1925    */
   1926   if (stream->ekt) {
   1927     auth_tag -= ekt_octets_after_base_tag(stream->ekt);
   1928     memcpy(tag_copy, auth_tag, tag_len);
   1929     octet_string_set_to_zero(auth_tag, tag_len);
   1930     auth_tag = tag_copy;
   1931     auth_len += tag_len;
   1932   }
   1933 
   1934   /*
   1935    * check the sequence number for replays
   1936    */
   1937   /* this is easier than dealing with bitfield access */
   1938   seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
   1939   debug_print(mod_srtp, "srtcp index: %x", seq_num);
   1940   status = rdb_check(&stream->rtcp_rdb, seq_num);
   1941   if (status)
   1942     return status;
   1943 
   1944   /*
   1945    * if we're using aes counter mode, set nonce and seq
   1946    */
   1947   if (stream->rtcp_cipher->type->id == AES_ICM) {
   1948     v128_t iv;
   1949 
   1950     iv.v32[0] = 0;
   1951     iv.v32[1] = hdr->ssrc; /* still in network order! */
   1952     iv.v32[2] = htonl(seq_num >> 16);
   1953     iv.v32[3] = htonl(seq_num << 16);
   1954     status = cipher_set_iv(stream->rtcp_cipher, &iv);
   1955 
   1956   } else {
   1957     v128_t iv;
   1958 
   1959     /* otherwise, just set the index to seq_num */
   1960     iv.v32[0] = 0;
   1961     iv.v32[1] = 0;
   1962     iv.v32[2] = 0;
   1963     iv.v32[3] = htonl(seq_num);
   1964     status = cipher_set_iv(stream->rtcp_cipher, &iv);
   1965 
   1966   }
   1967   if (status)
   1968     return err_status_cipher_fail;
   1969 
   1970   /* initialize auth func context */
   1971   auth_start(stream->rtcp_auth);
   1972 
   1973   /* run auth func over packet, put result into tmp_tag */
   1974   status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
   1975 			auth_len, tmp_tag);
   1976   debug_print(mod_srtp, "srtcp computed tag:       %s",
   1977 	      octet_string_hex_string(tmp_tag, tag_len));
   1978   if (status)
   1979     return err_status_auth_fail;
   1980 
   1981   /* compare the tag just computed with the one in the packet */
   1982   debug_print(mod_srtp, "srtcp tag from packet:    %s",
   1983 	      octet_string_hex_string(auth_tag, tag_len));
   1984   if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
   1985     return err_status_auth_fail;
   1986 
   1987   /*
   1988    * if we're authenticating using a universal hash, put the keystream
   1989    * prefix into the authentication tag
   1990    */
   1991   prefix_len = auth_get_prefix_length(stream->rtcp_auth);
   1992   if (prefix_len) {
   1993     status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
   1994     debug_print(mod_srtp, "keystream prefix: %s",
   1995 		octet_string_hex_string(auth_tag, prefix_len));
   1996     if (status)
   1997       return err_status_cipher_fail;
   1998   }
   1999 
   2000   /* if we're decrypting, exor keystream into the message */
   2001   if (enc_start) {
   2002     status = cipher_decrypt(stream->rtcp_cipher,
   2003 			    (uint8_t *)enc_start, &enc_octet_len);
   2004     if (status)
   2005       return err_status_cipher_fail;
   2006   }
   2007 
   2008   /* decrease the packet length by the length of the auth tag and seq_num */
   2009   *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
   2010 
   2011   /*
   2012    * if EKT is in effect, subtract the EKT data out of the packet
   2013    * length
   2014    */
   2015   *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt);
   2016 
   2017   /*
   2018    * verify that stream is for received traffic - this check will
   2019    * detect SSRC collisions, since a stream that appears in both
   2020    * srtp_protect() and srtp_unprotect() will fail this test in one of
   2021    * those functions.
