SRTP/SRTCP receive window for replay attack protection

[vlc] / libs / srtp / srtp.c

diff --git a/libs/srtp/srtp.c b/libs/srtp/srtp.c
index f60147bfa6c0dcdabda9b5ea160787ff83168c82..8643b8163c47b200b2c63d4574e4975ff4cfa441 100644 (file)
--- a/libs/srtp/srtp.c
+++ b/libs/srtp/srtp.c
@@ -38,7 +38,6 @@
 /* TODO:
  * Useful stuff:
  * - ROC profile thingy (multicast really needs this)
- * - replay protection
  *
  * Useless stuff (because nothing depends on it):
  * - non-nul key derivation rate
@@ -440,6 +439,7 @@ rtp_digest (srtp_session_t *s, const uint8_t *data, size_t len)
  *
  * @return 0 on success, in case of error:
  *  EINVAL  malformatted RTP packet
+ *  EACCES  replayed packet or out-of-window or sync lost
  */
 static int srtp_crypt (srtp_session_t *s, uint8_t *buf, size_t len)
 {
@@ -473,11 +473,22 @@ static int srtp_crypt (srtp_session_t *s, uint8_t *buf, size_t len)
     memcpy (&ssrc, buf + 8, 4);
 
     /* Updates ROC and sequence (it's safe now) */
-    if (roc > s->rtp_roc)
+    int16_t diff = seq - s->rtp_seq;
+    if (diff > 0)
+    {
+        /* Sequence in the future, good */
+        s->rtp.window = s->rtp.window << diff;
+        s->rtp.window |= 1;
         s->rtp_seq = seq, s->rtp_roc = roc;
+    }
     else
-    if (seq > s->rtp_seq)
-        s->rtp_seq = seq;
+    {
+        /* Sequence in the past/present, bad */
+        diff = -diff;
+        if ((diff >= 64) || ((s->rtp.window >> diff) & 1))
+            return EACCES; /* Replay attack */
+        s->rtp.window |= 1 << diff;
+    }
 
     /* Encrypt/Decrypt */
     if (s->flags & SRTP_UNENCRYPTED)
@@ -504,6 +515,7 @@ static int srtp_crypt (srtp_session_t *s, uint8_t *buf, size_t len)
  * @return 0 on success, in case of error:
  *  EINVAL  malformatted RTP packet or internal error
  *  ENOSPC  bufsize is too small (to add authentication tag)
+ *  EACCES  packet would trigger a replay error on receiver
  */
 int
 srtp_send (srtp_session_t *s, uint8_t *buf, size_t *lenp, size_t bufsize)
@@ -543,7 +555,6 @@ int
 srtp_recv (srtp_session_t *s, uint8_t *buf, size_t *lenp)
 {
     size_t len = *lenp;
-    /* FIXME: anti-replay */
 
     if (!(s->flags & SRTP_UNAUTHENTICATED))
     {
@@ -600,10 +611,33 @@ static int srtcp_crypt (srtp_session_t *s, uint8_t *buf, size_t len)
     if ((len < 12) || ((buf[0] >> 6) != 2))
         return EINVAL;
 
-    uint32_t index = s->rtcp_index++;
-    if (index == 0x7fffffff)
-        s->rtcp_index = 0; /* 31-bit wrap */
+    uint32_t index;
+    memcpy (&index, buf + len, 4);
+    index = ntohl (index);
+    if (((index >> 31) != 0) != ((s->flags & SRTCP_UNENCRYPTED) == 0))
+        return EINVAL; // E-bit mismatch
 
+    index &= ~(1 << 31); // clear E-bit for counter
+
+    /* Updates SRTCP index (safe here) */
+    int32_t diff = index - s->rtcp_index;
+    if (diff > 0)
+    {
+        /* Packet in the future, good */
+        s->rtcp.window = s->rtcp.window << diff;
+        s->rtcp.window |= 1;
+        s->rtcp_index = index;
+    }
+    else
+    {
+        /* Packet in the past/present, bad */
+        diff = -diff;
+        if ((diff >= 64) || ((s->rtcp.window >> diff) & 1))
+            return EACCES; // replay attack!
+        s->rtp.window |= 1 << diff;
+    }
+
+    /* Crypts SRTCP */
     if (s->flags & SRTCP_UNENCRYPTED)
         return 0;
 
@@ -637,7 +671,10 @@ srtcp_send (srtp_session_t *s, uint8_t *buf, size_t *lenp, size_t bufsize)
     if (bufsize < (len + 4 + s->tag_len))
         return ENOSPC;
 
-    uint32_t index = s->rtcp_index;
+    uint32_t index = ++s->rtcp_index;
+    if (index >> 31)
+        s->rtcp_index = index = 0; /* 31-bit wrap */
+
     if ((s->flags & SRTCP_UNENCRYPTED) == 0)
         index |= 0x80000000; /* Set Encrypted bit */
     memcpy (buf + len, &(uint32_t){ htonl (index) }, 4);
@@ -646,7 +683,7 @@ srtcp_send (srtp_session_t *s, uint8_t *buf, size_t *lenp, size_t bufsize)
     if (val)
         return val;
 
-    len += 4; /* Digest SRTCP index too */
+    len += 4; /* Digests SRTCP index too */
 
     const uint8_t *tag = rtcp_digest (s->rtp.mac, buf, len);
     memcpy (buf + len, tag, s->tag_len);
@@ -671,7 +708,6 @@ int
 srtcp_recv (srtp_session_t *s, uint8_t *buf, size_t *lenp)
 {
     size_t len = *lenp;
-    /* FIXME: anti-replay ?? */
 
     if (len < (4u + s->tag_len))
         return EINVAL;
@@ -683,7 +719,6 @@ srtcp_recv (srtp_session_t *s, uint8_t *buf, size_t *lenp)
 
     len -= 4; /* Remove SRTCP index before decryption */
     *lenp = len;
-
     return srtp_crypt (s, buf, len);
 }