Line data Source code
1 : /*
2 : * SRTP encryption/decryption
3 : * Copyright (c) 2012 Martin Storsjo
4 : *
5 : * This file is part of Libav.
6 : *
7 : * Libav is free software; you can redistribute it and/or
8 : * modify it under the terms of the GNU Lesser General Public
9 : * License as published by the Free Software Foundation; either
10 : * version 2.1 of the License, or (at your option) any later version.
11 : *
12 : * Libav is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 : * Lesser General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU Lesser General Public
18 : * License along with Libav; if not, write to the Free Software
19 : * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 : */
21 :
22 : #include <stdlib.h>
23 : #include <assert.h>
24 : #include <libavutil/common.h>
25 : #include <libavutil/base64.h>
26 : #include <libavutil/aes.h>
27 : #include <libavutil/hmac.h>
28 : #include <libavutil/intreadwrite.h>
29 : #include <libavutil/log.h>
30 : #include "srtp.h"
31 :
32 : #include "connectivity/security/memory.h"
33 :
34 1695 : void ff_srtp_free(struct SRTPContext *s)
35 : {
36 1695 : uint8_t zero_buffer[32] = {0}; // WARNING: must be long enough to handle any key length
37 : assert(sizeof(zero_buffer) >= sizeof(s->master_key));
38 : assert(sizeof(zero_buffer) >= sizeof(s->rtp_key));
39 : assert(sizeof(zero_buffer) >= sizeof(s->rtp_auth));
40 :
41 1695 : if (!s)
42 0 : return;
43 : // aes and hmac have an opaque pointer type.
44 : // No API to safely erase them, so just re-init with "dummy keys" to sanitize them
45 1695 : if (s->aes) {
46 680 : av_aes_init(s->aes, zero_buffer, 128, 0);
47 680 : av_freep(&s->aes);
48 : }
49 1695 : if (s->hmac) {
50 680 : av_hmac_init(s->hmac, zero_buffer, sizeof(s->rtp_auth));
51 680 : av_hmac_free(s->hmac);
52 : }
53 1695 : ring_secure_memzero(s, sizeof(*s));
54 : }
55 :
56 15801 : static void encrypt_counter(struct AVAES *aes, uint8_t *iv, uint8_t *outbuf,
57 : int outlen)
58 : {
59 : int i, j, outpos;
60 171161 : for (i = 0, outpos = 0; outpos < outlen; i++) {
61 : uint8_t keystream[16];
62 155360 : AV_WB16(&iv[14], i);
63 155360 : av_aes_crypt(aes, keystream, iv, 1, NULL, 0);
64 2548711 : for (j = 0; j < 16 && outpos < outlen; j++, outpos++)
65 2393351 : outbuf[outpos] ^= keystream[j];
66 : }
67 15801 : }
68 :
69 4080 : static void derive_key(struct AVAES *aes, const uint8_t *salt, int label,
70 : uint8_t *out, int outlen)
71 : {
72 4080 : uint8_t input[16] = { 0 };
73 4080 : memcpy(input, salt, 14);
74 : // Key derivation rate assumed to be zero
75 4080 : input[14 - 7] ^= label;
76 4080 : memset(out, 0, outlen);
77 4080 : encrypt_counter(aes, input, out, outlen);
78 4080 : }
79 :
80 680 : int ff_srtp_set_crypto(struct SRTPContext *s, const char *suite,
81 : const char *params)
82 : {
83 : uint8_t buf[30];
84 :
85 680 : ff_srtp_free(s);
86 :
87 : // RFC 4568
88 680 : if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80") ||
89 0 : !strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_80")) {
90 680 : s->rtp_hmac_size = s->rtcp_hmac_size = 10;
91 0 : } else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {
92 0 : s->rtp_hmac_size = s->rtcp_hmac_size = 4;
93 0 : } else if (!strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_32")) {
94 : // RFC 5764 section 4.1.2
95 0 : s->rtp_hmac_size = 4;
96 0 : s->rtcp_hmac_size = 10;
97 : } else {
98 0 : av_log(NULL, AV_LOG_WARNING, "SRTP Crypto suite %s not supported\n",
99 : suite);
100 0 : return AVERROR(EINVAL);
101 : }
102 680 : if (av_base64_decode(buf, params, sizeof(buf)) != sizeof(buf)) {
103 0 : av_log(NULL, AV_LOG_WARNING, "Incorrect amount of SRTP params\n");
