1 /*
2 * srtp.c
3 *
4 * the secure real-time transport protocol
5 *
6 * David A. McGrew
7 * Cisco Systems, Inc.
8 */
9 /*
10 *
11 * Copyright (c) 2001-2006, Cisco Systems, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 *
18 * Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 *
21 * Redistributions in binary form must reproduce the above
22 * copyright notice, this list of conditions and the following
23 * disclaimer in the documentation and/or other materials provided
24 * with the distribution.
25 *
26 * Neither the name of the Cisco Systems, Inc. nor the names of its
27 * contributors may be used to endorse or promote products derived
28 * from this software without specific prior written permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 *
43 */
44
45
46 #include "srtp.h"
47 #include "ekt.h" /* for SRTP Encrypted Key Transport */
48 #include "aes_icm.h" /* aes_icm is used in the KDF */
49 #include "alloc.h" /* for crypto_alloc() */
50
51 #ifndef SRTP_KERNEL
52 # include <limits.h>
53 # ifdef HAVE_NETINET_IN_H
54 # include <netinet/in.h>
55 # elif defined(HAVE_WINSOCK2_H)
56 # include <winsock2.h>
57 # endif
58 #endif /* ! SRTP_KERNEL */
59
60
61 extern cipher_type_t aes_icm;
62 extern auth_type_t tmmhv2;
63
64 /* the debug module for srtp */
65
66 debug_module_t mod_srtp = {
67 0, /* debugging is off by default */
68 "srtp" /* printable name for module */
69 };
70
71 #define octets_in_rtp_header 12
72 #define uint32s_in_rtp_header 3
73 #define octets_in_rtcp_header 8
74 #define uint32s_in_rtcp_header 2
75
76
77 err_status_t
srtp_stream_alloc(srtp_stream_ctx_t ** str_ptr,const srtp_policy_t * p)78 srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
79 const srtp_policy_t *p) {
80 srtp_stream_ctx_t *str;
81 err_status_t stat;
82
83 /*
84 * This function allocates the stream context, rtp and rtcp ciphers
85 * and auth functions, and key limit structure. If there is a
86 * failure during allocation, we free all previously allocated
87 * memory and return a failure code. The code could probably
88 * be improved, but it works and should be clear.
89 */
90
91 /* allocate srtp stream and set str_ptr */
92 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
93 if (str == NULL)
94 return err_status_alloc_fail;
95 *str_ptr = str;
96
97 /* allocate cipher */
98 stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
99 &str->rtp_cipher,
100 p->rtp.cipher_key_len);
101 if (stat) {
102 goto err_rtp_cipher_alloc;
103 }
104
105 /* allocate auth function */
106 stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
107 &str->rtp_auth,
108 p->rtp.auth_key_len,
109 p->rtp.auth_tag_len);
110
111 if (stat) {
112 goto err_rtp_auth_alloc;
113 }
114
115 /* allocate key limit structure */
116 str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t));
117 if (str->limit == NULL) {
118 stat = err_status_alloc_fail;
119 goto err_limit_alloc;
120 }
121
122 /*
123 * ...and now the RTCP-specific initialization - first, allocate
124 * the cipher
125 */
126 stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
127 &str->rtcp_cipher,
128 p->rtcp.cipher_key_len);
129 if (stat) {
130 goto err_rtcp_cipher_alloc;
131 }
132
133 /* allocate auth function */
134 stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
135 &str->rtcp_auth,
136 p->rtcp.auth_key_len,
137 p->rtcp.auth_tag_len);
138 if (stat) {
139 goto err_rtcp_auth_alloc;
140 }
141
142 /* allocate ekt data associated with stream */
143 stat = ekt_alloc(&str->ekt, p->ekt);
144 if (stat) {
145 goto err_ekt_alloc;
146 }
147
148 return err_status_ok;
149
150 err_ekt_alloc:
151 auth_dealloc(str->rtcp_auth);
152 err_rtcp_auth_alloc:
153 cipher_dealloc(str->rtcp_cipher);
154 err_rtcp_cipher_alloc:
155 crypto_free(str->limit);
156 err_limit_alloc:
157 auth_dealloc(str->rtp_auth);
158 err_rtp_auth_alloc:
159 cipher_dealloc(str->rtp_cipher);
160 err_rtp_cipher_alloc:
161 crypto_free(str);
162 return stat;
163 }
164
165 err_status_t
srtp_stream_dealloc(srtp_stream_ctx_t * stream,srtp_stream_ctx_t * stream_template)166 srtp_stream_dealloc(srtp_stream_ctx_t *stream,
167 srtp_stream_ctx_t *stream_template) {
168 err_status_t status;
169
170 /*
171 * we use a conservative deallocation strategy - if any deallocation
172 * fails, then we report that fact without trying to deallocate
173 * anything else
174 */
175
176 /* deallocate cipher, if it is not the same as that in template */
177 if (!stream_template || stream->rtp_cipher != stream_template->rtp_cipher) {
178 status = cipher_dealloc(stream->rtp_cipher);
179 if (status)
180 return status;
181 }
182
183 /* deallocate auth function, if it is not the same as that in template */
184 if (!stream_template || stream->rtp_auth != stream_template->rtp_auth) {
185 status = auth_dealloc(stream->rtp_auth);
186 if (status)
187 return status;
188 }
189
190 /* deallocate key usage limit, if it is not the same as that in template */
191 if (!stream_template || stream->limit != stream_template->limit) {
192 crypto_free(stream->limit);
193 }
194
195 /*
196 * deallocate rtcp cipher, if it is not the same as that in
197 * template
198 */
199 if (!stream_template || stream->rtcp_cipher != stream_template->rtcp_cipher) {
200 status = cipher_dealloc(stream->rtcp_cipher);
201 if (status)
202 return status;
203 }
204
205 /*
206 * deallocate rtcp auth function, if it is not the same as that in
207 * template
208 */
209 if (!stream_template || stream->rtcp_auth != stream_template->rtcp_auth) {
210 status = auth_dealloc(stream->rtcp_auth);
211 if (status)
212 return status;
213 }
214
215 /* DAM - need to deallocate EKT here */
216
217 /* deallocate srtp stream context */
218 crypto_free(stream);
219
220 return err_status_ok;
221 }
222
223
224 /*
225 * srtp_stream_clone(stream_template, new) allocates a new stream and
226 * initializes it using the cipher and auth of the stream_template
227 *
228 * the only unique data in a cloned stream is the replay database and
229 * the SSRC
230 */
231
232 err_status_t
srtp_stream_clone(const srtp_stream_ctx_t * stream_template,uint32_t ssrc,srtp_stream_ctx_t ** str_ptr)233 srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
234 uint32_t ssrc,
235 srtp_stream_ctx_t **str_ptr) {
236 err_status_t status;
237 srtp_stream_ctx_t *str;
238
239 debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
240
241 /* allocate srtp stream and set str_ptr */
242 str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
243 if (str == NULL)
244 return err_status_alloc_fail;
245 *str_ptr = str;
246
247 /* set cipher and auth pointers to those of the template */
248 str->rtp_cipher = stream_template->rtp_cipher;
249 str->rtp_auth = stream_template->rtp_auth;
250 str->rtcp_cipher = stream_template->rtcp_cipher;
251 str->rtcp_auth = stream_template->rtcp_auth;
252
253 /* set key limit to point to that of the template */
254 status = key_limit_clone(stream_template->limit, &str->limit);
255 if (status)
256 return status;
257
258 /* initialize replay databases */
259 status = rdbx_init(&str->rtp_rdbx,
260 rdbx_get_window_size(&stream_template->rtp_rdbx));
261 if (status)
262 return status;
263 rdb_init(&str->rtcp_rdb);
264 str->allow_repeat_tx = stream_template->allow_repeat_tx;
265
266 /* set ssrc to that provided */
267 str->ssrc = ssrc;
268
269 /* set direction and security services */
270 str->direction = stream_template->direction;
271 str->rtp_services = stream_template->rtp_services;
272 str->rtcp_services = stream_template->rtcp_services;
273
274 /* set pointer to EKT data associated with stream */
275 str->ekt = stream_template->ekt;
276
277 /* defensive coding */
278 str->next = NULL;
279
280 return err_status_ok;
281 }
282
283
284 /*
285 * key derivation functions, internal to libSRTP
286 *
287 * srtp_kdf_t is a key derivation context
288 *
289 * srtp_kdf_init(&kdf, k) initializes kdf with the key k
290 *
291 * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
292 * corresponding to label l and puts it into kl; the length
293 * of the key in octets is provided as keylen. this function
294 * should be called once for each subkey that is derived.
