1 /*
2  * srtp.c
3  *
4  * the secure real-time transport protocol
5  *
6  * David A. McGrew
7  * Cisco Systems, Inc.
8  */
9 /*
10  *
11  * Copyright (c) 2001-2017, Cisco Systems, Inc.
12  * All rights reserved.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  *
18  *   Redistributions of source code must retain the above copyright
19  *   notice, this list of conditions and the following disclaimer.
20  *
21  *   Redistributions in binary form must reproduce the above
22  *   copyright notice, this list of conditions and the following
23  *   disclaimer in the documentation and/or other materials provided
24  *   with the distribution.
25  *
26  *   Neither the name of the Cisco Systems, Inc. nor the names of its
27  *   contributors may be used to endorse or promote products derived
28  *   from this software without specific prior written permission.
29  *
30  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41  * OF THE POSSIBILITY OF SUCH DAMAGE.
42  *
43  */
44 
45 // Leave this as the top level import. Ensures the existence of defines
46 #include "config.h"
47 
48 #include "srtp_priv.h"
49 #include "crypto_types.h"
50 #include "err.h"
51 #include "ekt.h"   /* for SRTP Encrypted Key Transport */
52 #include "alloc.h" /* for srtp_crypto_alloc() */
53 
54 #ifdef GCM
55 #include "aes_gcm.h" /* for AES GCM mode */
56 #endif
57 
58 #ifdef OPENSSL_KDF
59 #include <openssl/kdf.h>
60 #include "aes_icm_ext.h"
61 #endif
62 
63 #include <limits.h>
64 #ifdef HAVE_NETINET_IN_H
65 #include <netinet/in.h>
66 #elif defined(HAVE_WINSOCK2_H)
67 #include <winsock2.h>
68 #endif
69 
70 /* the debug module for srtp */
71 srtp_debug_module_t mod_srtp = {
72     0,     /* debugging is off by default */
73     "srtp" /* printable name for module */
74 };
75 
76 #define octets_in_rtp_header 12
77 #define uint32s_in_rtp_header 3
78 #define octets_in_rtcp_header 8
79 #define uint32s_in_rtcp_header 2
80 #define octets_in_rtp_extn_hdr 4
81 
srtp_validate_rtp_header(void * rtp_hdr,int * pkt_octet_len)82 static srtp_err_status_t srtp_validate_rtp_header(void *rtp_hdr,
83                                                   int *pkt_octet_len)
84 {
85     srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
86     int rtp_header_len;
87 
88     if (*pkt_octet_len < octets_in_rtp_header)
89         return srtp_err_status_bad_param;
90 
91     /* Check RTP header length */
92     rtp_header_len = octets_in_rtp_header + 4 * hdr->cc;
93     if (hdr->x == 1)
94         rtp_header_len += octets_in_rtp_extn_hdr;
95 
96     if (*pkt_octet_len < rtp_header_len)
97         return srtp_err_status_bad_param;
98 
99     /* Verifing profile length. */
100     if (hdr->x == 1) {
101         srtp_hdr_xtnd_t *xtn_hdr =
102             (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header +
103                                 hdr->cc);
104         int profile_len = ntohs(xtn_hdr->length);
105         rtp_header_len += profile_len * 4;
106         /* profile length counts the number of 32-bit words */
107         if (*pkt_octet_len < rtp_header_len)
108             return srtp_err_status_bad_param;
109     }
110     return srtp_err_status_ok;
111 }
112 
srtp_get_version_string()113 const char *srtp_get_version_string()
114 {
115     /*
116      * Simply return the autotools generated string
117      */
118     return SRTP_VER_STRING;
119 }
120 
srtp_get_version()121 unsigned int srtp_get_version()
122 {
123     unsigned int major = 0, minor = 0, micro = 0;
124     unsigned int rv = 0;
125     int parse_rv;
126 
127     /*
128      * Parse the autotools generated version
129      */
130     parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, &micro);
131     if (parse_rv != 3) {
132         /*
133          * We're expected to parse all 3 version levels.
134          * If not, then this must not be an official release.
135          * Return all zeros on the version
136          */
137         return (0);
138     }
139 
140     /*
141      * We allow 8 bits for the major and minor, while
142      * allowing 16 bits for the micro.  16 bits for the micro
143      * may be beneficial for a continuous delivery model
144      * in the future.
145      */
146     rv |= (major & 0xFF) << 24;
147     rv |= (minor & 0xFF) << 16;
148     rv |= micro & 0xFF;
149     return rv;
150 }
151 
srtp_stream_dealloc(srtp_stream_ctx_t * stream,const srtp_stream_ctx_t * stream_template)152 srtp_err_status_t srtp_stream_dealloc(srtp_stream_ctx_t *stream,
153                                       const srtp_stream_ctx_t *stream_template)
154 {
155     srtp_err_status_t status;
156     unsigned int i = 0;
157     srtp_session_keys_t *session_keys = NULL;
158     srtp_session_keys_t *template_session_keys = NULL;
159 
160     /*
161      * we use a conservative deallocation strategy - if any deallocation
162      * fails, then we report that fact without trying to deallocate
163      * anything else
164      */
165     if (stream->session_keys) {
166         for (i = 0; i < stream->num_master_keys; i++) {
167             session_keys = &stream->session_keys[i];
168 
169             if (stream_template &&
170                 stream->num_master_keys == stream_template->num_master_keys) {
171                 template_session_keys = &stream_template->session_keys[i];
172             } else {
173                 template_session_keys = NULL;
174             }
175 
176             /*
177             * deallocate cipher, if it is not the same as that in template
178             */
179             if (template_session_keys &&
180                 session_keys->rtp_cipher == template_session_keys->rtp_cipher) {
181                 /* do nothing */
182             } else if (session_keys->rtp_cipher) {
183                 status = srtp_cipher_dealloc(session_keys->rtp_cipher);
184                 if (status)
185                     return status;
186             }
187 
188             /*
189              * deallocate auth function, if it is not the same as that in
190              * template
191              */
192             if (template_session_keys &&
193                 session_keys->rtp_auth == template_session_keys->rtp_auth) {
194                 /* do nothing */
195             } else if (session_keys->rtp_auth) {
196                 status = srtp_auth_dealloc(session_keys->rtp_auth);
197                 if (status)
198                     return status;
199             }
200 
201             if (template_session_keys &&
202                 session_keys->rtp_xtn_hdr_cipher ==
203                     template_session_keys->rtp_xtn_hdr_cipher) {
204                 /* do nothing */
205             } else if (session_keys->rtp_xtn_hdr_cipher) {
206                 status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher);
207                 if (status)
208                     return status;
209             }
210 
211             /*
212              * deallocate rtcp cipher, if it is not the same as that in
213              * template
214              */
215             if (template_session_keys &&
216                 session_keys->rtcp_cipher ==
217                     template_session_keys->rtcp_cipher) {
218                 /* do nothing */
219             } else if (session_keys->rtcp_cipher) {
220                 status = srtp_cipher_dealloc(session_keys->rtcp_cipher);
221                 if (status)
222                     return status;
223             }
224 
225             /*
226              * deallocate rtcp auth function, if it is not the same as that in
227              * template
228              */
229             if (template_session_keys &&
230                 session_keys->rtcp_auth == template_session_keys->rtcp_auth) {
231                 /* do nothing */
232             } else if (session_keys->rtcp_auth) {
233                 status = srtp_auth_dealloc(session_keys->rtcp_auth);
234                 if (status)
235                     return status;
236             }
237 
238             /*
239              * zeroize the salt value
240              */
241             octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN);
242             octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN);
243 
244             if (session_keys->mki_id) {
245                 octet_string_set_to_zero(session_keys->mki_id,
246                                          session_keys->mki_size);
247                 srtp_crypto_free(session_keys->mki_id);
248                 session_keys->mki_id = NULL;
249             }
250 
251             /*
252              * deallocate key usage limit, if it is not the same as that in
253              * template
254              */
255             if (template_session_keys &&
256                 session_keys->limit == template_session_keys->limit) {
257                 /* do nothing */
258             } else if (session_keys->limit) {
259                 srtp_crypto_free(session_keys->limit);
260             }
261         }
262         srtp_crypto_free(stream->session_keys);
263     }
264 
265     status = srtp_rdbx_dealloc(&stream->rtp_rdbx);
266     if (status)
267         return status;
268 
269     /* DAM - need to deallocate EKT here */
270 
271     if (stream_template &&
272         stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) {
273         /* do nothing */
274     } else if (stream->enc_xtn_hdr) {
275         srtp_crypto_free(stream->enc_xtn_hdr);
276     }
277 
278     /* deallocate srtp stream context */
279     srtp_crypto_free(stream);
280 
281     return srtp_err_status_ok;
282 }
283 
srtp_stream_alloc(srtp_stream_ctx_t ** str_ptr,const srtp_policy_t * p)284 srtp_err_status_t srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
285                                     const srtp_policy_t *p)
286 {
287     srtp_stream_ctx_t *str;
288     srtp_err_status_t stat;
289     unsigned int i = 0;
290     srtp_session_keys_t *session_keys = NULL;
291 
292     /*
293      * This function allocates the stream context, rtp and rtcp ciphers
294      * and auth functions, and key limit structure.  If there is a
295      * failure during allocation, we free all previously allocated
296      * memory and return a failure code.  The code could probably
297      * be improved, but it works and should be clear.
298      */
299 
300     /* allocate srtp stream and set str_ptr */
301     str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t));
302     if (str == NULL)
303         return srtp_err_status_alloc_fail;
304 
305     *str_ptr = str;
306 
307     /*
308      *To keep backwards API compatible if someone is using multiple master
309      * keys then key should be set to NULL
310      */
311     if (p->key != NULL) {
312         str->num_master_keys = 1;
313     } else {
314         str->num_master_keys = p->num_master_keys;
315     }
316 
317     str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc(
318         sizeof(srtp_session_keys_t) * str->num_master_keys);
319 
320     if (str->session_keys == NULL) {
321         srtp_stream_dealloc(str, NULL);
322         return srtp_err_status_alloc_fail;
323     }
324 
325     for (i = 0; i < str->num_master_keys; i++) {
326         session_keys = &str->session_keys[i];
327 
328         /* allocate cipher */
329         stat = srtp_crypto_kernel_alloc_cipher(
330             p->rtp.cipher_type, &session_keys->rtp_cipher,
331             p->rtp.cipher_key_len, p->rtp.auth_tag_len);
332         if (stat) {
333             srtp_stream_dealloc(str, NULL);
334             return stat;
335         }
336 
337         /* allocate auth function */
338         stat = srtp_crypto_kernel_alloc_auth(
339             p->rtp.auth_type, &session_keys->rtp_auth, p->rtp.auth_key_len,
340             p->rtp.auth_tag_len);
341         if (stat) {
342             srtp_stream_dealloc(str, NULL);
343             return stat;
344         }
345 
346         /*
347          * ...and now the RTCP-specific initialization - first, allocate
348          * the cipher
349          */
350         stat = srtp_crypto_kernel_alloc_cipher(
351             p->rtcp.cipher_type, &session_keys->rtcp_cipher,
352             p->rtcp.cipher_key_len, p->rtcp.auth_tag_len);
353         if (stat) {
354             srtp_stream_dealloc(str, NULL);
355             return stat;
356         }
357 
358         /* allocate auth function */
359         stat = srtp_crypto_kernel_alloc_auth(
360             p->rtcp.auth_type, &session_keys->rtcp_auth, p->rtcp.auth_key_len,
361             p->rtcp.auth_tag_len);
362         if (stat) {
363             srtp_stream_dealloc(str, NULL);
364             return stat;
365         }
366 
367         session_keys->mki_id = NULL;
368 
369         /* allocate key limit structure */
370         session_keys->limit = (srtp_key_limit_ctx_t *)srtp_crypto_alloc(
371             sizeof(srtp_key_limit_ctx_t));
372         if (session_keys->limit == NULL) {
373             srtp_stream_dealloc(str, NULL);
374             return srtp_err_status_alloc_fail;
375         }
376     }
377 
378     /* allocate ekt data associated with stream */
379     stat = srtp_ekt_alloc(&str->ekt, p->ekt);
380     if (stat) {
381         srtp_stream_dealloc(str, NULL);
382         return stat;
383     }
384 
385     if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) {
386         srtp_cipher_type_id_t enc_xtn_hdr_cipher_type;
387         int enc_xtn_hdr_cipher_key_len;
388 
389         str->enc_xtn_hdr = (int *)srtp_crypto_alloc(p->enc_xtn_hdr_count *
390                                                     sizeof(p->enc_xtn_hdr[0]));
391         if (!str->enc_xtn_hdr) {
392             srtp_stream_dealloc(str, NULL);
393             return srtp_err_status_alloc_fail;
394         }
395         memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr,
396                p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0]));
397         str->enc_xtn_hdr_count = p->enc_xtn_hdr_count;
398 
399         /*
400          * For GCM ciphers, the corresponding ICM cipher is used for header
401          * extensions encryption.
402          */
403         switch (p->rtp.cipher_type) {
404         case SRTP_AES_GCM_128:
405             enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128;
406             enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT;
407             break;
408         case SRTP_AES_GCM_256:
409             enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256;
410             enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
411             break;
412         default:
413             enc_xtn_hdr_cipher_type = p->rtp.cipher_type;
414             enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len;
415             break;
416         }
417 
418         for (i = 0; i < str->num_master_keys; i++) {
419             session_keys = &str->session_keys[i];
420 
421             /* allocate cipher for extensions header encryption */
422             stat = srtp_crypto_kernel_alloc_cipher(
423                 enc_xtn_hdr_cipher_type, &session_keys->rtp_xtn_hdr_cipher,
424                 enc_xtn_hdr_cipher_key_len, 0);
425             if (stat) {
426                 srtp_stream_dealloc(str, NULL);
427                 return stat;
428             }
429         }
430     } else {
431         for (i = 0; i < str->num_master_keys; i++) {
432             session_keys = &str->session_keys[i];
433             session_keys->rtp_xtn_hdr_cipher = NULL;
434         }
435 
436         str->enc_xtn_hdr = NULL;
437         str->enc_xtn_hdr_count = 0;
438     }
439 
440     return srtp_err_status_ok;
441 }
442 
443 /*
444  * srtp_stream_clone(stream_template, new) allocates a new stream and
445  * initializes it using the cipher and auth of the stream_template
446  *
447  * the only unique data in a cloned stream is the replay database and
448  * the SSRC
449  */
450 
srtp_stream_clone(const srtp_stream_ctx_t * stream_template,uint32_t ssrc,srtp_stream_ctx_t ** str_ptr)451 srtp_err_status_t srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
452                                     uint32_t ssrc,
453                                     srtp_stream_ctx_t **str_ptr)
454 {
455     srtp_err_status_t status;
456     srtp_stream_ctx_t *str;
457     unsigned int i = 0;
458     srtp_session_keys_t *session_keys = NULL;
459     const srtp_session_keys_t *template_session_keys = NULL;
460 
461     debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc));
462 
463     /* allocate srtp stream and set str_ptr */
464     str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t));
465     if (str == NULL)
466         return srtp_err_status_alloc_fail;
467     *str_ptr = str;
468 
469     str->num_master_keys = stream_template->num_master_keys;
470     str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc(
471         sizeof(srtp_session_keys_t) * str->num_master_keys);
472 
473     if (str->session_keys == NULL) {
474         srtp_stream_dealloc(*str_ptr, stream_template);
475         *str_ptr = NULL;
476         return srtp_err_status_alloc_fail;
477     }
478 
479     for (i = 0; i < stream_template->num_master_keys; i++) {
480         session_keys = &str->session_keys[i];
481         template_session_keys = &stream_template->session_keys[i];
482 
483         /* set cipher and auth pointers to those of the template */
484         session_keys->rtp_cipher = template_session_keys->rtp_cipher;
485         session_keys->rtp_auth = template_session_keys->rtp_auth;
486         session_keys->rtp_xtn_hdr_cipher =
487             template_session_keys->rtp_xtn_hdr_cipher;
488         session_keys->rtcp_cipher = template_session_keys->rtcp_cipher;
489         session_keys->rtcp_auth = template_session_keys->rtcp_auth;
490         session_keys->mki_size = template_session_keys->mki_size;
491 
492         if (template_session_keys->mki_size == 0) {
493             session_keys->mki_id = NULL;
494         } else {
495             session_keys->mki_id =
496                 srtp_crypto_alloc(template_session_keys->mki_size);
497 
498             if (session_keys->mki_id == NULL) {
499                 srtp_stream_dealloc(*str_ptr, stream_template);
500                 *str_ptr = NULL;
501                 return srtp_err_status_init_fail;
502             }
503             memcpy(session_keys->mki_id, template_session_keys->mki_id,
504                    session_keys->mki_size);
505         }
506         /* Copy the salt values */
507         memcpy(session_keys->salt, template_session_keys->salt,
508                SRTP_AEAD_SALT_LEN);
509         memcpy(session_keys->c_salt, template_session_keys->c_salt,
510                SRTP_AEAD_SALT_LEN);
511 
512         /* set key limit to point to that of the template */
513         status = srtp_key_limit_clone(template_session_keys->limit,
514                                       &session_keys->limit);
515         if (status) {
516             srtp_stream_dealloc(*str_ptr, stream_template);
517             *str_ptr = NULL;
518             return status;
519         }
520     }
521 
522     /* initialize replay databases */
523     status = srtp_rdbx_init(
524         &str->rtp_rdbx, srtp_rdbx_get_window_size(&stream_template->rtp_rdbx));
525     if (status) {
526         srtp_stream_dealloc(*str_ptr, stream_template);
527         *str_ptr = NULL;
528         return status;
529     }
530     srtp_rdb_init(&str->rtcp_rdb);
531     str->allow_repeat_tx = stream_template->allow_repeat_tx;
532 
533     /* set ssrc to that provided */
534     str->ssrc = ssrc;
535 
536     /* reset pending ROC */
537     str->pending_roc = 0;
538 
539     /* set direction and security services */
540     str->direction = stream_template->direction;
541     str->rtp_services = stream_template->rtp_services;
542     str->rtcp_services = stream_template->rtcp_services;
543 
544     /* set pointer to EKT data associated with stream */
545     str->ekt = stream_template->ekt;
546 
547     /* copy information about extensions header encryption */
548     str->enc_xtn_hdr = stream_template->enc_xtn_hdr;
549     str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count;
550 
551     /* defensive coding */
552     str->next = NULL;
553     return srtp_err_status_ok;
554 }
555 
556 /*
557  * key derivation functions, internal to libSRTP
558  *
559  * srtp_kdf_t is a key derivation context
560  *
561  * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher
562  * described by cipher_id, with the master key k with length in octets keylen.
563  *
564  * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
565  * corresponding to label l and puts it into kl; the length
566  * of the key in octets is provided as keylen.  this function
567  * should be called once for each subkey that is derived.
568  *
569  * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state
570  */
571 
572 typedef enum {
573     label_rtp_encryption = 0x00,
574     label_rtp_msg_auth = 0x01,
575     label_rtp_salt = 0x02,
576     label_rtcp_encryption = 0x03,
577     label_rtcp_msg_auth = 0x04,
578     label_rtcp_salt = 0x05,
579     label_rtp_header_encryption = 0x06,
580     label_rtp_header_salt = 0x07
581 } srtp_prf_label;
582 
583 #define MAX_SRTP_KEY_LEN 256
584 
585 #if defined(OPENSSL) && defined(OPENSSL_KDF)
586 #define MAX_SRTP_AESKEY_LEN 32
587 #define MAX_SRTP_SALT_LEN 14
588 
589 /*
590  * srtp_kdf_t represents a key derivation function.  The SRTP
591  * default KDF is the only one implemented at present.
592  */
593 typedef struct {
594     uint8_t master_key[MAX_SRTP_AESKEY_LEN];
595     uint8_t master_salt[MAX_SRTP_SALT_LEN];
596     const EVP_CIPHER *evp;
597 } srtp_kdf_t;
598 
srtp_kdf_init(srtp_kdf_t * kdf,const uint8_t * key,int key_len,int salt_len)599 static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf,
600                                        const uint8_t *key,
601                                        int key_len,
602                                        int salt_len)
603 {
604     memset(kdf, 0x0, sizeof(srtp_kdf_t));
605 
606     /* The NULL cipher has zero key length */
607     if (key_len == 0)
608         return srtp_err_status_ok;
609 
610     if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) {
611         return srtp_err_status_bad_param;
612     }
613     switch (key_len) {
614     case SRTP_AES_256_KEYSIZE:
615         kdf->evp = EVP_aes_256_ctr();
616         break;
617     case SRTP_AES_192_KEYSIZE:
618         kdf->evp = EVP_aes_192_ctr();
619         break;
620     case SRTP_AES_128_KEYSIZE:
621         kdf->evp = EVP_aes_128_ctr();
622         break;
623     default:
624         return srtp_err_status_bad_param;
625         break;
626     }
627     memcpy(kdf->master_key, key, key_len);
628     memcpy(kdf->master_salt, key + key_len, salt_len);
629     return srtp_err_status_ok;
630 }
631 
srtp_kdf_generate(srtp_kdf_t * kdf,srtp_prf_label label,uint8_t * key,unsigned int length)632 static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf,
633                                            srtp_prf_label label,
634                                            uint8_t *key,
635                                            unsigned int length)
636 {
637     int ret;
638 
639     /* The NULL cipher will not have an EVP */
640     if (!kdf->evp)
641         return srtp_err_status_ok;
642     octet_string_set_to_zero(key, length);
643 
644     /*
645      * Invoke the OpenSSL SRTP KDF function
646      * This is useful if OpenSSL is in FIPS mode and FIP
647      * compliance is required for SRTP.
