4
* the secure real-time transport protocol
11
* Copyright (c) 2001-2006, Cisco Systems, Inc.
12
* All rights reserved.
14
* Redistribution and use in source and binary forms, with or without
15
* modification, are permitted provided that the following conditions
18
* Redistributions of source code must retain the above copyright
19
* notice, this list of conditions and the following disclaimer.
21
* Redistributions in binary form must reproduce the above
22
* copyright notice, this list of conditions and the following
23
* disclaimer in the documentation and/or other materials provided
24
* with the distribution.
26
* Neither the name of the Cisco Systems, Inc. nor the names of its
27
* contributors may be used to endorse or promote products derived
28
* from this software without specific prior written permission.
30
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
31
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
32
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
33
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
34
* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
35
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41
* OF THE POSSIBILITY OF SUCH DAMAGE.
46
#include "srtp_priv.h"
47
#include "aes_icm.h" /* aes_icm is used in the KDF */
48
#include "alloc.h" /* for crypto_alloc() */
52
# ifdef HAVE_NETINET_IN_H
53
# include <netinet/in.h>
54
# elif defined(HAVE_WINSOCK2_H)
55
# include <winsock2.h>
57
#endif /* ! SRTP_KERNEL */
60
extern cipher_type_t aes_icm;
61
extern auth_type_t tmmhv2;
63
/* the debug module for srtp */
65
debug_module_t mod_srtp = {
66
0, /* debugging is off by default */
67
"srtp" /* printable name for module */
70
#define octets_in_rtp_header 12
71
#define uint32s_in_rtp_header 3
72
#define octets_in_rtcp_header 8
73
#define uint32s_in_rtcp_header 2
77
srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
78
const srtp_policy_t *p) {
79
srtp_stream_ctx_t *str;
83
* This function allocates the stream context, rtp and rtcp ciphers
84
* and auth functions, and key limit structure. If there is a
85
* failure during allocation, we free all previously allocated
86
* memory and return a failure code. The code could probably
87
* be improved, but it works and should be clear.
90
/* allocate srtp stream and set str_ptr */
91
str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
93
return err_status_alloc_fail;
97
stat = crypto_kernel_alloc_cipher(p->rtp.cipher_type,
99
p->rtp.cipher_key_len);
105
/* allocate auth function */
106
stat = crypto_kernel_alloc_auth(p->rtp.auth_type,
109
p->rtp.auth_tag_len);
111
cipher_dealloc(str->rtp_cipher);
116
/* allocate key limit structure */
117
str->limit = (key_limit_ctx_t*) crypto_alloc(sizeof(key_limit_ctx_t));
118
if (str->limit == NULL) {
119
auth_dealloc(str->rtp_auth);
120
cipher_dealloc(str->rtp_cipher);
122
return err_status_alloc_fail;
126
* ...and now the RTCP-specific initialization - first, allocate
129
stat = crypto_kernel_alloc_cipher(p->rtcp.cipher_type,
131
p->rtcp.cipher_key_len);
133
auth_dealloc(str->rtp_auth);
134
cipher_dealloc(str->rtp_cipher);
135
crypto_free(str->limit);
140
/* allocate auth function */
141
stat = crypto_kernel_alloc_auth(p->rtcp.auth_type,
143
p->rtcp.auth_key_len,
144
p->rtcp.auth_tag_len);
146
cipher_dealloc(str->rtcp_cipher);
147
auth_dealloc(str->rtp_auth);
148
cipher_dealloc(str->rtp_cipher);
149
crypto_free(str->limit);
154
return err_status_ok;
158
srtp_stream_dealloc(srtp_t session, srtp_stream_ctx_t *stream) {
162
* we use a conservative deallocation strategy - if any deallocation
163
* fails, then we report that fact without trying to deallocate
167
/* deallocate cipher, if it is not the same as that in template */
168
if (session->stream_template
169
&& stream->rtp_cipher == session->stream_template->rtp_cipher) {
172
status = cipher_dealloc(stream->rtp_cipher);
177
/* deallocate auth function, if it is not the same as that in template */
178
if (session->stream_template
179
&& stream->rtp_auth == session->stream_template->rtp_auth) {
182
status = auth_dealloc(stream->rtp_auth);
187
/* deallocate key usage limit, if it is not the same as that in template */
188
if (session->stream_template
189
&& stream->limit == session->stream_template->limit) {
192
crypto_free(stream->limit);
196
* deallocate rtcp cipher, if it is not the same as that in
199
if (session->stream_template
200
&& stream->rtcp_cipher == session->stream_template->rtcp_cipher) {
203
status = cipher_dealloc(stream->rtcp_cipher);
209
* deallocate rtcp auth function, if it is not the same as that in
212
if (session->stream_template
213
&& stream->rtcp_auth == session->stream_template->rtcp_auth) {
216
status = auth_dealloc(stream->rtcp_auth);
221
/* deallocate srtp stream context */
224
return err_status_ok;
229
* srtp_stream_clone(stream_template, new) allocates a new stream and
230
* initializes it using the cipher and auth of the stream_template
232
* the only unique data in a cloned stream is the replay database and
237
srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
239
srtp_stream_ctx_t **str_ptr) {
241
srtp_stream_ctx_t *str;
243
debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
245
/* allocate srtp stream and set str_ptr */
246
str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
248
return err_status_alloc_fail;
251
/* set cipher and auth pointers to those of the template */
252
str->rtp_cipher = stream_template->rtp_cipher;
253
str->rtp_auth = stream_template->rtp_auth;
254
str->rtcp_cipher = stream_template->rtcp_cipher;
255
str->rtcp_auth = stream_template->rtcp_auth;
257
/* set key limit to point to that of the template */
258
status = key_limit_clone(stream_template->limit, &str->limit);
262
/* initialize replay databases */
263
rdbx_init(&str->rtp_rdbx);
264
rdb_init(&str->rtcp_rdb);
266
/* set ssrc to that provided */
269
/* set direction and security services */
270
str->direction = stream_template->direction;
271
str->rtp_services = stream_template->rtp_services;
272
str->rtcp_services = stream_template->rtcp_services;
274
/* defensive coding */
277
return err_status_ok;
282
* key derivation functions, internal to libSRTP
284
* srtp_kdf_t is a key derivation context
286
* srtp_kdf_init(&kdf, k) initializes kdf with the key k
288
* srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
289
* corresponding to label l and puts it into kl; the length
290
* of the key in octets is provided as keylen. this function
291
* should be called once for each subkey that is derived.