295 *
296 * srtp_kdf_clear(&kdf) zeroizes the kdf state
297 */
298
299 typedef enum {
300 label_rtp_encryption = 0x00,
301 label_rtp_msg_auth = 0x01,
302 label_rtp_salt = 0x02,
303 label_rtcp_encryption = 0x03,
304 label_rtcp_msg_auth = 0x04,
305 label_rtcp_salt = 0x05
306 } srtp_prf_label;
307
308
309 /*
310 * srtp_kdf_t represents a key derivation function. The SRTP
311 * default KDF is the only one implemented at present.
312 */
313
314 typedef struct {
315 aes_icm_ctx_t c; /* cipher used for key derivation */
316 } srtp_kdf_t;
317
318 err_status_t
srtp_kdf_init(srtp_kdf_t * kdf,const uint8_t key[30])319 srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t key[30]) {
320
321 aes_icm_context_init(&kdf->c, key);
322
323 return err_status_ok;
324 }
325
326 err_status_t
srtp_kdf_generate(srtp_kdf_t * kdf,srtp_prf_label label,uint8_t * key,int length)327 srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
328 uint8_t *key, int length) {
329
330 v128_t nonce;
331
332 /* set eigth octet of nonce to <label>, set the rest of it to zero */
333 v128_set_to_zero(&nonce);
334 nonce.v8[7] = label;
335
336 aes_icm_set_iv(&kdf->c, &nonce);
337
338 /* generate keystream output */
339 aes_icm_output(&kdf->c, key, length);
340
341 return err_status_ok;
342 }
343
344 err_status_t
srtp_kdf_clear(srtp_kdf_t * kdf)345 srtp_kdf_clear(srtp_kdf_t *kdf) {
346
347 /* zeroize aes context */
348 octet_string_set_to_zero((uint8_t *)kdf, sizeof(srtp_kdf_t));
349
350 return err_status_ok;
351 }
352
353 /*
354 * end of key derivation functions
355 */
356
357 #define MAX_SRTP_KEY_LEN 256
358
359
360 err_status_t
srtp_stream_init_keys(srtp_stream_ctx_t * srtp,const void * key)361 srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
362 err_status_t stat;
363 srtp_kdf_t kdf;
364 uint8_t tmp_key[MAX_SRTP_KEY_LEN];
365
366 /* initialize KDF state */
367 srtp_kdf_init(&kdf, (const uint8_t *)key);
368
369 /* generate encryption key */
370 srtp_kdf_generate(&kdf, label_rtp_encryption,
371 tmp_key, cipher_get_key_length(srtp->rtp_cipher));
372 /*
373 * if the cipher in the srtp context is aes_icm, then we need
374 * to generate the salt value
375 */
376 if (srtp->rtp_cipher->type == &aes_icm) {
377 /* FIX!!! this is really the cipher key length; rest is salt */
378 int base_key_len = 16;
379 int salt_len = cipher_get_key_length(srtp->rtp_cipher) - base_key_len;
380
381 debug_print(mod_srtp, "found aes_icm, generating salt", NULL);
382
383 /* generate encryption salt, put after encryption key */
384 srtp_kdf_generate(&kdf, label_rtp_salt,
385 tmp_key + base_key_len, salt_len);
386 }
387 debug_print(mod_srtp, "cipher key: %s",
388 octet_string_hex_string(tmp_key,
389 cipher_get_key_length(srtp->rtp_cipher)));
390
391 /* initialize cipher */
392 stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any);
393 if (stat) {
394 /* zeroize temp buffer */
395 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
396 return err_status_init_fail;
397 }
398
399 /* generate authentication key */
400 srtp_kdf_generate(&kdf, label_rtp_msg_auth,
401 tmp_key, auth_get_key_length(srtp->rtp_auth));
402 debug_print(mod_srtp, "auth key: %s",
403 octet_string_hex_string(tmp_key,
404 auth_get_key_length(srtp->rtp_auth)));
405
406 /* initialize auth function */
407 stat = auth_init(srtp->rtp_auth, tmp_key);
408 if (stat) {
409 /* zeroize temp buffer */
410 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
411 return err_status_init_fail;
412 }
413
414 /*
415 * ...now initialize SRTCP keys
416 */
417
418 /* generate encryption key */
419 srtp_kdf_generate(&kdf, label_rtcp_encryption,
420 tmp_key, cipher_get_key_length(srtp->rtcp_cipher));
421 /*
422 * if the cipher in the srtp context is aes_icm, then we need
423 * to generate the salt value
424 */
425 if (srtp->rtcp_cipher->type == &aes_icm) {
426 /* FIX!!! this is really the cipher key length; rest is salt */
427 int base_key_len = 16;
428 int salt_len = cipher_get_key_length(srtp->rtcp_cipher) - base_key_len;
429
430 debug_print(mod_srtp, "found aes_icm, generating rtcp salt", NULL);
431
432 /* generate encryption salt, put after encryption key */
433 srtp_kdf_generate(&kdf, label_rtcp_salt,
434 tmp_key + base_key_len, salt_len);
435 }
436 debug_print(mod_srtp, "rtcp cipher key: %s",
437 octet_string_hex_string(tmp_key,
438 cipher_get_key_length(srtp->rtcp_cipher)));
439
440 /* initialize cipher */
441 stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any);
442 if (stat) {
443 /* zeroize temp buffer */
444 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
445 return err_status_init_fail;
446 }
447
448 /* generate authentication key */
449 srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
450 tmp_key, auth_get_key_length(srtp->rtcp_auth));
451 debug_print(mod_srtp, "rtcp auth key: %s",
452 octet_string_hex_string(tmp_key,
453 auth_get_key_length(srtp->rtcp_auth)));
454
455 /* initialize auth function */
456 stat = auth_init(srtp->rtcp_auth, tmp_key);
457 if (stat) {
458 /* zeroize temp buffer */
459 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
460 return err_status_init_fail;
461 }
462
463 /* clear memory then return */
464 srtp_kdf_clear(&kdf);
465 octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
466
467 return err_status_ok;
468 }
469
470 err_status_t
srtp_stream_init(srtp_stream_ctx_t * srtp,const srtp_policy_t * p)471 srtp_stream_init(srtp_stream_ctx_t *srtp,
472 const srtp_policy_t *p) {
473 err_status_t err;
474
475 debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)",
476 p->ssrc.value);
477
478 /* initialize replay database */
479 err = rdbx_init(&srtp->rtp_rdbx, p->window_size);
480 if (err) return err;
481
482 /* initialize key limit to maximum value */
483 #ifdef NO_64BIT_MATH
484 {
485 uint64_t temp;
486 temp = make64(UINT_MAX,UINT_MAX);
487 key_limit_set(srtp->limit, temp);
488 }
489 #else
490 key_limit_set(srtp->limit, 0xffffffffffffLL);
491 #endif
492
493 /* set the SSRC value */
494 srtp->ssrc = htonl(p->ssrc.value);
495
496 /* set the security service flags */
497 srtp->rtp_services = p->rtp.sec_serv;
498 srtp->rtcp_services = p->rtcp.sec_serv;
499
500 /*
501 * set direction to unknown - this flag gets checked in srtp_protect(),
502 * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
503 * gets set appropriately if it is set to unknown.