104 0 : ring_secure_memzero(buf, sizeof(buf));
105 0 : return AVERROR(EINVAL);
106 : }
107 : // MKI and lifetime not handled yet
108 680 : s->aes = av_aes_alloc();
109 680 : s->hmac = av_hmac_alloc(AV_HMAC_SHA1);
110 680 : if (!s->aes || !s->hmac)
111 0 : return AVERROR(ENOMEM);
112 680 : memcpy(s->master_key, buf, 16);
113 680 : memcpy(s->master_salt, buf + 16, 14);
114 680 : ring_secure_memzero(buf, sizeof(buf));
115 :
116 : // RFC 3711
117 680 : av_aes_init(s->aes, s->master_key, 128, 0);
118 :
119 680 : derive_key(s->aes, s->master_salt, 0x00, s->rtp_key, sizeof(s->rtp_key));
120 680 : derive_key(s->aes, s->master_salt, 0x02, s->rtp_salt, sizeof(s->rtp_salt));
121 680 : derive_key(s->aes, s->master_salt, 0x01, s->rtp_auth, sizeof(s->rtp_auth));
122 :
123 680 : derive_key(s->aes, s->master_salt, 0x03, s->rtcp_key, sizeof(s->rtcp_key));
124 680 : derive_key(s->aes, s->master_salt, 0x05, s->rtcp_salt, sizeof(s->rtcp_salt));
125 680 : derive_key(s->aes, s->master_salt, 0x04, s->rtcp_auth, sizeof(s->rtcp_auth));
126 680 : return 0;
127 : }
128 :
129 11721 : static void create_iv(uint8_t *iv, const uint8_t *salt, uint64_t index,
130 : uint32_t ssrc)
131 : {
132 : uint8_t indexbuf[8];
133 : int i;
134 11721 : memset(iv, 0, 16);
135 11721 : AV_WB32(&iv[4], ssrc);
136 11721 : AV_WB64(indexbuf, index);
137 105489 : for (i = 0; i < 8; i++) // index << 16
138 93768 : iv[6 + i] ^= indexbuf[i];
139 175815 : for (i = 0; i < 14; i++)
140 164094 : iv[i] ^= salt[i];
141 11721 : ring_secure_memzero(indexbuf, sizeof(indexbuf));
142 11721 : }
143 :
144 5856 : int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr)
145 : {
146 5856 : uint8_t iv[16] = { 0 }, hmac[20];
147 5856 : int len = *lenptr;
148 : #ifdef _MSC_VER
149 : #pragma message (__FILE__ "(" STR2(__LINE__) ") : -NOTE- " seq_largest and roc may be unitialized)
150 : #else
151 : #warning seq_largest and roc may be unitialized
152 : #endif
153 5856 : int av_uninit(seq_largest);
154 5856 : uint32_t ssrc, av_uninit(roc);
155 : uint64_t index;
156 : int rtcp, hmac_size;
157 :
158 : // TODO: Missing replay protection
159 :
160 5856 : if (len < 2)
161 0 : return AVERROR_INVALIDDATA;
162 :
163 5856 : rtcp = RTP_PT_IS_RTCP(buf[1]);
164 5856 : hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;
165 :
166 5856 : if (len < hmac_size)
167 0 : return AVERROR_INVALIDDATA;
168 :
169 : // Authentication HMAC
170 5856 : av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));
171 : // If MKI is used, this should exclude the MKI as well
172 5856 : av_hmac_update(s->hmac, buf, len - hmac_size);
173 :
174 5856 : if (!rtcp) {
175 5856 : int seq = AV_RB16(buf + 2);
176 : uint32_t v;
177 : uint8_t rocbuf[4];
178 :
179 : // RFC 3711 section 3.3.1, appendix A
180 5856 : seq_largest = s->seq_initialized ? s->seq_largest : seq;
181 5856 : v = roc = s->roc;
182 5856 : if (seq_largest < 32768) {
183 5856 : if (seq - seq_largest > 32768)
184 0 : v = roc - 1;
185 : } else {
186 0 : if (seq_largest - 32768 > seq)
187 0 : v = roc + 1;
188 : }
189 5856 : if (v == roc) {
190 5856 : seq_largest = FFMAX(seq_largest, seq);
191 0 : } else if (v == roc + 1) {
192 0 : seq_largest = seq;
193 0 : roc = v;
194 : }
195 5856 : index = seq + (((uint64_t)v) << 16);
196 :
197 5856 : AV_WB32(rocbuf, roc);
198 5856 : av_hmac_update(s->hmac, rocbuf, 4);
199 : }
200 :
201 5856 : av_hmac_final(s->hmac, hmac, sizeof(hmac));
202 5856 : if (memcmp(hmac, buf + len - hmac_size, hmac_size)) {
203 0 : av_log(NULL, AV_LOG_WARNING, "HMAC mismatch\n");
204 0 : return AVERROR_INVALIDDATA;
205 : }
206 :
207 5856 : len -= hmac_size;
208 5856 : *lenptr = len;
209 :
210 5856 : if (len < 12)