293
* srtp_kdf_clear(&kdf) zeroizes the kdf state
297
label_rtp_encryption = 0x00,
298
label_rtp_msg_auth = 0x01,
299
label_rtp_salt = 0x02,
300
label_rtcp_encryption = 0x03,
301
label_rtcp_msg_auth = 0x04,
302
label_rtcp_salt = 0x05
307
* srtp_kdf_t represents a key derivation function. The SRTP
308
* default KDF is the only one implemented at present.
312
aes_icm_ctx_t c; /* cipher used for key derivation */
316
srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t key[30]) {
318
aes_icm_context_init(&kdf->c, key);
320
return err_status_ok;
324
srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label,
325
uint8_t *key, int length) {
329
/* set eigth octet of nonce to <label>, set the rest of it to zero */
330
v128_set_to_zero(&nonce);
333
aes_icm_set_iv(&kdf->c, &nonce);
335
/* generate keystream output */
336
aes_icm_output(&kdf->c, key, length);
338
return err_status_ok;
342
srtp_kdf_clear(srtp_kdf_t *kdf) {
344
/* zeroize aes context */
345
octet_string_set_to_zero((uint8_t *)kdf, sizeof(srtp_kdf_t));
347
return err_status_ok;
351
* end of key derivation functions
354
#define MAX_SRTP_KEY_LEN 256
358
srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const void *key) {
361
uint8_t tmp_key[MAX_SRTP_KEY_LEN];
363
/* initialize KDF state */
364
srtp_kdf_init(&kdf, (const uint8_t *)key);
366
/* generate encryption key */
367
srtp_kdf_generate(&kdf, label_rtp_encryption,
368
tmp_key, cipher_get_key_length(srtp->rtp_cipher));
370
* if the cipher in the srtp context is aes_icm, then we need
371
* to generate the salt value
373
if (srtp->rtp_cipher->type == &aes_icm) {
374
/* FIX!!! this is really the cipher key length; rest is salt */
375
int base_key_len = 16;
376
int salt_len = cipher_get_key_length(srtp->rtp_cipher) - base_key_len;
378
debug_print(mod_srtp, "found aes_icm, generating salt", NULL);
380
/* generate encryption salt, put after encryption key */
381
srtp_kdf_generate(&kdf, label_rtp_salt,
382
tmp_key + base_key_len, salt_len);
384
debug_print(mod_srtp, "cipher key: %s",
385
octet_string_hex_string(tmp_key,
386
cipher_get_key_length(srtp->rtp_cipher)));
388
/* initialize cipher */
389
stat = cipher_init(srtp->rtp_cipher, tmp_key, direction_any);
391
/* zeroize temp buffer */
392
octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
393
return err_status_init_fail;
396
/* generate authentication key */
397
srtp_kdf_generate(&kdf, label_rtp_msg_auth,
398
tmp_key, auth_get_key_length(srtp->rtp_auth));
399
debug_print(mod_srtp, "auth key: %s",
400
octet_string_hex_string(tmp_key,
401
auth_get_key_length(srtp->rtp_auth)));
403
/* initialize auth function */
404
stat = auth_init(srtp->rtp_auth, tmp_key);
406
/* zeroize temp buffer */
407
octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
408
return err_status_init_fail;
412
* ...now initialize SRTCP keys
415
/* generate encryption key */
416
srtp_kdf_generate(&kdf, label_rtcp_encryption,
417
tmp_key, cipher_get_key_length(srtp->rtcp_cipher));
419
* if the cipher in the srtp context is aes_icm, then we need
420
* to generate the salt value
422
if (srtp->rtcp_cipher->type == &aes_icm) {
423
/* FIX!!! this is really the cipher key length; rest is salt */
424
int base_key_len = 16;
425
int salt_len = cipher_get_key_length(srtp->rtcp_cipher) - base_key_len;
427
debug_print(mod_srtp, "found aes_icm, generating rtcp salt", NULL);
429
/* generate encryption salt, put after encryption key */
430
srtp_kdf_generate(&kdf, label_rtcp_salt,
431
tmp_key + base_key_len, salt_len);
433
debug_print(mod_srtp, "rtcp cipher key: %s",
434
octet_string_hex_string(tmp_key,
435
cipher_get_key_length(srtp->rtcp_cipher)));
437
/* initialize cipher */
438
stat = cipher_init(srtp->rtcp_cipher, tmp_key, direction_any);
440
/* zeroize temp buffer */
441
octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
442
return err_status_init_fail;
445
/* generate authentication key */
446
srtp_kdf_generate(&kdf, label_rtcp_msg_auth,
447
tmp_key, auth_get_key_length(srtp->rtcp_auth));
448
debug_print(mod_srtp, "rtcp auth key: %s",
449
octet_string_hex_string(tmp_key,
450
auth_get_key_length(srtp->rtcp_auth)));
452
/* initialize auth function */
453
stat = auth_init(srtp->rtcp_auth, tmp_key);
455
/* zeroize temp buffer */
456
octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
457
return err_status_init_fail;
460
/* clear memory then return */
461
srtp_kdf_clear(&kdf);
462
octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
464
return err_status_ok;
468
srtp_stream_init(srtp_stream_ctx_t *srtp,
469
const srtp_policy_t *p) {
472
debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)",
475
/* initialize replay database */
476
rdbx_init(&srtp->rtp_rdbx);
478
/* initialize key limit to maximum value */
482
temp = make64(UINT_MAX,UINT_MAX);
483
key_limit_set(srtp->limit, temp);
486
key_limit_set(srtp->limit, PJ_UINT64(0xffffffffffff));
489
/* set the SSRC value */
490
srtp->ssrc = htonl(p->ssrc.value);
492
/* set the security service flags */
493
srtp->rtp_services = p->rtp.sec_serv;
494
srtp->rtcp_services = p->rtcp.sec_serv;
497
* set direction to unknown - this flag gets checked in srtp_protect(),
498
* srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
499
* gets set appropriately if it is set to unknown.