504 */
505 srtp->direction = dir_unknown;
506
507 /* initialize SRTCP replay database */
508 rdb_init(&srtp->rtcp_rdb);
509
510 /* initialize allow_repeat_tx */
511 srtp->allow_repeat_tx = p->allow_repeat_tx;
512
513 /* DAM - no RTCP key limit at present */
514
515 /* initialize keys */
516 err = srtp_stream_init_keys(srtp, p->key);
517 if (err) {
518 rdbx_uninit(&srtp->rtp_rdbx);
519 return err;
520 }
521
522 /*
523 * if EKT is in use, then initialize the EKT data associated with
524 * the stream
525 */
526 err = ekt_stream_init_from_policy(srtp->ekt, p->ekt);
527 if (err) {
528 rdbx_uninit(&srtp->rtp_rdbx);
529 return err;
530 }
531
532 return err_status_ok;
533 }
534
535 err_status_t
srtp_stream_uninit(srtp_stream_ctx_t * srtp)536 srtp_stream_uninit(srtp_stream_ctx_t *srtp) {
537 return rdbx_uninit(&srtp->rtp_rdbx);
538 }
539
540
541 /*
542 * srtp_event_reporter is an event handler function that merely
543 * reports the events that are reported by the callbacks
544 */
545
546 void
srtp_event_reporter(srtp_event_data_t * data)547 srtp_event_reporter(srtp_event_data_t *data) {
548
549 err_report(err_level_warning, "srtp: in stream 0x%x: ",
550 data->stream->ssrc);
551
552 switch(data->event) {
553 case event_ssrc_collision:
554 err_report(err_level_warning, "\tSSRC collision\n");
555 break;
556 case event_key_soft_limit:
557 err_report(err_level_warning, "\tkey usage soft limit reached\n");
558 break;
559 case event_key_hard_limit:
560 err_report(err_level_warning, "\tkey usage hard limit reached\n");
561 break;
562 case event_packet_index_limit:
563 err_report(err_level_warning, "\tpacket index limit reached\n");
564 break;
565 default:
566 err_report(err_level_warning, "\tunknown event reported to handler\n");
567 }
568 }
569
570 /*
571 * srtp_event_handler is a global variable holding a pointer to the
572 * event handler function; this function is called for any unexpected
573 * event that needs to be handled out of the SRTP data path. see
574 * srtp_event_t in srtp.h for more info
575 *
576 * it is okay to set srtp_event_handler to NULL, but we set
577 * it to the srtp_event_reporter.
578 */
579
580 static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
581
582 err_status_t
srtp_install_event_handler(srtp_event_handler_func_t func)583 srtp_install_event_handler(srtp_event_handler_func_t func) {
584
585 /*
586 * note that we accept NULL arguments intentionally - calling this
587 * function with a NULL arguments removes an event handler that's
588 * been previously installed
589 */
590
591 /* set global event handling function */
592 srtp_event_handler = func;
593 return err_status_ok;
594 }
595
596 err_status_t
srtp_protect(srtp_ctx_t * ctx,void * rtp_hdr,int * pkt_octet_len)597 srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
598 srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
599 uint32_t *enc_start; /* pointer to start of encrypted portion */
600 uint32_t *auth_start; /* pointer to start of auth. portion */
601 unsigned enc_octet_len = 0; /* number of octets in encrypted portion */
602 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
603 int delta; /* delta of local pkt idx and that in hdr */
604 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
605 err_status_t status;
606 int tag_len;
607 srtp_stream_ctx_t *stream;
608 int prefix_len;
609
610 debug_print(mod_srtp, "function srtp_protect", NULL);
611
612 /* we assume the hdr is 32-bit aligned to start */
613
614 /* check the packet length - it must at least contain a full header */
615 if (*pkt_octet_len < octets_in_rtp_header)
616 return err_status_bad_param;
617
618 /*
619 * look up ssrc in srtp_stream list, and process the packet with
620 * the appropriate stream. if we haven't seen this stream before,
621 * there's a template key for this srtp_session, and the cipher
622 * supports key-sharing, then we assume that a new stream using
623 * that key has just started up
624 */
625 stream = srtp_get_stream(ctx, hdr->ssrc);
626 if (stream == NULL) {
627 if (ctx->stream_template != NULL) {
628 srtp_stream_ctx_t *new_stream;
629
630 /* allocate and initialize a new stream */
631 status = srtp_stream_clone(ctx->stream_template,
632 hdr->ssrc, &new_stream);
633 if (status)
634 return status;
635
636 /* add new stream to the head of the stream_list */
637 new_stream->next = ctx->stream_list;
638 ctx->stream_list = new_stream;
639
640 /* set direction to outbound */
641 new_stream->direction = dir_srtp_sender;
642
643 /* set stream (the pointer used in this function) */
644 stream = new_stream;
645 } else {
646 /* no template stream, so we return an error */
647 return err_status_no_ctx;
648 }
649 }
650
651 /*
652 * verify that stream is for sending traffic - this check will
653 * detect SSRC collisions, since a stream that appears in both
654 * srtp_protect() and srtp_unprotect() will fail this test in one of
655 * those functions.
656 */
657 if (stream->direction != dir_srtp_sender) {
658 if (stream->direction == dir_unknown) {
659 stream->direction = dir_srtp_sender;
660 } else {
661 srtp_handle_event(ctx, stream, event_ssrc_collision);
662 }
663 }
664
665 /*
666 * update the key usage limit, and check it to make sure that we
667 * didn't just hit either the soft limit or the hard limit, and call
668 * the event handler if we hit either.
669 */
670 switch(key_limit_update(stream->limit)) {
671 case key_event_normal:
672 break;
673 case key_event_soft_limit:
674 srtp_handle_event(ctx, stream, event_key_soft_limit);
675 break;
676 case key_event_hard_limit:
677 srtp_handle_event(ctx, stream, event_key_hard_limit);
678 return err_status_key_expired;
679 default:
680 break;
681 }
682
683 /* get tag length from stream */
684 tag_len = auth_get_tag_length(stream->rtp_auth);
685
686 /*
687 * find starting point for encryption and length of data to be
688 * encrypted - the encrypted portion starts after the rtp header
689 * extension, if present; otherwise, it starts after the last csrc,
690 * if any are present
691 *
692 * if we're not providing confidentiality, set enc_start to NULL
693 */
694 if (stream->rtp_services & sec_serv_conf) {
695 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
696 if (hdr->x == 1) {
697 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
698 enc_start += (ntohs(xtn_hdr->length) + 1);
699 }
700 enc_octet_len = (unsigned int)(*pkt_octet_len
701 - ((enc_start - (uint32_t *)hdr) << 2));
702 } else {
703 enc_start = NULL;
704 }
705
706 /*
707 * if we're providing authentication, set the auth_start and auth_tag
708 * pointers to the proper locations; otherwise, set auth_start to NULL
709 * to indicate that no authentication is needed
710 */
711 if (stream->rtp_services & sec_serv_auth) {
712 auth_start = (uint32_t *)hdr;
713 auth_tag = (uint8_t *)hdr + *pkt_octet_len;
714 } else {
715 auth_start = NULL;
716 auth_tag = NULL;
717 }
718
719 /*
720 * estimate the packet index using the start of the replay window
721 * and the sequence number from the header
722 */
723 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
724 status = rdbx_check(&stream->rtp_rdbx, delta);
725 if (status) {
726 if (status != err_status_replay_fail || !stream->allow_repeat_tx)
727 return status; /* we've been asked to reuse an index */
728 }
729 else
730 rdbx_add_index(&stream->rtp_rdbx, delta);
731
732 #ifdef NO_64BIT_MATH
733 debug_print2(mod_srtp, "estimated packet index: %08x%08x",
734 high32(est),low32(est));
735 #else
736 debug_print(mod_srtp, "estimated packet index: %016llx", est);
737 #endif
738
739 /*
740 * if we're using rindael counter mode, set nonce and seq
741 */
742 if (stream->rtp_cipher->type == &aes_icm) {
743 v128_t iv;
744
745 iv.v32[0] = 0;
746 iv.v32[1] = hdr->ssrc;
747 #ifdef NO_64BIT_MATH
748 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
749 low32(est) << 16));
750 #else
751 iv.v64[1] = be64_to_cpu(est << 16);
752 #endif
753 status = cipher_set_iv(stream->rtp_cipher, &iv);
754
755 } else {
756 v128_t iv;
757
758 /* otherwise, set the index to est */
759 #ifdef NO_64BIT_MATH
760 iv.v32[0] = 0;
761 iv.v32[1] = 0;
762 #else
763 iv.v64[0] = 0;
764 #endif
765 iv.v64[1] = be64_to_cpu(est);
766 status = cipher_set_iv(stream->rtp_cipher, &iv);
767 }
768 if (status)
769 return err_status_cipher_fail;
770
771 /* shift est, put into network byte order */
772 #ifdef NO_64BIT_MATH