648      */
649     ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key,
650                    (char *)&kdf->master_salt, NULL, NULL, label, (char *)key);
651     if (ret == -1) {
652         return (srtp_err_status_algo_fail);
653     }
654 
655     return srtp_err_status_ok;
656 }
657 
srtp_kdf_clear(srtp_kdf_t * kdf)658 static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf)
659 {
660     octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN);
661     octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN);
662     kdf->evp = NULL;
663 
664     return srtp_err_status_ok;
665 }
666 
667 #else  /* if OPENSSL_KDF */
668 
669 /*
670  * srtp_kdf_t represents a key derivation function.  The SRTP
671  * default KDF is the only one implemented at present.
672  */
673 typedef struct {
674     srtp_cipher_t *cipher; /* cipher used for key derivation  */
675 } srtp_kdf_t;
676 
srtp_kdf_init(srtp_kdf_t * kdf,const uint8_t * key,int key_len)677 static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf,
678                                        const uint8_t *key,
679                                        int key_len)
680 {
681     srtp_cipher_type_id_t cipher_id;
682     srtp_err_status_t stat;
683 
684     switch (key_len) {
685     case SRTP_AES_ICM_256_KEY_LEN_WSALT:
686         cipher_id = SRTP_AES_ICM_256;
687         break;
688     case SRTP_AES_ICM_192_KEY_LEN_WSALT:
689         cipher_id = SRTP_AES_ICM_192;
690         break;
691     case SRTP_AES_ICM_128_KEY_LEN_WSALT:
692         cipher_id = SRTP_AES_ICM_128;
693         break;
694     default:
695         return srtp_err_status_bad_param;
696         break;
697     }
698 
699     stat = srtp_crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, key_len, 0);
700     if (stat)
701         return stat;
702 
703     stat = srtp_cipher_init(kdf->cipher, key);
704     if (stat) {
705         srtp_cipher_dealloc(kdf->cipher);
706         return stat;
707     }
708     return srtp_err_status_ok;
709 }
710 
srtp_kdf_generate(srtp_kdf_t * kdf,srtp_prf_label label,uint8_t * key,unsigned int length)711 static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf,
712                                            srtp_prf_label label,
713                                            uint8_t *key,
714                                            unsigned int length)
715 {
716     srtp_err_status_t status;
717     v128_t nonce;
718 
719     /* set eigth octet of nonce to <label>, set the rest of it to zero */
720     v128_set_to_zero(&nonce);
721     nonce.v8[7] = label;
722 
723     status = srtp_cipher_set_iv(kdf->cipher, (uint8_t *)&nonce,
724                                 srtp_direction_encrypt);
725     if (status)
726         return status;
727 
728     /* generate keystream output */
729     octet_string_set_to_zero(key, length);
730     status = srtp_cipher_encrypt(kdf->cipher, key, &length);
731     if (status)
732         return status;
733 
734     return srtp_err_status_ok;
735 }
736 
srtp_kdf_clear(srtp_kdf_t * kdf)737 static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf)
738 {
739     srtp_err_status_t status;
740     status = srtp_cipher_dealloc(kdf->cipher);
741     if (status)
742         return status;
743     kdf->cipher = NULL;
744     return srtp_err_status_ok;
745 }
746 #endif /* else OPENSSL_KDF */
747 
748 /*
749  *  end of key derivation functions
750  */
751 
752 /* Get the base key length corresponding to a given combined key+salt
753  * length for the given cipher.
754  * TODO: key and salt lengths should be separate fields in the policy.  */
base_key_length(const srtp_cipher_type_t * cipher,int key_length)755 static inline int base_key_length(const srtp_cipher_type_t *cipher,
756                                   int key_length)
757 {
758     switch (cipher->id) {
759     case SRTP_AES_ICM_128:
760     case SRTP_AES_ICM_192:
761     case SRTP_AES_ICM_256:
762         /* The legacy modes are derived from
763          * the configured key length on the policy */
764         return key_length - SRTP_SALT_LEN;
765         break;
766     case SRTP_AES_GCM_128:
767         return key_length - SRTP_AEAD_SALT_LEN;
768         break;
769     case SRTP_AES_GCM_256:
770         return key_length - SRTP_AEAD_SALT_LEN;
771         break;
772     default:
773         return key_length;
774         break;
775     }
776 }
777 
srtp_validate_policy_master_keys(const srtp_policy_t * policy)778 unsigned int srtp_validate_policy_master_keys(const srtp_policy_t *policy)
779 {
780     unsigned long i = 0;
781 
782     if (policy->key == NULL) {
783         if (policy->num_master_keys <= 0)
784             return 0;
785 
786         if (policy->num_master_keys > SRTP_MAX_NUM_MASTER_KEYS)
787             return 0;
788 
789         for (i = 0; i < policy->num_master_keys; i++) {
790             if (policy->keys[i]->key == NULL)
791                 return 0;
792             if (policy->keys[i]->mki_size > SRTP_MAX_MKI_LEN)
793                 return 0;
794         }
795     }
796 
797     return 1;
798 }
799 
srtp_get_session_keys_with_mki_index(srtp_stream_ctx_t * stream,unsigned int use_mki,unsigned int mki_index)800 srtp_session_keys_t *srtp_get_session_keys_with_mki_index(
801     srtp_stream_ctx_t *stream,
802     unsigned int use_mki,
803     unsigned int mki_index)
804 {
805     if (use_mki) {
806         if (mki_index >= stream->num_master_keys) {
807             return NULL;
808         }
809         return &stream->session_keys[mki_index];
810     }
811 
812     return &stream->session_keys[0];
813 }
814 
srtp_inject_mki(uint8_t * mki_tag_location,srtp_session_keys_t * session_keys,unsigned int use_mki)815 unsigned int srtp_inject_mki(uint8_t *mki_tag_location,
816                              srtp_session_keys_t *session_keys,
817                              unsigned int use_mki)
818 {
819     unsigned int mki_size = 0;
820 
821     if (use_mki) {
822         mki_size = session_keys->mki_size;
823 
824         if (mki_size != 0) {
825             // Write MKI into memory
826             memcpy(mki_tag_location, session_keys->mki_id, mki_size);
827         }
828     }
829 
830     return mki_size;
831 }
832 
srtp_stream_init_all_master_keys(srtp_stream_ctx_t * srtp,unsigned char * key,srtp_master_key_t ** keys,const unsigned int max_master_keys)833 srtp_err_status_t srtp_stream_init_all_master_keys(
834     srtp_stream_ctx_t *srtp,
835     unsigned char *key,
836     srtp_master_key_t **keys,
837     const unsigned int max_master_keys)
838 {
839     unsigned int i = 0;
840     srtp_err_status_t status = srtp_err_status_ok;
841     srtp_master_key_t single_master_key;
842 
843     if (key != NULL) {
844         srtp->num_master_keys = 1;
845         single_master_key.key = key;
846         single_master_key.mki_id = NULL;
847         single_master_key.mki_size = 0;
848         status = srtp_stream_init_keys(srtp, &single_master_key, 0);
849     } else {
850         srtp->num_master_keys = max_master_keys;
851 
852         for (i = 0; i < srtp->num_master_keys && i < SRTP_MAX_NUM_MASTER_KEYS;
853              i++) {
854             status = srtp_stream_init_keys(srtp, keys[i], i);
855 
856             if (status) {
857                 return status;
858             }
859         }
860     }
861 
862     return status;
863 }
864 
srtp_stream_init_keys(srtp_stream_ctx_t * srtp,srtp_master_key_t * master_key,const unsigned int current_mki_index)865 srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp,
866                                         srtp_master_key_t *master_key,
867                                         const unsigned int current_mki_index)
868 {
869     srtp_err_status_t stat;
870     srtp_kdf_t kdf;
871     uint8_t tmp_key[MAX_SRTP_KEY_LEN];
872     int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
873     int rtp_base_key_len, rtp_salt_len;
874     int rtcp_base_key_len, rtcp_salt_len;
875     srtp_session_keys_t *session_keys = NULL;
876     unsigned char *key = master_key->key;
877 
878     /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
879     /* TODO: kdf algorithm, master key length, and master salt length should
880      * be part of srtp_policy_t.
881     */
882     session_keys = &srtp->session_keys[current_mki_index];
883 
884 /* initialize key limit to maximum value */
885 #ifdef NO_64BIT_MATH
886     {
887         uint64_t temp;
888         temp = make64(UINT_MAX, UINT_MAX);
889         srtp_key_limit_set(session_keys->limit, temp);
890     }
891 #else
892     srtp_key_limit_set(session_keys->limit, 0xffffffffffffLL);
893 #endif
894 
895     if (master_key->mki_size != 0) {
896         session_keys->mki_id = srtp_crypto_alloc(master_key->mki_size);
897 
898         if (session_keys->mki_id == NULL) {
899             return srtp_err_status_init_fail;
900         }
901         memcpy(session_keys->mki_id, master_key->mki_id, master_key->mki_size);
902     } else {
903         session_keys->mki_id = NULL;
904     }
905 
906     session_keys->mki_size = master_key->mki_size;
907 
908     rtp_keylen = srtp_cipher_get_key_length(session_keys->rtp_cipher);
909     rtcp_keylen = srtp_cipher_get_key_length(session_keys->rtcp_cipher);
910     rtp_base_key_len =
911         base_key_length(session_keys->rtp_cipher->type, rtp_keylen);
912     rtp_salt_len = rtp_keylen - rtp_base_key_len;
913 
914     if (rtp_keylen > kdf_keylen) {
915         kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
916     }
917 
918     if (rtcp_keylen > kdf_keylen) {
919         kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
920     }
921 
922     debug_print(mod_srtp, "srtp key len: %d", rtp_keylen);
923     debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen);
924     debug_print(mod_srtp, "base key len: %d", rtp_base_key_len);
925     debug_print(mod_srtp, "kdf key len: %d", kdf_keylen);
926     debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len);
927 
928     /*
929      * Make sure the key given to us is 'zero' appended.  GCM
930      * mode uses a shorter master SALT (96 bits), but still relies on
931      * the legacy CTR mode KDF, which uses a 112 bit master SALT.
932      */
933     memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN);
934     memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len));
935 
936 /* initialize KDF state     */
937 #if defined(OPENSSL) && defined(OPENSSL_KDF)
938     stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, rtp_base_key_len,
939                          rtp_salt_len);
940 #else
941     stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, kdf_keylen);
942 #endif
943     if (stat) {
944         /* zeroize temp buffer */
945         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
946         return srtp_err_status_init_fail;
947     }
948 
949     /* generate encryption key  */
950     stat = srtp_kdf_generate(&kdf, label_rtp_encryption, tmp_key,
951                              rtp_base_key_len);
952     if (stat) {
953         /* zeroize temp buffer */
954         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
955         return srtp_err_status_init_fail;
956     }
957     debug_print(mod_srtp, "cipher key: %s",
958                 srtp_octet_string_hex_string(tmp_key, rtp_base_key_len));
959 
960     /*
961      * if the cipher in the srtp context uses a salt, then we need
962      * to generate the salt value
963      */
964     if (rtp_salt_len > 0) {
965         debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
966 
967         /* generate encryption salt, put after encryption key */
968         stat = srtp_kdf_generate(&kdf, label_rtp_salt,
969                                  tmp_key + rtp_base_key_len, rtp_salt_len);
970         if (stat) {
971             /* zeroize temp buffer */
972             octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
973             return srtp_err_status_init_fail;
974         }
975         memcpy(session_keys->salt, tmp_key + rtp_base_key_len,
976                SRTP_AEAD_SALT_LEN);
977     }
978     if (rtp_salt_len > 0) {
979         debug_print(mod_srtp, "cipher salt: %s",
980                     srtp_octet_string_hex_string(tmp_key + rtp_base_key_len,
981                                                  rtp_salt_len));
982     }
983 
984     /* initialize cipher */
985     stat = srtp_cipher_init(session_keys->rtp_cipher, tmp_key);
986     if (stat) {
987         /* zeroize temp buffer */
988         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
989         return srtp_err_status_init_fail;
990     }
991 
992     if (session_keys->rtp_xtn_hdr_cipher) {
993         /* generate extensions header encryption key  */
994         int rtp_xtn_hdr_keylen;
995         int rtp_xtn_hdr_base_key_len;
996         int rtp_xtn_hdr_salt_len;
997         srtp_kdf_t tmp_kdf;
998         srtp_kdf_t *xtn_hdr_kdf;
999 
1000         if (session_keys->rtp_xtn_hdr_cipher->type !=
1001             session_keys->rtp_cipher->type) {
1002             /*
1003              * With GCM ciphers, the header extensions are still encrypted using
1004              * the corresponding ICM cipher.
1005              * See https://tools.ietf.org/html/rfc7714#section-8.3
1006              */
1007             uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN];
1008             rtp_xtn_hdr_keylen =
1009                 srtp_cipher_get_key_length(session_keys->rtp_xtn_hdr_cipher);
1010             rtp_xtn_hdr_base_key_len = base_key_length(
1011                 session_keys->rtp_xtn_hdr_cipher->type, rtp_xtn_hdr_keylen);
1012             rtp_xtn_hdr_salt_len =
1013                 rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len;
1014             if (rtp_xtn_hdr_salt_len > rtp_salt_len) {
1015                 switch (session_keys->rtp_cipher->type->id) {
1016                 case SRTP_AES_GCM_128:
1017                 case SRTP_AES_GCM_256:
1018                     /*
1019                      * The shorter GCM salt is padded to the required ICM salt
1020                      * length.
1021                      */
1022                     rtp_xtn_hdr_salt_len = rtp_salt_len;
1023                     break;
1024                 default:
1025                     /* zeroize temp buffer */
1026                     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1027                     return srtp_err_status_bad_param;
1028                 }
1029             }
1030             memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN);
1031             memcpy(tmp_xtn_hdr_key, key,
1032                    (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_len));
1033             xtn_hdr_kdf = &tmp_kdf;
1034 
1035 /* initialize KDF state */
1036 #if defined(OPENSSL) && defined(OPENSSL_KDF)
1037             stat =
1038                 srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key,
1039                               rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len);
1040 #else
1041             stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key,
1042                                  kdf_keylen);
1043 #endif
1044             octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN);
1045             if (stat) {
1046                 /* zeroize temp buffer */
1047                 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1048                 return srtp_err_status_init_fail;
1049             }
1050         } else {
1051             /* Reuse main KDF. */
1052             rtp_xtn_hdr_keylen = rtp_keylen;
1053             rtp_xtn_hdr_base_key_len = rtp_base_key_len;
1054             rtp_xtn_hdr_salt_len = rtp_salt_len;
1055             xtn_hdr_kdf = &kdf;
1056         }
1057 
1058         stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption,
1059                                  tmp_key, rtp_xtn_hdr_base_key_len);
1060         if (stat) {
1061             /* zeroize temp buffer */
1062             octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1063             return srtp_err_status_init_fail;
1064         }
1065         debug_print(
1066             mod_srtp, "extensions cipher key: %s",
1067             srtp_octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len));
1068 
1069         /*
1070          * if the cipher in the srtp context uses a salt, then we need
1071          * to generate the salt value
1072          */
1073         if (rtp_xtn_hdr_salt_len > 0) {
1074             debug_print(mod_srtp,
1075                         "found rtp_xtn_hdr_salt_len > 0, generating salt",
1076                         NULL);
1077 
1078             /* generate encryption salt, put after encryption key */
1079             stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt,
1080                                      tmp_key + rtp_xtn_hdr_base_key_len,
1081                                      rtp_xtn_hdr_salt_len);
1082             if (stat) {
1083                 /* zeroize temp buffer */
1084                 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1085                 return srtp_err_status_init_fail;
1086             }
1087         }
1088         if (rtp_xtn_hdr_salt_len > 0) {
1089             debug_print(
1090                 mod_srtp, "extensions cipher salt: %s",
1091                 srtp_octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len,
1092                                              rtp_xtn_hdr_salt_len));
1093         }
1094 
1095         /* initialize extensions header cipher */
1096         stat = srtp_cipher_init(session_keys->rtp_xtn_hdr_cipher, tmp_key);
1097         if (stat) {
1098             /* zeroize temp buffer */
1099             octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1100             return srtp_err_status_init_fail;
1101         }
1102 
1103         if (xtn_hdr_kdf != &kdf) {
1104             /* release memory for custom header extension encryption kdf */
1105             stat = srtp_kdf_clear(xtn_hdr_kdf);
1106             if (stat) {
1107                 /* zeroize temp buffer */
1108                 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1109                 return srtp_err_status_init_fail;
1110             }
1111         }
1112     }
1113 
1114     /* generate authentication key */
1115     stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, tmp_key,
1116                              srtp_auth_get_key_length(session_keys->rtp_auth));
1117     if (stat) {
1118         /* zeroize temp buffer */
1119         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1120         return srtp_err_status_init_fail;
1121     }
1122     debug_print(mod_srtp, "auth key:   %s",
1123                 srtp_octet_string_hex_string(
1124                     tmp_key, srtp_auth_get_key_length(session_keys->rtp_auth)));
1125 
1126     /* initialize auth function */
1127     stat = srtp_auth_init(session_keys->rtp_auth, tmp_key);
1128     if (stat) {
1129         /* zeroize temp buffer */
1130         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1131         return srtp_err_status_init_fail;
1132     }
1133 
1134     /*
1135      * ...now initialize SRTCP keys
1136      */
1137 
1138     rtcp_base_key_len =
1139         base_key_length(session_keys->rtcp_cipher->type, rtcp_keylen);
1140     rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
1141     debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len);
1142 
1143     /* generate encryption key  */
1144     stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, tmp_key,
1145                              rtcp_base_key_len);
1146     if (stat) {
1147         /* zeroize temp buffer */
1148         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1149         return srtp_err_status_init_fail;
1150     }
1151 
1152     /*
1153      * if the cipher in the srtp context uses a salt, then we need
1154      * to generate the salt value
1155      */
1156     if (rtcp_salt_len > 0) {
1157         debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
1158                     NULL);
1159 
1160         /* generate encryption salt, put after encryption key */
1161         stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
1162                                  tmp_key + rtcp_base_key_len, rtcp_salt_len);
1163         if (stat) {
1164             /* zeroize temp buffer */
1165             octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1166             return srtp_err_status_init_fail;
1167         }
1168         memcpy(session_keys->c_salt, tmp_key + rtcp_base_key_len,
1169                SRTP_AEAD_SALT_LEN);
1170     }
1171     debug_print(mod_srtp, "rtcp cipher key: %s",
1172                 srtp_octet_string_hex_string(tmp_key, rtcp_base_key_len));
1173     if (rtcp_salt_len > 0) {
1174         debug_print(mod_srtp, "rtcp cipher salt: %s",
1175                     srtp_octet_string_hex_string(tmp_key + rtcp_base_key_len,
1176                                                  rtcp_salt_len));
1177     }
1178 
1179     /* initialize cipher */
1180     stat = srtp_cipher_init(session_keys->rtcp_cipher, tmp_key);
1181     if (stat) {
1182         /* zeroize temp buffer */
1183         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1184         return srtp_err_status_init_fail;
1185     }
1186 
1187     /* generate authentication key */
1188     stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, tmp_key,
1189                              srtp_auth_get_key_length(session_keys->rtcp_auth));
1190     if (stat) {
1191         /* zeroize temp buffer */
1192         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1193         return srtp_err_status_init_fail;
1194     }
1195 
1196     debug_print(
1197         mod_srtp, "rtcp auth key:   %s",
1198         srtp_octet_string_hex_string(
1199             tmp_key, srtp_auth_get_key_length(session_keys->rtcp_auth)));
1200 
1201     /* initialize auth function */
1202     stat = srtp_auth_init(session_keys->rtcp_auth, tmp_key);
1203     if (stat) {
1204         /* zeroize temp buffer */
1205         octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1206         return srtp_err_status_init_fail;
1207     }
1208 
1209     /* clear memory then return */
1210     stat = srtp_kdf_clear(&kdf);
1211     octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
1212     if (stat)
1213         return srtp_err_status_init_fail;
1214 
1215     return srtp_err_status_ok;
1216 }
1217 
srtp_stream_init(srtp_stream_ctx_t * srtp,const srtp_policy_t * p)1218 srtp_err_status_t srtp_stream_init(srtp_stream_ctx_t *srtp,
1219                                    const srtp_policy_t *p)
1220 {
1221     srtp_err_status_t err;
1222 
1223     debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", p->ssrc.value);
1224 
1225     /* initialize replay database */
1226     /*
1227      * window size MUST be at least 64.  MAY be larger.  Values more than
1228      * 2^15 aren't meaningful due to how extended sequence numbers are
1229      * calculated.