501
srtp->direction = dir_unknown;
503
/* initialize SRTCP replay database */
504
rdb_init(&srtp->rtcp_rdb);
506
/* DAM - no RTCP key limit at present */
508
/* initialize keys */
509
err = srtp_stream_init_keys(srtp, p->key);
512
return err_status_ok;
517
* srtp_event_reporter is an event handler function that merely
518
* reports the events that are reported by the callbacks
522
srtp_event_reporter(srtp_event_data_t *data) {
524
err_report(err_level_warning, "srtp: in stream 0x%x: ",
527
switch(data->event) {
528
case event_ssrc_collision:
529
err_report(err_level_warning, "\tSSRC collision\n");
531
case event_key_soft_limit:
532
err_report(err_level_warning, "\tkey usage soft limit reached\n");
534
case event_key_hard_limit:
535
err_report(err_level_warning, "\tkey usage hard limit reached\n");
537
case event_packet_index_limit:
538
err_report(err_level_warning, "\tpacket index limit reached\n");
541
err_report(err_level_warning, "\tunknown event reported to handler\n");
546
* srtp_event_handler is a global variable holding a pointer to the
547
* event handler function; this function is called for any unexpected
548
* event that needs to be handled out of the SRTP data path. see
549
* srtp_event_t in srtp.h for more info
551
* it is okay to set srtp_event_handler to NULL, but we set
552
* it to the srtp_event_reporter.
555
static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
558
srtp_install_event_handler(srtp_event_handler_func_t func) {
561
* note that we accept NULL arguments intentionally - calling this
562
* function with a NULL arguments removes an event handler that's
563
* been previously installed
566
/* set global event handling function */
567
srtp_event_handler = func;
568
return err_status_ok;
572
srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
573
srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
574
uint32_t *enc_start; /* pointer to start of encrypted portion */
575
uint32_t *auth_start; /* pointer to start of auth. portion */
576
unsigned enc_octet_len = 0; /* number of octets in encrypted portion */
577
xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
578
int delta; /* delta of local pkt idx and that in hdr */
579
uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
582
srtp_stream_ctx_t *stream;
585
debug_print(mod_srtp, "function srtp_protect", NULL);
587
/* we assume the hdr is 32-bit aligned to start */
589
/* check the packet length - it must at least contain a full header */
590
if (*pkt_octet_len < octets_in_rtp_header)
591
return err_status_bad_param;
594
* look up ssrc in srtp_stream list, and process the packet with
595
* the appropriate stream. if we haven't seen this stream before,
596
* there's a template key for this srtp_session, and the cipher
597
* supports key-sharing, then we assume that a new stream using
598
* that key has just started up
600
stream = srtp_get_stream(ctx, hdr->ssrc);
601
if (stream == NULL) {
602
if (ctx->stream_template != NULL) {
603
srtp_stream_ctx_t *new_stream;
605
/* allocate and initialize a new stream */
606
status = srtp_stream_clone(ctx->stream_template,
607
hdr->ssrc, &new_stream);
611
/* add new stream to the head of the stream_list */
612
new_stream->next = ctx->stream_list;
613
ctx->stream_list = new_stream;
615
/* set direction to outbound */
616
new_stream->direction = dir_srtp_sender;
618
/* set stream (the pointer used in this function) */
621
/* no template stream, so we return an error */
622
return err_status_no_ctx;
627
* verify that stream is for sending traffic - this check will
628
* detect SSRC collisions, since a stream that appears in both
629
* srtp_protect() and srtp_unprotect() will fail this test in one of
632
if (stream->direction != dir_srtp_sender) {
633
if (stream->direction == dir_unknown) {
634
stream->direction = dir_srtp_sender;
636
srtp_handle_event(ctx, stream, event_ssrc_collision);
641
* update the key usage limit, and check it to make sure that we
642
* didn't just hit either the soft limit or the hard limit, and call
643
* the event handler if we hit either.
645
switch(key_limit_update(stream->limit)) {
646
case key_event_normal:
648
case key_event_soft_limit:
649
srtp_handle_event(ctx, stream, event_key_soft_limit);
651
case key_event_hard_limit:
652
srtp_handle_event(ctx, stream, event_key_hard_limit);
653
return err_status_key_expired;
658
/* get tag length from stream */
659
tag_len = auth_get_tag_length(stream->rtp_auth);
662
* find starting point for encryption and length of data to be
663
* encrypted - the encrypted portion starts after the rtp header
664
* extension, if present; otherwise, it starts after the last csrc,
667
* if we're not providing confidentiality, set enc_start to NULL
669
if (stream->rtp_services & sec_serv_conf) {
670
enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
672
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
673
enc_start += (ntohs(xtn_hdr->length) + 1);
675
enc_octet_len = (unsigned int)(*pkt_octet_len
676
- ((enc_start - (uint32_t *)hdr) << 2));
682
* if we're providing authentication, set the auth_start and auth_tag
683
* pointers to the proper locations; otherwise, set auth_start to NULL
684
* to indicate that no authentication is needed
686
if (stream->rtp_services & sec_serv_auth) {
687
auth_start = (uint32_t *)hdr;
688
auth_tag = (uint8_t *)hdr + *pkt_octet_len;
695
* estimate the packet index using the start of the replay window
696
* and the sequence number from the header
698
delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
699
status = rdbx_check(&stream->rtp_rdbx, delta);
701
return status; /* we've been asked to reuse an index */
702
rdbx_add_index(&stream->rtp_rdbx, delta);
705
debug_print2(mod_srtp, "estimated packet index: %08x%08x",
706
high32(est),low32(est));
708
debug_print(mod_srtp, "estimated packet index: %016llx", est);
712
* if we're using rindael counter mode, set nonce and seq
714
if (stream->rtp_cipher->type == &aes_icm) {
718
iv.v32[1] = hdr->ssrc;
720
iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
723
iv.v64[1] = be64_to_cpu(est << 16);
725
status = cipher_set_iv(stream->rtp_cipher, &iv);
730
/* otherwise, set the index to est */
737
iv.v64[1] = be64_to_cpu(est);
738
status = cipher_set_iv(stream->rtp_cipher, &iv);
741
return err_status_cipher_fail;
743
/* shift est, put into network byte order */
745
est = be64_to_cpu(make64((high32(est) << 16) |
749
est = be64_to_cpu(est << 16);
753
* if we're authenticating using a universal hash, put the keystream
754
* prefix into the authentication tag
758
prefix_len = auth_get_prefix_length(stream->rtp_auth);