773 est = be64_to_cpu(make64((high32(est) << 16) |
774 (low32(est) >> 16),
775 low32(est) << 16));
776 #else
777 est = be64_to_cpu(est << 16);
778 #endif
779
780 /*
781 * if we're authenticating using a universal hash, put the keystream
782 * prefix into the authentication tag
783 */
784 if (auth_start) {
785
786 prefix_len = auth_get_prefix_length(stream->rtp_auth);
787 if (prefix_len) {
788 status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len);
789 if (status)
790 return err_status_cipher_fail;
791 debug_print(mod_srtp, "keystream prefix: %s",
792 octet_string_hex_string(auth_tag, prefix_len));
793 }
794 }
795
796 /* if we're encrypting, exor keystream into the message */
797 if (enc_start) {
798 status = cipher_encrypt(stream->rtp_cipher,
799 (uint8_t *)enc_start, &enc_octet_len);
800 if (status)
801 return err_status_cipher_fail;
802 }
803
804 /*
805 * if we're authenticating, run authentication function and put result
806 * into the auth_tag
807 */
808 if (auth_start) {
809
810 /* initialize auth func context */
811 status = auth_start(stream->rtp_auth);
812 if (status) return status;
813
814 /* run auth func over packet */
815 status = auth_update(stream->rtp_auth,
816 (uint8_t *)auth_start, *pkt_octet_len);
817 if (status) return status;
818
819 /* run auth func over ROC, put result into auth_tag */
820 debug_print(mod_srtp, "estimated packet index: %016llx", est);
821 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);
822 debug_print(mod_srtp, "srtp auth tag: %s",
823 octet_string_hex_string(auth_tag, tag_len));
824 if (status)
825 return err_status_auth_fail;
826
827 }
828
829 if (auth_tag) {
830
831 /* increase the packet length by the length of the auth tag */
832 *pkt_octet_len += tag_len;
833 }
834
835 return err_status_ok;
836 }
837
838
839 err_status_t
srtp_unprotect(srtp_ctx_t * ctx,void * srtp_hdr,int * pkt_octet_len)840 srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
841 srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
842 uint32_t *enc_start; /* pointer to start of encrypted portion */
843 uint32_t *auth_start; /* pointer to start of auth. portion */
844 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
845 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
846 xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
847 int delta; /* delta of local pkt idx and that in hdr */
848 v128_t iv;
849 err_status_t status;
850 srtp_stream_ctx_t *stream;
851 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
852 int tag_len, prefix_len;
853
854 debug_print(mod_srtp, "function srtp_unprotect", NULL);
855
856 /* we assume the hdr is 32-bit aligned to start */
857
858 /* check the packet length - it must at least contain a full header */
859 if (*pkt_octet_len < octets_in_rtp_header)
860 return err_status_bad_param;
861
862 /*
863 * look up ssrc in srtp_stream list, and process the packet with
864 * the appropriate stream. if we haven't seen this stream before,
865 * there's only one key for this srtp_session, and the cipher
866 * supports key-sharing, then we assume that a new stream using
867 * that key has just started up
868 */
869 stream = srtp_get_stream(ctx, hdr->ssrc);
870 if (stream == NULL) {
871 if (ctx->stream_template != NULL) {
872 stream = ctx->stream_template;
873 debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
874 hdr->ssrc);
875
876 /*
877 * set estimated packet index to sequence number from header,
878 * and set delta equal to the same value
879 */
880 #ifdef NO_64BIT_MATH
881 est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq));
882 delta = low32(est);
883 #else
884 est = (xtd_seq_num_t) ntohs(hdr->seq);
885 delta = (int)est;
886 #endif
887 } else {
888
889 /*
890 * no stream corresponding to SSRC found, and we don't do
891 * key-sharing, so return an error
892 */
893 return err_status_no_ctx;
894 }
895 } else {
896
897 /* estimate packet index from seq. num. in header */
898 delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
899
900 /* check replay database */
901 status = rdbx_check(&stream->rtp_rdbx, delta);
902 if (status)
903 return status;
904 }
905
906 #ifdef NO_64BIT_MATH
907 debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32(est));
908 #else
909 debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
910 #endif
911
912 /* get tag length from stream */
913 tag_len = auth_get_tag_length(stream->rtp_auth);
914
915 /*
916 * set the cipher's IV properly, depending on whatever cipher we
917 * happen to be using
918 */
919 if (stream->rtp_cipher->type == &aes_icm) {
920
921 /* aes counter mode */
922 iv.v32[0] = 0;
923 iv.v32[1] = hdr->ssrc; /* still in network order */
924 #ifdef NO_64BIT_MATH
925 iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
926 low32(est) << 16));
927 #else
928 iv.v64[1] = be64_to_cpu(est << 16);
929 #endif
930 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtp_cipher->state, &iv);
931 } else {
932
933 /* no particular format - set the iv to the pakcet index */
934 #ifdef NO_64BIT_MATH
935 iv.v32[0] = 0;
936 iv.v32[1] = 0;
937 #else
938 iv.v64[0] = 0;
939 #endif
940 iv.v64[1] = be64_to_cpu(est);
941 status = cipher_set_iv(stream->rtp_cipher, &iv);
942 }
943 if (status)
944 return err_status_cipher_fail;
945
946 /* shift est, put into network byte order */
947 #ifdef NO_64BIT_MATH
948 est = be64_to_cpu(make64((high32(est) << 16) |
949 (low32(est) >> 16),
950 low32(est) << 16));
951 #else
952 est = be64_to_cpu(est << 16);
953 #endif
954
955 /*
956 * find starting point for decryption and length of data to be
957 * decrypted - the encrypted portion starts after the rtp header
958 * extension, if present; otherwise, it starts after the last csrc,
959 * if any are present
960 *
961 * if we're not providing confidentiality, set enc_start to NULL
962 */
963 if (stream->rtp_services & sec_serv_conf) {
964 enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
965 if (hdr->x == 1) {
966 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
967 enc_start += (ntohs(xtn_hdr->length) + 1);
968 }
969 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
970 - ((enc_start - (uint32_t *)hdr) << 2));
971 } else {
972 enc_start = NULL;
973 }
974
975 /*
976 * if we're providing authentication, set the auth_start and auth_tag
977 * pointers to the proper locations; otherwise, set auth_start to NULL
978 * to indicate that no authentication is needed
979 */
980 if (stream->rtp_services & sec_serv_auth) {
981 auth_start = (uint32_t *)hdr;
982 auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
983 } else {
984 auth_start = NULL;
985 auth_tag = NULL;
986 }
987
988 /*
989 * if we expect message authentication, run the authentication
990 * function and compare the result with the value of the auth_tag
991 */
992 if (auth_start) {
993
994 /*
995 * if we're using a universal hash, then we need to compute the
996 * keystream prefix for encrypting the universal hash output
997 *
998 * if the keystream prefix length is zero, then we know that
999 * the authenticator isn't using a universal hash function
1000 */
1001 if (stream->rtp_auth->prefix_len != 0) {
1002
1003 prefix_len = auth_get_prefix_length(stream->rtp_auth);
1004 status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len);
1005 debug_print(mod_srtp, "keystream prefix: %s",
1006 octet_string_hex_string(tmp_tag, prefix_len));
1007 if (status)
1008 return err_status_cipher_fail;
1009 }
1010
1011 /* initialize auth func context */
1012 status = auth_start(stream->rtp_auth);
1013 if (status) return status;
1014
1015 /* now compute auth function over packet */
1016 status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,
1017 *pkt_octet_len - tag_len);
1018
1019 /* run auth func over ROC, then write tmp tag */
1020 status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);
1021
1022 debug_print(mod_srtp, "computed auth tag: %s",
1023 octet_string_hex_string(tmp_tag, tag_len));
1024 debug_print(mod_srtp, "packet auth tag: %s",
1025 octet_string_hex_string(auth_tag, tag_len));
1026 if (status)
1027 return err_status_auth_fail;
1028
1029 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1030 return err_status_auth_fail;
1031 }
1032
1033 /*
1034 * update the key usage limit, and check it to make sure that we
1035 * didn't just hit either the soft limit or the hard limit, and call
1036 * the event handler if we hit either.