1230      * Let a window size of 0 imply the default value.
1231      */
1232 
1233     if (p->window_size != 0 &&
1234         (p->window_size < 64 || p->window_size >= 0x8000))
1235         return srtp_err_status_bad_param;
1236 
1237     if (p->window_size != 0)
1238         err = srtp_rdbx_init(&srtp->rtp_rdbx, p->window_size);
1239     else
1240         err = srtp_rdbx_init(&srtp->rtp_rdbx, 128);
1241     if (err)
1242         return err;
1243 
1244     /* set the SSRC value */
1245     srtp->ssrc = htonl(p->ssrc.value);
1246 
1247     /* reset pending ROC */
1248     srtp->pending_roc = 0;
1249 
1250     /* set the security service flags */
1251     srtp->rtp_services = p->rtp.sec_serv;
1252     srtp->rtcp_services = p->rtcp.sec_serv;
1253 
1254     /*
1255      * set direction to unknown - this flag gets checked in srtp_protect(),
1256      * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
1257      * gets set appropriately if it is set to unknown.
1258      */
1259     srtp->direction = dir_unknown;
1260 
1261     /* initialize SRTCP replay database */
1262     srtp_rdb_init(&srtp->rtcp_rdb);
1263 
1264     /* initialize allow_repeat_tx */
1265     /* guard against uninitialized memory: allow only 0 or 1 here */
1266     if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) {
1267         srtp_rdbx_dealloc(&srtp->rtp_rdbx);
1268         return srtp_err_status_bad_param;
1269     }
1270     srtp->allow_repeat_tx = p->allow_repeat_tx;
1271 
1272     /* DAM - no RTCP key limit at present */
1273 
1274     /* initialize keys */
1275     err = srtp_stream_init_all_master_keys(srtp, p->key, p->keys,
1276                                            p->num_master_keys);
1277     if (err) {
1278         srtp_rdbx_dealloc(&srtp->rtp_rdbx);
1279         return err;
1280     }
1281 
1282     /*
1283      * if EKT is in use, then initialize the EKT data associated with
1284      * the stream
1285      */
1286     err = srtp_ekt_stream_init_from_policy(srtp->ekt, p->ekt);
1287     if (err) {
1288         srtp_rdbx_dealloc(&srtp->rtp_rdbx);
1289         return err;
1290     }
1291 
1292     return srtp_err_status_ok;
1293 }
1294 
1295 /*
1296  * srtp_event_reporter is an event handler function that merely
1297  * reports the events that are reported by the callbacks
1298  */
1299 
srtp_event_reporter(srtp_event_data_t * data)1300 void srtp_event_reporter(srtp_event_data_t *data)
1301 {
1302     srtp_err_report(srtp_err_level_warning, "srtp: in stream 0x%x: ",
1303                     data->ssrc);
1304 
1305     switch (data->event) {
1306     case event_ssrc_collision:
1307         srtp_err_report(srtp_err_level_warning, "\tSSRC collision\n");
1308         break;
1309     case event_key_soft_limit:
1310         srtp_err_report(srtp_err_level_warning,
1311                         "\tkey usage soft limit reached\n");
1312         break;
1313     case event_key_hard_limit:
1314         srtp_err_report(srtp_err_level_warning,
1315                         "\tkey usage hard limit reached\n");
1316         break;
1317     case event_packet_index_limit:
1318         srtp_err_report(srtp_err_level_warning,
1319                         "\tpacket index limit reached\n");
1320         break;
1321     default:
1322         srtp_err_report(srtp_err_level_warning,
1323                         "\tunknown event reported to handler\n");
1324     }
1325 }
1326 
1327 /*
1328  * srtp_event_handler is a global variable holding a pointer to the
1329  * event handler function; this function is called for any unexpected
1330  * event that needs to be handled out of the SRTP data path.  see
1331  * srtp_event_t in srtp.h for more info
1332  *
1333  * it is okay to set srtp_event_handler to NULL, but we set
1334  * it to the srtp_event_reporter.
1335  */
1336 
1337 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
1338 
srtp_install_event_handler(srtp_event_handler_func_t func)1339 srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func)
1340 {
1341     /*
1342      * note that we accept NULL arguments intentionally - calling this
1343      * function with a NULL arguments removes an event handler that's
1344      * been previously installed
1345      */
1346 
1347     /* set global event handling function */
1348     srtp_event_handler = func;
1349     return srtp_err_status_ok;
1350 }
1351 
1352 /*
1353  * Check if the given extension header id is / should be encrypted.
1354  * Returns 1 if yes, otherwise 0.
1355  */
srtp_protect_extension_header(srtp_stream_ctx_t * stream,int id)1356 static int srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id)
1357 {
1358     int *enc_xtn_hdr = stream->enc_xtn_hdr;
1359     int count = stream->enc_xtn_hdr_count;
1360 
1361     if (!enc_xtn_hdr || count <= 0) {
1362         return 0;
1363     }
1364 
1365     while (count > 0) {
1366         if (*enc_xtn_hdr == id) {
1367             return 1;
1368         }
1369 
1370         enc_xtn_hdr++;
1371         count--;
1372     }
1373     return 0;
1374 }
1375 
1376 /*
1377  * extensions header encryption RFC 6904
1378  */
srtp_process_header_encryption(srtp_stream_ctx_t * stream,srtp_hdr_xtnd_t * xtn_hdr,srtp_session_keys_t * session_keys)1379 static srtp_err_status_t srtp_process_header_encryption(
1380     srtp_stream_ctx_t *stream,
1381     srtp_hdr_xtnd_t *xtn_hdr,
1382     srtp_session_keys_t *session_keys)
1383 {
1384     srtp_err_status_t status;
1385     uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */
1386     int keystream_pos;
1387     uint8_t *xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr;
1388     uint8_t *xtn_hdr_end =
1389         xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_t));
1390 
1391     if (ntohs(xtn_hdr->profile_specific) == 0xbede) {
1392         /* RFC 5285, section 4.2. One-Byte Header */
1393         while (xtn_hdr_data < xtn_hdr_end) {
1394             uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4;
1395             unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1;
1396             uint32_t xlen_with_header = 1 + xlen;
1397             xtn_hdr_data++;
1398 
1399             if (xtn_hdr_data + xlen > xtn_hdr_end)
1400                 return srtp_err_status_parse_err;
1401 
1402             if (xid == 15) {
1403                 /* found header 15, stop further processing. */
1404                 break;
1405             }
1406 
1407             status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher,
1408                                         keystream, &xlen_with_header);
1409             if (status)
1410                 return srtp_err_status_cipher_fail;
1411 
1412             if (srtp_protect_extension_header(stream, xid)) {
1413                 keystream_pos = 1;
1414                 while (xlen > 0) {
1415                     *xtn_hdr_data ^= keystream[keystream_pos++];
1416                     xtn_hdr_data++;
1417                     xlen--;
1418                 }
1419             } else {
1420                 xtn_hdr_data += xlen;
1421             }
1422 
1423             /* skip padding bytes. */
1424             while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) {
1425                 xtn_hdr_data++;
1426             }
1427         }
1428     } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) {
1429         /* RFC 5285, section 4.3. Two-Byte Header */
1430         while (xtn_hdr_data + 1 < xtn_hdr_end) {
1431             uint8_t xid = *xtn_hdr_data;
1432             unsigned int xlen = *(xtn_hdr_data + 1);
1433             uint32_t xlen_with_header = 2 + xlen;
1434             xtn_hdr_data += 2;
1435 
1436             if (xtn_hdr_data + xlen > xtn_hdr_end)
1437                 return srtp_err_status_parse_err;
1438 
1439             status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher,
1440                                         keystream, &xlen_with_header);
1441             if (status)
1442                 return srtp_err_status_cipher_fail;
1443 
1444             if (xlen > 0 && srtp_protect_extension_header(stream, xid)) {
1445                 keystream_pos = 2;
1446                 while (xlen > 0) {
1447                     *xtn_hdr_data ^= keystream[keystream_pos++];
1448                     xtn_hdr_data++;
1449                     xlen--;
1450                 }
1451             } else {
1452                 xtn_hdr_data += xlen;
1453             }
1454 
1455             /* skip padding bytes. */
1456             while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) {
1457                 xtn_hdr_data++;
1458             }
1459         }
1460     } else {
1461         /* unsupported extension header format. */
1462         return srtp_err_status_parse_err;
1463     }
1464 
1465     return srtp_err_status_ok;
1466 }
1467 
1468 /*
1469  * AEAD uses a new IV formation method.  This function implements
1470  * section 8.1. (SRTP IV Formation for AES-GCM) of RFC7714.
1471  * The calculation is defined as, where (+) is the xor operation:
1472  *
1473  *
1474  *              0  0  0  0  0  0  0  0  0  0  1  1
1475  *              0  1  2  3  4  5  6  7  8  9  0  1
1476  *            +--+--+--+--+--+--+--+--+--+--+--+--+
1477  *            |00|00|    SSRC   |     ROC   | SEQ |---+
1478  *            +--+--+--+--+--+--+--+--+--+--+--+--+   |
1479  *                                                    |
1480  *            +--+--+--+--+--+--+--+--+--+--+--+--+   |
1481  *            |         Encryption Salt           |->(+)
1482  *            +--+--+--+--+--+--+--+--+--+--+--+--+   |
1483  *                                                    |
1484  *            +--+--+--+--+--+--+--+--+--+--+--+--+   |
1485  *            |       Initialization Vector       |<--+
1486  *            +--+--+--+--+--+--+--+--+--+--+--+--+*
1487  *
1488  * Input:  *session_keys - pointer to SRTP stream context session keys,
1489  *                         used to retrieve the SALT
1490  *         *iv     - Pointer to receive the calculated IV
1491  *         *seq    - The ROC and SEQ value to use for the
1492  *                   IV calculation.
1493  *         *hdr    - The RTP header, used to get the SSRC value
1494  *
1495  */
1496 
srtp_calc_aead_iv(srtp_session_keys_t * session_keys,v128_t * iv,srtp_xtd_seq_num_t * seq,srtp_hdr_t * hdr)1497 static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys,
1498                               v128_t *iv,
1499                               srtp_xtd_seq_num_t *seq,
1500                               srtp_hdr_t *hdr)
1501 {
1502     v128_t in;
1503     v128_t salt;
1504 
1505 #ifdef NO_64BIT_MATH
1506     uint32_t local_roc = ((high32(*seq) << 16) | (low32(*seq) >> 16));
1507     uint16_t local_seq = (uint16_t)(low32(*seq));
1508 #else
1509     uint32_t local_roc = (uint32_t)(*seq >> 16);
1510     uint16_t local_seq = (uint16_t)*seq;
1511 #endif
1512 
1513     memset(&in, 0, sizeof(v128_t));
1514     memset(&salt, 0, sizeof(v128_t));
1515 
1516     in.v16[5] = htons(local_seq);
1517     local_roc = htonl(local_roc);
1518     memcpy(&in.v16[3], &local_roc, sizeof(local_roc));
1519 
1520     /*
1521      * Copy in the RTP SSRC value
1522      */
1523     memcpy(&in.v8[2], &hdr->ssrc, 4);
1524     debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in));
1525 
1526     /*
1527      * Get the SALT value from the context
1528      */
1529     memcpy(salt.v8, session_keys->salt, SRTP_AEAD_SALT_LEN);
1530     debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt));
1531 
1532     /*
1533      * Finally, apply tyhe SALT to the input
1534      */
1535     v128_xor(iv, &in, &salt);
1536 }
1537 
srtp_get_session_keys(srtp_stream_ctx_t * stream,uint8_t * hdr,const unsigned int * pkt_octet_len,unsigned int * mki_size)1538 srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream,
1539                                            uint8_t *hdr,
1540                                            const unsigned int *pkt_octet_len,
1541                                            unsigned int *mki_size)
1542 {
1543     unsigned int base_mki_start_location = *pkt_octet_len;
1544     unsigned int mki_start_location = 0;
1545     unsigned int tag_len = 0;
1546     unsigned int i = 0;
1547 
1548     // Determine the authentication tag size
1549     if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
1550         stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) {
1551         tag_len = 0;
1552     } else {
1553         tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth);
1554     }
1555 
1556     if (tag_len > base_mki_start_location) {
1557         *mki_size = 0;
1558         return NULL;
1559     }
1560 
1561     base_mki_start_location -= tag_len;
1562 
1563     for (i = 0; i < stream->num_master_keys; i++) {
1564         if (stream->session_keys[i].mki_size != 0 &&
1565             stream->session_keys[i].mki_size <= base_mki_start_location) {
1566             *mki_size = stream->session_keys[i].mki_size;
1567             mki_start_location = base_mki_start_location - *mki_size;
1568 
1569             if (memcmp(hdr + mki_start_location, stream->session_keys[i].mki_id,
1570                        *mki_size) == 0) {
1571                 return &stream->session_keys[i];
1572             }
1573         }
1574     }
1575 
1576     *mki_size = 0;
1577     return NULL;
1578 }
1579 
srtp_estimate_index(srtp_rdbx_t * rdbx,uint32_t roc,srtp_xtd_seq_num_t * est,srtp_sequence_number_t seq,int * delta)1580 static srtp_err_status_t srtp_estimate_index(srtp_rdbx_t *rdbx,
1581                                              uint32_t roc,
1582                                              srtp_xtd_seq_num_t *est,
1583                                              srtp_sequence_number_t seq,
1584                                              int *delta)
1585 {
1586 #ifdef NO_64BIT_MATH
1587     uint32_t internal_pkt_idx_reduced;
1588     uint32_t external_pkt_idx_reduced;
1589     uint32_t internal_roc;
1590     uint32_t roc_difference;
1591 #endif
1592 
1593 #ifdef NO_64BIT_MATH
1594     *est = (srtp_xtd_seq_num_t)make64(roc >> 16, (roc << 16) | seq);
1595     *delta = low32(est) - rdbx->index;
1596 #else
1597     *est = (srtp_xtd_seq_num_t)(((uint64_t)roc) << 16) | seq;
1598     *delta = (int)(*est - rdbx->index);
1599 #endif
1600 
1601     if (*est > rdbx->index) {
1602 #ifdef NO_64BIT_MATH
1603         internal_roc = (uint32_t)(rdbx->index >> 16);
1604         roc_difference = roc - internal_roc;
1605         if (roc_difference > 1) {
1606             *delta = 0;
1607             return srtp_err_status_pkt_idx_adv;
1608         }
1609 
1610         internal_pkt_idx_reduced = (uint32_t)(rdbx->index & 0xFFFF);
1611         external_pkt_idx_reduced = (uint32_t)((roc_difference << 16) | seq);
1612 
1613         if (external_pkt_idx_reduced - internal_pkt_idx_reduced >
1614             seq_num_median) {
1615             *delta = 0;
1616             return srtp_err_status_pkt_idx_adv;
1617         }
1618 #else
1619         if (*est - rdbx->index > seq_num_median) {
1620             *delta = 0;
1621             return srtp_err_status_pkt_idx_adv;
1622         }
1623 #endif
1624     } else if (*est < rdbx->index) {
1625 #ifdef NO_64BIT_MATH
1626 
1627         internal_roc = (uint32_t)(rdbx->index >> 16);
1628         roc_difference = internal_roc - roc;
1629         if (roc_difference > 1) {
1630             *delta = 0;
1631             return srtp_err_status_pkt_idx_adv;
1632         }
1633 
1634         internal_pkt_idx_reduced =
1635             (uint32_t)((roc_difference << 16) | rdbx->index & 0xFFFF);
1636         external_pkt_idx_reduced = (uint32_t)(seq);
1637 
1638         if (internal_pkt_idx_reduced - external_pkt_idx_reduced >
1639             seq_num_median) {
1640             *delta = 0;
1641             return srtp_err_status_pkt_idx_old;
1642         }
1643 #else
1644         if (rdbx->index - *est > seq_num_median) {
1645             *delta = 0;
1646             return srtp_err_status_pkt_idx_old;
1647         }
1648 #endif
1649     }
1650 
1651     return srtp_err_status_ok;
1652 }
1653 
srtp_get_est_pkt_index(srtp_hdr_t * hdr,srtp_stream_ctx_t * stream,srtp_xtd_seq_num_t * est,int * delta)1654 static srtp_err_status_t srtp_get_est_pkt_index(srtp_hdr_t *hdr,
1655                                                 srtp_stream_ctx_t *stream,
1656                                                 srtp_xtd_seq_num_t *est,
1657                                                 int *delta)
1658 {
1659     srtp_err_status_t result = srtp_err_status_ok;
1660 
1661     if (stream->pending_roc) {
1662         result = srtp_estimate_index(&stream->rtp_rdbx, stream->pending_roc,
1663                                      est, ntohs(hdr->seq), delta);
1664     } else {
1665         /* estimate packet index from seq. num. in header */
1666         *delta =
1667             srtp_rdbx_estimate_index(&stream->rtp_rdbx, est, ntohs(hdr->seq));
1668     }
1669 
1670 #ifdef NO_64BIT_MATH
1671     debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(*est),
1672                  low32(*est));
1673 #else
1674     debug_print(mod_srtp, "estimated u_packet index: %016llx", *est);
1675 #endif
1676     return result;
1677 }
1678 
1679 /*
1680  * This function handles outgoing SRTP packets while in AEAD mode,
1681  * which currently supports AES-GCM encryption.  All packets are
1682  * encrypted and authenticated.
1683  */
srtp_protect_aead(srtp_ctx_t * ctx,srtp_stream_ctx_t * stream,void * rtp_hdr,unsigned int * pkt_octet_len,srtp_session_keys_t * session_keys,unsigned int use_mki)1684 static srtp_err_status_t srtp_protect_aead(srtp_ctx_t *ctx,
1685                                            srtp_stream_ctx_t *stream,
1686                                            void *rtp_hdr,
1687                                            unsigned int *pkt_octet_len,
1688                                            srtp_session_keys_t *session_keys,
1689                                            unsigned int use_mki)
1690 {
1691     srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
1692     uint32_t *enc_start;    /* pointer to start of encrypted portion  */
1693     int enc_octet_len = 0;  /* number of octets in encrypted portion  */
1694     srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr        */
1695     int delta;              /* delta of local pkt idx and that in hdr */
1696     srtp_err_status_t status;
1697     uint32_t tag_len;
1698     v128_t iv;
1699     unsigned int aad_len;
1700     srtp_hdr_xtnd_t *xtn_hdr = NULL;
1701     unsigned int mki_size = 0;
1702     uint8_t *mki_location = NULL;
1703 
1704     debug_print(mod_srtp, "function srtp_protect_aead", NULL);
1705 
1706     /*
1707      * update the key usage limit, and check it to make sure that we
1708      * didn't just hit either the soft limit or the hard limit, and call
1709      * the event handler if we hit either.