760
status = cipher_output(stream->rtp_cipher, auth_tag, prefix_len);
762
return err_status_cipher_fail;
763
debug_print(mod_srtp, "keystream prefix: %s",
764
octet_string_hex_string(auth_tag, prefix_len));
768
/* if we're encrypting, exor keystream into the message */
770
status = cipher_encrypt(stream->rtp_cipher,
771
(uint8_t *)enc_start, &enc_octet_len);
773
return err_status_cipher_fail;
777
* if we're authenticating, run authentication function and put result
782
/* initialize auth func context */
783
status = auth_start(stream->rtp_auth);
784
if (status) return status;
786
/* run auth func over packet */
787
status = auth_update(stream->rtp_auth,
788
(uint8_t *)auth_start, *pkt_octet_len);
789
if (status) return status;
791
/* run auth func over ROC, put result into auth_tag */
792
debug_print(mod_srtp, "estimated packet index: %016llx", est);
793
status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, auth_tag);
794
debug_print(mod_srtp, "srtp auth tag: %s",
795
octet_string_hex_string(auth_tag, tag_len));
797
return err_status_auth_fail;
803
/* increase the packet length by the length of the auth tag */
804
*pkt_octet_len += tag_len;
807
return err_status_ok;
812
srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
813
srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
814
uint32_t *enc_start; /* pointer to start of encrypted portion */
815
uint32_t *auth_start; /* pointer to start of auth. portion */
816
unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
817
uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
818
xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */
819
int delta; /* delta of local pkt idx and that in hdr */
822
srtp_stream_ctx_t *stream;
823
uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
824
int tag_len, prefix_len;
826
debug_print(mod_srtp, "function srtp_unprotect", NULL);
828
/* we assume the hdr is 32-bit aligned to start */
830
/* check the packet length - it must at least contain a full header */
831
if (*pkt_octet_len < octets_in_rtp_header)
832
return err_status_bad_param;
835
* look up ssrc in srtp_stream list, and process the packet with
836
* the appropriate stream. if we haven't seen this stream before,
837
* there's only one key for this srtp_session, and the cipher
838
* supports key-sharing, then we assume that a new stream using
839
* that key has just started up
841
stream = srtp_get_stream(ctx, hdr->ssrc);
842
if (stream == NULL) {
843
if (ctx->stream_template != NULL) {
844
stream = ctx->stream_template;
845
debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
849
* set estimated packet index to sequence number from header,
850
* and set delta equal to the same value
853
est = (xtd_seq_num_t) make64(0,ntohs(hdr->seq));
856
est = (xtd_seq_num_t) ntohs(hdr->seq);
862
* no stream corresponding to SSRC found, and we don't do
863
* key-sharing, so return an error
865
return err_status_no_ctx;
869
/* estimate packet index from seq. num. in header */
870
delta = rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
872
/* check replay database */
873
status = rdbx_check(&stream->rtp_rdbx, delta);
879
debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32(est));
881
debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
884
/* get tag length from stream */
885
tag_len = auth_get_tag_length(stream->rtp_auth);
888
* set the cipher's IV properly, depending on whatever cipher we
891
if (stream->rtp_cipher->type == &aes_icm) {
893
/* aes counter mode */
895
iv.v32[1] = hdr->ssrc; /* still in network order */
897
iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16),
900
iv.v64[1] = be64_to_cpu(est << 16);
902
status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtp_cipher->state, &iv);
905
/* no particular format - set the iv to the pakcet index */
912
iv.v64[1] = be64_to_cpu(est);
913
status = cipher_set_iv(stream->rtp_cipher, &iv);
916
return err_status_cipher_fail;
918
/* shift est, put into network byte order */
920
est = be64_to_cpu(make64((high32(est) << 16) |
924
est = be64_to_cpu(est << 16);
928
* find starting point for decryption and length of data to be
929
* decrypted - the encrypted portion starts after the rtp header
930
* extension, if present; otherwise, it starts after the last csrc,
933
* if we're not providing confidentiality, set enc_start to NULL
935
if (stream->rtp_services & sec_serv_conf) {
936
enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
938
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
939
enc_start += (ntohs(xtn_hdr->length) + 1);
941
enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
942
- ((enc_start - (uint32_t *)hdr) << 2));
948
* if we're providing authentication, set the auth_start and auth_tag
949
* pointers to the proper locations; otherwise, set auth_start to NULL
950
* to indicate that no authentication is needed
952
if (stream->rtp_services & sec_serv_auth) {
953
auth_start = (uint32_t *)hdr;
954
auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
961
* if we expect message authentication, run the authentication
962
* function and compare the result with the value of the auth_tag
967
* if we're using a universal hash, then we need to compute the
968
* keystream prefix for encrypting the universal hash output
970
* if the keystream prefix length is zero, then we know that
971
* the authenticator isn't using a universal hash function
973
if (stream->rtp_auth->prefix_len != 0) {
975
prefix_len = auth_get_prefix_length(stream->rtp_auth);
976
status = cipher_output(stream->rtp_cipher, tmp_tag, prefix_len);
977
debug_print(mod_srtp, "keystream prefix: %s",
978
octet_string_hex_string(tmp_tag, prefix_len));
980
return err_status_cipher_fail;
983
/* initialize auth func context */
984
status = auth_start(stream->rtp_auth);
985
if (status) return status;
987
/* now compute auth function over packet */
988
status = auth_update(stream->rtp_auth, (uint8_t *)auth_start,
989
*pkt_octet_len - tag_len);
991
/* run auth func over ROC, then write tmp tag */
992
status = auth_compute(stream->rtp_auth, (uint8_t *)&est, 4, tmp_tag);
994
debug_print(mod_srtp, "computed auth tag: %s",
995
octet_string_hex_string(tmp_tag, tag_len));
996
debug_print(mod_srtp, "packet auth tag: %s",
997
octet_string_hex_string(auth_tag, tag_len));
999
return err_status_auth_fail;
1001
if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1002
return err_status_auth_fail;
1006
* update the key usage limit, and check it to make sure that we
1007
* didn't just hit either the soft limit or the hard limit, and call
1008
* the event handler if we hit either.
