From: Rémi Denis-Courmont Date: Sat, 10 Mar 2007 14:49:39 +0000 (+0000) Subject: Initial support for Secure Real-Time Protocol (RFC3711) - refs #321 X-Git-Tag: 0.9.0-test0~8187 X-Git-Url: https://git.sesse.net/?p=vlc;a=commitdiff_plain;h=10ee356e2279fb0526b980927fe563a2cccea749 Initial support for Secure Real-Time Protocol (RFC3711) - refs #321 Uses libgcrypt, as we have it in our deps/contrib already for GnuTLS. This could be used in both "UDP"[1] access and access output plugins, though they should really be called "RTP" instead nowadays. Done: - AES(-128) Counter Mode key derivation and RTP en-/decryption - test vectors for AES-CM - NULL cipher (with the *_UNENCRYPTED flags) - untested To do (missing mandatory features): - RTCP en-/decryption - HMAC-SHA1 authentication - replay attack protection Also to probably do: - integrate with udp access and access output plugins - integrate with RTSP server (err, I won't do that myself) - support for Transform Carrying ROC for SRTP (RFC4771) so we can use it easily for multicast streaming --- diff --git a/configure.ac b/configure.ac index 69bd5c91d3..a55d546c25 100644 --- a/configure.ac +++ b/configure.ac @@ -5235,6 +5235,9 @@ AS_IF([test "${enable_gnutls}" != "no"], [ ]) ]) +AM_PATH_LIBGCRYPT([1:1.1.94], [have_libgcrypt="yes"], [have_libgcrypt="no"]) +AM_CONDITIONAL([HAVE_LIBGCRYPT], [test "${have_libgcrypt}" = "yes"]) + dnl dnl Endianness check, AC_C_BIGENDIAN doesn't work if we are cross-compiling @@ -5773,6 +5776,7 @@ AC_CONFIG_FILES([ ipkg/Makefile libs/Makefile libs/loader/Makefile + libs/srtp/Makefile modules/Makefile mozilla/Makefile m4/Makefile diff --git a/libs/Makefile.am b/libs/Makefile.am index d889c232d9..8c829b8acb 100644 --- a/libs/Makefile.am +++ b/libs/Makefile.am @@ -1,2 +1 @@ -SUBDIRS = loader - +SUBDIRS = loader srtp diff --git a/libs/srtp/Makefile.am b/libs/srtp/Makefile.am new file mode 100644 index 0000000000..74c4bafe04 --- /dev/null +++ b/libs/srtp/Makefile.am @@ -0,0 +1,38 @@ +# Secure RTP with libgcrypt +# Copyright (C) 2007 Rémi Denis-Courmont +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + +AM_CPPFLAGS = @LIBGCRYPT_CFLAGS@ +AM_LDFLAGS = @LIBGCRYPT_LIBS@ + +if !HAVE_WIN32 +AM_LDFLAGS += -lpthread +endif + +noinst_HEADERS = srtp.h + +EXTRA_PROGRAMS = srtp +if HAVE_LIBGCRYPT +noinst_LTLIBRARIES = libvlc_srtp.la +check_PROGRAMS = test-aes +TESTS = test-aes +endif + +libvlc_srtp_la_SOURCES = srtp.c +test_aes_SOURCES = test-aes.c +srtp_SOURCES = recv.c +srtp_LDADD = libvlc_srtp.la + diff --git a/libs/srtp/recv.c b/libs/srtp/recv.c new file mode 100644 index 0000000000..5fc32446ce --- /dev/null +++ b/libs/srtp/recv.c @@ -0,0 +1,87 @@ +/* + * Secure RTP with libgcrypt + * Copyright (C) 2007 Rémi Denis-Courmont + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include +#include +#include "srtp.h" + +#include +#include + +#include +#include + +int main (void) +{ + int fd = socket (AF_INET, SOCK_DGRAM, 0); + struct sockaddr_in addr; + memset (&addr, 0, sizeof (addr)); + addr.sin_family = AF_INET; +#ifdef HAVE_SA_LEN + addr.sin_len = sizeof (addr); +#endif + addr.sin_port = htons (10000); + addr.sin_addr.s_addr = htonl (0x7f000001); + if (bind (fd, (struct sockaddr *)&addr, sizeof (addr))) + return 1; + + static const uint8_t key[16] = + "\x12\x34\x56\x78\x9A\xBC\xDE\xF0" + "\x12\x34\x56\x78\x9A\xBC\xDE\xF0"; + static const uint8_t salt[14] = + "\x12\x34\x56\x78\x90" "\x12\x34\x56\x78\x90" "\x12\x34\x56\x78"; + + srtp_session_t *s = srtp_create ("AES_CM_128_HMAC_SHA1_80", 0, 0, 0); + if (s == NULL) + return 1; + if (srtp_setkey (s, key, 16, salt, 14)) + goto error; + + uint8_t buf[1500]; + size_t len; +#if 0 + memset (buf, 0, sizeof (buf)); + buf[0] = 2 << 6; + buf[1] = 1; + memcpy (buf + 2, &(uint16_t){ htons (9527) }, 2); + memcpy (buf + 8, "\xde\xad\xbe\xef", 4); + memcpy (buf + 4, &(uint32_t){ htonl (1) }, 4); + strcpy ((char *)buf + 12, "a\n"); + len = 12 + strlen ((char *)buf + 12) + 1; +#endif + for (;;) + { + len = read (fd, buf, sizeof (buf)); + if (srtp_recv (s, buf, &len)) + fputs ("Cannot decrypt!\n", stderr); + puts ((char *)buf + 12); + if (srtp_send (s, buf, &len, sizeof (buf)) || srtp_recv (s, buf, &len)) + break; + puts ((char *)buf + 12); + } + +error: + srtp_destroy (s); + close (fd); + return 0; +} diff --git a/libs/srtp/srtp.c b/libs/srtp/srtp.c new file mode 100644 index 0000000000..bbe1b404ef --- /dev/null +++ b/libs/srtp/srtp.c @@ -0,0 +1,510 @@ +/* + * Secure RTP with libgcrypt + * Copyright (C) 2007 Rémi Denis-Courmont + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include +#include + +#include "srtp.h" + +#include +#include +#include +#include + +#include + +#include +#include + +/* TODO: + * Useful stuff: + * - ROC profil thingy (multicast really needs this) + * - replay protection + * + * Requirements for conformance: + * - suites with NULL cipher + * - SRTCP + * + * Useless stuff (because nothing depends on it): + * - non-nul key derivation rate + * - MKI payload + */ + +typedef struct srtp_proto_t +{ + gcry_cipher_hd_t cipher; + gcry_md_hd_t mac; + uint32_t salt[4]; + uint8_t mac_len; +} srtp_proto_t; + +struct srtp_session_t +{ + srtp_proto_t rtp; + srtp_proto_t rtcp; + unsigned flags; + unsigned kdr; + uint32_t rtcp_index; + uint32_t rtp_roc; + uint16_t rtp_seq; +}; + +enum +{ + SRTP_CRYPT, + SRTP_AUTH, + SRTP_SALT, + SRTCP_CRYPT, + SRTCP_AUTH, + SRTCP_SALT +}; + +#ifndef WIN32 +GCRY_THREAD_OPTION_PTHREAD_IMPL; +#endif + +static bool libgcrypt_usable = false; + +static void initonce_libgcrypt (void) +{ + if ((gcry_check_version ("1.1.94") == NULL) + || gcry_control (GCRYCTL_DISABLE_SECMEM, 0) + || gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0) +#ifndef WIN32 + || gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread) +#endif + ) + return; + + libgcrypt_usable = true; +} + +static int init_libgcrypt (void) +{ + int retval; +#ifndef WIN32 + static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + static pthread_once_t once = PTHREAD_ONCE_INIT; + + pthread_mutex_lock (&mutex); + pthread_once (&once, initonce_libgcrypt); + retval = -libgcrypt_usable; + pthread_mutex_unlock (&mutex); +#else +# warning FIXME: This is not thread-safe. + if (!libgcrypt_usable) + initonce_libgcrypt (); + retval = -libgcrypt_usable; +#endif + + return retval; + +} + + +static void proto_destroy (srtp_proto_t *p) +{ + gcry_md_close (p->mac); + gcry_cipher_close (p->cipher); +} + + +/** + * Releases all resources associated with a Secure RTP session. + */ +void srtp_destroy (srtp_session_t *s) +{ + assert (s != NULL); + + proto_destroy (&s->rtcp); + proto_destroy (&s->rtp); + free (s); +} + + +static int proto_create (srtp_proto_t *p, int gcipher, int gmd) +{ + if (gcry_cipher_open (&p->cipher, gcipher, GCRY_CIPHER_MODE_CTR, 0) == 0) + { + if (gcry_md_open (&p->mac, gmd, GCRY_MD_FLAG_HMAC) == 0) + return 0; + gcry_cipher_close (p->cipher); + } + return -1; +} + + +/** + * Allocates a Secure RTP session. + * + * @param name cipher-suite name + * @param kdr key derivation rate + * @param winsize anti-replay windows size (between 64 and 32767 inclusive) + * 0 disable replay attack protection (OK for send only) + * @param flags OR'ed optional flags. + * + * @return NULL in case of error + */ +srtp_session_t * +srtp_create (const char *name, unsigned flags, unsigned kdr, uint16_t winsize) +{ + assert (name != NULL); + + if (kdr != 0) + return NULL; // FIXME: KDR not implemented yet + if (winsize != 0) + return NULL; // FIXME: replay protection not implemented yet + + uint8_t mac_len; + int cipher = GCRY_CIPHER_AES, md = GCRY_MD_SHA1; + + if (strcmp (name, "AES_CM_128_HMAC_SHA1_80") == 0) + mac_len = 80; + else + if (strcmp (name, "AES_CM_128_HMAC_SHA1_32") == 0) + mac_len = 32; + else + // F8_128_HMAC_SHA1_80 is not implemented + return NULL; + + if ((flags & ~SRTP_FLAGS_MASK) || (winsize > 32767) || init_libgcrypt ()) + return NULL; + + srtp_session_t *s = malloc (sizeof (*s)); + if (s == NULL) + return NULL; + + memset (s, 0, sizeof (*s)); + s->flags = flags; + s->kdr = kdr; + + if (proto_create (&s->rtp, cipher, md) == 0) + { + if (proto_create (&s->rtcp, cipher, md) == 0) + return s; + proto_destroy (&s->rtp); + } + + free (s); + return NULL; +} + + +/** + * AES-CM key derivation (saltlen = 14 bytes) + */ +static int +derive (gcry_cipher_hd_t prf, const void *salt, + const uint8_t *r, size_t rlen, uint8_t label, + void *out, size_t outlen) +{ + uint8_t iv[16]; + + memcpy (iv, salt, 14); + iv[14] = iv[15] = 0; + + assert (rlen < 14); + iv[13 - rlen] ^= label; + for (size_t i = 0; i < rlen; i++) + iv[sizeof (iv) - rlen + i] ^= r[i]; + + /* TODO: retry with CTR mode */ + while (outlen >= sizeof (iv)) + { + /* AES */ + if (gcry_cipher_encrypt (prf, out, sizeof (iv), iv, sizeof (iv))) + return EINVAL; + outlen -= sizeof (iv); + out = ((uint8_t *)out) + sizeof (iv); + + /* Increment IV in network byte order */ + if (++iv[sizeof (iv) - 1] == 0) + ++iv[sizeof (iv) -2]; + } + + if (outlen > 0) + { + /* Truncated last AES output