1710      */
1711     switch (srtp_key_limit_update(session_keys->limit)) {
1712     case srtp_key_event_normal:
1713         break;
1714     case srtp_key_event_hard_limit:
1715         srtp_handle_event(ctx, stream, event_key_hard_limit);
1716         return srtp_err_status_key_expired;
1717     case srtp_key_event_soft_limit:
1718     default:
1719         srtp_handle_event(ctx, stream, event_key_soft_limit);
1720         break;
1721     }
1722 
1723     /* get tag length from stream */
1724     tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
1725 
1726     /*
1727      * find starting point for encryption and length of data to be
1728      * encrypted - the encrypted portion starts after the rtp header
1729      * extension, if present; otherwise, it starts after the last csrc,
1730      * if any are present
1731      */
1732     enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1733     if (hdr->x == 1) {
1734         xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1735         enc_start += (ntohs(xtn_hdr->length) + 1);
1736     }
1737     /* note: the passed size is without the auth tag */
1738     if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len))
1739         return srtp_err_status_parse_err;
1740     enc_octet_len =
1741         (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr));
1742     if (enc_octet_len < 0)
1743         return srtp_err_status_parse_err;
1744 
1745     /*
1746      * estimate the packet index using the start of the replay window
1747      * and the sequence number from the header
1748      */
1749     delta = srtp_rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
1750     status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
1751     if (status) {
1752         if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) {
1753             return status; /* we've been asked to reuse an index */
1754         }
1755     } else {
1756         srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
1757     }
1758 
1759 #ifdef NO_64BIT_MATH
1760     debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est),
1761                  low32(est));
1762 #else
1763     debug_print(mod_srtp, "estimated packet index: %016llx", est);
1764 #endif
1765 
1766     /*
1767      * AEAD uses a new IV formation method
1768      */
1769     srtp_calc_aead_iv(session_keys, &iv, &est, hdr);
1770 /* shift est, put into network byte order */
1771 #ifdef NO_64BIT_MATH
1772     est = be64_to_cpu(
1773         make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
1774 #else
1775     est = be64_to_cpu(est << 16);
1776 #endif
1777 
1778     status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
1779                                 srtp_direction_encrypt);
1780     if (!status && session_keys->rtp_xtn_hdr_cipher) {
1781         iv.v32[0] = 0;
1782         iv.v32[1] = hdr->ssrc;
1783         iv.v64[1] = est;
1784         status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
1785                                     (uint8_t *)&iv, srtp_direction_encrypt);
1786     }
1787     if (status) {
1788         return srtp_err_status_cipher_fail;
1789     }
1790 
1791     if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
1792         /*
1793          * extensions header encryption RFC 6904
1794          */
1795         status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
1796         if (status) {
1797             return status;
1798         }
1799     }
1800 
1801     /*
1802      * Set the AAD over the RTP header
1803      */
1804     aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
1805     status =
1806         srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len);
1807     if (status) {
1808         return (srtp_err_status_cipher_fail);
1809     }
1810 
1811     /* Encrypt the payload  */
1812     status = srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
1813                                  (unsigned int *)&enc_octet_len);
1814     if (status) {
1815         return srtp_err_status_cipher_fail;
1816     }
1817     /*
1818      * If we're doing GCM, we need to get the tag
1819      * and append that to the output
1820      */
1821     status =
1822         srtp_cipher_get_tag(session_keys->rtp_cipher,
1823                             (uint8_t *)enc_start + enc_octet_len, &tag_len);
1824     if (status) {
1825         return (srtp_err_status_cipher_fail);
1826     }
1827 
1828     mki_location = (uint8_t *)hdr + *pkt_octet_len + tag_len;
1829     mki_size = srtp_inject_mki(mki_location, session_keys, use_mki);
1830 
1831     /* increase the packet length by the length of the auth tag */
1832     *pkt_octet_len += tag_len;
1833 
1834     /* increase the packet length by the length of the mki_size */
1835     *pkt_octet_len += mki_size;
1836 
1837     return srtp_err_status_ok;
1838 }
1839 
1840 /*
1841  * This function handles incoming SRTP packets while in AEAD mode,
1842  * which currently supports AES-GCM encryption.  All packets are
1843  * encrypted and authenticated.  Note, the auth tag is at the end
1844  * of the packet stream and is automatically checked by GCM
1845  * when decrypting the payload.
1846  */
srtp_unprotect_aead(srtp_ctx_t * ctx,srtp_stream_ctx_t * stream,int delta,srtp_xtd_seq_num_t est,void * srtp_hdr,unsigned int * pkt_octet_len,srtp_session_keys_t * session_keys,unsigned int mki_size)1847 static srtp_err_status_t srtp_unprotect_aead(srtp_ctx_t *ctx,
1848                                              srtp_stream_ctx_t *stream,
1849                                              int delta,
1850                                              srtp_xtd_seq_num_t est,
1851                                              void *srtp_hdr,
1852                                              unsigned int *pkt_octet_len,
1853                                              srtp_session_keys_t *session_keys,
1854                                              unsigned int mki_size)
1855 {
1856     srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
1857     uint32_t *enc_start;            /* pointer to start of encrypted portion  */
1858     unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
1859     v128_t iv;
1860     srtp_err_status_t status;
1861     int tag_len;
1862     unsigned int aad_len;
1863     srtp_hdr_xtnd_t *xtn_hdr = NULL;
1864 
1865     debug_print(mod_srtp, "function srtp_unprotect_aead", NULL);
1866 
1867 #ifdef NO_64BIT_MATH
1868     debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),
1869                  low32(est));
1870 #else
1871     debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
1872 #endif
1873 
1874     /* get tag length from stream */
1875     tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
1876 
1877     /*
1878      * AEAD uses a new IV formation method
1879      */
1880     srtp_calc_aead_iv(session_keys, &iv, &est, hdr);
1881     status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
1882                                 srtp_direction_decrypt);
1883     if (!status && session_keys->rtp_xtn_hdr_cipher) {
1884         iv.v32[0] = 0;
1885         iv.v32[1] = hdr->ssrc;
1886 #ifdef NO_64BIT_MATH
1887         iv.v64[1] = be64_to_cpu(
1888             make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
1889 #else
1890         iv.v64[1] = be64_to_cpu(est << 16);
1891 #endif
1892         status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
1893                                     (uint8_t *)&iv, srtp_direction_encrypt);
1894     }
1895     if (status) {
1896         return srtp_err_status_cipher_fail;
1897     }
1898 
1899     /*
1900      * find starting point for decryption and length of data to be
1901      * decrypted - the encrypted portion starts after the rtp header
1902      * extension, if present; otherwise, it starts after the last csrc,
1903      * if any are present
1904      */
1905     enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
1906     if (hdr->x == 1) {
1907         xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
1908         enc_start += (ntohs(xtn_hdr->length) + 1);
1909     }
1910     if (!((uint8_t *)enc_start <=
1911           (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size)))
1912         return srtp_err_status_parse_err;
1913     /*
1914      * We pass the tag down to the cipher when doing GCM mode
1915      */
1916     enc_octet_len = (unsigned int)(*pkt_octet_len - mki_size -
1917                                    ((uint8_t *)enc_start - (uint8_t *)hdr));
1918 
1919     /*
1920      * Sanity check the encrypted payload length against
1921      * the tag size.  It must always be at least as large
1922      * as the tag length.
1923      */
1924     if (enc_octet_len < (unsigned int)tag_len) {
1925         return srtp_err_status_cipher_fail;
1926     }
1927 
1928     /*
1929      * update the key usage limit, and check it to make sure that we
1930      * didn't just hit either the soft limit or the hard limit, and call
1931      * the event handler if we hit either.
1932      */
1933     switch (srtp_key_limit_update(session_keys->limit)) {
1934     case srtp_key_event_normal:
1935         break;
1936     case srtp_key_event_soft_limit:
1937         srtp_handle_event(ctx, stream, event_key_soft_limit);
1938         break;
1939     case srtp_key_event_hard_limit:
1940         srtp_handle_event(ctx, stream, event_key_hard_limit);
1941         return srtp_err_status_key_expired;
1942     default:
1943         break;
1944     }
1945 
1946     /*
1947      * Set the AAD for AES-GCM, which is the RTP header
1948      */
1949     aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
1950     status =
1951         srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len);
1952     if (status) {
1953         return (srtp_err_status_cipher_fail);
1954     }
1955 
1956     /* Decrypt the ciphertext.  This also checks the auth tag based
1957      * on the AAD we just specified above */
1958     status = srtp_cipher_decrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
1959                                  &enc_octet_len);
1960     if (status) {
1961         return status;
1962     }
1963 
1964     if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
1965         /*
1966          * extensions header encryption RFC 6904
1967          */
1968         status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
1969         if (status) {
1970             return status;
1971         }
1972     }
1973 
1974     /*
1975      * verify that stream is for received traffic - this check will
1976      * detect SSRC collisions, since a stream that appears in both
1977      * srtp_protect() and srtp_unprotect() will fail this test in one of
1978      * those functions.
1979      *
1980      * we do this check *after* the authentication check, so that the
1981      * latter check will catch any attempts to fool us into thinking
1982      * that we've got a collision
1983      */
1984     if (stream->direction != dir_srtp_receiver) {
1985         if (stream->direction == dir_unknown) {
1986             stream->direction = dir_srtp_receiver;
1987         } else {
1988             srtp_handle_event(ctx, stream, event_ssrc_collision);
1989         }
1990     }
1991 
1992     /*
1993      * if the stream is a 'provisional' one, in which the template context
1994      * is used, then we need to allocate a new stream at this point, since
1995      * the authentication passed
1996      */
1997     if (stream == ctx->stream_template) {
1998         srtp_stream_ctx_t *new_stream;
1999 
2000         /*
2001          * allocate and initialize a new stream
2002          *
2003          * note that we indicate failure if we can't allocate the new
2004          * stream, and some implementations will want to not return
2005          * failure here
2006          */
2007         status =
2008             srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2009         if (status) {
2010             return status;
2011         }
2012 
2013         /* add new stream to the head of the stream_list */
2014         new_stream->next = ctx->stream_list;
2015         ctx->stream_list = new_stream;
2016 
2017         /* set stream (the pointer used in this function) */
2018         stream = new_stream;
2019     }
2020 
2021     /*
2022      * the message authentication function passed, so add the packet
2023      * index into the replay database
2024      */
2025     srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
2026 
2027     /* decrease the packet length by the length of the auth tag */
2028     *pkt_octet_len -= tag_len;
2029 
2030     /* decrease the packet length by the length of the mki_size */
2031     *pkt_octet_len -= mki_size;
2032 
2033     return srtp_err_status_ok;
2034 }
2035 
srtp_protect(srtp_ctx_t * ctx,void * rtp_hdr,int * pkt_octet_len)2036 srtp_err_status_t srtp_protect(srtp_ctx_t *ctx,
2037                                void *rtp_hdr,
2038                                int *pkt_octet_len)
2039 {
2040     return srtp_protect_mki(ctx, rtp_hdr, pkt_octet_len, 0, 0);
2041 }
2042 
srtp_protect_mki(srtp_ctx_t * ctx,void * rtp_hdr,int * pkt_octet_len,unsigned int use_mki,unsigned int mki_index)2043 srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx,
2044                                    void *rtp_hdr,
2045                                    int *pkt_octet_len,
2046                                    unsigned int use_mki,
2047                                    unsigned int mki_index)
2048 {
2049     srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
2050     uint32_t *enc_start;      /* pointer to start of encrypted portion  */
2051     uint32_t *auth_start;     /* pointer to start of auth. portion      */
2052     int enc_octet_len = 0;    /* number of octets in encrypted portion  */
2053     srtp_xtd_seq_num_t est;   /* estimated xtd_seq_num_t of *hdr        */
2054     int delta;                /* delta of local pkt idx and that in hdr */
2055     uint8_t *auth_tag = NULL; /* location of auth_tag within packet     */
2056     srtp_err_status_t status;
2057     int tag_len;
2058     srtp_stream_ctx_t *stream;
2059     uint32_t prefix_len;
2060     srtp_hdr_xtnd_t *xtn_hdr = NULL;
2061     unsigned int mki_size = 0;
2062     srtp_session_keys_t *session_keys = NULL;
2063     uint8_t *mki_location = NULL;
2064     int advance_packet_index = 0;
2065 
2066     debug_print(mod_srtp, "function srtp_protect", NULL);
2067 
2068     /* we assume the hdr is 32-bit aligned to start */
2069 
2070     /* Verify RTP header */
2071     status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len);
2072     if (status)
2073         return status;
2074 
2075     /* check the packet length - it must at least contain a full header */
2076     if (*pkt_octet_len < octets_in_rtp_header)
2077         return srtp_err_status_bad_param;
2078 
2079     /*
2080      * look up ssrc in srtp_stream list, and process the packet with
2081      * the appropriate stream.  if we haven't seen this stream before,
2082      * there's a template key for this srtp_session, and the cipher
2083      * supports key-sharing, then we assume that a new stream using
2084      * that key has just started up
2085      */
2086     stream = srtp_get_stream(ctx, hdr->ssrc);
2087     if (stream == NULL) {
2088         if (ctx->stream_template != NULL) {
2089             srtp_stream_ctx_t *new_stream;
2090 
2091             /* allocate and initialize a new stream */
2092             status =
2093                 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2094             if (status)
2095                 return status;
2096 
2097             /* add new stream to the head of the stream_list */
2098             new_stream->next = ctx->stream_list;
2099             ctx->stream_list = new_stream;
2100 
2101             /* set direction to outbound */
2102             new_stream->direction = dir_srtp_sender;
2103 
2104             /* set stream (the pointer used in this function) */
2105             stream = new_stream;
2106         } else {
2107             /* no template stream, so we return an error */
2108             return srtp_err_status_no_ctx;
2109         }
2110     }
2111 
2112     /*
2113      * verify that stream is for sending traffic - this check will
2114      * detect SSRC collisions, since a stream that appears in both
2115      * srtp_protect() and srtp_unprotect() will fail this test in one of
2116      * those functions.
2117      */
2118 
2119     if (stream->direction != dir_srtp_sender) {
2120         if (stream->direction == dir_unknown) {
2121             stream->direction = dir_srtp_sender;
2122         } else {
2123             srtp_handle_event(ctx, stream, event_ssrc_collision);
2124         }
2125     }
2126 
2127     session_keys =
2128         srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index);
2129 
2130     if (session_keys == NULL)
2131         return srtp_err_status_bad_mki;
2132 
2133     /*
2134      * Check if this is an AEAD stream (GCM mode).  If so, then dispatch
2135      * the request to our AEAD handler.
2136      */
2137     if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
2138         session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
2139         return srtp_protect_aead(ctx, stream, rtp_hdr,
2140                                  (unsigned int *)pkt_octet_len, session_keys,
2141                                  use_mki);
2142     }
2143 
2144     /*
2145      * update the key usage limit, and check it to make sure that we
2146      * didn't just hit either the soft limit or the hard limit, and call
2147      * the event handler if we hit either.
2148      */
2149     switch (srtp_key_limit_update(session_keys->limit)) {
2150     case srtp_key_event_normal:
2151         break;
2152     case srtp_key_event_soft_limit:
2153         srtp_handle_event(ctx, stream, event_key_soft_limit);
2154         break;
2155     case srtp_key_event_hard_limit:
2156         srtp_handle_event(ctx, stream, event_key_hard_limit);
2157         return srtp_err_status_key_expired;
2158     default:
2159         break;
2160     }
2161 
2162     /* get tag length from stream */
2163     tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
2164 
2165     /*
2166      * find starting point for encryption and length of data to be
2167      * encrypted - the encrypted portion starts after the rtp header
2168      * extension, if present; otherwise, it starts after the last csrc,
2169      * if any are present
2170      *
2171      * if we're not providing confidentiality, set enc_start to NULL
2172      */
2173     if (stream->rtp_services & sec_serv_conf) {
2174         enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
2175         if (hdr->x == 1) {
2176             xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
2177             enc_start += (ntohs(xtn_hdr->length) + 1);
2178         }
2179         /* note: the passed size is without the auth tag */
2180         if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len))
2181             return srtp_err_status_parse_err;
2182         enc_octet_len =
2183             (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr));
2184         if (enc_octet_len < 0)
2185             return srtp_err_status_parse_err;
2186     } else {
2187         enc_start = NULL;
2188     }
2189 
2190     mki_location = (uint8_t *)hdr + *pkt_octet_len;
2191     mki_size = srtp_inject_mki(mki_location, session_keys, use_mki);
2192 
2193     /*
2194      * if we're providing authentication, set the auth_start and auth_tag
2195      * pointers to the proper locations; otherwise, set auth_start to NULL
2196      * to indicate that no authentication is needed
2197      */
2198     if (stream->rtp_services & sec_serv_auth) {
2199         auth_start = (uint32_t *)hdr;
2200         auth_tag = (uint8_t *)hdr + *pkt_octet_len + mki_size;
2201     } else {
2202         auth_start = NULL;
2203         auth_tag = NULL;
2204     }
2205 
2206     /*
2207      * estimate the packet index using the start of the replay window
2208      * and the sequence number from the header
2209      */
2210     status = srtp_get_est_pkt_index(hdr, stream, &est, &delta);
2211 
2212     if (status && (status != srtp_err_status_pkt_idx_adv))
2213         return status;
2214 
2215     if (status == srtp_err_status_pkt_idx_adv)
2216         advance_packet_index = 1;
2217 
2218     if (advance_packet_index) {
2219         srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, (uint32_t)(est >> 16),
2220                               (uint16_t)(est & 0xFFFF));
2221         stream->pending_roc = 0;
2222         srtp_rdbx_add_index(&stream->rtp_rdbx, 0);
2223     } else {
2224         status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
2225         if (status) {
2226             if (status != srtp_err_status_replay_fail ||
2227                 !stream->allow_repeat_tx)
2228                 return status; /* we've been asked to reuse an index */
2229         }
2230         srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
2231     }
2232 
2233 #ifdef NO_64BIT_MATH
2234     debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est),
2235                  low32(est));
2236 #else
2237     debug_print(mod_srtp, "estimated packet index: %016llx", est);
2238 #endif
2239 
2240     /*
2241      * if we're using rindael counter mode, set nonce and seq
2242      */
2243     if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 ||
2244         session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 ||
2245         session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) {
2246         v128_t iv;
2247 
2248         iv.v32[0] = 0;
2249         iv.v32[1] = hdr->ssrc;
2250 #ifdef NO_64BIT_MATH
2251         iv.v64[1] = be64_to_cpu(
2252             make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
2253 #else
2254         iv.v64[1] = be64_to_cpu(est << 16);
2255 #endif
2256         status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
2257                                     srtp_direction_encrypt);
2258         if (!status && session_keys->rtp_xtn_hdr_cipher) {
2259             status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
2260                                         (uint8_t *)&iv, srtp_direction_encrypt);
2261         }
2262     } else {
2263         v128_t iv;
2264 
2265 /* otherwise, set the index to est */
2266 #ifdef NO_64BIT_MATH
2267         iv.v32[0] = 0;
2268         iv.v32[1] = 0;
2269 #else
2270         iv.v64[0] = 0;
2271 #endif
2272         iv.v64[1] = be64_to_cpu(est);
2273         status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
2274                                     srtp_direction_encrypt);
2275         if (!status && session_keys->rtp_xtn_hdr_cipher) {
2276             status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
2277                                         (uint8_t *)&iv, srtp_direction_encrypt);
2278         }
2279     }
2280     if (status)
2281         return srtp_err_status_cipher_fail;
2282 
2283 /* shift est, put into network byte order */
2284 #ifdef NO_64BIT_MATH
2285     est = be64_to_cpu(
2286         make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
2287 #else
2288     est = be64_to_cpu(est << 16);
2289 #endif
2290 
2291     /*
2292      * if we're authenticating using a universal hash, put the keystream
2293      * prefix into the authentication tag
2294      */
2295     if (auth_start) {
2296         prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth);
2297         if (prefix_len) {
2298             status = srtp_cipher_output(session_keys->rtp_cipher, auth_tag,
2299                                         &prefix_len);
2300             if (status)
2301                 return srtp_err_status_cipher_fail;
2302             debug_print(mod_srtp, "keystream prefix: %s",
2303                         srtp_octet_string_hex_string(auth_tag, prefix_len));
2304         }
2305     }
2306 
2307     if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
2308         /*
2309          * extensions header encryption RFC 6904
2310          */
2311         status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
2312         if (status) {
2313             return status;
2314         }
2315     }
2316 
2317     /* if we're encrypting, exor keystream into the message */
2318     if (enc_start) {
2319         status =
2320             srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
2321                                 (unsigned int *)&enc_octet_len);
2322         if (status)
2323             return srtp_err_status_cipher_fail;
2324     }
2325 
2326     /*
2327      *  if we're authenticating, run authentication function and put result
2328      *  into the auth_tag
2329      */
2330     if (auth_start) {
2331         /* initialize auth func context */
2332         status = srtp_auth_start(session_keys->rtp_auth);
2333         if (status)
2334             return status;
2335 
2336         /* run auth func over packet */
2337         status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start,
2338                                   *pkt_octet_len);
2339         if (status)
2340             return status;
2341 
2342         /* run auth func over ROC, put result into auth_tag */
2343         debug_print(mod_srtp, "estimated packet index: %016llx", est);
2344         status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4,
2345                                    auth_tag);
2346         debug_print(mod_srtp, "srtp auth tag:    %s",
2347                     srtp_octet_string_hex_string(auth_tag, tag_len));
2348         if (status)
2349             return srtp_err_status_auth_fail;
2350     }
2351 
2352     if (auth_tag) {
2353         /* increase the packet length by the length of the auth tag */
2354         *pkt_octet_len += tag_len;
2355     }
2356 
2357     if (use_mki) {
2358         /* increate the packet length by the mki size */
2359         *pkt_octet_len += mki_size;
2360     }
2361 
2362     return srtp_err_status_ok;
2363 }
2364 
srtp_unprotect(srtp_ctx_t * ctx,void * srtp_hdr,int * pkt_octet_len)2365 srtp_err_status_t srtp_unprotect(srtp_ctx_t *ctx,
2366                                  void *srtp_hdr,
2367                                  int *pkt_octet_len)
2368 {
2369     return srtp_unprotect_mki(ctx, srtp_hdr, pkt_octet_len, 0);
2370 }
2371 
srtp_unprotect_mki(srtp_ctx_t * ctx,void * srtp_hdr,int * pkt_octet_len,unsigned int use_mki)2372 srtp_err_status_t srtp_unprotect_mki(srtp_ctx_t *ctx,
2373                                      void *srtp_hdr,
2374                                      int *pkt_octet_len,
2375                                      unsigned int use_mki)
2376 {
2377     srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
2378     uint32_t *enc_start;            /* pointer to start of encrypted portion  */
2379     uint32_t *auth_start;           /* pointer to start of auth. portion      */
2380     unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
2381     uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
2382     srtp_xtd_seq_num_t est;         /* estimated xtd_seq_num_t of *hdr        */
2383     int delta;                      /* delta of local pkt idx and that in hdr */
2384     v128_t iv;
2385     srtp_err_status_t status;
2386     srtp_stream_ctx_t *stream;
2387     uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
2388     uint32_t tag_len, prefix_len;
2389     srtp_hdr_xtnd_t *xtn_hdr = NULL;
2390     unsigned int mki_size = 0;
2391     srtp_session_keys_t *session_keys = NULL;
2392     int advance_packet_index = 0;
2393     uint32_t roc_to_set = 0;
2394     uint16_t seq_to_set = 0;
2395 
2396     debug_print(mod_srtp, "function srtp_unprotect", NULL);
2397 
2398     /* we assume the hdr is 32-bit aligned to start */
2399 
2400     /* Verify RTP header */
2401     status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len);
2402     if (status)
2403         return status;
2404 
2405     /* check the packet length - it must at least contain a full header */
2406     if (*pkt_octet_len < octets_in_rtp_header)
2407         return srtp_err_status_bad_param;
2408 
2409     /*
2410      * look up ssrc in srtp_stream list, and process the packet with
2411      * the appropriate stream.  if we haven't seen this stream before,
2412      * there's only one key for this srtp_session, and the cipher
2413      * supports key-sharing, then we assume that a new stream using
2414      * that key has just started up
2415      */
2416     stream = srtp_get_stream(ctx, hdr->ssrc);
2417     if (stream == NULL) {
2418         if (ctx->stream_template != NULL) {
2419             stream = ctx->stream_template;
2420             debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
2421                         ntohl(hdr->ssrc));
2422 
2423 /*
2424  * set estimated packet index to sequence number from header,
2425  * and set delta equal to the same value
2426  */
2427 #ifdef NO_64BIT_MATH
2428             est = (srtp_xtd_seq_num_t)make64(0, ntohs(hdr->seq));
2429             delta = low32(est);
2430 #else
2431             est = (srtp_xtd_seq_num_t)ntohs(hdr->seq);
2432             delta = (int)est;
2433 #endif
2434         } else {
2435             /*
2436              * no stream corresponding to SSRC found, and we don't do
2437              * key-sharing, so return an error
2438              */
2439             return srtp_err_status_no_ctx;
2440         }
2441     } else {
2442         status = srtp_get_est_pkt_index(hdr, stream, &est, &delta);
2443 
2444         if (status && (status != srtp_err_status_pkt_idx_adv))
2445             return status;
2446 
2447         if (status == srtp_err_status_pkt_idx_adv) {
2448             advance_packet_index = 1;
2449             roc_to_set = (uint32_t)(est >> 16);
2450             seq_to_set = (uint16_t)(est & 0xFFFF);
2451         }
2452 
2453         /* check replay database */
2454         if (!advance_packet_index) {
2455             status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
2456             if (status)
2457                 return status;
2458         }
2459     }
2460 
2461 #ifdef NO_64BIT_MATH
2462     debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),
2463                  low32(est));
2464 #else
2465     debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
2466 #endif
2467 
2468     /* Determine if MKI is being used and what session keys should be used */
2469     if (use_mki) {
2470         session_keys = srtp_get_session_keys(
2471             stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len,
2472             &mki_size);
2473 
2474         if (session_keys == NULL)
2475             return srtp_err_status_bad_mki;
2476     } else {
2477         session_keys = &stream->session_keys[0];
2478     }
2479 
2480     /*
2481      * Check if this is an AEAD stream (GCM mode).  If so, then dispatch
2482      * the request to our AEAD handler.
