/* * srtp.c * * the secure real-time transport protocol * * David A. McGrew * Cisco Systems, Inc. */ /* * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * */ // Leave this as the top level import. Ensures the existence of defines #include "config.h" #include "srtp_priv.h" #include "crypto_types.h" #include "err.h" #include "ekt.h" /* for SRTP Encrypted Key Transport */ #include "alloc.h" /* for srtp_crypto_alloc() */ #ifdef GCM #include "aes_gcm.h" /* for AES GCM mode */ #endif #ifdef OPENSSL_KDF #include <openssl/kdf.h> #include "aes_icm_ext.h" #endif #include <limits.h> #ifdef HAVE_NETINET_IN_H #include <netinet/in.h> #elif defined(HAVE_WINSOCK2_H) #include <winsock2.h> #endif /* the debug module for srtp */ srtp_debug_module_t mod_srtp = …; #define octets_in_rtp_header … #define uint32s_in_rtp_header … #define octets_in_rtcp_header … #define uint32s_in_rtcp_header … #define octets_in_rtp_extn_hdr … static srtp_err_status_t srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) { … } const char *srtp_get_version_string() { … } unsigned int srtp_get_version() { … } srtp_err_status_t srtp_stream_dealloc(srtp_stream_ctx_t *stream, const srtp_stream_ctx_t *stream_template) { … } srtp_err_status_t srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, const srtp_policy_t *p) { … } /* * srtp_stream_clone(stream_template, new) allocates a new stream and * initializes it using the cipher and auth of the stream_template * * the only unique data in a cloned stream is the replay database and * the SSRC */ srtp_err_status_t srtp_stream_clone(const srtp_stream_ctx_t *stream_template, uint32_t ssrc, srtp_stream_ctx_t **str_ptr) { … } /* * key derivation functions, internal to libSRTP * * srtp_kdf_t is a key derivation context * * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher * described by cipher_id, with the master key k with length in octets keylen. * * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key * corresponding to label l and puts it into kl; the length * of the key in octets is provided as keylen. this function * should be called once for each subkey that is derived. * * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state */ srtp_prf_label; #define MAX_SRTP_KEY_LEN … #if defined(OPENSSL) && defined(OPENSSL_KDF) #define MAX_SRTP_AESKEY_LEN … #define MAX_SRTP_SALT_LEN … /* * srtp_kdf_t represents a key derivation function. The SRTP * default KDF is the only one implemented at present. */ typedef struct { uint8_t master_key[MAX_SRTP_AESKEY_LEN]; uint8_t master_salt[MAX_SRTP_SALT_LEN]; const EVP_CIPHER *evp; } srtp_kdf_t; static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int key_len, int salt_len) { memset(kdf, 0x0, sizeof(srtp_kdf_t)); /* The NULL cipher has zero key length */ if (key_len == 0) return srtp_err_status_ok; if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) { return srtp_err_status_bad_param; } switch (key_len) { case SRTP_AES_256_KEYSIZE: kdf->evp = EVP_aes_256_ctr(); break; case SRTP_AES_192_KEYSIZE: kdf->evp = EVP_aes_192_ctr(); break; case SRTP_AES_128_KEYSIZE: kdf->evp = EVP_aes_128_ctr(); break; default: return srtp_err_status_bad_param; break; } memcpy(kdf->master_key, key, key_len); memcpy(kdf->master_salt, key + key_len, salt_len); return srtp_err_status_ok; } static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, uint8_t *key, unsigned int length) { int ret; /* The NULL cipher will not have an EVP */ if (!kdf->evp) return srtp_err_status_ok; octet_string_set_to_zero(key, length); /* * Invoke the OpenSSL SRTP KDF function * This is useful if OpenSSL is in FIPS mode and FIP * compliance is required for SRTP. */ ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key, (char *)&kdf->master_salt, NULL, NULL, label, (char *)key); if (ret == -1) { return (srtp_err_status_algo_fail); } return srtp_err_status_ok; } static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) { octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN); octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN); kdf->evp = NULL; return