block */ + if (gcry_cipher_encrypt (prf, iv, sizeof (iv), NULL, 0)) + return -1; + memcpy (out, iv, outlen); + } + + return 0; +} + + +static int +proto_derive (srtp_proto_t *p, gcry_cipher_hd_t prf, + const void *salt, size_t saltlen, + const uint8_t *r, size_t rlen, bool rtcp) +{ + if (saltlen != 14) + return -1; + + uint8_t cipherkey[16]; + uint8_t label = rtcp ? SRTCP_CRYPT : SRTP_CRYPT; + + if (derive (prf, salt, r, rlen, label++, cipherkey, 16) + || gcry_cipher_setkey (p->cipher, cipherkey, 16) + || derive (prf, salt, r, rlen, label++, NULL, 0) /* FIXME HMAC */ + || derive (prf, salt, r, rlen, label++, p->salt, 14)) + return -1; + + return 0; +} + + +/** + * SRTP/SRTCP cipher/salt/MAC keys derivation. + */ +static int +srtp_derive (srtp_session_t *s, const void *key, size_t keylen, + const void *salt, size_t saltlen) +{ + gcry_cipher_hd_t prf; + uint8_t r[6]; + + /* TODO: retry with CTR mode */ + if (gcry_cipher_open (&prf, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0) + || gcry_cipher_setkey (prf, key, keylen)) + return -1; + + /* RTP key derivation */ + if (s->kdr != 0) + { + uint64_t index = (((uint64_t)s->rtp_roc) << 16) | s->rtp_seq; + index /= s->kdr; + + for (int i = sizeof (r) - 1; i >= 0; i--) + { + r[i] = index & 0xff; + index = index >> 8; + } + } + else + memset (r, 0, sizeof (r)); + + if (proto_derive (&s->rtp, prf, salt, saltlen, r, 6, false)) + return -1; + + /* RTCP key derivation */ + memcpy (r, &(uint32_t){ htonl (s->rtcp_index) }, 4); + if (proto_derive (&s->rtcp, prf, salt, saltlen, r, 4, true)) + return -1; + + (void)gcry_cipher_close (prf); + return 0; +} + + + +/** + * Sets (or resets) the master key and master salt for a SRTP session. + * This must be done at least once before using rtp_send(), rtp_recv(), + * rtcp_send() or rtcp_recv(). Also, rekeying is required every + * 2^48 RTP packets or 2^31 RTCP packets (whichever comes first), + * otherwise the protocol security might be broken. + * + * @return 0 on success, in case of error: + * EINVAL invalid or unsupported key/salt sizes combination + */ +int +srtp_setkey (srtp_session_t *s, const void *key, size_t keylen, + const void *salt, size_t saltlen) +{ + return srtp_derive (s, key, keylen, salt, saltlen) ? EINVAL : 0; +} + + +/** AES-CM encryption/decryption (ctr length = 16 bytes) */ +static int +encrypt (gcry_cipher_hd_t hd, uint32_t *ctr, uint8_t *data, size_t len) +{ + const size_t ctrlen = 16; + while (len >= ctrlen) + { + if (gcry_cipher_setctr (hd, ctr, ctrlen) + || gcry_cipher_encrypt (hd, data, ctrlen, NULL, 0)) + return -1; + + data += ctrlen; + len -= ctrlen; + ctr[3] = htonl (ntohl (ctr[3]) + 1); + } + + if (len > 0) + { + /* Truncated last block */ + uint8_t dummy[ctrlen]; + memcpy (dummy, data, len); + memset (dummy + len, 0, ctrlen - len); + + if (gcry_cipher_setctr (hd, ctr, ctrlen) + || gcry_cipher_encrypt (hd, dummy, ctrlen, data, ctrlen)) + return -1; + memcpy (data, dummy, len); + } + + return 0; +} + + +/** AES-CM for RTP (salt = 14 bytes + 2 nul bytes) */ +static inline int +rtp_encrypt (gcry_cipher_hd_t hd, uint32_t ssrc, uint32_t roc, uint16_t seq, + const uint32_t *salt, uint8_t *data, size_t len) +{ + /* Determines cryptographic counter (IV) */ + uint32_t counter[4]; + counter[0] = salt[0]; + counter[1] = salt[1] ^ ssrc; + counter[2] = salt[2] ^ htonl (roc); + counter[3] = salt[3] ^ htonl (seq << 16); + + /* Encryption */ + return encrypt (hd, counter, data, len); +} + + +/** + * Encrypts/decrypts a RTP packet and updates SRTP context + * (CTR block cypher mode of operation has identical encryption and + * decryption function). + * + * @param buf RTP packet to be encrypted/digested + * @param len RTP packet length + * + * @return 0 on success, in case of error: + * EINVAL malformatted RTP packet + */ +static int srtp_encrypt (srtp_session_t *s, uint8_t *buf, size_t len) +{ + assert (s != NULL); + + if ((len < 12) || ((buf[0] >> 6) != 2)) + return EINVAL; + + /* Computes encryption offset */ + uint16_t offset = 12; + offset += (buf[0] & 0xf) * 4; // skips CSRC + + if (buf[0] & 0x10) + { + uint16_t extlen; + + offset += 4; + if (len < offset) + return EINVAL; + + memcpy (&extlen, buf + offset - 2, 2); + offset += htons (extlen); + } + + if (len < offset) + return EINVAL; + + /* Determines RTP 48-bits counter and SSRC */ + uint32_t ssrc; + memcpy (&ssrc, buf + 8, 4); + + uint16_t seq = (buf[2] << 8) | buf[3]; + if (((seq - s->rtp_seq) & 0xffff) < 32768) + { + if (seq < s->rtp_seq) + s->rtp_roc++; /* Sequence number wrap */ + } + else + { + if (seq > s->rtp_seq) + s->rtp_roc--; + } + + s->rtp_seq = seq; + + if (s->flags & SRTP_UNENCRYPTED) + return 0; + + if (rtp_encrypt (s->rtp.cipher, ssrc, s->rtp_roc, seq, s->rtp.salt, + buf + offset, len - offset)) + return EINVAL; + + return 0; +} + + +/** + * Turns a RTP packet into a SRTP packet: encrypt it, then computes + * the authentication tag and appends it. + * Note that you can encrypt packet in disorder. + * + * @param buf RTP packet to be encrypted/digested + * @param lenp pointer to the RTP packet length on entry, + * set to the SRTP length on exit (undefined in case of error) + * @param bufsize size (bytes) of the packet buffer + * + * @return 0 on success, in case of error: + * EINVAL malformatted RTP packet + * ENOBUFS bufsize is too small + */ +int +srtp_send (srtp_session_t *s, uint8_t *buf, size_t *lenp, size_t bufsize) +{ + size_t len = *lenp; + int val = srtp_encrypt (s, buf, len); + if (val) + return val; + + if (bufsize < (len + s->rtp.mac_len)) + return ENOBUFS; + + /* FIXME: HMAC and anti-replay */ + return 0; +} + + +/** + * Turns a RTP packet into a SRTP packet: encrypt it, then computes + * the authentication tag and appends it. + * Note that you can encrypt packet in disorder. + * + * @param buf RTP packet to be decrypted/digested + * @param lenp pointer to the RTP packet length on entry, + * set to the SRTP length on exit (undefined in case of error) + * + * @return 0 on success, in case of error: + * EINVAL malformatted RTP packet + * EACCES authentication failed (spoofed packet or out-of-sync) + */ +int +srtp_recv (srtp_session_t *s, uint8_t *buf, size_t *lenp) +{ + size_t len = *lenp; + int val = srtp_encrypt (s, buf, len); + if (val) + return val; + + /* FIXME: HMAC and anti-replay */ + return 0; +} + diff --git a/libs/srtp/srtp.h b/libs/srtp/srtp.h new file mode 100644 index 0000000000..d51427cdba --- /dev/null +++ b/libs/srtp/srtp.h @@ -0,0 +1,51 @@ +/* + * Secure RTP with libgcrypt + * Copyright (C) 2007 Rémi Denis-Courmont + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef LIBVLC_SRTP_H +# define LIBVLC_SRTP_H 1 + +typedef struct srtp_session_t srtp_session_t; + +enum +{ + SRTP_UNENCRYPTED=0x1, // do not encrypt SRTP packets + SRTCP_UNENCRYPTED=0x2, // do not encrypt SRTCP packets + SRTP_NULL_CIPHER=0x3, // use NULL cipher (encrypt nothing) + SRTP_UNAUTHENTICATED=0x4, // do not authenticated SRTP packets + SRTP_FLAGS_MASK=0x7 +}; + + +# ifdef __cplusplus +extern "C" { +# endif + +srtp_session_t *srtp_create (const char *name, unsigned flags, unsigned kdr, + uint16_t winsize); +void srtp_destroy (srtp_session_t *s); +int srtp_send (srtp_session_t *s, uint8_t *buf, size_t *lenp, size_t maxsize); +int srtp_recv (srtp_session_t *s, uint8_t *buf, size_t *lenp); + +int srtp_setkey (srtp_session_t *s, const void *key, size_t keylen, + const void *salt, size_t saltlen); +# ifdef __cplusplus +} +# endif +#endif + diff --git a/libs/srtp/test-aes.c b/libs/srtp/test-aes.c new file mode 100644 index 0000000000..986bd0b273 --- /dev/null +++ b/libs/srtp/test-aes.c @@ -0,0 +1,156 @@ +/* + * Secure RTP with libgcrypt + * Copyright (C) 2007 Rémi Denis-Courmont + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include +#include "srtp.c" + +static void printhex (const void *buf, size_t len) +{ + for (size_t i = 0; i < len; i++) + printf ("%02X", ((uint8_t *)buf)[i]); + fputc ('\n', stdout); +} + +static void fatal (const char *msg) +{ + puts (msg); + exit (1); +} + +/** AES-CM key derivation test vectors */ +static void test_derivation (void) +{ + static const uint8_t key[16] = + "\xE1\xF9\x7A\x0D\x3E\x01\x8B\xE0\xD6\x4F\xA3\x2C\x06\xDE\x41\x39"; + static const uint8_t salt[14] = + "\x0E\xC6\x75\xAD\x49\x8A\xFE\xEB\xB6\x96\x0B\x3A\xAB\xE6"; + + static const uint8_t good_cipher[16] = + "\xC6\x1E\x7A\x93\x74\x4F\x39\xEE\x10\x73\x4A\xFE\x3F\xF7\xA0\x87"; + static const uint8_t good_salt[14] = + "\x30\xCB\xBC\x08\x86\x3D\x8C\x85\xD4\x9D\xB3\x4A\x9A\xE1"; + static const uint8_t good_auth[94] = + "\xCE\xBE\x32\x1F\x6F\xF7\x71\x6B\x6F\xD4\xAB\x49\xAF\x25\x6A\x15" + "\x6D\x38\xBA\xA4\x8F\x0A\x0A\xCF\x3C\x34\xE2\x35\x9E\x6C\xDB\xCE" + "\xE0\x49\x64\x6C\x43\xD9\x32\x7A\xD1\x75\x57\x8E\xF7\x22\x70\x98" + "\x63\x71\xC1\x0C\x9A\x36\x9A\xC2\xF9\x4A\x8C\x5F\xBC\xDD\xDC\x25" + "\x6D\x6E\x91\x9A\x48\xB6\x10\xEF\x17\xC2\x04\x1E\x47\x40\x35\x76" + "\x6B\x68\x64\x2C\x59\xBB\xFC\x2F\x34\xDB\x60\xDB\xDF\xB2"; + + static const uint8_t r[6] = { 0, 0, 0, 0, 0, 0 }; + gcry_cipher_hd_t prf; + uint8_t out[94]; + + puts ("AES-CM key derivation test..."); + printf (" master key: "); + printhex (key, sizeof (key)); + printf (" master salt: "); + printhex (salt, sizeof (salt)); + + if (gcry_cipher_open (&prf, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0) + || gcry_cipher_setkey (prf, key, sizeof (key))) + fatal ("Internal PRF error"); + + if (derive (prf, salt, r, sizeof (r), SRTP_CRYPT, out, 16)) + fatal ("Internal cipher derivation error"); + printf (" cipher key: "); + printhex (out, 16); + if (memcmp (out, good_cipher, 16)) + fatal ("Test failed"); + + if (derive (prf, salt, r, sizeof (r), SRTP_SALT, out, 14)) + fatal ("Internal salt derivation error"); + printf (" cipher salt: "); + printhex (out, 14); + if (memcmp (out, good_salt, 14)) + fatal ("Test failed"); + + if (derive (prf, salt, r, sizeof (r), SRTP_AUTH, out, 94)) + fatal ("Internal auth key derivation error"); + printf (" auth key: "); + printhex (out, 94); + if (memcmp (out, good_auth, 94)) + fatal ("Test failed"); + + gcry_cipher_close (prf); +} + +/** AES-CM key derivation test vectors */ +static void test_keystream (void) +{ + static const uint8_t key[16] = + "\x2B\x7E\x15\x16\x28\xAE\xD2\xA6\xAB\xF7\x15\x88\x09\xCF\x4F\x3C"; + const uint32_t salt[4]= + { htonl (0xf0f1f2f3), htonl (0xf4f5f6f7), + htonl (0xf8f9fafb), htonl (0xfcfd0000) }; + + puts ("AES-CM key stream test..."); + uint8_t *buf = calloc (0xff02, 16); + if (buf == NULL) + { + fputs ("Not enough memory for test\n", stderr); + return; + } + + printf (" session key: "); + printhex (key, sizeof (key)); + + gcry_cipher_hd_t hd; + if (gcry_cipher_open (&hd, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR, 0)) + fatal ("Cipher initialization error"); + if (gcry_cipher_setkey (hd, key, sizeof (key))) + fatal ("Cipher key error"); + + if (rtp_encrypt (hd, 0, 0, 0, salt, buf, 0xff020)) + fatal ("Encryption failure"); + gcry_cipher_close (hd); + + static const uint8_t good_start[48] = + "\xE0\x3E\xAD\x09\x35\xC9\x5E\x80\xE1\x66\xB1\x6D\xD9\x2B\x4E\xB4" + "\xD2\x35\x13\x16\x2B\x02\xD0\xF7\x2A\x43\xA2\xFE\x4A\x5F\x97\xAB" + "\x41\xE9\x5B\x3B\xB0\xA2\xE8\xDD\x47\x79\x01\xE4\xFC\xA8\x94\xC0"; + static const uint8_t good_end[48] = + "\xEC\x8C\xDF\x73\x98\x60\x7C\xB0\xF2\xD2\x16\x75\xEA\x9E\xA1\xE4" + "\x36\x2B\x7C\x3C\x67\x73\x51\x63\x18\xA0\x77\xD7\xFC\x50\x73\xAE" + "\x6A\x2C\xC3\x78\x78\x89\x37\x4F\xBE\xB4\xC8\x1B\x17\xBA\x6C\x44"; + + printf (" key stream: "); + printhex (buf, sizeof (good_start)); + printf (" ... cont'd : "); + printhex (buf + 0xff020 - sizeof (good_end), sizeof (good_end)); + if (memcmp (buf, good_start, sizeof (good_start)) + || memcmp (buf + 0xff020 - sizeof (good_end), good_end, + sizeof (good_end))) + fatal ("Key stream test failed"); + free (buf); +} + +static void srtp_test (void) +{ + if (init_libgcrypt ()) + fatal ("Libgcrypt initialization error"); + test_derivation (); + test_keystream (); +} + +int main (void) +{ + srtp_test (); + return 0; +}