2483      */
2484     if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
2485         session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
2486         return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr,
2487                                    (unsigned int *)pkt_octet_len, session_keys,
2488                                    mki_size);
2489     }
2490 
2491     /* get tag length from stream */
2492     tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
2493 
2494     /*
2495      * set the cipher's IV properly, depending on whatever cipher we
2496      * happen to be using
2497      */
2498     if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 ||
2499         session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 ||
2500         session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) {
2501         /* aes counter mode */
2502         iv.v32[0] = 0;
2503         iv.v32[1] = hdr->ssrc; /* still in network order */
2504 #ifdef NO_64BIT_MATH
2505         iv.v64[1] = be64_to_cpu(
2506             make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
2507 #else
2508         iv.v64[1] = be64_to_cpu(est << 16);
2509 #endif
2510         status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
2511                                     srtp_direction_decrypt);
2512         if (!status && session_keys->rtp_xtn_hdr_cipher) {
2513             status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
2514                                         (uint8_t *)&iv, srtp_direction_decrypt);
2515         }
2516     } else {
2517 /* no particular format - set the iv to the pakcet index */
2518 #ifdef NO_64BIT_MATH
2519         iv.v32[0] = 0;
2520         iv.v32[1] = 0;
2521 #else
2522         iv.v64[0] = 0;
2523 #endif
2524         iv.v64[1] = be64_to_cpu(est);
2525         status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
2526                                     srtp_direction_decrypt);
2527         if (!status && session_keys->rtp_xtn_hdr_cipher) {
2528             status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
2529                                         (uint8_t *)&iv, srtp_direction_decrypt);
2530         }
2531     }
2532     if (status)
2533         return srtp_err_status_cipher_fail;
2534 
2535 /* shift est, put into network byte order */
2536 #ifdef NO_64BIT_MATH
2537     est = be64_to_cpu(
2538         make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
2539 #else
2540     est = be64_to_cpu(est << 16);
2541 #endif
2542 
2543     /*
2544      * find starting point for decryption and length of data to be
2545      * decrypted - the encrypted portion starts after the rtp header
2546      * extension, if present; otherwise, it starts after the last csrc,
2547      * if any are present
2548      *
2549      * if we're not providing confidentiality, set enc_start to NULL
2550      */
2551     if (stream->rtp_services & sec_serv_conf) {
2552         enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
2553         if (hdr->x == 1) {
2554             xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
2555             enc_start += (ntohs(xtn_hdr->length) + 1);
2556         }
2557         if (!((uint8_t *)enc_start <=
2558               (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size)))
2559             return srtp_err_status_parse_err;
2560         enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - mki_size -
2561                                    ((uint8_t *)enc_start - (uint8_t *)hdr));
2562     } else {
2563         enc_start = NULL;
2564     }
2565 
2566     /*
2567      * if we're providing authentication, set the auth_start and auth_tag
2568      * pointers to the proper locations; otherwise, set auth_start to NULL
2569      * to indicate that no authentication is needed
2570      */
2571     if (stream->rtp_services & sec_serv_auth) {
2572         auth_start = (uint32_t *)hdr;
2573         auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
2574     } else {
2575         auth_start = NULL;
2576         auth_tag = NULL;
2577     }
2578 
2579     /*
2580      * if we expect message authentication, run the authentication
2581      * function and compare the result with the value of the auth_tag
2582      */
2583     if (auth_start) {
2584         /*
2585          * if we're using a universal hash, then we need to compute the
2586          * keystream prefix for encrypting the universal hash output
2587          *
2588          * if the keystream prefix length is zero, then we know that
2589          * the authenticator isn't using a universal hash function
2590          */
2591         if (session_keys->rtp_auth->prefix_len != 0) {
2592             prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth);
2593             status = srtp_cipher_output(session_keys->rtp_cipher, tmp_tag,
2594                                         &prefix_len);
2595             debug_print(mod_srtp, "keystream prefix: %s",
2596                         srtp_octet_string_hex_string(tmp_tag, prefix_len));
2597             if (status)
2598                 return srtp_err_status_cipher_fail;
2599         }
2600 
2601         /* initialize auth func context */
2602         status = srtp_auth_start(session_keys->rtp_auth);
2603         if (status)
2604             return status;
2605 
2606         /* now compute auth function over packet */
2607         status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start,
2608                                   *pkt_octet_len - tag_len - mki_size);
2609 
2610         /* run auth func over ROC, then write tmp tag */
2611         status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4,
2612                                    tmp_tag);
2613 
2614         debug_print(mod_srtp, "computed auth tag:    %s",
2615                     srtp_octet_string_hex_string(tmp_tag, tag_len));
2616         debug_print(mod_srtp, "packet auth tag:      %s",
2617                     srtp_octet_string_hex_string(auth_tag, tag_len));
2618         if (status)
2619             return srtp_err_status_auth_fail;
2620 
2621         if (srtp_octet_string_is_eq(tmp_tag, auth_tag, tag_len))
2622             return srtp_err_status_auth_fail;
2623     }
2624 
2625     /*
2626      * update the key usage limit, and check it to make sure that we
2627      * didn't just hit either the soft limit or the hard limit, and call
2628      * the event handler if we hit either.
2629      */
2630     switch (srtp_key_limit_update(session_keys->limit)) {
2631     case srtp_key_event_normal:
2632         break;
2633     case srtp_key_event_soft_limit:
2634         srtp_handle_event(ctx, stream, event_key_soft_limit);
2635         break;
2636     case srtp_key_event_hard_limit:
2637         srtp_handle_event(ctx, stream, event_key_hard_limit);
2638         return srtp_err_status_key_expired;
2639     default:
2640         break;
2641     }
2642 
2643     if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
2644         /* extensions header encryption RFC 6904 */
2645         status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
2646         if (status) {
2647             return status;
2648         }
2649     }
2650 
2651     /* if we're decrypting, add keystream into ciphertext */
2652     if (enc_start) {
2653         status = srtp_cipher_decrypt(session_keys->rtp_cipher,
2654                                      (uint8_t *)enc_start, &enc_octet_len);
2655         if (status)
2656             return srtp_err_status_cipher_fail;
2657     }
2658 
2659     /*
2660      * verify that stream is for received traffic - this check will
2661      * detect SSRC collisions, since a stream that appears in both
2662      * srtp_protect() and srtp_unprotect() will fail this test in one of
2663      * those functions.
2664      *
2665      * we do this check *after* the authentication check, so that the
2666      * latter check will catch any attempts to fool us into thinking
2667      * that we've got a collision
2668      */
2669     if (stream->direction != dir_srtp_receiver) {
2670         if (stream->direction == dir_unknown) {
2671             stream->direction = dir_srtp_receiver;
2672         } else {
2673             srtp_handle_event(ctx, stream, event_ssrc_collision);
2674         }
2675     }
2676 
2677     /*
2678      * if the stream is a 'provisional' one, in which the template context
2679      * is used, then we need to allocate a new stream at this point, since
2680      * the authentication passed
2681      */
2682     if (stream == ctx->stream_template) {
2683         srtp_stream_ctx_t *new_stream;
2684 
2685         /*
2686          * allocate and initialize a new stream
2687          *
2688          * note that we indicate failure if we can't allocate the new
2689          * stream, and some implementations will want to not return
2690          * failure here
2691          */
2692         status =
2693             srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
2694         if (status)
2695             return status;
2696 
2697         /* add new stream to the head of the stream_list */
2698         new_stream->next = ctx->stream_list;
2699         ctx->stream_list = new_stream;
2700 
2701         /* set stream (the pointer used in this function) */
2702         stream = new_stream;
2703     }
2704 
2705     /*
2706      * the message authentication function passed, so add the packet
2707      * index into the replay database
2708      */
2709     if (advance_packet_index) {
2710         srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, roc_to_set, seq_to_set);
2711         stream->pending_roc = 0;
2712         srtp_rdbx_add_index(&stream->rtp_rdbx, 0);
2713     } else {
2714         srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
2715     }
2716 
2717     /* decrease the packet length by the length of the auth tag */
2718     *pkt_octet_len -= tag_len;
2719 
2720     /* decrease the packet length by the mki size */
2721     *pkt_octet_len -= mki_size;
2722 
2723     return srtp_err_status_ok;
2724 }
2725 
srtp_init()2726 srtp_err_status_t srtp_init()
2727 {
2728     srtp_err_status_t status;
2729 
2730     /* initialize crypto kernel */
2731     status = srtp_crypto_kernel_init();
2732     if (status)
2733         return status;
2734 
2735     /* load srtp debug module into the kernel */
2736     status = srtp_crypto_kernel_load_debug_module(&mod_srtp);
2737     if (status)
2738         return status;
2739 
2740     return srtp_err_status_ok;
2741 }
2742 
srtp_shutdown()2743 srtp_err_status_t srtp_shutdown()
2744 {
2745     srtp_err_status_t status;
2746 
2747     /* shut down crypto kernel */
2748     status = srtp_crypto_kernel_shutdown();
2749     if (status)
2750         return status;
2751 
2752     /* shutting down crypto kernel frees the srtp debug module as well */
2753 
2754     return srtp_err_status_ok;
2755 }
2756 
2757 /*
2758  * The following code is under consideration for removal.  See
2759  * SRTP_MAX_TRAILER_LEN
2760  */
2761 #if 0
2762 
2763 /*
2764  * srtp_get_trailer_length(&a) returns the number of octets that will
2765  * be added to an RTP packet by the SRTP processing.  This value
2766  * is constant for a given srtp_stream_t (i.e. between initializations).
2767  */
2768 
2769 int
2770 srtp_get_trailer_length(const srtp_stream_t s) {
2771   return srtp_auth_get_tag_length(s->rtp_auth);
2772 }
2773 
2774 #endif
2775 
2776 /*
2777  * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
2778  * to ssrc, or NULL if no stream exists for that ssrc
2779  *
2780  * this is an internal function
2781  */
2782 
srtp_get_stream(srtp_t srtp,uint32_t ssrc)2783 srtp_stream_ctx_t *srtp_get_stream(srtp_t srtp, uint32_t ssrc)
2784 {
2785     srtp_stream_ctx_t *stream;
2786 
2787     /* walk down list until ssrc is found */
2788     stream = srtp->stream_list;
2789     while (stream != NULL) {
2790         if (stream->ssrc == ssrc)
2791             return stream;
2792         stream = stream->next;
2793     }
2794 
2795     /* we haven't found our ssrc, so return a null */
2796     return NULL;
2797 }
2798 
srtp_dealloc(srtp_t session)2799 srtp_err_status_t srtp_dealloc(srtp_t session)
2800 {
2801     srtp_stream_ctx_t *stream;
2802     srtp_err_status_t status;
2803 
2804     /*
2805      * we take a conservative deallocation strategy - if we encounter an
2806      * error deallocating a stream, then we stop trying to deallocate
2807      * memory and just return an error
2808      */
2809 
2810     /* walk list of streams, deallocating as we go */
2811     stream = session->stream_list;
2812     while (stream != NULL) {
2813         srtp_stream_t next = stream->next;
2814         status = srtp_stream_dealloc(stream, session->stream_template);
2815         if (status)
2816             return status;
2817         stream = next;
2818     }
2819 
2820     /* deallocate stream template, if there is one */
2821     if (session->stream_template != NULL) {
2822         status = srtp_stream_dealloc(session->stream_template, NULL);
2823         if (status)
2824             return status;
2825     }
2826 
2827     /* deallocate session context */
2828     srtp_crypto_free(session);
2829 
2830     return srtp_err_status_ok;
2831 }
2832 
srtp_add_stream(srtp_t session,const srtp_policy_t * policy)2833 srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy)
2834 {
2835     srtp_err_status_t status;
2836     srtp_stream_t tmp;
2837 
2838     /* sanity check arguments */
2839     if ((session == NULL) || (policy == NULL) ||
2840         (!srtp_validate_policy_master_keys(policy)))
2841         return srtp_err_status_bad_param;
2842 
2843     /* allocate stream  */
2844     status = srtp_stream_alloc(&tmp, policy);
2845     if (status) {
2846         return status;
2847     }
2848 
2849     /* initialize stream  */
2850     status = srtp_stream_init(tmp, policy);
2851     if (status) {
2852         srtp_stream_dealloc(tmp, NULL);
2853         return status;
2854     }
2855 
2856     /*
2857      * set the head of the stream list or the template to point to the
2858      * stream that we've just alloced and init'ed, depending on whether
2859      * or not it has a wildcard SSRC value or not
2860      *
2861      * if the template stream has already been set, then the policy is
2862      * inconsistent, so we return a bad_param error code
2863      */
2864     switch (policy->ssrc.type) {
2865     case (ssrc_any_outbound):
2866         if (session->stream_template) {
2867             srtp_stream_dealloc(tmp, NULL);
2868             return srtp_err_status_bad_param;
2869         }
2870         session->stream_template = tmp;
2871         session->stream_template->direction = dir_srtp_sender;
2872         break;
2873     case (ssrc_any_inbound):
2874         if (session->stream_template) {
2875             srtp_stream_dealloc(tmp, NULL);
2876             return srtp_err_status_bad_param;
2877         }
2878         session->stream_template = tmp;
2879         session->stream_template->direction = dir_srtp_receiver;
2880         break;
2881     case (ssrc_specific):
2882         tmp->next = session->stream_list;
2883         session->stream_list = tmp;
2884         break;
2885     case (ssrc_undefined):
2886     default:
2887         srtp_stream_dealloc(tmp, NULL);
2888         return srtp_err_status_bad_param;
2889     }
2890 
2891     return srtp_err_status_ok;
2892 }
2893 
srtp_create(srtp_t * session,const srtp_policy_t * policy)2894 srtp_err_status_t srtp_create(srtp_t *session, /* handle for session     */
2895                               const srtp_policy_t *policy)
2896 { /* SRTP policy (list)     */
2897     srtp_err_status_t stat;
2898     srtp_ctx_t *ctx;
2899 
2900     /* sanity check arguments */
2901     if (session == NULL)
2902         return srtp_err_status_bad_param;
2903 
2904     /* allocate srtp context and set ctx_ptr */
2905     ctx = (srtp_ctx_t *)srtp_crypto_alloc(sizeof(srtp_ctx_t));
2906     if (ctx == NULL)
2907         return srtp_err_status_alloc_fail;
2908     *session = ctx;
2909 
2910     /*
2911      * loop over elements in the policy list, allocating and
2912      * initializing a stream for each element
2913      */
2914     ctx->stream_template = NULL;
2915     ctx->stream_list = NULL;
2916     ctx->user_data = NULL;
2917     while (policy != NULL) {
2918         stat = srtp_add_stream(ctx, policy);
2919         if (stat) {
2920             /* clean up everything */
2921             srtp_dealloc(*session);
2922             *session = NULL;
2923             return stat;
2924         }
2925 
2926         /* set policy to next item in list  */
2927         policy = policy->next;
2928     }
2929 
2930     return srtp_err_status_ok;
2931 }
2932 
srtp_remove_stream(srtp_t session,uint32_t ssrc)2933 srtp_err_status_t srtp_remove_stream(srtp_t session, uint32_t ssrc)
2934 {
2935     srtp_stream_ctx_t *stream, *last_stream;
2936     srtp_err_status_t status;
2937 
2938     /* sanity check arguments */
2939     if (session == NULL)
2940         return srtp_err_status_bad_param;
2941 
2942     /* find stream in list; complain if not found */
2943     last_stream = stream = session->stream_list;
2944     while ((stream != NULL) && (ssrc != stream->ssrc)) {
2945         last_stream = stream;
2946         stream = stream->next;
2947     }
2948     if (stream == NULL)
2949         return srtp_err_status_no_ctx;
2950 
2951     /* remove stream from the list */
2952     if (last_stream == stream)
2953         /* stream was first in list */
2954         session->stream_list = stream->next;
2955     else
2956         last_stream->next = stream->next;
2957 
2958     /* deallocate the stream */
2959     status = srtp_stream_dealloc(stream, session->stream_template);
2960     if (status)
2961         return status;
2962 
2963     return srtp_err_status_ok;
2964 }
2965 
srtp_update(srtp_t session,const srtp_policy_t * policy)2966 srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy)
2967 {
2968     srtp_err_status_t stat;
2969 
2970     /* sanity check arguments */
2971     if ((session == NULL) || (policy == NULL) ||
2972         (!srtp_validate_policy_master_keys(policy))) {
2973         return srtp_err_status_bad_param;
2974     }
2975 
2976     while (policy != NULL) {
2977         stat = srtp_update_stream(session, policy);
2978         if (stat) {
2979             return stat;
2980         }
2981 
2982         /* set policy to next item in list  */
2983         policy = policy->next;
2984     }
2985     return srtp_err_status_ok;
2986 }
2987 
update_template_streams(srtp_t session,const srtp_policy_t * policy)2988 static srtp_err_status_t update_template_streams(srtp_t session,
2989                                                  const srtp_policy_t *policy)
2990 {
2991     srtp_err_status_t status;
2992     srtp_stream_t new_stream_template;
2993     srtp_stream_t new_stream_list = NULL;
2994 
2995     if (session->stream_template == NULL) {
2996         return srtp_err_status_bad_param;
2997     }
2998 
2999     /* allocate new template stream  */
3000     status = srtp_stream_alloc(&new_stream_template, policy);
3001     if (status) {
3002         return status;
3003     }
3004 
3005     /* initialize new template stream  */
3006     status = srtp_stream_init(new_stream_template, policy);
3007     if (status) {
3008         srtp_crypto_free(new_stream_template);