1037 */
1038 switch(key_limit_update(stream->limit)) {
1039 case key_event_normal:
1040 break;
1041 case key_event_soft_limit:
1042 srtp_handle_event(ctx, stream, event_key_soft_limit);
1043 break;
1044 case key_event_hard_limit:
1045 srtp_handle_event(ctx, stream, event_key_hard_limit);
1046 return err_status_key_expired;
1047 default:
1048 break;
1049 }
1050
1051 /* if we're encrypting, add keystream into ciphertext */
1052 if (enc_start) {
1053 status = cipher_encrypt(stream->rtp_cipher,
1054 (uint8_t *)enc_start, &enc_octet_len);
1055 if (status)
1056 return err_status_cipher_fail;
1057 }
1058
1059 /*
1060 * verify that stream is for received traffic - this check will
1061 * detect SSRC collisions, since a stream that appears in both
1062 * srtp_protect() and srtp_unprotect() will fail this test in one of
1063 * those functions.
1064 *
1065 * we do this check *after* the authentication check, so that the
1066 * latter check will catch any attempts to fool us into thinking
1067 * that we've got a collision
1068 */
1069 if (stream->direction != dir_srtp_receiver) {
1070 if (stream->direction == dir_unknown) {
1071 stream->direction = dir_srtp_receiver;
1072 } else {
1073 srtp_handle_event(ctx, stream, event_ssrc_collision);
1074 }
1075 }
1076
1077 /*
1078 * if the stream is a 'provisional' one, in which the template context
1079 * is used, then we need to allocate a new stream at this point, since
1080 * the authentication passed
1081 */
1082 if (stream == ctx->stream_template) {
1083 srtp_stream_ctx_t *new_stream;
1084
1085 /*
1086 * allocate and initialize a new stream
1087 *
1088 * note that we indicate failure if we can't allocate the new
1089 * stream, and some implementations will want to not return
1090 * failure here
1091 */
1092 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1093 if (status)
1094 return status;
1095
1096 /* add new stream to the head of the stream_list */
1097 new_stream->next = ctx->stream_list;
1098 ctx->stream_list = new_stream;
1099
1100 /* set stream (the pointer used in this function) */
1101 stream = new_stream;
1102 }
1103
1104 /*
1105 * the message authentication function passed, so add the packet
1106 * index into the replay database
1107 */
1108 rdbx_add_index(&stream->rtp_rdbx, delta);
1109
1110 /* decrease the packet length by the length of the auth tag */
1111 *pkt_octet_len -= tag_len;
1112
1113 return err_status_ok;
1114 }
1115
1116 err_status_t
srtp_init()1117 srtp_init() {
1118 err_status_t status;
1119
1120 /* initialize crypto kernel */
1121 status = crypto_kernel_init();
1122 if (status)
1123 return status;
1124
1125 /* load srtp debug module into the kernel */
1126 status = crypto_kernel_load_debug_module(&mod_srtp);
1127 if (status)
1128 return status;
1129
1130 return err_status_ok;
1131 }
1132
1133 /*
1134 * The following code is under consideration for removal. See
1135 * SRTP_MAX_TRAILER_LEN
1136 */
1137 #if 0
1138
1139 /*
1140 * srtp_get_trailer_length(&a) returns the number of octets that will
1141 * be added to an RTP packet by the SRTP processing. This value
1142 * is constant for a given srtp_stream_t (i.e. between initializations).
1143 */
1144
1145 int
1146 srtp_get_trailer_length(const srtp_stream_t s) {
1147 return auth_get_tag_length(s->rtp_auth);
1148 }
1149
1150 #endif
1151
1152 /*
1153 * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
1154 * to ssrc, or NULL if no stream exists for that ssrc
1155 *
1156 * this is an internal function
1157 */
1158
1159 srtp_stream_ctx_t *
srtp_get_stream(srtp_t srtp,uint32_t ssrc)1160 srtp_get_stream(srtp_t srtp, uint32_t ssrc) {
1161 srtp_stream_ctx_t *stream;
1162
1163 /* walk down list until ssrc is found */
1164 stream = srtp->stream_list;
1165 while (stream != NULL) {
1166 if (stream->ssrc == ssrc)
1167 return stream;
1168 stream = stream->next;
1169 }
1170
1171 /* we haven't found our ssrc, so return a null */
1172 return NULL;
1173 }
1174
1175 err_status_t
srtp_dealloc(srtp_t session)1176 srtp_dealloc(srtp_t session) {
1177 srtp_stream_ctx_t *stream;
1178 err_status_t status;
1179
1180 /*
1181 * we take a conservative deallocation strategy - if we encounter an
1182 * error deallocating a stream, then we stop trying to deallocate
1183 * memory and just return an error
1184 */
1185
1186 /* walk list of streams, deallocating as we go */
1187 stream = session->stream_list;
1188 while (stream != NULL) {
1189 srtp_stream_t next = stream->next;
1190 status = srtp_stream_uninit_and_dealloc(stream, session->stream_template);
1191 if (status) {
1192 return status;
1193 }
1194 stream = next;
1195 }
1196
1197 /* deallocate stream template, if there is one */
1198 if (session->stream_template != NULL) {
1199 status = srtp_stream_uninit_and_dealloc(session->stream_template, NULL);
1200 }
1201
1202 /* deallocate session context */
1203 crypto_free(session);
1204
1205 return err_status_ok;
1206 }
1207
1208
1209 err_status_t
srtp_add_stream(srtp_t session,const srtp_policy_t * policy)1210 srtp_add_stream(srtp_t session,
1211 const srtp_policy_t *policy) {
1212 err_status_t status;
1213 srtp_stream_t tmp;
1214
1215 /* sanity check arguments */
1216 if ((session == NULL) || (policy == NULL) || (policy->key == NULL))
1217 return err_status_bad_param;
1218
1219 /* allocate stream */
1220 status = srtp_stream_alloc(&tmp, policy);
1221 if (status) {
1222 return status;
1223 }
1224
1225 /* initialize stream */
1226 status = srtp_stream_init(tmp, policy);
1227 if (status) {
1228 crypto_free(tmp);
1229 return status;
1230 }
1231
1232 /*
1233 * set the head of the stream list or the template to point to the
1234 * stream that we've just alloced and init'ed, depending on whether
1235 * or not it has a wildcard SSRC value or not
1236 *
1237 * if the template stream has already been set, then the policy is
1238 * inconsistent, so we return a bad_param error code
1239 */
1240 switch (policy->ssrc.type) {
1241 case (ssrc_any_outbound):
1242 if (session->stream_template) {
1243 return err_status_bad_param;
1244 }
1245 session->stream_template = tmp;
1246 session->stream_template->direction = dir_srtp_sender;
1247 break;
1248 case (ssrc_any_inbound):
1249 if (session->stream_template) {
1250 return err_status_bad_param;
1251 }
1252 session->stream_template = tmp;
1253 session->stream_template->direction = dir_srtp_receiver;
1254 break;
1255 case (ssrc_specific):
1256 tmp->next = session->stream_list;
1257 session->stream_list = tmp;
1258 break;
1259 case (ssrc_undefined):
1260 default:
1261 crypto_free(tmp);
1262 return err_status_bad_param;
1263 }
1264 return err_status_ok;
1265 }
1266
1267
1268 err_status_t
srtp_create(srtp_t * session,const srtp_policy_t * policy)1269 srtp_create(srtp_t *session, /* handle for session */
1270 const srtp_policy_t *policy) { /* SRTP policy (list) */
1271 err_status_t stat;
1272 srtp_ctx_t *ctx;