1010
switch(key_limit_update(stream->limit)) {
1011
case key_event_normal:
1013
case key_event_soft_limit:
1014
srtp_handle_event(ctx, stream, event_key_soft_limit);
1016
case key_event_hard_limit:
1017
srtp_handle_event(ctx, stream, event_key_hard_limit);
1018
return err_status_key_expired;
1023
/* if we're encrypting, add keystream into ciphertext */
1025
status = cipher_encrypt(stream->rtp_cipher,
1026
(uint8_t *)enc_start, &enc_octet_len);
1028
return err_status_cipher_fail;
1032
* verify that stream is for received traffic - this check will
1033
* detect SSRC collisions, since a stream that appears in both
1034
* srtp_protect() and srtp_unprotect() will fail this test in one of
1037
* we do this check *after* the authentication check, so that the
1038
* latter check will catch any attempts to fool us into thinking
1039
* that we've got a collision
1041
if (stream->direction != dir_srtp_receiver) {
1042
if (stream->direction == dir_unknown) {
1043
stream->direction = dir_srtp_receiver;
1045
srtp_handle_event(ctx, stream, event_ssrc_collision);
1050
* if the stream is a 'provisional' one, in which the template context
1051
* is used, then we need to allocate a new stream at this point, since
1052
* the authentication passed
1054
if (stream == ctx->stream_template) {
1055
srtp_stream_ctx_t *new_stream;
1058
* allocate and initialize a new stream
1060
* note that we indicate failure if we can't allocate the new
1061
* stream, and some implementations will want to not return
1064
status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1068
/* add new stream to the head of the stream_list */
1069
new_stream->next = ctx->stream_list;
1070
ctx->stream_list = new_stream;
1072
/* set stream (the pointer used in this function) */
1073
stream = new_stream;
1077
* the message authentication function passed, so add the packet
1078
* index into the replay database
1080
rdbx_add_index(&stream->rtp_rdbx, delta);
1082
/* decrease the packet length by the length of the auth tag */
1083
*pkt_octet_len -= tag_len;
1085
return err_status_ok;
1090
err_status_t status;
1092
/* initialize crypto kernel */
1093
status = crypto_kernel_init();
1097
/* load srtp debug module into the kernel */
1098
status = crypto_kernel_load_debug_module(&mod_srtp);
1102
return err_status_ok;
1107
err_status_t status;
1109
status = crypto_kernel_shutdown();
1115
* The following code is under consideration for removal. See
1116
* SRTP_MAX_TRAILER_LEN
1121
* srtp_get_trailer_length(&a) returns the number of octets that will
1122
* be added to an RTP packet by the SRTP processing. This value
1123
* is constant for a given srtp_stream_t (i.e. between initializations).
1127
srtp_get_trailer_length(const srtp_stream_t s) {
1128
return auth_get_tag_length(s->rtp_auth);
1134
* srtp_get_stream(ssrc) returns a pointer to the stream corresponding
1135
* to ssrc, or NULL if no stream exists for that ssrc
1137
* this is an internal function
1141
srtp_get_stream(srtp_t srtp, uint32_t ssrc) {
1142
srtp_stream_ctx_t *stream;
1144
/* walk down list until ssrc is found */
1145
stream = srtp->stream_list;
1146
while (stream != NULL) {
1147
if (stream->ssrc == ssrc)
1149
stream = stream->next;
1152
/* we haven't found our ssrc, so return a null */
1157
srtp_dealloc(srtp_t session) {
1158
srtp_stream_ctx_t *stream;
1159
err_status_t status;
1162
* we take a conservative deallocation strategy - if we encounter an
1163
* error deallocating a stream, then we stop trying to deallocate
1164
* memory and just return an error
1167
/* walk list of streams, deallocating as we go */
1168
stream = session->stream_list;
1169
while (stream != NULL) {
1170
srtp_stream_t next = stream->next;
1171
status = srtp_stream_dealloc(session, stream);
1177
/* deallocate stream template, if there is one */
1178
if (session->stream_template != NULL) {
1179
status = auth_dealloc(session->stream_template->rtcp_auth);
1182
status = cipher_dealloc(session->stream_template->rtcp_cipher);
1185
crypto_free(session->stream_template->limit);
1186
status = cipher_dealloc(session->stream_template->rtp_cipher);
1189
status = auth_dealloc(session->stream_template->rtp_auth);
1192
crypto_free(session->stream_template);
1195
/* deallocate session context */
1196
crypto_free(session);
1198
return err_status_ok;
1203
srtp_add_stream(srtp_t session,
1204
const srtp_policy_t *policy) {
1205
err_status_t status;
1208
/* sanity check arguments */
1209
if ((session == NULL) || (policy == NULL) || (policy->key == NULL))
1210
return err_status_bad_param;
1212
/* allocate stream */
1213
status = srtp_stream_alloc(&tmp, policy);
1218
/* initialize stream */
1219
status = srtp_stream_init(tmp, policy);
1226
* set the head of the stream list or the template to point to the
1227
* stream that we've just alloced and init'ed, depending on whether
1228
* or not it has a wildcard SSRC value or not
1230
* if the template stream has already been set, then the policy is
1231
* inconsistent, so we return a bad_param error code
1233
switch (policy->ssrc.type) {
1234
case (ssrc_any_outbound):
1235
if (session->stream_template) {
1236
return err_status_bad_param;
1238
session->stream_template = tmp;
1239
session->stream_template->direction = dir_srtp_sender;
1241
case (ssrc_any_inbound):
1242
if (session->stream_template) {
1243
return err_status_bad_param;
1245
session->stream_template = tmp;
1246
session->stream_template->direction = dir_srtp_receiver;
1248
case (ssrc_specific):
1249
tmp->next = session->stream_list;
1250
session->stream_list = tmp;
1252
case (ssrc_undefined):
1255
return err_status_bad_param;
1258
return err_status_ok;
1263
srtp_create(srtp_t *session, /* handle for session */
1264
const srtp_policy_t *policy) { /* SRTP policy (list) */