3009         return status;
3010     }
3011 
3012     /* for all old templated streams */
3013     for (;;) {
3014         srtp_stream_t stream;
3015         uint32_t ssrc;
3016         srtp_xtd_seq_num_t old_index;
3017         srtp_rdb_t old_rtcp_rdb;
3018 
3019         stream = session->stream_list;
3020         while ((stream != NULL) &&
3021                (stream->session_keys[0].rtp_auth !=
3022                 session->stream_template->session_keys[0].rtp_auth)) {
3023             stream = stream->next;
3024         }
3025         if (stream == NULL) {
3026             /* no more templated streams */
3027             break;
3028         }
3029 
3030         /* save old extendard seq */
3031         ssrc = stream->ssrc;
3032         old_index = stream->rtp_rdbx.index;
3033         old_rtcp_rdb = stream->rtcp_rdb;
3034 
3035         /* remove stream */
3036         status = srtp_remove_stream(session, ssrc);
3037         if (status) {
3038             /* free new allocations */
3039             while (new_stream_list != NULL) {
3040                 srtp_stream_t next = new_stream_list->next;
3041                 srtp_stream_dealloc(new_stream_list, new_stream_template);
3042                 new_stream_list = next;
3043             }
3044             srtp_stream_dealloc(new_stream_template, NULL);
3045             return status;
3046         }
3047 
3048         /* allocate and initialize a new stream */
3049         status = srtp_stream_clone(new_stream_template, ssrc, &stream);
3050         if (status) {
3051             /* free new allocations */
3052             while (new_stream_list != NULL) {
3053                 srtp_stream_t next = new_stream_list->next;
3054                 srtp_stream_dealloc(new_stream_list, new_stream_template);
3055                 new_stream_list = next;
3056             }
3057             srtp_stream_dealloc(new_stream_template, NULL);
3058             return status;
3059         }
3060 
3061         /* add new stream to the head of the new_stream_list */
3062         stream->next = new_stream_list;
3063         new_stream_list = stream;
3064 
3065         /* restore old extended seq */
3066         stream->rtp_rdbx.index = old_index;
3067         stream->rtcp_rdb = old_rtcp_rdb;
3068     }
3069     /* dealloc old template */
3070     srtp_stream_dealloc(session->stream_template, NULL);
3071     /* set new template */
3072     session->stream_template = new_stream_template;
3073     /* add new list */
3074     if (new_stream_list) {
3075         srtp_stream_t tail = new_stream_list;
3076         while (tail->next) {
3077             tail = tail->next;
3078         }
3079         tail->next = session->stream_list;
3080         session->stream_list = new_stream_list;
3081     }
3082     return status;
3083 }
3084 
update_stream(srtp_t session,const srtp_policy_t * policy)3085 static srtp_err_status_t update_stream(srtp_t session,
3086                                        const srtp_policy_t *policy)
3087 {
3088     srtp_err_status_t status;
3089     srtp_xtd_seq_num_t old_index;
3090     srtp_rdb_t old_rtcp_rdb;
3091     srtp_stream_t stream;
3092 
3093     stream = srtp_get_stream(session, htonl(policy->ssrc.value));
3094     if (stream == NULL) {
3095         return srtp_err_status_bad_param;
3096     }
3097 
3098     /* save old extendard seq */
3099     old_index = stream->rtp_rdbx.index;
3100     old_rtcp_rdb = stream->rtcp_rdb;
3101 
3102     status = srtp_remove_stream(session, htonl(policy->ssrc.value));
3103     if (status) {
3104         return status;
3105     }
3106 
3107     status = srtp_add_stream(session, policy);
3108     if (status) {
3109         return status;
3110     }
3111 
3112     stream = srtp_get_stream(session, htonl(policy->ssrc.value));
3113     if (stream == NULL) {
3114         return srtp_err_status_fail;
3115     }
3116 
3117     /* restore old extended seq */
3118     stream->rtp_rdbx.index = old_index;
3119     stream->rtcp_rdb = old_rtcp_rdb;
3120 
3121     return srtp_err_status_ok;
3122 }
3123 
srtp_update_stream(srtp_t session,const srtp_policy_t * policy)3124 srtp_err_status_t srtp_update_stream(srtp_t session,
3125                                      const srtp_policy_t *policy)
3126 {
3127     srtp_err_status_t status;
3128 
3129     /* sanity check arguments */
3130     if ((session == NULL) || (policy == NULL) ||
3131         (!srtp_validate_policy_master_keys(policy)))
3132         return srtp_err_status_bad_param;
3133 
3134     switch (policy->ssrc.type) {
3135     case (ssrc_any_outbound):
3136     case (ssrc_any_inbound):
3137         status = update_template_streams(session, policy);
3138         break;
3139     case (ssrc_specific):
3140         status = update_stream(session, policy);
3141         break;
3142     case (ssrc_undefined):
3143     default:
3144         return srtp_err_status_bad_param;
3145     }
3146 
3147     return status;
3148 }
3149 
3150 /*
3151  * The default policy - provides a convenient way for callers to use
3152  * the default security policy
3153  *
3154  * The default policy is defined in RFC 3711
3155  * (Section 5. Default and mandatory-to-implement Transforms)
3156  *
3157  */
3158 
3159 /*
3160  * NOTE: cipher_key_len is really key len (128 bits) plus salt len
3161  *  (112 bits)
3162  */
3163 /* There are hard-coded 16's for base_key_len in the key generation code */
3164 
srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t * p)3165 void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p)
3166 {
3167     p->cipher_type = SRTP_AES_ICM_128;
3168     p->cipher_key_len =
3169         SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */
3170     p->auth_type = SRTP_HMAC_SHA1;
3171     p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3172     p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
3173     p->sec_serv = sec_serv_conf_and_auth;
3174 }
3175 
srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t * p)3176 void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p)
3177 {
3178     p->cipher_type = SRTP_AES_ICM_128;
3179     p->cipher_key_len =
3180         SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */
3181     p->auth_type = SRTP_HMAC_SHA1;
3182     p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3183     p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
3184     p->sec_serv = sec_serv_conf_and_auth;
3185 }
3186 
srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t * p)3187 void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p)
3188 {
3189     /*
3190      * corresponds to RFC 4568
3191      *
3192      * note that this crypto policy is intended for SRTP, but not SRTCP
3193      */
3194 
3195     p->cipher_type = SRTP_AES_ICM_128;
3196     p->cipher_key_len =
3197         SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */
3198     p->auth_type = SRTP_HMAC_SHA1;
3199     p->auth_key_len = 20; /* 160 bit key               */
3200     p->auth_tag_len = 4;  /* 32 bit tag                */
3201     p->sec_serv = sec_serv_conf_and_auth;
3202 }
3203 
srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t * p)3204 void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p)
3205 {
3206     /*
3207      * corresponds to RFC 4568
3208      *
3209      * note that this crypto policy is intended for SRTP, but not SRTCP
3210      */
3211 
3212     p->cipher_type = SRTP_AES_ICM_128;
3213     p->cipher_key_len =
3214         SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */
3215     p->auth_type = SRTP_NULL_AUTH;
3216     p->auth_key_len = 0;
3217     p->auth_tag_len = 0;
3218     p->sec_serv = sec_serv_conf;
3219 }
3220 
srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t * p)3221 void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p)
3222 {
3223     /*
3224      * corresponds to RFC 4568
3225      */
3226 
3227     p->cipher_type = SRTP_NULL_CIPHER;
3228     p->cipher_key_len = 0;
3229     p->auth_type = SRTP_HMAC_SHA1;
3230     p->auth_key_len = 20;
3231     p->auth_tag_len = 10;
3232     p->sec_serv = sec_serv_auth;
3233 }
3234 
srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t * p)3235 void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p)
3236 {
3237     /*
3238      * Should only be used for testing
3239      */
3240 
3241     p->cipher_type = SRTP_NULL_CIPHER;
3242     p->cipher_key_len = 0;
3243     p->auth_type = SRTP_NULL_AUTH;
3244     p->auth_key_len = 0;
3245     p->auth_tag_len = 0;
3246     p->sec_serv = sec_serv_none;
3247 }
3248 
srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t * p)3249 void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p)
3250 {
3251     /*
3252      * corresponds to RFC 6188
3253      */
3254 
3255     p->cipher_type = SRTP_AES_ICM_256;
3256     p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
3257     p->auth_type = SRTP_HMAC_SHA1;
3258     p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3259     p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
3260     p->sec_serv = sec_serv_conf_and_auth;
3261 }
3262 
srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t * p)3263 void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p)
3264 {
3265     /*
3266      * corresponds to RFC 6188
3267      *
3268      * note that this crypto policy is intended for SRTP, but not SRTCP
3269      */
3270 
3271     p->cipher_type = SRTP_AES_ICM_256;
3272     p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
3273     p->auth_type = SRTP_HMAC_SHA1;
3274     p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3275     p->auth_tag_len = 4;  /* default 80 bits per RFC 3711 */
3276     p->sec_serv = sec_serv_conf_and_auth;
3277 }
3278 
3279 /*
3280  * AES-256 with no authentication.
3281  */
srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t * p)3282 void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p)
3283 {
3284     p->cipher_type = SRTP_AES_ICM_256;
3285     p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
3286     p->auth_type = SRTP_NULL_AUTH;
3287     p->auth_key_len = 0;
3288     p->auth_tag_len = 0;
3289     p->sec_serv = sec_serv_conf;
3290 }
3291 
srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t * p)3292 void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p)
3293 {
3294     /*
3295      * corresponds to RFC 6188
3296      */
3297 
3298     p->cipher_type = SRTP_AES_ICM_192;
3299     p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
3300     p->auth_type = SRTP_HMAC_SHA1;
3301     p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3302     p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
3303     p->sec_serv = sec_serv_conf_and_auth;
3304 }
3305 
srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t * p)3306 void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p)
3307 {
3308     /*
3309      * corresponds to RFC 6188
3310      *
3311      * note that this crypto policy is intended for SRTP, but not SRTCP
3312      */
3313 
3314     p->cipher_type = SRTP_AES_ICM_192;
3315     p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
3316     p->auth_type = SRTP_HMAC_SHA1;
3317     p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
3318     p->auth_tag_len = 4;  /* default 80 bits per RFC 3711 */
3319     p->sec_serv = sec_serv_conf_and_auth;
3320 }
3321 
3322 /*
3323  * AES-192 with no authentication.
3324  */
srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t * p)3325 void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p)
3326 {
3327     p->cipher_type = SRTP_AES_ICM_192;
3328     p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
3329     p->auth_type = SRTP_NULL_AUTH;
3330     p->auth_key_len = 0;
3331     p->auth_tag_len = 0;
3332     p->sec_serv = sec_serv_conf;
3333 }
3334 
3335 /*
3336  * AES-128 GCM mode with 8 octet auth tag.
3337  */
srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t * p)3338 void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p)
3339 {
3340     p->cipher_type = SRTP_AES_GCM_128;
3341     p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
3342     p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3343     p->auth_key_len = 0;
3344     p->auth_tag_len = 8; /* 8 octet tag length */
3345     p->sec_serv = sec_serv_conf_and_auth;
3346 }
3347 
3348 /*
3349  * AES-256 GCM mode with 8 octet auth tag.
3350  */
srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t * p)3351 void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p)
3352 {
3353     p->cipher_type = SRTP_AES_GCM_256;
3354     p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
3355     p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3356     p->auth_key_len = 0;
3357     p->auth_tag_len = 8; /* 8 octet tag length */
3358     p->sec_serv = sec_serv_conf_and_auth;
3359 }
3360 
3361 /*
3362  * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption.
3363  */
srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t * p)3364 void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p)
3365 {
3366     p->cipher_type = SRTP_AES_GCM_128;
3367     p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
3368     p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3369     p->auth_key_len = 0;
3370     p->auth_tag_len = 8;         /* 8 octet tag length */
3371     p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
3372 }
3373 
3374 /*
3375  * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption.
3376  */
srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t * p)3377 void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p)
3378 {
3379     p->cipher_type = SRTP_AES_GCM_256;
3380     p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
3381     p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3382     p->auth_key_len = 0;
3383     p->auth_tag_len = 8;         /* 8 octet tag length */
3384     p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
3385 }
3386 
3387 /*
3388  * AES-128 GCM mode with 16 octet auth tag.
3389  */
srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t * p)3390 void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p)
3391 {
3392     p->cipher_type = SRTP_AES_GCM_128;
3393     p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
3394     p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3395     p->auth_key_len = 0;
3396     p->auth_tag_len = 16; /* 16 octet tag length */
3397     p->sec_serv = sec_serv_conf_and_auth;
3398 }
3399 
3400 /*
3401  * AES-256 GCM mode with 16 octet auth tag.
3402  */
srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t * p)3403 void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p)
3404 {
3405     p->cipher_type = SRTP_AES_GCM_256;
3406     p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
3407     p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
3408     p->auth_key_len = 0;
3409     p->auth_tag_len = 16; /* 16 octet tag length */
3410     p->sec_serv = sec_serv_conf_and_auth;
3411 }
3412 
3413 /*
3414  * secure rtcp functions
3415  */
3416 
3417 /*
3418  * AEAD uses a new IV formation method.  This function implements
3419  * section 9.1 (SRTCP IV Formation for AES-GCM) from RFC7714.
3420  * The calculation is defined as, where (+) is the xor operation:
3421  *
3422  *                0  1  2  3  4  5  6  7  8  9 10 11
3423  *               +--+--+--+--+--+--+--+--+--+--+--+--+
3424  *               |00|00|    SSRC   |00|00|0+SRTCP Idx|---+
3425  *               +--+--+--+--+--+--+--+--+--+--+--+--+   |
3426  *                                                       |
3427  *               +--+--+--+--+--+--+--+--+--+--+--+--+   |
3428  *               |         Encryption Salt           |->(+)
3429  *               +--+--+--+--+--+--+--+--+--+--+--+--+   |
3430  *                                                       |
3431  *               +--+--+--+--+--+--+--+--+--+--+--+--+   |
3432  *               |       Initialization Vector       |<--+
3433  *               +--+--+--+--+--+--+--+--+--+--+--+--+*
3434  *
3435  * Input:  *session_keys - pointer to SRTP stream context session keys,
3436  *                        used to retrieve the SALT
3437  *         *iv           - Pointer to recieve the calculated IV
3438  *         seq_num       - The SEQ value to use for the IV calculation.
3439  *         *hdr          - The RTP header, used to get the SSRC value
3440  *
3441  * Returns: srtp_err_status_ok if no error or srtp_err_status_bad_param
3442  *          if seq_num is invalid
3443  *
3444  */
srtp_calc_aead_iv_srtcp(srtp_session_keys_t * session_keys,v128_t * iv,uint32_t seq_num,srtcp_hdr_t * hdr)3445 static srtp_err_status_t srtp_calc_aead_iv_srtcp(
3446     srtp_session_keys_t *session_keys,
3447     v128_t *iv,
3448     uint32_t seq_num,
3449     srtcp_hdr_t *hdr)
3450 {
3451     v128_t in;
3452     v128_t salt;
3453 
3454     memset(&in, 0, sizeof(v128_t));
3455     memset(&salt, 0, sizeof(v128_t));
3456 
3457     in.v16[0] = 0;
3458     memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */
3459     in.v16[3] = 0;
3460 
3461     /*
3462      *  The SRTCP index (seq_num) spans bits 0 through 30 inclusive.
3463      *  The most significant bit should be zero.
3464      */
3465     if (seq_num & 0x80000000UL) {
3466         return srtp_err_status_bad_param;
3467     }
3468     in.v32[2] = htonl(seq_num);
3469 
3470     debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in));
3471 
3472     /*
3473      * Get the SALT value from the context
3474      */
3475     memcpy(salt.v8, session_keys->c_salt, 12);
3476     debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt));
3477 
3478     /*
3479      * Finally, apply the SALT to the input
3480      */
3481     v128_xor(iv, &in, &salt);
3482 
3483     return srtp_err_status_ok;
3484 }
3485 
3486 /*
3487  * This code handles AEAD ciphers for outgoing RTCP.  We currently support
3488  * AES-GCM mode with 128 or 256 bit keys.
3489  */
srtp_protect_rtcp_aead(srtp_t ctx,srtp_stream_ctx_t * stream,void * rtcp_hdr,unsigned int * pkt_octet_len,srtp_session_keys_t * session_keys,unsigned int use_mki)3490 static srtp_err_status_t srtp_protect_rtcp_aead(
3491     srtp_t ctx,
3492     srtp_stream_ctx_t *stream,
3493     void *rtcp_hdr,
3494     unsigned int *pkt_octet_len,
3495     srtp_session_keys_t *session_keys,
3496     unsigned int use_mki)
3497 {
3498     srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
3499     uint32_t *enc_start;            /* pointer to start of encrypted portion  */
3500     uint32_t *trailer_p;            /* pointer to start of trailer            */
3501     uint32_t trailer;               /* trailer value                          */
3502     unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
3503     uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
3504     srtp_err_status_t status;
3505     uint32_t tag_len;
3506     uint32_t seq_num;
3507     v128_t iv;
3508     uint32_t tseq;
3509     unsigned int mki_size = 0;
3510 
3511     /* get tag length from stream context */
3512     tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
3513 
3514     /*
3515      * set encryption start and encryption length - if we're not
3516      * providing confidentiality, set enc_start to NULL
3517      */
3518     enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
3519     enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
3520 
3521     /* NOTE: hdr->length is not usable - it refers to only the first
3522      * RTCP report in the compound packet!