211 0 : return AVERROR_INVALIDDATA;
212 :
213 5856 : if (rtcp) {
214 0 : uint32_t srtcp_index = AV_RB32(buf + len - 4);
215 0 : len -= 4;
216 0 : *lenptr = len;
217 :
218 0 : ssrc = AV_RB32(buf + 4);
219 0 : index = srtcp_index & 0x7fffffff;
220 :
221 0 : buf += 8;
222 0 : len -= 8;
223 0 : if (!(srtcp_index & 0x80000000))
224 0 : return 0;
225 : } else {
226 : int ext, csrc;
227 5856 : s->seq_initialized = 1;
228 5856 : s->seq_largest = seq_largest;
229 5856 : s->roc = roc;
230 :
231 5856 : csrc = buf[0] & 0x0f;
232 5856 : ext = buf[0] & 0x10;
233 5856 : ssrc = AV_RB32(buf + 8);
234 :
235 5856 : buf += 12;
236 5856 : len -= 12;
237 :
238 5856 : buf += 4 * csrc;
239 5856 : len -= 4 * csrc;
240 5856 : if (len < 0)
241 0 : return AVERROR_INVALIDDATA;
242 :
243 5856 : if (ext) {
244 5856 : if (len < 4)
245 0 : return AVERROR_INVALIDDATA;
246 5856 : ext = (AV_RB16(buf + 2) + 1) * 4;
247 5856 : if (len < ext)
248 0 : return AVERROR_INVALIDDATA;
249 5856 : len -= ext;
250 5856 : buf += ext;
251 : }
252 : }
253 :
254 5856 : create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);
255 5856 : av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);
256 5856 : encrypt_counter(s->aes, iv, buf, len);
257 :
258 5856 : return 0;
259 : }
260 :
261 5865 : int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,
262 : uint8_t *out, int outlen)
263 : {
264 5865 : uint8_t iv[16] = { 0 }, hmac[20];
265 : uint64_t index;
266 : uint32_t ssrc;
267 : int rtcp, hmac_size, padding;
268 : uint8_t *buf;
269 :
270 5865 : if (len < 8)
271 0 : return AVERROR_INVALIDDATA;
272 :
273 5865 : rtcp = RTP_PT_IS_RTCP(in[1]);
274 5865 : hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;
275 5865 : padding = hmac_size;
276 5865 : if (rtcp)
277 0 : padding += 4; // For the RTCP index
278 :
279 5865 : if (len + padding > outlen)
280 0 : return 0;
281 :
282 5865 : memcpy(out, in, len);
283 5865 : buf = out;
284 :
285 5865 : if (rtcp) {
286 0 : ssrc = AV_RB32(buf + 4);
287 0 : index = s->rtcp_index++;
288 :
289 0 : buf += 8;
290 0 : len -= 8;
291 : } else {
292 : int ext, csrc;
293 5865 : int seq = AV_RB16(buf + 2);
294 :
295 5865 : if (len < 12)
296 0 : return AVERROR_INVALIDDATA;
297 :
298 5865 : ssrc = AV_RB32(buf + 8);
299 :
300 5865 : if (seq < s->seq_largest)
301 0 : s->roc++;
302 5865 : s->seq_largest = seq;
303 5865 : index = seq + (((uint64_t)s->roc) << 16);
304 :
305 5865 : csrc = buf[0] & 0x0f;
306 5865 : ext = buf[0] & 0x10;
307 :
308 5865 : buf += 12;
309 5865 : len -= 12;
310 :
311 5865 : buf += 4 * csrc;
312 5865 : len -= 4 * csrc;
313 5865 : if (len < 0)
314 0 : return AVERROR_INVALIDDATA;
315 :
316 5865 : if (ext) {
317 5865 : if (len < 4)
318 0 : return AVERROR_INVALIDDATA;
319 5865 : ext = (AV_RB16(buf + 2) + 1) * 4;
320 5865 : if (len < ext)
321 0 : return AVERROR_INVALIDDATA;
322 5865 : len -= ext;
323 5865 : buf += ext;
324 : }
325 : }
326 :
327 5865 : create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);
328 5865 : av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);
329 5865 : encrypt_counter(s->aes, iv, buf, len);
330 :
331 5865 : if (rtcp) {
332 0 : AV_WB32(buf + len, 0x80000000 | index);
333 0 : len += 4;
334 : }
335 :
336 5865 : av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));
337 5865 : av_hmac_update(s->hmac, out, buf + len - out);
338 5865 : if (!rtcp) {
339 : uint8_t rocbuf[4];
340 5865 : AV_WB32(rocbuf, s->roc);
341 5865 : av_hmac_update(s->hmac, rocbuf, 4);
342 : }
343 5865 : av_hmac_final(s->hmac, hmac, sizeof(hmac));
344 :
345 5865 : memcpy(buf + len, hmac, hmac_size);
346 5865 : len += hmac_size;
347 5865 : return buf + len - out;
348 : }
|