1268
/* sanity check arguments */
1269
if (session == NULL)
1270
return err_status_bad_param;
1272
/* allocate srtp context and set ctx_ptr */
1273
ctx = (srtp_ctx_t *) crypto_alloc(sizeof(srtp_ctx_t));
1275
return err_status_alloc_fail;
1279
* loop over elements in the policy list, allocating and
1280
* initializing a stream for each element
1282
ctx->stream_template = NULL;
1283
ctx->stream_list = NULL;
1284
while (policy != NULL) {
1286
stat = srtp_add_stream(ctx, policy);
1288
/* clean up everything */
1289
srtp_dealloc(*session);
1293
/* set policy to next item in list */
1294
policy = policy->next;
1297
return err_status_ok;
1302
srtp_remove_stream(srtp_t session, uint32_t ssrc) {
1303
srtp_stream_ctx_t *stream, *last_stream;
1304
err_status_t status;
1306
/* sanity check arguments */
1307
if (session == NULL)
1308
return err_status_bad_param;
1310
/* find stream in list; complain if not found */
1311
last_stream = stream = session->stream_list;
1312
while ((stream != NULL) && (ssrc != stream->ssrc)) {
1313
last_stream = stream;
1314
stream = stream->next;
1317
return err_status_no_ctx;
1319
/* remove stream from the list */
1320
last_stream->next = stream->next;
1322
/* deallocate the stream */
1323
status = srtp_stream_dealloc(session, stream);
1327
return err_status_ok;
1332
* the default policy - provides a convenient way for callers to use
1333
* the default security policy
1335
* this policy is that defined in the current SRTP internet draft.
1340
* NOTE: cipher_key_len is really key len (128 bits) plus salt len
1343
/* There are hard-coded 16's for base_key_len in the key generation code */
1346
crypto_policy_set_rtp_default(crypto_policy_t *p) {
1348
p->cipher_type = AES_128_ICM;
1349
p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1350
p->auth_type = HMAC_SHA1;
1351
p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1352
p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1353
p->sec_serv = sec_serv_conf_and_auth;
1358
crypto_policy_set_rtcp_default(crypto_policy_t *p) {
1360
p->cipher_type = AES_128_ICM;
1361
p->cipher_key_len = 30; /* default 128 bits per RFC 3711 */
1362
p->auth_type = HMAC_SHA1;
1363
p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
1364
p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
1365
p->sec_serv = sec_serv_conf_and_auth;
1370
crypto_policy_set_aes_cm_128_hmac_sha1_32(crypto_policy_t *p) {
1373
* corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1375
* note that this crypto policy is intended for SRTP, but not SRTCP
1378
p->cipher_type = AES_128_ICM;
1379
p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1380
p->auth_type = HMAC_SHA1;
1381
p->auth_key_len = 20; /* 160 bit key */
1382
p->auth_tag_len = 4; /* 32 bit tag */
1383
p->sec_serv = sec_serv_conf_and_auth;
1389
crypto_policy_set_aes_cm_128_null_auth(crypto_policy_t *p) {
1392
* corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1394
* note that this crypto policy is intended for SRTP, but not SRTCP
1397
p->cipher_type = AES_128_ICM;
1398
p->cipher_key_len = 30; /* 128 bit key, 112 bit salt */
1399
p->auth_type = NULL_AUTH;
1400
p->auth_key_len = 0;
1401
p->auth_tag_len = 0;
1402
p->sec_serv = sec_serv_conf;
1408
crypto_policy_set_null_cipher_hmac_sha1_80(crypto_policy_t *p) {
1411
* corresponds to draft-ietf-mmusic-sdescriptions-12.txt
1414
p->cipher_type = NULL_CIPHER;
1415
p->cipher_key_len = 0;
1416
p->auth_type = HMAC_SHA1;
1417
p->auth_key_len = 20;
1418
p->auth_tag_len = 10;
1419
p->sec_serv = sec_serv_auth;
1425
* secure rtcp functions
1429
srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) {
1430
srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
1431
uint32_t *enc_start; /* pointer to start of encrypted portion */
1432
uint32_t *auth_start; /* pointer to start of auth. portion */
1433
uint32_t *trailer; /* pointer to start of trailer */
1434
unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1435
uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1436
err_status_t status;
1438
srtp_stream_ctx_t *stream;
1442
/* we assume the hdr is 32-bit aligned to start */
1444
* look up ssrc in srtp_stream list, and process the packet with
1445
* the appropriate stream. if we haven't seen this stream before,
1446
* there's only one key for this srtp_session, and the cipher
1447
* supports key-sharing, then we assume that a new stream using
1448
* that key has just started up
1450
stream = srtp_get_stream(ctx, hdr->ssrc);
1451
if (stream == NULL) {
1452
if (ctx->stream_template != NULL) {
1453
srtp_stream_ctx_t *new_stream;
1455
/* allocate and initialize a new stream */
1456
status = srtp_stream_clone(ctx->stream_template,
1457
hdr->ssrc, &new_stream);
1461
/* add new stream to the head of the stream_list */
1462
new_stream->next = ctx->stream_list;
1463
ctx->stream_list = new_stream;
1465
/* set stream (the pointer used in this function) */
1466
stream = new_stream;
1468
/* no template stream, so we return an error */
1469
return err_status_no_ctx;
1474
* verify that stream is for sending traffic - this check will
1475
* detect SSRC collisions, since a stream that appears in both
1476
* srtp_protect() and srtp_unprotect() will fail this test in one of
1479
if (stream->direction != dir_srtp_sender) {
1480
if (stream->direction == dir_unknown) {
1481
stream->direction = dir_srtp_sender;
1483
srtp_handle_event(ctx, stream, event_ssrc_collision);
1487
/* get tag length from stream context */
1488
tag_len = auth_get_tag_length(stream->rtcp_auth);
1491
* set encryption start and encryption length - if we're not
1492
* providing confidentiality, set enc_start to NULL
1494
enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1495
enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
1497
/* all of the packet, except the header, gets encrypted */
1498
/* NOTE: hdr->length is not usable - it refers to only the first
1499
RTCP report in the compound packet! */
1500
/* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1501
multiples of 32-bits (RFC 3550 6.1) */
1502
trailer = (uint32_t *) ((char *)enc_start + enc_octet_len);
1504
if (stream->rtcp_services & sec_serv_conf) {
1505
*trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
1509
/* 0 is network-order independant */
1510
*trailer = 0x00000000; /* set encrypt bit */
1514
* set the auth_start and auth_tag pointers to the proper locations
1515
* (note that srtpc *always* provides authentication, unlike srtp)
1517
/* Note: This would need to change for optional mikey data */
1518
auth_start = (uint32_t *)hdr;
1519
auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t);
1522
* check sequence number for overruns, and copy it into the packet
1523
* if its value isn't too big
1525
status = rdb_increment(&stream->rtcp_rdb);
1528
seq_num = rdb_get_value(&stream->rtcp_rdb);
1529
*trailer |= htonl(seq_num);
1530
debug_print(mod_srtp, "srtcp index: %x", seq_num);
1533
* if we're using rindael counter mode, set nonce and seq
1535
if (stream->rtcp_cipher->type == &aes_icm) {
1539
iv.v32[1] = hdr->ssrc; /* still in network order! */
1540
iv.v32[2] = htonl(seq_num >> 16);
1541
iv.v32[3] = htonl(seq_num << 16);
1542
status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtcp_cipher->state, &iv);
1547
/* otherwise, just set the index to seq_num */
1551
iv.v32[3] = htonl(seq_num);
1552
status = cipher_set_iv(stream->rtcp_cipher, &iv);
1555
return err_status_cipher_fail;
1558
* if we're authenticating using a universal hash, put the keystream
1559
* prefix into the authentication tag
1562
/* if auth_start is non-null, then put keystream into tag */
1565
/* put keystream prefix into auth_tag */
1566
prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1567
status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1569
debug_print(mod_srtp, "keystream prefix: %s",
1570
octet_string_hex_string(auth_tag, prefix_len));
1573
return err_status_cipher_fail;
1576
/* if we're encrypting, exor keystream into the message */
1578
status = cipher_encrypt(stream->rtcp_cipher,
1579
(uint8_t *)enc_start, &enc_octet_len);
1581
return err_status_cipher_fail;
1584
/* initialize auth func context */
1585
auth_start(stream->rtcp_auth);
1588
* run auth func over packet (including trailer), and write the
1589
* result at auth_tag
1591
status = auth_compute(stream->rtcp_auth,
1592
(uint8_t *)auth_start,
1593
(*pkt_octet_len) + sizeof(srtcp_trailer_t),
1595
debug_print(mod_srtp, "srtcp auth tag: %s",
1596
octet_string_hex_string(auth_tag, tag_len));
1598
return err_status_auth_fail;
1600
/* increase the packet length by the length of the auth tag and seq_num*/
1601
*pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
1603
return err_status_ok;
1608
srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
1609
srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
1610
uint32_t *enc_start; /* pointer to start of encrypted portion */
1611
uint32_t *auth_start; /* pointer to start of auth. portion */
1612
uint32_t *trailer; /* pointer to start of trailer */
1613
unsigned enc_octet_len = 0;/* number of octets in encrypted portion */
1614
uint8_t *auth_tag = NULL; /* location of auth_tag within packet */
1615
uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
1616
err_status_t status;
1618
srtp_stream_ctx_t *stream;
1622
/* we assume the hdr is 32-bit aligned to start */
1624
* look up ssrc in srtp_stream list, and process the packet with
1625
* the appropriate stream. if we haven't seen this stream before,
1626
* there's only one key for this srtp_session, and the cipher
1627
* supports key-sharing, then we assume that a new stream using
1628
* that key has just started up
1630
stream = srtp_get_stream(ctx, hdr->ssrc);
1631
if (stream == NULL) {
1632
if (ctx->stream_template != NULL) {
1633
stream = ctx->stream_template;
1634
debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)",
1637
/* no template stream, so we return an error */
1638
return err_status_no_ctx;
1642
/* get tag length from stream context */
1643
tag_len = auth_get_tag_length(stream->rtcp_auth);
1646
* set encryption start, encryption length, and trailer
1648
enc_octet_len = *pkt_octet_len -
1649
(octets_in_rtcp_header + tag_len + sizeof(srtcp_trailer_t));
1650
/* index & E (encryption) bit follow normal data. hdr->len
1651
is the number of words (32-bit) in the normal packet minus 1 */
1652
/* This should point trailer to the word past the end of the
1654
/* This would need to be modified for optional mikey data */
1656
* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always
1657
* multiples of 32-bits (RFC 3550 6.1)
1659
trailer = (uint32_t *) ((char *) hdr +
1660
*pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
1661
if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
1662
enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
1665
enc_start = NULL; /* this indicates that there's no encryption */
1669
* set the auth_start and auth_tag pointers to the proper locations
1670
* (note that srtcp *always* uses authentication, unlike srtp)
1672
auth_start = (uint32_t *)hdr;
1673
auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
1676
* check the sequence number for replays
1678
/* this is easier than dealing with bitfield access */
1679
seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK;
1680
debug_print(mod_srtp, "srtcp index: %x", seq_num);
1681
status = rdb_check(&stream->rtcp_rdb, seq_num);
1686