3523      */
3524     trailer_p = (uint32_t *)((char *)enc_start + enc_octet_len + tag_len);
3525 
3526     if (stream->rtcp_services & sec_serv_conf) {
3527         trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
3528     } else {
3529         enc_start = NULL;
3530         enc_octet_len = 0;
3531         /* 0 is network-order independant */
3532         trailer = 0x00000000; /* set encrypt bit */
3533     }
3534 
3535     mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + tag_len +
3536                                    sizeof(srtcp_trailer_t),
3537                                session_keys, use_mki);
3538 
3539     /*
3540      * set the auth_tag pointer to the proper location, which is after
3541      * the payload, but before the trailer
3542      * (note that srtpc *always* provides authentication, unlike srtp)
3543      */
3544     /* Note: This would need to change for optional mikey data */
3545     auth_tag = (uint8_t *)hdr + *pkt_octet_len;
3546 
3547     /*
3548      * check sequence number for overruns, and copy it into the packet
3549      * if its value isn't too big
3550      */
3551     status = srtp_rdb_increment(&stream->rtcp_rdb);
3552     if (status) {
3553         return status;
3554     }
3555     seq_num = srtp_rdb_get_value(&stream->rtcp_rdb);
3556     trailer |= htonl(seq_num);
3557     debug_print(mod_srtp, "srtcp index: %x", seq_num);
3558 
3559     memcpy(trailer_p, &trailer, sizeof(trailer));
3560 
3561     /*
3562      * Calculate and set the IV
3563      */
3564     status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr);
3565     if (status) {
3566         return srtp_err_status_cipher_fail;
3567     }
3568     status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
3569                                 srtp_direction_encrypt);
3570     if (status) {
3571         return srtp_err_status_cipher_fail;
3572     }
3573 
3574     /*
3575      * Set the AAD for GCM mode
3576      */
3577     if (enc_start) {
3578         /*
3579          * If payload encryption is enabled, then the AAD consist of
3580          * the RTCP header and the seq# at the end of the packet
3581          */
3582         status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
3583                                      octets_in_rtcp_header);
3584         if (status) {
3585             return (srtp_err_status_cipher_fail);
3586         }
3587     } else {
3588         /*
3589          * Since payload encryption is not enabled, we must authenticate
3590          * the entire packet as described in RFC 7714 (Section 9.3. Data
3591          * Types in Unencrypted SRTCP Compound Packets)
3592          */
3593         status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
3594                                      *pkt_octet_len);
3595         if (status) {
3596             return (srtp_err_status_cipher_fail);
3597         }
3598     }
3599     /*
3600      * Process the sequence# as AAD
3601      */
3602     tseq = trailer;
3603     status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq,
3604                                  sizeof(srtcp_trailer_t));
3605     if (status) {
3606         return (srtp_err_status_cipher_fail);
3607     }
3608 
3609     /* if we're encrypting, exor keystream into the message */
3610     if (enc_start) {
3611         status = srtp_cipher_encrypt(session_keys->rtcp_cipher,
3612                                      (uint8_t *)enc_start, &enc_octet_len);
3613         if (status) {
3614             return srtp_err_status_cipher_fail;
3615         }
3616         /*
3617          * Get the tag and append that to the output
3618          */
3619         status = srtp_cipher_get_tag(session_keys->rtcp_cipher,
3620                                      (uint8_t *)auth_tag, &tag_len);
3621         if (status) {
3622             return (srtp_err_status_cipher_fail);
3623         }
3624         enc_octet_len += tag_len;
3625     } else {
3626         /*
3627          * Even though we're not encrypting the payload, we need
3628          * to run the cipher to get the auth tag.
3629          */
3630         unsigned int nolen = 0;
3631         status = srtp_cipher_encrypt(session_keys->rtcp_cipher, NULL, &nolen);
3632         if (status) {
3633             return srtp_err_status_cipher_fail;
3634         }
3635         /*
3636          * Get the tag and append that to the output
3637          */
3638         status = srtp_cipher_get_tag(session_keys->rtcp_cipher,
3639                                      (uint8_t *)auth_tag, &tag_len);
3640         if (status) {
3641             return (srtp_err_status_cipher_fail);
3642         }
3643         enc_octet_len += tag_len;
3644     }
3645 
3646     /* increase the packet length by the length of the auth tag and seq_num*/
3647     *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
3648 
3649     /* increase the packet by the mki_size */
3650     *pkt_octet_len += mki_size;
3651 
3652     return srtp_err_status_ok;
3653 }
3654 
3655 /*
3656  * This function handles incoming SRTCP packets while in AEAD mode,
3657  * which currently supports AES-GCM encryption.  Note, the auth tag is
3658  * at the end of the packet stream and is automatically checked by GCM
3659  * when decrypting the payload.
3660  */
srtp_unprotect_rtcp_aead(srtp_t ctx,srtp_stream_ctx_t * stream,void * srtcp_hdr,unsigned int * pkt_octet_len,srtp_session_keys_t * session_keys,unsigned int use_mki)3661 static srtp_err_status_t srtp_unprotect_rtcp_aead(
3662     srtp_t ctx,
3663     srtp_stream_ctx_t *stream,
3664     void *srtcp_hdr,
3665     unsigned int *pkt_octet_len,
3666     srtp_session_keys_t *session_keys,
3667     unsigned int use_mki)
3668 {
3669     srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
3670     uint32_t *enc_start;            /* pointer to start of encrypted portion  */
3671     uint32_t *trailer_p;            /* pointer to start of trailer            */
3672     uint32_t trailer;               /* trailer value                          */
3673     unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
3674     uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
3675     srtp_err_status_t status;
3676     int tag_len;
3677     unsigned int tmp_len;
3678     uint32_t seq_num;
3679     v128_t iv;
3680     uint32_t tseq;
3681     unsigned int mki_size = 0;
3682 
3683     /* get tag length from stream context */
3684     tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
3685 
3686     if (use_mki) {
3687         mki_size = session_keys->mki_size;
3688     }
3689 
3690     /*
3691      * set encryption start, encryption length, and trailer
3692      */
3693     /* index & E (encryption) bit follow normal data. hdr->len is the number of
3694      * words (32-bit) in the normal packet minus 1
3695      */
3696     /* This should point trailer to the word past the end of the normal data. */
3697     /* This would need to be modified for optional mikey data */
3698     trailer_p = (uint32_t *)((char *)hdr + *pkt_octet_len -
3699                              sizeof(srtcp_trailer_t) - mki_size);
3700     memcpy(&trailer, trailer_p, sizeof(trailer));
3701 
3702     /*
3703      * We pass the tag down to the cipher when doing GCM mode
3704      */
3705     enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header +
3706                                       sizeof(srtcp_trailer_t) + mki_size);
3707     auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len - mki_size -
3708                sizeof(srtcp_trailer_t);
3709 
3710     if (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) {
3711         enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
3712     } else {
3713         enc_octet_len = 0;
3714         enc_start = NULL; /* this indicates that there's no encryption */
3715     }
3716 
3717     /*
3718      * check the sequence number for replays
3719      */
3720     /* this is easier than dealing with bitfield access */
3721     seq_num = ntohl(trailer) & SRTCP_INDEX_MASK;
3722     debug_print(mod_srtp, "srtcp index: %x", seq_num);
3723     status = srtp_rdb_check(&stream->rtcp_rdb, seq_num);
3724     if (status) {
3725         return status;
3726     }
3727 
3728     /*
3729      * Calculate and set the IV
3730      */
3731     status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr);
3732     if (status) {
3733         return srtp_err_status_cipher_fail;
3734     }
3735     status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
3736                                 srtp_direction_decrypt);
3737     if (status) {
3738         return srtp_err_status_cipher_fail;
3739     }
3740 
3741     /*
3742      * Set the AAD for GCM mode
3743      */
3744     if (enc_start) {
3745         /*
3746          * If payload encryption is enabled, then the AAD consist of
3747          * the RTCP header and the seq# at the end of the packet
3748          */
3749         status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
3750                                      octets_in_rtcp_header);
3751         if (status) {
3752             return (srtp_err_status_cipher_fail);
3753         }
3754     } else {
3755         /*
3756          * Since payload encryption is not enabled, we must authenticate
3757          * the entire packet as described in RFC 7714 (Section 9.3. Data
3758          * Types in Unencrypted SRTCP Compound Packets)
3759          */
3760         status = srtp_cipher_set_aad(
3761             session_keys->rtcp_cipher, (uint8_t *)hdr,
3762             (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t) - mki_size));
3763         if (status) {
3764             return (srtp_err_status_cipher_fail);
3765         }
3766     }
3767 
3768     /*
3769      * Process the sequence# as AAD
3770      */
3771     tseq = trailer;
3772     status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq,
3773                                  sizeof(srtcp_trailer_t));
3774     if (status) {
3775         return (srtp_err_status_cipher_fail);
3776     }
3777 
3778     /* if we're decrypting, exor keystream into the message */
3779     if (enc_start) {
3780         status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
3781                                      (uint8_t *)enc_start, &enc_octet_len);
3782         if (status) {
3783             return status;
3784         }
3785     } else {
3786         /*
3787          * Still need to run the cipher to check the tag
3788          */
3789         tmp_len = tag_len;
3790         status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
3791                                      (uint8_t *)auth_tag, &tmp_len);
3792         if (status) {
3793             return status;
3794         }
3795     }
3796 
3797     /* decrease the packet length by the length of the auth tag and seq_num*/
3798     *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) + mki_size);
3799 
3800     /*
3801      * verify that stream is for received traffic - this check will
3802      * detect SSRC collisions, since a stream that appears in both
3803      * srtp_protect() and srtp_unprotect() will fail this test in one of
3804      * those functions.
3805      *
3806      * we do this check *after* the authentication check, so that the
3807      * latter check will catch any attempts to fool us into thinking
3808      * that we've got a collision
3809      */
3810     if (stream->direction != dir_srtp_receiver) {
3811         if (stream->direction == dir_unknown) {
3812             stream->direction = dir_srtp_receiver;
3813         } else {
3814             srtp_handle_event(ctx, stream, event_ssrc_collision);
3815         }
3816     }
3817 
3818     /*
3819      * if the stream is a 'provisional' one, in which the template context
3820      * is used, then we need to allocate a new stream at this point, since
3821      * the authentication passed
3822      */
3823     if (stream == ctx->stream_template) {
3824         srtp_stream_ctx_t *new_stream;
3825 
3826         /*
3827          * allocate and initialize a new stream
3828          *
3829          * note that we indicate failure if we can't allocate the new
3830          * stream, and some implementations will want to not return
3831          * failure here
3832          */
3833         status =
3834             srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
3835         if (status) {
3836             return status;
3837         }
3838 
3839         /* add new stream to the head of the stream_list */
3840         new_stream->next = ctx->stream_list;
3841         ctx->stream_list = new_stream;
3842 
3843         /* set stream (the pointer used in this function) */
3844         stream = new_stream;
3845     }
3846 
3847     /* we've passed the authentication check, so add seq_num to the rdb */
3848     srtp_rdb_add_index(&stream->rtcp_rdb, seq_num);
3849 
3850     return srtp_err_status_ok;
3851 }
3852 
srtp_protect_rtcp(srtp_t ctx,void * rtcp_hdr,int * pkt_octet_len)3853 srtp_err_status_t srtp_protect_rtcp(srtp_t ctx,
3854                                     void *rtcp_hdr,
3855                                     int *pkt_octet_len)
3856 {
3857     return srtp_protect_rtcp_mki(ctx, rtcp_hdr, pkt_octet_len, 0, 0);
3858 }
3859 
srtp_protect_rtcp_mki(srtp_t ctx,void * rtcp_hdr,int * pkt_octet_len,unsigned int use_mki,unsigned int mki_index)3860 srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx,
3861                                         void *rtcp_hdr,
3862                                         int *pkt_octet_len,
3863                                         unsigned int use_mki,
3864                                         unsigned int mki_index)
3865 {
3866     srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
3867     uint32_t *enc_start;            /* pointer to start of encrypted portion  */
3868     uint32_t *auth_start;           /* pointer to start of auth. portion      */
3869     uint32_t *trailer_p;            /* pointer to start of trailer            */
3870     uint32_t trailer;               /* trailer value                          */
3871     unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
3872     uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
3873     srtp_err_status_t status;
3874     int tag_len;
3875     srtp_stream_ctx_t *stream;
3876     uint32_t prefix_len;
3877     uint32_t seq_num;
3878     unsigned int mki_size = 0;
3879     srtp_session_keys_t *session_keys = NULL;
3880 
3881     /* we assume the hdr is 32-bit aligned to start */
3882 
3883     /* check the packet length - it must at least contain a full header */
3884     if (*pkt_octet_len < octets_in_rtcp_header)
3885         return srtp_err_status_bad_param;
3886 
3887     /*
3888      * look up ssrc in srtp_stream list, and process the packet with
3889      * the appropriate stream.  if we haven't seen this stream before,
3890      * there's only one key for this srtp_session, and the cipher
3891      * supports key-sharing, then we assume that a new stream using
3892      * that key has just started up
3893      */
3894     stream = srtp_get_stream(ctx, hdr->ssrc);
3895     if (stream == NULL) {
3896         if (ctx->stream_template != NULL) {
3897             srtp_stream_ctx_t *new_stream;
3898 
3899             /* allocate and initialize a new stream */
3900             status =
3901                 srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
3902             if (status)
3903                 return status;
3904 
3905             /* add new stream to the head of the stream_list */
3906             new_stream->next = ctx->stream_list;
3907             ctx->stream_list = new_stream;
3908 
3909             /* set stream (the pointer used in this function) */
3910             stream = new_stream;
3911         } else {
3912             /* no template stream, so we return an error */
3913             return srtp_err_status_no_ctx;
3914         }
3915     }
3916 
3917     /*
3918      * verify that stream is for sending traffic - this check will
3919      * detect SSRC collisions, since a stream that appears in both
3920      * srtp_protect() and srtp_unprotect() will fail this test in one of
3921      * those functions.
3922      */
3923     if (stream->direction != dir_srtp_sender) {
3924         if (stream->direction == dir_unknown) {
3925             stream->direction = dir_srtp_sender;
3926         } else {
3927             srtp_handle_event(ctx, stream, event_ssrc_collision);
3928         }
3929     }
3930 
3931     session_keys =
3932         srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index);
3933 
3934     if (session_keys == NULL)
3935         return srtp_err_status_bad_mki;
3936 
3937     /*
3938      * Check if this is an AEAD stream (GCM mode).  If so, then dispatch
3939      * the request to our AEAD handler.
3940      */
3941     if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
3942         session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
3943         return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr,
3944                                       (unsigned int *)pkt_octet_len,
3945                                       session_keys, use_mki);
3946     }
3947 
3948     /* get tag length from stream context */
3949     tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
3950 
3951     /*
3952      * set encryption start and encryption length - if we're not
3953      * providing confidentiality, set enc_start to NULL
3954      */
3955     enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
3956     enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
3957 
3958     /* all of the packet, except the header, gets encrypted */
3959     /*
3960      * NOTE: hdr->length is not usable - it refers to only the first RTCP report
3961      * in the compound packet!
3962      */
3963     trailer_p = (uint32_t *)((char *)enc_start + enc_octet_len);
3964 
3965     if (stream->rtcp_services & sec_serv_conf) {
3966         trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
3967     } else {
3968         enc_start = NULL;
3969         enc_octet_len = 0;
3970         /* 0 is network-order independant */
3971         trailer = 0x00000000; /* set encrypt bit */
3972     }
3973 
3974     mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len +
3975                                    sizeof(srtcp_trailer_t),
3976                                session_keys, use_mki);
3977 
3978     /*
3979      * set the auth_start and auth_tag pointers to the proper locations
3980      * (note that srtpc *always* provides authentication, unlike srtp)
3981      */
3982     /* Note: This would need to change for optional mikey data */
3983     auth_start = (uint32_t *)hdr;
3984     auth_tag =
3985         (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) + mki_size;
3986 
3987     /* perform EKT processing if needed */
3988     srtp_ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
3989                         srtp_rdbx_get_packet_index(&stream->rtp_rdbx));
3990 
3991     /*
3992      * check sequence number for overruns, and copy it into the packet
3993      * if its value isn't too big
3994      */
3995     status = srtp_rdb_increment(&stream->rtcp_rdb);
3996     if (status)
3997         return status;
3998     seq_num = srtp_rdb_get_value(&stream->rtcp_rdb);
3999     trailer |= htonl(seq_num);
4000     debug_print(mod_srtp, "srtcp index: %x", seq_num);
4001 
4002     memcpy(trailer_p, &trailer, sizeof(trailer));
4003 
4004     /*
4005      * if we're using rindael counter mode, set nonce and seq
4006      */
4007     if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 ||
4008         session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 ||
4009         session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) {
4010         v128_t iv;
4011 
4012         iv.v32[0] = 0;
4013         iv.v32[1] = hdr->ssrc; /* still in network order! */
4014         iv.v32[2] = htonl(seq_num >> 16);
4015         iv.v32[3] = htonl(seq_num << 16);
4016         status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
4017                                     srtp_direction_encrypt);
4018 
4019     } else {
4020         v128_t iv;
4021 
4022         /* otherwise, just set the index to seq_num */
4023         iv.v32[0] = 0;
4024         iv.v32[1] = 0;
4025         iv.v32[2] = 0;
4026         iv.v32[3] = htonl(seq_num);
4027         status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
4028                                     srtp_direction_encrypt);
4029     }
4030     if (status)
4031         return srtp_err_status_cipher_fail;
4032 
4033     /*
4034      * if we're authenticating using a universal hash, put the keystream
4035      * prefix into the authentication tag
4036      */
4037 
4038     /* if auth_start is non-null, then put keystream into tag  */
4039     if (auth_start) {
4040         /* put keystream prefix into auth_tag */
4041         prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth);
4042         status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag,
4043                                     &prefix_len);
4044 
4045         debug_print(mod_srtp, "keystream prefix: %s",
4046                     srtp_octet_string_hex_string(auth_tag, prefix_len));
4047 
4048         if (status)
4049             return srtp_err_status_cipher_fail;
4050     }
4051 
4052     /* if we're encrypting, exor keystream into the message */
4053     if (enc_start) {
4054         status = srtp_cipher_encrypt(session_keys->rtcp_cipher,
4055                                      (uint8_t *)enc_start, &enc_octet_len);
4056         if (status)
4057             return srtp_err_status_cipher_fail;
4058     }
4059 
4060     /* initialize auth func context */
4061     srtp_auth_start(session_keys->rtcp_auth);
4062 
4063     /*
4064      * run auth func over packet (including trailer), and write the
4065      * result at auth_tag
4066      */
4067     status =
4068         srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start,
4069                           (*pkt_octet_len) + sizeof(srtcp_trailer_t), auth_tag);
4070     debug_print(mod_srtp, "srtcp auth tag:    %s",
4071                 srtp_octet_string_hex_string(auth_tag, tag_len));
4072     if (status)
4073         return srtp_err_status_auth_fail;
4074 
4075     /* increase the packet length by the length of the auth tag and seq_num*/
4076     *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
4077 
4078     /* increase the packet by the mki_size */
4079     *pkt_octet_len += mki_size;
4080 
4081     return srtp_err_status_ok;
4082 }
4083 
srtp_unprotect_rtcp(srtp_t ctx,void * srtcp_hdr,int * pkt_octet_len)4084 srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx,
4085                                       void *srtcp_hdr,
4086                                       int *pkt_octet_len)
4087 {
4088     return srtp_unprotect_rtcp_mki(ctx, srtcp_hdr, pkt_octet_len, 0);
4089 }
4090 
srtp_unprotect_rtcp_mki(srtp_t ctx,void * srtcp_hdr,int * pkt_octet_len,unsigned int use_mki)4091 srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx,
4092                                           void *srtcp_hdr,
4093                                           int *pkt_octet_len,
4094                                           unsigned int use_mki)
4095 {
4096     srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
4097     uint32_t *enc_start;            /* pointer to start of encrypted portion  */
4098     uint32_t *auth_start;           /* pointer to start of auth. portion      */
4099     uint32_t *trailer_p;            /* pointer to start of trailer            */
4100     uint32_t trailer;               /* trailer value                          */
4101     unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
4102     uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
4103     uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
4104     uint8_t tag_copy[SRTP_MAX_TAG_LEN];
4105     srtp_err_status_t status;
4106     unsigned int auth_len;
4107     int tag_len;
4108     srtp_stream_ctx_t *stream;
4109     uint32_t prefix_len;
4110     uint32_t seq_num;
4111     int e_bit_in_packet; /* whether the E-bit was found in the packet */
4112     int sec_serv_confidentiality; /* whether confidentiality was requested */
4113     unsigned int mki_size = 0;
4114     srtp_session_keys_t *session_keys = NULL;
4115 
4116     /* we assume the hdr is 32-bit aligned to start */
4117 
4118     if (*pkt_octet_len < 0)
4119         return srtp_err_status_bad_param;
4120 
4121     /*
4122      * check that the length value is sane; we'll check again once we
4123      * know the tag length, but we at least want to know that it is
4124      * a positive value
4125      */
4126     if ((unsigned int)(*pkt_octet_len) <
4127         octets_in_rtcp_header + sizeof(srtcp_trailer_t))
4128         return srtp_err_status_bad_param;
4129 
4130     /*
4131      * look up ssrc in srtp_stream list, and process the packet with
4132      * the appropriate stream.  if we haven't seen this stream before,
4133      * there's only one key for this srtp_session, and the cipher
4134      * supports key-sharing, then we assume that a new stream using
4135      * that key has just started up
4136      */
4137     stream = srtp_get_stream(ctx, hdr->ssrc);
4138     if (stream == NULL) {
4139         if (ctx->stream_template != NULL) {
4140             stream = ctx->stream_template;
4141 
4142             /*
4143              * check to see if stream_template has an EKT data structure, in
4144              * which case we initialize the template using the EKT policy
4145              * referenced by that data (which consists of decrypting the
4146              * master key from the EKT field)
4147              *
4148              * this function initializes a *provisional* stream, and this
4149              * stream should not be accepted until and unless the packet
4150              * passes its authentication check
4151              */
4152             if (stream->ekt != NULL) {
4153                 status = srtp_stream_init_from_ekt(stream, srtcp_hdr,
4154                                                    *pkt_octet_len);
4155                 if (status)
4156                     return status;
4157             }
4158 
4159             debug_print(mod_srtp,
4160                         "srtcp using provisional stream (SSRC: 0x%08x)",
4161                         ntohl(hdr->ssrc));
4162         } else {
4163             /* no template stream, so we return an error */
4164             return srtp_err_status_no_ctx;
4165         }
4166     }
4167 
4168     /*
4169      * Determine if MKI is being used and what session keys should be used
4170      */
4171     if (use_mki) {
4172         session_keys = srtp_get_session_keys(
4173             stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len,
4174             &mki_size);
4175 
4176         if (session_keys == NULL)
4177             return srtp_err_status_bad_mki;
4178     } else {
4179         session_keys = &stream->session_keys[0];
4180     }
4181 
4182     /* get tag length from stream context */
4183     tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
4184 
4185     /* check the packet length - it must contain at least a full RTCP
4186        header, an auth tag (if applicable), and the SRTCP encrypted flag
4187        and 31-bit index value */
4188     if (*pkt_octet_len < (int)(octets_in_rtcp_header + tag_len + mki_size +
4189                                sizeof(srtcp_trailer_t))) {
4190         return srtp_err_status_bad_param;
4191     }
4192 
4193     /*
4194      * Check if this is an AEAD stream (GCM mode).  If so, then dispatch
4195      * the request to our AEAD handler.