1273
1274 /* sanity check arguments */
1275 if (session == NULL)
1276 return err_status_bad_param;
1277
1278 /* allocate srtp context and set ctx_ptr */
1279 ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));
1280 if (ctx == NULL)
1281 return err_status_alloc_fail;
1282 *session = ctx;
1283
1284 /*
1285 * loop over elements in the policy list, allocating and
1286 * initializing a stream for each element
1287 */
1288 ctx->stream_template = NULL;
1289 ctx->stream_list = NULL;
1290 while (policy != NULL) {
1291
1292 stat = srtp_add_stream(ctx, policy);
1293 if (stat) {
1294 /* clean up everything */
1295 srtp_dealloc(*session);
1296 return stat;
1297 }
1298
1299 /* set policy to next item in list */
1300 policy = policy->next;
1301 }
1302
1303 return err_status_ok;
1304 }
1305
1306
1307 err_status_t
srtp_remove_stream(srtp_t session,uint32_t ssrc)1308 srtp_remove_stream(srtp_t session, uint32_t ssrc) {
1309 srtp_stream_ctx_t *stream, *last_stream;
1310
1311 /* sanity check arguments */
1312 if (session == NULL)
1313 return err_status_bad_param;
1314
1315 /* find stream in list; complain if not found */
1316 last_stream = stream = session->stream_list;
1317 while ((stream != NULL) && (ssrc != stream->ssrc)) {
1318 last_stream = stream;
1319 stream = stream->next;
1320 }
1321 if (stream == NULL)
1322 return err_status_no_ctx;
1323
1324 /* remove stream from the list */
1325 last_stream->next = stream->next;
1326
1327 return srtp_stream_uninit_and_dealloc(stream, session->stream_template);
1328 }
1329
1330 err_status_t
srtp_stream_uninit_and_dealloc(srtp_stream_ctx_t * stream,srtp_stream_ctx_t * stream_template)1331 srtp_stream_uninit_and_dealloc(srtp_stream_ctx_t *stream,
1332 srtp_stream_ctx_t *stream_template) {
1333 err_status_t status;
1334 /* deallocate rdbx data */
1335 status = srtp_stream_uninit(stream);
1336 if (status)
1337 return status;
1338
1339 /* deallocate the stream */
1340 status = srtp_stream_dealloc(stream, stream_template);
1341 if (status)
1342 return status;
1343
1344 return err_status_ok;
1345 }
1346
1347
1348 /*
1349 * the default policy - provides a convenient way for callers to use
1350 * the default security policy
1351 *
1352 * this policy is that defined in the current SRTP internet draft.
1353 *
1354 */
1355
1356 /*
1357 * NOTE: cipher_key_len is really key len (128 bits) plus salt len
1358 * (112 bits)
1359 */
1360 /* There are hard-coded 16's for base_key_len in the key generation code */
1361
1362 void
crypto_policy_set_rtp_default(crypto_policy_t * p)1363 crypto_policy_set_rtp_default(crypto_policy_t *p) {
1364
1365 p->cipher_type = AES_128_ICM;
1366 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1367 p->auth_type = HMAC_SHA1;
1368 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1369 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1370 p->sec_serv = sec_serv_conf_and_auth;
1371
1372 }
1373
1374 void
crypto_policy_set_rtcp_default(crypto_policy_t * p)1375 crypto_policy_set_rtcp_default(crypto_policy_t *p) {
1376
1377 p->cipher_type = AES_128_ICM;
1378 p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1379 p->auth_type = HMAC_SHA1;
1380 p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1381 p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1382 p->sec_serv = sec_serv_conf_and_auth;
1383
1384 }
1385
1386 void
crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t * p)1387 crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {
1388
1389 /*
1390 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1391 *
1392 * note that this crypto policy is intended for SRTP, but not SRTCP
1393 */
1394
1395 p->cipher_type = AES_128_ICM;
1396 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1397 p->auth_type = HMAC_SHA1;
1398 p->auth_key_len = 20; /* 160 bit key */
1399 p->auth_tag_len = 4; /* 32 bit tag */
1400 p->sec_serv = sec_serv_conf_and_auth;
1401
1402 }
1403
1404
1405 void
crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t * p)1406 crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {
1407
1408 /*
1409 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1410 *
1411 * note that this crypto policy is intended for SRTP, but not SRTCP
1412 */
1413
1414 p->cipher_type = AES_128_ICM;
1415 p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1416 p->auth_type = NULL_AUTH;
1417 p->auth_key_len = 0;
1418 p->auth_tag_len = 0;
1419 p->sec_serv = sec_serv_conf;
1420
1421 }
1422
1423
1424 void
crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t * p)1425 crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {
1426
1427 /*
1428 * corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1429 */
1430
1431 p->cipher_type = NULL_CIPHER;
1432 p->cipher_key_len = 0;
1433 p->auth_type = HMAC_SHA1;
1434 p->auth_key_len = 20;
1435 p->auth_tag_len = 10;
1436 p->sec_serv = sec_serv_auth;
1437
1438 }
1439
1440
1441 /*
1442 * secure rtcp functions
1443 */
1444
1445 err_status_t
srtp_protect_rtcp(srtp_t ctx,void * rtcp_hdr,int * pkt_octet_len)1446 srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
1447 srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
1448 uint32_t *enc_start; /* pointer to start of encrypted portion */
1449 uint32_t *auth_start; /* pointer to start of auth. portion */
1450 uint32_t *trailer; /* pointer to start of trailer */
1451 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1452 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1453 err_status_t status;
1454 int tag_len;
1455 srtp_stream_ctx_t *stream;
1456 int prefix_len;
1457 uint32_t seq_num;
1458
1459 /* we assume the hdr is 32-bit aligned to start */
1460 /*
1461 * look up ssrc in srtp_stream list, and process the packet with
1462 * the appropriate stream. if we haven't seen this stream before,
1463 * there's only one key for this srtp_session, and the cipher
1464 * supports key-sharing, then we assume that a new stream using
1465 * that key has just started up
1466 */
1467 stream = srtp_get_stream(ctx, hdr->ssrc);
1468 if (stream == NULL) {
1469 if (ctx->stream_template != NULL) {
1470 srtp_stream_ctx_t *new_stream;
1471
1472 /* allocate and initialize a new stream */
1473 status = srtp_stream_clone(ctx->stream_template,
1474 hdr->ssrc, &new_stream);
1475 if (status)
1476 return status;
1477
1478 /* add new stream to the head of the stream_list */
1479 new_stream->next = ctx->stream_list;
1480 ctx->stream_list = new_stream;
1481
1482 /* set stream (the pointer used in this function) */
1483 stream = new_stream;
1484 } else {
1485 /* no template stream, so we return an error */
1486 return err_status_no_ctx;
1487 }
1488 }
1489
1490 /*
1491 * verify that stream is for sending traffic - this check will
1492 * detect SSRC collisions, since a stream that appears in both
1493 * srtp_protect() and srtp_unprotect() will fail this test in one of
1494 * those functions.