   2022    *
   2023    * we do this check *after* the authentication check, so that the
   2024    * latter check will catch any attempts to fool us into thinking
   2025    * that we've got a collision
   2026    */
   2027   if (stream->direction != dir_srtp_receiver) {
   2028     if (stream->direction == dir_unknown) {
   2029       stream->direction = dir_srtp_receiver;
   2030     } else {
   2031       srtp_handle_event(ctx, stream, event_ssrc_collision);
   2032     }
   2033   }
   2034 
   2035   /*
   2036    * if the stream is a 'provisional' one, in which the template context
   2037    * is used, then we need to allocate a new stream at this point, since
   2038    * the authentication passed
   2039    */
   2040   if (stream == ctx->stream_template) {
   2041     srtp_stream_ctx_t *new_stream;
   2042 
   2043     /*
   2044      * allocate and initialize a new stream
   2045      *
   2046      * note that we indicate failure if we can't allocate the new
   2047      * stream, and some implementations will want to not return
   2048      * failure here
   2049      */
   2050     status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
   2051     if (status)
   2052       return status;
   2053 
   2054     /* add new stream to the head of the stream_list */
   2055     new_stream->next = ctx->stream_list;
   2056     ctx->stream_list = new_stream;
   2057 
   2058     /* set stream (the pointer used in this function) */
   2059     stream = new_stream;
   2060   }
   2061 
   2062   /* we've passed the authentication check, so add seq_num to the rdb */
   2063   rdb_add_index(&stream->rtcp_rdb, seq_num);
   2064 
   2065 
   2066   return err_status_ok;
   2067 }
   2068 
   2069 
   2070 
   2071 /*
   2072  * dtls keying for srtp
   2073  */
   2074 
   2075 err_status_t
   2076 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
   2077 				       srtp_profile_t profile) {
   2078 
   2079   /* set SRTP policy from the SRTP profile in the key set */
   2080   switch(profile) {
   2081   case srtp_profile_aes128_cm_sha1_80:
   2082     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
   2083     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
   2084     break;
   2085   case srtp_profile_aes128_cm_sha1_32:
   2086     crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
   2087     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
   2088     break;
   2089   case srtp_profile_null_sha1_80:
   2090     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
   2091     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
   2092     break;
   2093   case srtp_profile_aes256_cm_sha1_80:
   2094     crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
   2095     crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
   2096     break;
   2097   case srtp_profile_aes256_cm_sha1_32:
   2098     crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
   2099     crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
   2100     break;
   2101     /* the following profiles are not (yet) supported */
   2102   case srtp_profile_null_sha1_32:
   2103   default:
   2104     return err_status_bad_param;
   2105   }
   2106 
   2107   return err_status_ok;
   2108 }
   2109 
   2110 err_status_t
   2111 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
   2112 					srtp_profile_t profile) {
   2113 
   2114   /* set SRTP policy from the SRTP profile in the key set */
   2115   switch(profile) {
   2116   case srtp_profile_aes128_cm_sha1_80:
   2117     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
   2118     break;
   2119   case srtp_profile_aes128_cm_sha1_32:
   2120     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
   2121     break;
   2122   case srtp_profile_null_sha1_80:
   2123     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
   2124     break;
   2125   case srtp_profile_aes256_cm_sha1_80:
   2126     crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
   2127     break;
   2128   case srtp_profile_aes256_cm_sha1_32:
   2129     crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
   2130     break;
   2131     /* the following profiles are not (yet) supported */
   2132   case srtp_profile_null_sha1_32:
   2133   default:
   2134     return err_status_bad_param;
   2135   }
   2136 
   2137   return err_status_ok;
   2138 }
   2139 
   2140 void
   2141 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key,
   2142 		   uint8_t *salt, unsigned int bytes_in_salt) {
   2143 
   2144   memcpy(key + bytes_in_key, salt, bytes_in_salt);
   2145 
   2146 }
   2147 
   2148 unsigned int
   2149 srtp_profile_get_master_key_length(srtp_profile_t profile) {
   2150 
   2151   switch(profile) {
   2152   case srtp_profile_aes128_cm_sha1_80:
   2153     return 16;
   2154     break;
   2155   case srtp_profile_aes128_cm_sha1_32:
   2156     return 16;
   2157     break;
   2158   case srtp_profile_null_sha1_80:
   2159     return 16;
   2160     break;
   2161   case srtp_profile_aes256_cm_sha1_80:
   2162     return 32;
   2163     break;
   2164   case srtp_profile_aes256_cm_sha1_32:
   2165     return 32;
   2166     break;
   2167     /* the following profiles are not (yet) supported */
   2168   case srtp_profile_null_sha1_32:
   2169   default:
   2170     return 0;  /* indicate error by returning a zero */
   2171   }
   2172 }
   2173 
   2174 unsigned int
   2175 srtp_profile_get_master_salt_length(srtp_profile_t profile) {
   2176 
   2177   switch(profile) {
   2178   case srtp_profile_aes128_cm_sha1_80:
   2179     return 14;
   2180     break;
   2181   case srtp_profile_aes128_cm_sha1_32:
   2182     return 14;
   2183     break;
   2184   case srtp_profile_null_sha1_80:
   2185     return 14;
   2186     break;
   2187   case srtp_profile_aes256_cm_sha1_80:
   2188     return 14;
   2189     break;
   2190   case srtp_profile_aes256_cm_sha1_32:
   2191     return 14;
   2192     break;
   2193     /* the following profiles are not (yet) supported */
   2194   case srtp_profile_null_sha1_32:
   2195   default:
   2196     return 0;  /* indicate error by returning a zero */
   2197   }
   2198 }
   2199