4196      */
4197     if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
4198         session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
4199         return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr,
4200                                         (unsigned int *)pkt_octet_len,
4201                                         session_keys, mki_size);
4202     }
4203 
4204     sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
4205                                stream->rtcp_services == sec_serv_conf_and_auth;
4206 
4207     /*
4208      * set encryption start, encryption length, and trailer
4209      */
4210     enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + tag_len +
4211                                       mki_size + sizeof(srtcp_trailer_t));
4212     /*
4213      *index & E (encryption) bit follow normal data. hdr->len is the number of
4214      * words (32-bit) in the normal packet minus 1
4215      */
4216     /* This should point trailer to the word past the end of the normal data. */
4217     /* This would need to be modified for optional mikey data */
4218     trailer_p = (uint32_t *)((char *)hdr + *pkt_octet_len -
4219                              (tag_len + mki_size + sizeof(srtcp_trailer_t)));
4220     memcpy(&trailer, trailer_p, sizeof(trailer));
4221 
4222     e_bit_in_packet =
4223         (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
4224     if (e_bit_in_packet != sec_serv_confidentiality) {
4225         return srtp_err_status_cant_check;
4226     }
4227     if (sec_serv_confidentiality) {
4228         enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
4229     } else {
4230         enc_octet_len = 0;
4231         enc_start = NULL; /* this indicates that there's no encryption */
4232     }
4233 
4234     /*
4235      * set the auth_start and auth_tag pointers to the proper locations
4236      * (note that srtcp *always* uses authentication, unlike srtp)
4237      */
4238     auth_start = (uint32_t *)hdr;
4239 
4240     /*
4241      * The location of the auth tag in the packet needs to know MKI
4242      * could be present.  The data needed to calculate the Auth tag
4243      * must not include the MKI
4244      */
4245     auth_len = *pkt_octet_len - tag_len - mki_size;
4246     auth_tag = (uint8_t *)hdr + auth_len + mki_size;
4247 
4248     /*
4249      * if EKT is in use, then we make a copy of the tag from the packet,
4250      * and then zeroize the location of the base tag
4251      *
4252      * we first re-position the auth_tag pointer so that it points to
4253      * the base tag
4254      */
4255     if (stream->ekt) {
4256         auth_tag -= srtp_ekt_octets_after_base_tag(stream->ekt);
4257         memcpy(tag_copy, auth_tag, tag_len);
4258         octet_string_set_to_zero(auth_tag, tag_len);
4259         auth_tag = tag_copy;
4260         auth_len += tag_len;
4261     }
4262 
4263     /*
4264      * check the sequence number for replays
4265      */
4266     /* this is easier than dealing with bitfield access */
4267     seq_num = ntohl(trailer) & SRTCP_INDEX_MASK;
4268     debug_print(mod_srtp, "srtcp index: %x", seq_num);
4269     status = srtp_rdb_check(&stream->rtcp_rdb, seq_num);
4270     if (status)
4271         return status;
4272 
4273     /*
4274      * if we're using aes counter mode, set nonce and seq
4275      */
4276     if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 ||
4277         session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 ||
4278         session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) {
4279         v128_t iv;
4280 
4281         iv.v32[0] = 0;
4282         iv.v32[1] = hdr->ssrc; /* still in network order! */
4283         iv.v32[2] = htonl(seq_num >> 16);
4284         iv.v32[3] = htonl(seq_num << 16);
4285         status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
4286                                     srtp_direction_decrypt);
4287 
4288     } else {
4289         v128_t iv;
4290 
4291         /* otherwise, just set the index to seq_num */
4292         iv.v32[0] = 0;
4293         iv.v32[1] = 0;
4294         iv.v32[2] = 0;
4295         iv.v32[3] = htonl(seq_num);
4296         status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
4297                                     srtp_direction_decrypt);
4298     }
4299     if (status)
4300         return srtp_err_status_cipher_fail;
4301 
4302     /* initialize auth func context */
4303     srtp_auth_start(session_keys->rtcp_auth);
4304 
4305     /* run auth func over packet, put result into tmp_tag */
4306     status = srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start,
4307                                auth_len, tmp_tag);
4308     debug_print(mod_srtp, "srtcp computed tag:       %s",
4309                 srtp_octet_string_hex_string(tmp_tag, tag_len));
4310     if (status)
4311         return srtp_err_status_auth_fail;
4312 
4313     /* compare the tag just computed with the one in the packet */
4314     debug_print(mod_srtp, "srtcp tag from packet:    %s",
4315                 srtp_octet_string_hex_string(auth_tag, tag_len));
4316     if (srtp_octet_string_is_eq(tmp_tag, auth_tag, tag_len))
4317         return srtp_err_status_auth_fail;
4318 
4319     /*
4320      * if we're authenticating using a universal hash, put the keystream
4321      * prefix into the authentication tag
4322      */
4323     prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth);
4324     if (prefix_len) {
4325         status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag,
4326                                     &prefix_len);
4327         debug_print(mod_srtp, "keystream prefix: %s",
4328                     srtp_octet_string_hex_string(auth_tag, prefix_len));
4329         if (status)
4330             return srtp_err_status_cipher_fail;
4331     }
4332 
4333     /* if we're decrypting, exor keystream into the message */
4334     if (enc_start) {
4335         status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
4336                                      (uint8_t *)enc_start, &enc_octet_len);
4337         if (status)
4338             return srtp_err_status_cipher_fail;
4339     }
4340 
4341     /* decrease the packet length by the length of the auth tag and seq_num */
4342     *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
4343 
4344     /* decrease the packet length by the length of the mki_size */
4345     *pkt_octet_len -= mki_size;
4346 
4347     /*
4348      * if EKT is in effect, subtract the EKT data out of the packet
4349      * length
4350      */
4351     *pkt_octet_len -= srtp_ekt_octets_after_base_tag(stream->ekt);
4352 
4353     /*
4354      * verify that stream is for received traffic - this check will
4355      * detect SSRC collisions, since a stream that appears in both
4356      * srtp_protect() and srtp_unprotect() will fail this test in one of
4357      * those functions.
4358      *
4359      * we do this check *after* the authentication check, so that the
4360      * latter check will catch any attempts to fool us into thinking
4361      * that we've got a collision
4362      */
4363     if (stream->direction != dir_srtp_receiver) {
4364         if (stream->direction == dir_unknown) {
4365             stream->direction = dir_srtp_receiver;
4366         } else {
4367             srtp_handle_event(ctx, stream, event_ssrc_collision);
4368         }
4369     }
4370 
4371     /*
4372      * if the stream is a 'provisional' one, in which the template context
4373      * is used, then we need to allocate a new stream at this point, since
4374      * the authentication passed
4375      */
4376     if (stream == ctx->stream_template) {
4377         srtp_stream_ctx_t *new_stream;
4378 
4379         /*
4380          * allocate and initialize a new stream
4381          *
4382          * note that we indicate failure if we can't allocate the new
4383          * stream, and some implementations will want to not return
4384          * failure here
4385          */
4386         status =
4387             srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
4388         if (status)
4389             return status;
4390 
4391         /* add new stream to the head of the stream_list */
4392         new_stream->next = ctx->stream_list;
4393         ctx->stream_list = new_stream;
4394 
4395         /* set stream (the pointer used in this function) */
4396         stream = new_stream;
4397     }
4398 
4399     /* we've passed the authentication check, so add seq_num to the rdb */
4400     srtp_rdb_add_index(&stream->rtcp_rdb, seq_num);
4401 
4402     return srtp_err_status_ok;
4403 }
4404 
4405 /*
4406  * user data within srtp_t context
4407  */
4408 
srtp_set_user_data(srtp_t ctx,void * data)4409 void srtp_set_user_data(srtp_t ctx, void *data)
4410 {
4411     ctx->user_data = data;
4412 }
4413 
srtp_get_user_data(srtp_t ctx)4414 void *srtp_get_user_data(srtp_t ctx)
4415 {
4416     return ctx->user_data;
4417 }
4418 
4419 /*
4420  * dtls keying for srtp
4421  */
4422 
srtp_crypto_policy_set_from_profile_for_rtp(srtp_crypto_policy_t * policy,srtp_profile_t profile)4423 srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp(
4424     srtp_crypto_policy_t *policy,
4425     srtp_profile_t profile)
4426 {
4427     /* set SRTP policy from the SRTP profile in the key set */
4428     switch (profile) {
4429     case srtp_profile_aes128_cm_sha1_80:
4430         srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
4431         break;
4432     case srtp_profile_aes128_cm_sha1_32:
4433         srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
4434         break;
4435     case srtp_profile_null_sha1_80:
4436         srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy);
4437         break;
4438 #ifdef GCM
4439     case srtp_profile_aead_aes_128_gcm:
4440         srtp_crypto_policy_set_aes_gcm_128_16_auth(policy);
4441         break;
4442     case srtp_profile_aead_aes_256_gcm:
4443         srtp_crypto_policy_set_aes_gcm_256_16_auth(policy);
4444         break;
4445 #endif
4446     /* the following profiles are not (yet) supported */
4447     case srtp_profile_null_sha1_32:
4448     default:
4449         return srtp_err_status_bad_param;
4450     }
4451 
4452     return srtp_err_status_ok;
4453 }
4454 
srtp_crypto_policy_set_from_profile_for_rtcp(srtp_crypto_policy_t * policy,srtp_profile_t profile)4455 srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp(
4456     srtp_crypto_policy_t *policy,
4457     srtp_profile_t profile)
4458 {
4459     /* set SRTP policy from the SRTP profile in the key set */
4460     switch (profile) {
4461     case srtp_profile_aes128_cm_sha1_80:
4462         srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
4463         break;
4464     case srtp_profile_aes128_cm_sha1_32:
4465         /* We do not honor the 32-bit auth tag request since
4466          * this is not compliant with RFC 3711 */
4467         srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
4468         break;
4469     case srtp_profile_null_sha1_80:
4470         srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy);
4471         break;
4472 #ifdef GCM
4473     case srtp_profile_aead_aes_128_gcm:
4474         srtp_crypto_policy_set_aes_gcm_128_16_auth(policy);
4475         break;
4476     case srtp_profile_aead_aes_256_gcm:
4477         srtp_crypto_policy_set_aes_gcm_256_16_auth(policy);
4478         break;
4479 #endif
4480     /* the following profiles are not (yet) supported */
4481     case srtp_profile_null_sha1_32:
4482     default:
4483         return srtp_err_status_bad_param;
4484     }
4485 
4486     return srtp_err_status_ok;
4487 }
4488 
srtp_append_salt_to_key(uint8_t * key,unsigned int bytes_in_key,uint8_t * salt,unsigned int bytes_in_salt)4489 void srtp_append_salt_to_key(uint8_t *key,
4490                              unsigned int bytes_in_key,
4491                              uint8_t *salt,
4492                              unsigned int bytes_in_salt)
4493 {
4494     memcpy(key + bytes_in_key, salt, bytes_in_salt);
4495 }
4496 
srtp_profile_get_master_key_length(srtp_profile_t profile)4497 unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile)
4498 {
4499     switch (profile) {
4500     case srtp_profile_aes128_cm_sha1_80:
4501         return SRTP_AES_128_KEY_LEN;
4502         break;
4503     case srtp_profile_aes128_cm_sha1_32:
4504         return SRTP_AES_128_KEY_LEN;
4505         break;
4506     case srtp_profile_null_sha1_80:
4507         return SRTP_AES_128_KEY_LEN;
4508         break;
4509     case srtp_profile_aead_aes_128_gcm:
4510         return SRTP_AES_128_KEY_LEN;
4511         break;
4512     case srtp_profile_aead_aes_256_gcm:
4513         return SRTP_AES_256_KEY_LEN;
4514         break;
4515     /* the following profiles are not (yet) supported */
4516     case srtp_profile_null_sha1_32:
4517     default:
4518         return 0; /* indicate error by returning a zero */
4519     }
4520 }
4521 
srtp_profile_get_master_salt_length(srtp_profile_t profile)4522 unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile)
4523 {
4524     switch (profile) {
4525     case srtp_profile_aes128_cm_sha1_80:
4526         return SRTP_SALT_LEN;
4527         break;
4528     case srtp_profile_aes128_cm_sha1_32:
4529         return SRTP_SALT_LEN;
4530         break;
4531     case srtp_profile_null_sha1_80:
4532         return SRTP_SALT_LEN;
4533         break;
4534     case srtp_profile_aead_aes_128_gcm:
4535         return SRTP_AEAD_SALT_LEN;
4536         break;
4537     case srtp_profile_aead_aes_256_gcm:
4538         return SRTP_AEAD_SALT_LEN;
4539         break;
4540     /* the following profiles are not (yet) supported */
4541     case srtp_profile_null_sha1_32:
4542     default:
4543         return 0; /* indicate error by returning a zero */
4544     }
4545 }
4546 
stream_get_protect_trailer_length(srtp_stream_ctx_t * stream,uint32_t is_rtp,uint32_t use_mki,uint32_t mki_index,uint32_t * length)4547 srtp_err_status_t stream_get_protect_trailer_length(srtp_stream_ctx_t *stream,
4548                                                     uint32_t is_rtp,
4549                                                     uint32_t use_mki,
4550                                                     uint32_t mki_index,
4551                                                     uint32_t *length)
4552 {
4553     srtp_session_keys_t *session_key;
4554 
4555     *length = 0;
4556 
4557     if (use_mki) {
4558         if (mki_index >= stream->num_master_keys) {
4559             return srtp_err_status_bad_mki;
4560         }
4561         session_key = &stream->session_keys[mki_index];
4562 
4563         *length += session_key->mki_size;
4564 
4565     } else {
4566         session_key = &stream->session_keys[0];
4567     }
4568     if (is_rtp) {
4569         *length += srtp_auth_get_tag_length(session_key->rtp_auth);
4570     } else {
4571         *length += srtp_auth_get_tag_length(session_key->rtcp_auth);
4572         *length += sizeof(srtcp_trailer_t);
4573     }
4574 
4575     return srtp_err_status_ok;
4576 }
4577 
get_protect_trailer_length(srtp_t session,uint32_t is_rtp,uint32_t use_mki,uint32_t mki_index,uint32_t * length)4578 srtp_err_status_t get_protect_trailer_length(srtp_t session,
4579                                              uint32_t is_rtp,
4580                                              uint32_t use_mki,
4581                                              uint32_t mki_index,
4582                                              uint32_t *length)
4583 {
4584     srtp_stream_ctx_t *stream;
4585 
4586     if (session == NULL) {
4587         return srtp_err_status_bad_param;
4588     }
4589 
4590     if (session->stream_template == NULL && session->stream_list == NULL) {
4591         return srtp_err_status_bad_param;
4592     }
4593 
4594     *length = 0;
4595 
4596     stream = session->stream_template;
4597 
4598     if (stream != NULL) {
4599         stream_get_protect_trailer_length(stream, is_rtp, use_mki, mki_index,
4600                                           length);
4601     }
4602 
4603     stream = session->stream_list;
4604 
4605     while (stream != NULL) {
4606         uint32_t temp_length;
4607         if (stream_get_protect_trailer_length(stream, is_rtp, use_mki,
4608                                               mki_index, &temp_length) ==
4609             srtp_err_status_ok) {
4610             if (temp_length > *length) {
4611                 *length = temp_length;
4612             }
4613         }
4614         stream = stream->next;
4615     }
4616 
4617     return srtp_err_status_ok;
4618 }
4619 
srtp_get_protect_trailer_length(srtp_t session,uint32_t use_mki,uint32_t mki_index,uint32_t * length)4620 srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session,
4621                                                   uint32_t use_mki,
4622                                                   uint32_t mki_index,
4623                                                   uint32_t *length)
4624 {
4625     return get_protect_trailer_length(session, 1, use_mki, mki_index, length);
4626 }
4627 
srtp_get_protect_rtcp_trailer_length(srtp_t session,uint32_t use_mki,uint32_t mki_index,uint32_t * length)4628 srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session,
4629                                                        uint32_t use_mki,
4630                                                        uint32_t mki_index,
4631                                                        uint32_t *length)
4632 {
4633     return get_protect_trailer_length(session, 0, use_mki, mki_index, length);
4634 }
4635 
4636 /*
4637  * SRTP debug interface
4638  */
srtp_set_debug_module(const char * mod_name,int v)4639 srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v)
4640 {
4641     return srtp_crypto_kernel_set_debug_module(mod_name, v);
4642 }
4643 
srtp_list_debug_modules(void)4644 srtp_err_status_t srtp_list_debug_modules(void)
4645 {
4646     return srtp_crypto_kernel_list_debug_modules();
4647 }
4648 
4649 /*
4650  * srtp_log_handler is a global variable holding a pointer to the
4651  * log handler function; this function is called for any log
4652  * output.
4653  */
4654 
4655 static srtp_log_handler_func_t *srtp_log_handler = NULL;
4656 static void *srtp_log_handler_data = NULL;
4657 
srtp_err_handler(srtp_err_reporting_level_t level,const char * msg)4658 void srtp_err_handler(srtp_err_reporting_level_t level, const char *msg)
4659 {
4660     if (srtp_log_handler) {
4661         srtp_log_level_t log_level = srtp_log_level_error;
4662         switch (level) {
4663         case srtp_err_level_error:
4664             log_level = srtp_log_level_error;
4665             break;
4666         case srtp_err_level_warning:
4667             log_level = srtp_log_level_warning;
4668             break;
4669         case srtp_err_level_info:
4670             log_level = srtp_log_level_info;
4671             break;
4672         case srtp_err_level_debug:
4673             log_level = srtp_log_level_debug;
4674             break;
4675         }
4676 
4677         srtp_log_handler(log_level, msg, srtp_log_handler_data);
4678     }
4679 }
4680 
srtp_install_log_handler(srtp_log_handler_func_t func,void * data)4681 srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func,
4682                                            void *data)
4683 {
4684     /*
4685      * note that we accept NULL arguments intentionally - calling this
4686      * function with a NULL arguments removes a log handler that's
4687      * been previously installed
4688      */
4689 
4690     if (srtp_log_handler) {
4691         srtp_install_err_report_handler(NULL);
4692     }
4693     srtp_log_handler = func;
4694     srtp_log_handler_data = data;
4695     if (srtp_log_handler) {
4696         srtp_install_err_report_handler(srtp_err_handler);
4697     }
4698     return srtp_err_status_ok;
4699 }
4700 
srtp_set_stream_roc(srtp_t session,uint32_t ssrc,uint32_t roc)4701 srtp_err_status_t srtp_set_stream_roc(srtp_t session,
4702                                       uint32_t ssrc,
4703                                       uint32_t roc)
4704 {
4705     srtp_stream_t stream;
4706 
4707     stream = srtp_get_stream(session, htonl(ssrc));
4708     if (stream == NULL)
4709         return srtp_err_status_bad_param;
4710 
4711     stream->pending_roc = roc;
4712 
4713     return srtp_err_status_ok;
4714 }
4715 
srtp_get_stream_roc(srtp_t session,uint32_t ssrc,uint32_t * roc)4716 srtp_err_status_t srtp_get_stream_roc(srtp_t session,
4717                                       uint32_t ssrc,
4718                                       uint32_t *roc)
4719 {
4720     srtp_stream_t stream;
4721 
4722     stream = srtp_get_stream(session, htonl(ssrc));
4723     if (stream == NULL)
4724         return srtp_err_status_bad_param;
4725 
4726     *roc = srtp_rdbx_get_roc(&stream->rtp_rdbx);
4727 
4728     return srtp_err_status_ok;
4729 }
4730