1495 */
1496 if (stream->direction != dir_srtp_sender) {
1497 if (stream->direction == dir_unknown) {
1498 stream->direction = dir_srtp_sender;
1499 } else {
1500 srtp_handle_event(ctx, stream, event_ssrc_collision);
1501 }
1502 }
1503
1504 /* get tag length from stream context */
1505 tag_len = auth_get_tag_length(stream->rtcp_auth);
1506
1507 /*
1508 * set encryption start and encryption length - if we're not
1509 * providing confidentiality, set enc_start to NULL
1510 */
1511 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1512 enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
1513
1514 /* all of the packet, except the header, gets encrypted */
1515 /* NOTE: hdr->length is not usable - it refers to only the first
1516 RTCP report in the compound packet! */
1517 /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1518 multiples of 32-bits (RFC 3550 6.1) */
1519 trailer = (uint32_t *) ((char *)enc_start + enc_octet_len);
1520
1521 if (stream->rtcp_services & sec_serv_conf) {
1522 *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
1523 } else {
1524 enc_start = NULL;
1525 enc_octet_len = 0;
1526 /* 0 is network-order independant */
1527 *trailer = 0x00000000; /* set encrypt bit */
1528 }
1529
1530 /*
1531 * set the auth_start and auth_tag pointers to the proper locations
1532 * (note that srtpc *always* provides authentication, unlike srtp)
1533 */
1534 /* Note: This would need to change for optional mikey data */
1535 auth_start = (uint32_t *)hdr;
1536 auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t);
1537
1538 /* perform EKT processing if needed */
1539 ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
1540 rdbx_get_packet_index(&stream->rtp_rdbx));
1541
1542 /*
1543 * check sequence number for overruns, and copy it into the packet
1544 * if its value isn't too big
1545 */
1546 status = rdb_increment(&stream->rtcp_rdb);
1547 if (status)
1548 return status;
1549 seq_num = rdb_get_value(&stream->rtcp_rdb);
1550 *trailer |= htonl(seq_num);
1551 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1552
1553 /*
1554 * if we're using rindael counter mode, set nonce and seq
1555 */
1556 if (stream->rtcp_cipher->type == &aes_icm) {
1557 v128_t iv;
1558
1559 iv.v32[0] = 0;
1560 iv.v32[1] = hdr->ssrc; /* still in network order! */
1561 iv.v32[2] = htonl(seq_num >> 16);
1562 iv.v32[3] = htonl(seq_num << 16);
1563 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtcp_cipher->state, &iv);
1564
1565 } else {
1566 v128_t iv;
1567
1568 /* otherwise, just set the index to seq_num */
1569 iv.v32[0] = 0;
1570 iv.v32[1] = 0;
1571 iv.v32[2] = 0;
1572 iv.v32[3] = htonl(seq_num);
1573 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1574 }
1575 if (status)
1576 return err_status_cipher_fail;
1577
1578 /*
1579 * if we're authenticating using a universal hash, put the keystream
1580 * prefix into the authentication tag
1581 */
1582
1583 /* if auth_start is non-null, then put keystream into tag */
1584 if (auth_start) {
1585
1586 /* put keystream prefix into auth_tag */
1587 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1588 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1589
1590 debug_print(mod_srtp, "keystream prefix: %s",
1591 octet_string_hex_string(auth_tag, prefix_len));
1592
1593 if (status)
1594 return err_status_cipher_fail;
1595 }
1596
1597 /* if we're encrypting, exor keystream into the message */
1598 if (enc_start) {
1599 status = cipher_encrypt(stream->rtcp_cipher,
1600 (uint8_t *)enc_start, &enc_octet_len);
1601 if (status)
1602 return err_status_cipher_fail;
1603 }
1604
1605 /* initialize auth func context */
1606 auth_start(stream->rtcp_auth);
1607
1608 /*
1609 * run auth func over packet (including trailer), and write the
1610 * result at auth_tag
1611 */
1612 status = auth_compute(stream->rtcp_auth,
1613 (uint8_t *)auth_start,
1614 (*pkt_octet_len) + sizeof(srtcp_trailer_t),
1615 auth_tag);
1616 debug_print(mod_srtp, "srtcp auth tag: %s",
1617 octet_string_hex_string(auth_tag, tag_len));
1618 if (status)
1619 return err_status_auth_fail;
1620
1621 /* increase the packet length by the length of the auth tag and seq_num*/
1622 *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
1623
1624 return err_status_ok;
1625 }
1626
1627
1628 err_status_t
srtp_unprotect_rtcp(srtp_t ctx,void * srtcp_hdr,int * pkt_octet_len)1629 srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
1630 srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
1631 uint32_t *enc_start; /* pointer to start of encrypted portion */
1632 uint32_t *auth_start; /* pointer to start of auth. portion */
1633 uint32_t *trailer; /* pointer to start of trailer */
1634 unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1635 uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1636 uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
1637 uint8_t tag_copy[SRTP_MAX_TAG_LEN];
1638 err_status_t status;
1639 unsigned auth_len;
1640 int tag_len;
1641 srtp_stream_ctx_t *stream;
1642 int prefix_len;
1643 uint32_t seq_num;
1644 int e_bit_in_packet; /* whether the E-bit was found in the packet */
1645 int sec_serv_confidentiality; /* whether confidentiality was requested */
1646
1647 /* we assume the hdr is 32-bit aligned to start */
1648 /*
1649 * look up ssrc in srtp_stream list, and process the packet with
1650 * the appropriate stream. if we haven't seen this stream before,
1651 * there's only one key for this srtp_session, and the cipher
1652 * supports key-sharing, then we assume that a new stream using
1653 * that key has just started up
1654 */
1655 stream = srtp_get_stream(ctx, hdr->ssrc);
1656 if (stream == NULL) {
1657 if (ctx->stream_template != NULL) {
1658 stream = ctx->stream_template;
1659
1660 /*
1661 * check to see if stream_template has an EKT data structure, in
1662 * which case we initialize the template using the EKT policy
1663 * referenced by that data (which consists of decrypting the
1664 * master key from the EKT field)
1665 *
1666 * this function initializes a *provisional* stream, and this
1667 * stream should not be accepted until and unless the packet
1668 * passes its authentication check
1669 */
1670 if (stream->ekt != NULL) {
1671 status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len);
1672 if (status)
1673 return status;
1674 }
1675
1676 debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
1677 hdr->ssrc);
1678 } else {
1679 /* no template stream, so we return an error */
1680 return err_status_no_ctx;
1681 }
1682 }
1683
1684 sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
1685 stream->rtcp_services == sec_serv_conf_and_auth;
1686
1687 /* get tag length from stream context */
1688 tag_len = auth_get_tag_length(stream->rtcp_auth);
1689
1690 /*
1691 * set encryption start, encryption length, and trailer
1692 */
1693 enc_octet_len = *pkt_octet_len -
1694 (octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
1695 /* index & E (encryption) bit follow normal data. hdr->len
1696 is the number of words (32-bit) in the normal packet minus 1 */
1697 /* This should point trailer to the word past the end of the
1698 normal data. */
1699 /* This would need to be modified for optional mikey data */
1700 /*
1701 * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1702 * multiples of 32-bits (RFC 3550 6.1)
1703 */
1704 trailer = (uint32_t *) ((char *) hdr +
1705 *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
1706 e_bit_in_packet = (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
1707 if (e_bit_in_packet != sec_serv_confidentiality) {
1708 return err_status_cant_check;
1709 }
1710 if (sec_serv_confidentiality) {
1711 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1712 } else {
1713 enc_octet_len = 0;
1714 enc_start = NULL; /* this indicates that there's no encryption */
1715 }
1716
1717 /*
1718 * set the auth_start and auth_tag pointers to the proper locations
1719 * (note that srtcp *always* uses authentication, unlike srtp)
1720 */
1721 auth_start = (uint32_t *)hdr;
1722 auth_len = *pkt_octet_len - tag_len;
1723 auth_tag = (uint8_t *)hdr + auth_len;
1724
1725 /*
1726 * if EKT is in use, then we make a copy of the tag from the packet,
1727 * and then zeroize the location of the base tag
1728 *
1729 * we first re-position the auth_tag pointer so that it points to