srtp_err_status_ok; } #else /* if OPENSSL_KDF */ /* * srtp_kdf_t represents a key derivation function. The SRTP * default KDF is the only one implemented at present. */ srtp_kdf_t; static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int key_len) { … } static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, uint8_t *key, unsigned int length) { … } static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) { … } #endif /* else OPENSSL_KDF */ /* * end of key derivation functions */ /* Get the base key length corresponding to a given combined key+salt * length for the given cipher. * TODO: key and salt lengths should be separate fields in the policy. */ static inline int base_key_length(const srtp_cipher_type_t *cipher, int key_length) { … } unsigned int srtp_validate_policy_master_keys(const srtp_policy_t *policy) { … } srtp_session_keys_t *srtp_get_session_keys_with_mki_index( srtp_stream_ctx_t *stream, unsigned int use_mki, unsigned int mki_index) { … } unsigned int srtp_inject_mki(uint8_t *mki_tag_location, srtp_session_keys_t *session_keys, unsigned int use_mki) { … } srtp_err_status_t srtp_stream_init_all_master_keys( srtp_stream_ctx_t *srtp, unsigned char *key, srtp_master_key_t **keys, const unsigned int max_master_keys) { … } srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp, srtp_master_key_t *master_key, const unsigned int current_mki_index) { … } srtp_err_status_t srtp_stream_init(srtp_stream_ctx_t *srtp, const srtp_policy_t *p) { … } /* * srtp_event_reporter is an event handler function that merely * reports the events that are reported by the callbacks */ void srtp_event_reporter(srtp_event_data_t *data) { … } /* * srtp_event_handler is a global variable holding a pointer to the * event handler function; this function is called for any unexpected * event that needs to be handled out of the SRTP data path. see * srtp_event_t in srtp.h for more info * * it is okay to set srtp_event_handler to NULL, but we set * it to the srtp_event_reporter. */ static srtp_event_handler_func_t *srtp_event_handler = …; srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func) { … } /* * Check if the given extension header id is / should be encrypted. * Returns 1 if yes, otherwise 0. */ static int srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id) { … } /* * extensions header encryption RFC 6904 */ static srtp_err_status_t srtp_process_header_encryption( srtp_stream_ctx_t *stream, srtp_hdr_xtnd_t *xtn_hdr, srtp_session_keys_t *session_keys) { … } /* * AEAD uses a new IV formation method. This function implements * section 8.1. (SRTP IV Formation for AES-GCM) of RFC7714. * The calculation is defined as, where (+) is the xor operation: * * * 0 0 0 0 0 0 0 0 0 0 1 1 * 0 1 2 3 4 5 6 7 8 9 0 1 * +--+--+--+--+--+--+--+--+--+--+--+--+ * |00|00| SSRC | ROC | SEQ |---+ * +--+--+--+--+--+--+--+--+--+--+--+--+ | * | * +--+--+--+--+--+--+--+--+--+--+--+--+ | * | Encryption Salt |->(+) * +--+--+--+--+--+--+--+--+--+--+--+--+ | * | * +--+--+--+--+--+--+--+--+--+--+--+--+ | * | Initialization Vector |<--+ * +--+--+--+--+--+--+--+--+--+--+--+--+* * * Input: *session_keys - pointer to SRTP stream context session keys, * used to retrieve the SALT * *iv - Pointer to receive the calculated IV * *seq - The ROC and SEQ value to use for the * IV calculation. * *hdr - The RTP header, used to get the SSRC value * */ static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys, v128_t *iv, srtp_xtd_seq_num_t *seq, srtp_hdr_t *hdr) { … } srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream, uint8_t *hdr, const unsigned int *pkt_octet_len, unsigned int *mki_size) { … } static srtp_err_status_t srtp_estimate_index(srtp_rdbx_t *rdbx, uint32_t roc, srtp_xtd_seq_num_t *est, srtp_sequence_number_t seq, int *delta) { … } static srtp_err_status_t srtp_get_est_pkt_index(srtp_hdr_t *hdr, srtp_stream_ctx_t *stream, srtp_xtd_seq_num_t *est, int *delta) { … } /* * This function handles outgoing SRTP packets while in AEAD mode, * which currently supports AES-GCM encryption. All packets are * encrypted and authenticated. */ static srtp_err_status_t srtp_protect_aead(srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, void *rtp_hdr, unsigned int *pkt_octet_len, srtp_session_keys_t *session_keys, unsigned int use_mki) { … } /* * This function handles incoming SRTP packets while in AEAD mode, * which currently supports AES-GCM encryption. All packets are * encrypted and authenticated. Note, the auth tag is at the end * of the packet stream and is automatically checked by GCM * when decrypting the payload. */ static srtp_err_status_t srtp_unprotect_aead(srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, srtp_xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_len, srtp_session_keys_t *session_keys, unsigned int mki_size) { … } srtp_err_status_t srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { … } srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len, unsigned int use_mki, unsigned int mki_index) { … } srtp_err_status_t srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { … } srtp_err_status_t srtp_unprotect_mki(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len, unsigned int use_mki) { … } srtp_err_status_t srtp_init() { … } srtp_err_status_t srtp_shutdown() { … } /* * The following code is under consideration for removal. See * SRTP_MAX_TRAILER_LEN */ #if 0 /* * srtp_get_trailer_length(&a) returns the number of octets that will * be added to an RTP packet by the SRTP processing. This value * is constant for a given srtp_stream_t (i.e. between initializations). */ int srtp_get_trailer_length(const srtp_stream_t s) { return srtp_auth_get_tag_length(s->rtp_auth); } #endif /* * srtp_get_stream(ssrc) returns a pointer to the stream corresponding * to ssrc, or NULL if no stream exists for that ssrc * * this is an internal function */ srtp_stream_ctx_t *srtp_get_stream(srtp_t srtp, uint32_t ssrc) { … } srtp_err_status_t srtp_dealloc(srtp_t session) { … } srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy) { … } srtp_err_status_t srtp_create(srtp_t *session, /* handle for session */ const srtp_policy_t *policy) { … } srtp_err_status_t srtp_remove_stream(srtp_t session, uint32_t ssrc) { … } srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy) { … } static srtp_err_status_t update_template_streams(srtp_t session, const srtp_policy_t *policy) { … } static srtp_err_status_t update_stream(srtp_t session, const srtp_policy_t *policy) { … } srtp_err_status_t srtp_update_stream(srtp_t session, const srtp_policy_t *policy) { … } /* * The default policy - provides a convenient way for callers to use * the default security policy * * The default policy is defined in RFC 3711 * (Section 5. Default and mandatory-to-implement Transforms) * */ /* * NOTE: cipher_key_len is really key len (128 bits) plus salt len * (112 bits) */ /* There are hard-coded 16's for base_key_len in the key generation code */ void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p) { … } /* * AES-256 with no authentication. */ void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p) { … } void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p) { … } /* * AES-192 with no authentication. */ void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p) { … } /* * AES-128 GCM mode with 8 octet auth tag. */ void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p) { … } /* * AES-256 GCM mode with 8 octet auth tag. */ void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p) { … } /* * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption. */ void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p) { … } /* * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption. */ void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p) { … } /* * AES-128 GCM mode with 16 octet auth tag. */ void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p) { … } /* * AES-256 GCM mode with 16 octet auth tag. */ void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p) { … } /* * secure rtcp functions */ /* * AEAD uses a new IV formation method. This function implements * section 9.1 (SRTCP IV Formation for AES-GCM) from RFC7714. * The calculation is defined as, where (+) is the xor operation: * * 0 1 2 3 4 5 6 7 8 9 10 11 * +--+--+--+--+--+--+--+--+--+--+--+--+ * |00|00| SSRC |00|00|0+SRTCP Idx|---+ * +--+--+--+--+--+--+--+--+--+--+--+--+ | * | * +--+--+--+--+--+--+--+--+--+--+--+--+ | * | Encryption Salt |->(+) * +--+--+--+--+--+--+--+--+--+--+--+--+ | * | * +--+--+--+--+--+--+--+--+--+--+--+--+ | * | Initialization Vector |<--+ * +--+--+--+--+--+--+--+--+--+--+--+--+* * * Input: *session_keys - pointer to SRTP stream context session keys, * used to retrieve the SALT * *iv - Pointer to recieve the calculated IV * seq_num - The SEQ value to use for the IV calculation. * *hdr - The RTP header, used to get the SSRC value * * Returns: srtp_err_status_ok if no error or srtp_err_status_bad_param * if seq_num is invalid * */ static srtp_err_status_t srtp_calc_aead_iv_srtcp( srtp_session_keys_t *session_keys, v128_t *iv, uint32_t seq_num, srtcp_hdr_t *hdr) { … } /* * This code handles AEAD ciphers for outgoing RTCP. We currently support * AES-GCM mode with 128 or 256 bit keys. */ static srtp_err_status_t srtp_protect_rtcp_aead( srtp_t ctx, srtp_stream_ctx_t *stream, void *rtcp_hdr, unsigned int *pkt_octet_len, srtp_session_keys_t *session_keys, unsigned int use_mki) { … } /* * This function handles incoming SRTCP packets while in AEAD mode, * which currently supports AES-GCM encryption. Note, the auth tag is * at the end of the packet stream and is automatically checked by GCM * when decrypting the payload. */ static srtp_err_status_t srtp_unprotect_rtcp_aead( srtp_t ctx, srtp_stream_ctx_t *stream, void *srtcp_hdr, unsigned int *pkt_octet_len, srtp_session_keys_t *session_keys, unsigned int use_mki) { … } srtp_err_status_t srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) { … } srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len, unsigned int use_mki, unsigned int mki_index) { … } srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) { … } srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len, unsigned int use_mki) { … } /* * user data within srtp_t context */ void srtp_set_user_data(srtp_t ctx, void *data) { … } void *srtp_get_user_data(srtp_t ctx) { … } /* * dtls keying for srtp */ srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp( srtp_crypto_policy_t *policy, srtp_profile_t profile) { … } srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp( srtp_crypto_policy_t *policy, srtp_profile_t profile) { … } void srtp_append_salt_to_key(uint8_t *key, unsigned int bytes_in_key, uint8_t *salt, unsigned int bytes_in_salt) { … } unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile) { … } unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile) { … } srtp_err_status_t stream_get_protect_trailer_length(srtp_stream_ctx_t *stream, uint32_t is_rtp, uint32_t use_mki, uint32_t mki_index, uint32_t *length) { … } srtp_err_status_t get_protect_trailer_length(srtp_t session, uint32_t is_rtp, uint32_t use_mki, uint32_t mki_index, uint32_t *length) { … } srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session, uint32_t use_mki, uint32_t mki_index, uint32_t *length) { … } srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session, uint32_t use_mki, uint32_t mki_index, uint32_t *length) { … } /* * SRTP debug interface */ srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v) { … } srtp_err_status_t srtp_list_debug_modules(void) { … } /* * srtp_log_handler is a global variable holding a pointer to the * log handler function; this function is called for any log * output. */ static srtp_log_handler_func_t *srtp_log_handler = …; static void *srtp_log_handler_data = …; void srtp_err_handler(srtp_err_reporting_level_t level, const char *msg) { … } srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, void *data) { … } srtp_err_status_t srtp_set_stream_roc(srtp_t session, uint32_t ssrc, uint32_t roc) { … } srtp_err_status_t srtp_get_stream_roc(srtp_t session, uint32_t ssrc, uint32_t *roc) { … }
Codebase Browser
chromium