* if we're using aes counter mode, set nonce and seq
1688
if (stream->rtcp_cipher->type == &aes_icm) {
1692
iv.v32[1] = hdr->ssrc; /* still in network order! */
1693
iv.v32[2] = htonl(seq_num >> 16);
1694
iv.v32[3] = htonl(seq_num << 16);
1695
status = aes_icm_set_iv((aes_icm_ctx_t*)stream->rtcp_cipher->state, &iv);
1700
/* otherwise, just set the index to seq_num */
1704
iv.v32[3] = htonl(seq_num);
1705
status = cipher_set_iv(stream->rtcp_cipher, &iv);
1709
return err_status_cipher_fail;
1711
/* initialize auth func context */
1712
auth_start(stream->rtcp_auth);
1714
/* run auth func over packet, put result into tmp_tag */
1715
status = auth_compute(stream->rtcp_auth, (uint8_t *)auth_start,
1716
*pkt_octet_len - tag_len,
1718
debug_print(mod_srtp, "srtcp computed tag: %s",
1719
octet_string_hex_string(tmp_tag, tag_len));
1721
return err_status_auth_fail;
1723
/* compare the tag just computed with the one in the packet */
1724
debug_print(mod_srtp, "srtcp tag from packet: %s",
1725
octet_string_hex_string(auth_tag, tag_len));
1726
if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
1727
return err_status_auth_fail;
1730
* if we're authenticating using a universal hash, put the keystream
1731
* prefix into the authentication tag
1733
prefix_len = auth_get_prefix_length(stream->rtcp_auth);
1735
status = cipher_output(stream->rtcp_cipher, auth_tag, prefix_len);
1736
debug_print(mod_srtp, "keystream prefix: %s",
1737
octet_string_hex_string(auth_tag, prefix_len));
1739
return err_status_cipher_fail;
1742
/* if we're decrypting, exor keystream into the message */
1744
status = cipher_encrypt(stream->rtcp_cipher,
1745
(uint8_t *)enc_start, &enc_octet_len);
1747
return err_status_cipher_fail;
1750
/* decrease the packet length by the length of the auth tag and seq_num*/
1751
*pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
1754
* verify that stream is for received traffic - this check will
1755
* detect SSRC collisions, since a stream that appears in both
1756
* srtp_protect() and srtp_unprotect() will fail this test in one of
1759
* we do this check *after* the authentication check, so that the
1760
* latter check will catch any attempts to fool us into thinking
1761
* that we've got a collision
1763
if (stream->direction != dir_srtp_receiver) {
1764
if (stream->direction == dir_unknown) {
1765
stream->direction = dir_srtp_receiver;
1767
srtp_handle_event(ctx, stream, event_ssrc_collision);
1772
* if the stream is a 'provisional' one, in which the template context
1773
* is used, then we need to allocate a new stream at this point, since
1774
* the authentication passed
1776
if (stream == ctx->stream_template) {
1777
srtp_stream_ctx_t *new_stream;
1780
* allocate and initialize a new stream
1782
* note that we indicate failure if we can't allocate the new
1783
* stream, and some implementations will want to not return
1786
status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
1790
/* add new stream to the head of the stream_list */
1791
new_stream->next = ctx->stream_list;
1792
ctx->stream_list = new_stream;
1794
/* set stream (the pointer used in this function) */
1795
stream = new_stream;
1798
/* we've passed the authentication check, so add seq_num to the rdb */
1799
rdb_add_index(&stream->rtcp_rdb, seq_num);
1802
return err_status_ok;
1808
* dtls keying for srtp
1812
crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
1813
srtp_profile_t profile) {
1815
/* set SRTP policy from the SRTP profile in the key set */
1817
case srtp_profile_aes128_cm_sha1_80:
1818
crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1820
case srtp_profile_aes128_cm_sha1_32:
1821
crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
1823
case srtp_profile_null_sha1_80:
1824
crypto_policy_set_null_cipher_hmac_sha1_80(policy);
1826
/* the following profiles are not (yet) supported */
1827
case srtp_profile_null_sha1_32:
1828
case srtp_profile_aes256_cm_sha1_80:
1829
case srtp_profile_aes256_cm_sha1_32:
1831
return err_status_bad_param;
1834
return err_status_ok;
1838
crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
1839
srtp_profile_t profile) {
1841
/* set SRTP policy from the SRTP profile in the key set */
1843
case srtp_profile_aes128_cm_sha1_80:
1844
crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
1846
case srtp_profile_aes128_cm_sha1_32:
1847
crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
1849
case srtp_profile_null_sha1_80:
1850
crypto_policy_set_null_cipher_hmac_sha1_80(policy);
1852
/* the following profiles are not (yet) supported */
1853
case srtp_profile_null_sha1_32:
1854
case srtp_profile_aes256_cm_sha1_80:
1855
case srtp_profile_aes256_cm_sha1_32:
1857
return err_status_bad_param;
1860
return err_status_ok;
1864
append_salt_to_key(uint8_t *key, unsigned int bytes_in_key,
1865
uint8_t *salt, unsigned int bytes_in_salt) {
1867
memcpy(key + bytes_in_key, salt, bytes_in_salt);
1872
srtp_profile_get_master_key_length(srtp_profile_t profile) {
1875
case srtp_profile_aes128_cm_sha1_80:
1878
case srtp_profile_aes128_cm_sha1_32:
1881
case srtp_profile_null_sha1_80:
1884
/* the following profiles are not (yet) supported */
1885
case srtp_profile_null_sha1_32:
1886
case srtp_profile_aes256_cm_sha1_80:
1887
case srtp_profile_aes256_cm_sha1_32:
1889
return 0; /* indicate error by returning a zero */
1894
srtp_profile_get_master_salt_length(srtp_profile_t profile) {
1897
case srtp_profile_aes128_cm_sha1_80:
1900
case srtp_profile_aes128_cm_sha1_32:
1903
case srtp_profile_null_sha1_80:
1906
/* the following profiles are not (yet) supported */
1907
case srtp_profile_null_sha1_32:
1908
case srtp_profile_aes256_cm_sha1_80:
1909
case srtp_profile_aes256_cm_sha1_32:
1911
return 0; /* indicate error by returning a zero */