1730 * the base tag
1731 */
1732 if (stream->ekt) {
1733 auth_tag -= ekt_octets_after_base_tag(stream->ekt);
1734 memcpy(tag_copy, auth_tag, tag_len);
1735 octet_string_set_to_zero(auth_tag, tag_len);
1736 auth_tag = tag_copy;
1737 auth_len += tag_len;
1738 }
1739
1740 /*
1741 * check the sequence number for replays
1742 */
1743 /* this is easier than dealing with bitfield access */
1744 seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
1745 debug_print(mod_srtp, "srtcp index: %x", seq_num);
1746 status = rdb_check(&stream->rtcp_rdb, seq_num);
1747 if (status)
1748 return status;
1749
1750 /*
1751 * if we're using aes counter mode, set nonce and seq
1752 */
1753 if (stream->rtcp_cipher->type == &aes_icm) {
1754 v128_t iv;
1755
1756 iv.v32[0] = 0;
1757 iv.v32[1] = hdr->ssrc; /* still in network order! */
1758 iv.v32[2] = htonl(seq_num >> 16);
1759 iv.v32[3] = htonl(seq_num << 16);
1760 status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtcp_cipher->state, &iv);
1761
1762 } else {
1763 v128_t iv;
1764
1765 /* otherwise, just set the index to seq_num */
1766 iv.v32[0] = 0;
1767 iv.v32[1] = 0;
1768 iv.v32[2] = 0;
1769 iv.v32[3] = htonl(seq_num);
1770 status = cipher_set_iv(stream->rtcp_cipher, &iv);
1771
1772 }
1773 if (status)
1774 return err_status_cipher_fail;
1775
1776 /* initialize auth func context */
1777 auth_start(stream->rtcp_auth);
1778
1779 /* run auth func over packet, put result into tmp_tag */
1780 status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
1781 auth_len, tmp_tag);
1782 debug_print(mod_srtp, "srtcp computed tag: %s",
1783 octet_string_hex_string(tmp_tag, tag_len));
1784 if (status)
1785 return err_status_auth_fail;
1786
1787 /* compare the tag just computed with the one in the packet */
1788 debug_print(mod_srtp, "srtcp tag from packet: %s",
1789 octet_string_hex_string(auth_tag, tag_len));
1790 if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1791 return err_status_auth_fail;
1792
1793 /*
1794 * if we're authenticating using a universal hash, put the keystream
1795 * prefix into the authentication tag
1796 */
1797 prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1798 if (prefix_len) {
1799 status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1800 debug_print(mod_srtp, "keystream prefix: %s",
1801 octet_string_hex_string(auth_tag, prefix_len));
1802 if (status)
1803 return err_status_cipher_fail;
1804 }
1805
1806 /* if we're decrypting, exor keystream into the message */
1807 if (enc_start) {
1808 status = cipher_encrypt(stream->rtcp_cipher,
1809 (uint8_t *)enc_start, &enc_octet_len);
1810 if (status)
1811 return err_status_cipher_fail;
1812 }
1813
1814 /* decrease the packet length by the length of the auth tag and seq_num */
1815 *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
1816
1817 /*
1818 * if EKT is in effect, subtract the EKT data out of the packet
1819 * length
1820 */
1821 *pkt_octet_len -= ekt_octets_after_base_tag(stream->ekt);
1822
1823 /*
1824 * verify that stream is for received traffic - this check will
1825 * detect SSRC collisions, since a stream that appears in both
1826 * srtp_protect() and srtp_unprotect() will fail this test in one of
1827 * those functions.
1828 *
1829 * we do this check *after* the authentication check, so that the
1830 * latter check will catch any attempts to fool us into thinking
1831 * that we've got a collision
1832 */
1833 if (stream->direction != dir_srtp_receiver) {
1834 if (stream->direction == dir_unknown) {
1835 stream->direction = dir_srtp_receiver;
1836 } else {
1837 srtp_handle_event(ctx, stream, event_ssrc_collision);
1838 }
1839 }
1840
1841 /*
1842 * if the stream is a 'provisional' one, in which the template context
1843 * is used, then we need to allocate a new stream at this point, since
1844 * the authentication passed
1845 */
1846 if (stream == ctx->stream_template) {
1847 srtp_stream_ctx_t *new_stream;
1848
1849 /*
1850 * allocate and initialize a new stream
1851 *
1852 * note that we indicate failure if we can't allocate the new
1853 * stream, and some implementations will want to not return
1854 * failure here
1855 */
1856 status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1857 if (status)
1858 return status;
1859
1860 /* add new stream to the head of the stream_list */
1861 new_stream->next = ctx->stream_list;
1862 ctx->stream_list = new_stream;
1863
1864 /* set stream (the pointer used in this function) */
1865 stream = new_stream;
1866 }
1867
1868 /* we've passed the authentication check, so add seq_num to the rdb */
1869 rdb_add_index(&stream->rtcp_rdb, seq_num);
1870
1871
1872 return err_status_ok;
1873 }
1874
1875
1876
1877 /*
1878 * dtls keying for srtp
1879 */
1880
1881 err_status_t
crypto_policy_set_from_profile_for_rtp(crypto_policy_t * policy,srtp_profile_t profile)1882 crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
1883 srtp_profile_t profile) {
1884
1885 /* set SRTP policy from the SRTP profile in the key set */
1886 switch(profile) {
1887 case srtp_profile_aes128_cm_sha1_80:
1888 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1889 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1890 break;
1891 case srtp_profile_aes128_cm_sha1_32:
1892 crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
1893 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1894 break;
1895 case srtp_profile_null_sha1_80:
1896 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
1897 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
1898 break;
1899 /* the following profiles are not (yet) supported */
1900 case srtp_profile_null_sha1_32:
1901 case srtp_profile_aes256_cm_sha1_80:
1902 case srtp_profile_aes256_cm_sha1_32:
1903 default:
1904 return err_status_bad_param;
1905 }
1906
1907 return err_status_ok;
1908 }
1909
1910 err_status_t
crypto_policy_set_from_profile_for_rtcp(crypto_policy_t * policy,srtp_profile_t profile)1911 crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
1912 srtp_profile_t profile) {
1913
1914 /* set SRTP policy from the SRTP profile in the key set */
1915 switch(profile) {
1916 case srtp_profile_aes128_cm_sha1_80:
1917 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1918 break;
1919 case srtp_profile_aes128_cm_sha1_32:
1920 crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1921 break;
1922 case srtp_profile_null_sha1_80:
1923 crypto_policy_set_null_cipher_hmac_sha1_80(policy);
1924 break;
1925 /* the following profiles are not (yet) supported */
1926 case srtp_profile_null_sha1_32:
1927 case srtp_profile_aes256_cm_sha1_80:
1928 case srtp_profile_aes256_cm_sha1_32:
1929 default:
1930 return err_status_bad_param;
1931 }
1932
1933 return err_status_ok;
1934 }
1935
1936 void
append_salt_to_key(uint8_t * key,unsigned int bytes_in_key,uint8_t * salt,unsigned int bytes_in_salt)1937 append_salt_to_key(uint8_t *key, unsigned int bytes_in_key,
1938 uint8_t *salt, unsigned int bytes_in_salt) {
1939
1940 memcpy(key + bytes_in_key, salt, bytes_in_salt);
1941
1942 }
1943
1944 unsigned int
srtp_profile_get_master_key_length(srtp_profile_t profile)1945 srtp_profile_get_master_key_length(srtp_profile_t profile) {
1946
1947 switch(profile) {
1948 case srtp_profile_aes128_cm_sha1_80:
1949 return 16;
1950 break;
1951 case srtp_profile_aes128_cm_sha1_32:
1952 return 16;
1953 break;
1954 case srtp_profile_null_sha1_80:
1955 return 16;
1956 break;
1957 /* the following profiles are not (yet) supported */
1958 case srtp_profile_null_sha1_32:
1959 case srtp_profile_aes256_cm_sha1_80:
1960 case srtp_profile_aes256_cm_sha1_32:
1961 default:
1962 return 0; /* indicate error by returning a zero */
1963 }
1964 }
1965
1966 unsigned int
srtp_profile_get_master_salt_length(srtp_profile_t profile)1967 srtp_profile_get_master_salt_length(srtp_profile_t profile) {
1968
1969 switch(profile) {
1970 case srtp_profile_aes128_cm_sha1_80:
1971 return 14;
1972 break;
1973 case srtp_profile_aes128_cm_sha1_32:
1974 return 14;
1975 break;
1976 case srtp_profile_null_sha1_80:
1977 return 14;
1978 break;
1979 /* the following profiles are not (yet) supported */
1980 case srtp_profile_null_sha1_32:
1981 case srtp_profile_aes256_cm_sha1_80:
1982 case srtp_profile_aes256_cm_sha1_32:
1983 default:
1984 return 0; /* indicate error by returning a zero */
1985 }
1986 }
1987