2 * SRTP encryption/decryption
3 * Copyright (c) 2012 Martin Storsjo
5 * This file is part of Libav.
7 * Libav is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * Libav is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with Libav; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22 #include "libavutil/base64.h"
23 #include "libavutil/aes.h"
24 #include "libavutil/hmac.h"
25 #include "libavutil/intreadwrite.h"
26 #include "libavutil/log.h"
30 void ff_srtp_free(struct SRTPContext *s)
36 av_hmac_free(s->hmac);
40 static void encrypt_counter(struct AVAES *aes, uint8_t *iv, uint8_t *outbuf,
44 for (i = 0, outpos = 0; outpos < outlen; i++) {
45 uint8_t keystream[16];
47 av_aes_crypt(aes, keystream, iv, 1, NULL, 0);
48 for (j = 0; j < 16 && outpos < outlen; j++, outpos++)
49 outbuf[outpos] ^= keystream[j];
53 static void derive_key(struct AVAES *aes, const uint8_t *salt, int label,
54 uint8_t *out, int outlen)
56 uint8_t input[16] = { 0 };
57 memcpy(input, salt, 14);
58 // Key derivation rate assumed to be zero
59 input[14 - 7] ^= label;
60 memset(out, 0, outlen);
61 encrypt_counter(aes, input, out, outlen);
64 int ff_srtp_set_crypto(struct SRTPContext *s, const char *suite,
72 if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80") ||
73 !strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_80")) {
74 s->rtp_hmac_size = s->rtcp_hmac_size = 10;
75 } else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {
76 s->rtp_hmac_size = s->rtcp_hmac_size = 4;
77 } else if (!strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_32")) {
78 // RFC 5764 section 4.1.2
80 s->rtcp_hmac_size = 10;
82 av_log(NULL, AV_LOG_WARNING, "SRTP Crypto suite %s not supported\n",
84 return AVERROR(EINVAL);
86 if (av_base64_decode(buf, params, sizeof(buf)) != sizeof(buf)) {
87 av_log(NULL, AV_LOG_WARNING, "Incorrect amount of SRTP params\n");
88 return AVERROR(EINVAL);
90 // MKI and lifetime not handled yet
91 s->aes = av_aes_alloc();
92 s->hmac = av_hmac_alloc(AV_HMAC_SHA1);
93 if (!s->aes || !s->hmac)
94 return AVERROR(ENOMEM);
95 memcpy(s->master_key, buf, 16);
96 memcpy(s->master_salt, buf + 16, 14);
99 av_aes_init(s->aes, s->master_key, 128, 0);
101 derive_key(s->aes, s->master_salt, 0x00, s->rtp_key, sizeof(s->rtp_key));
102 derive_key(s->aes, s->master_salt, 0x02, s->rtp_salt, sizeof(s->rtp_salt));
103 derive_key(s->aes, s->master_salt, 0x01, s->rtp_auth, sizeof(s->rtp_auth));
105 derive_key(s->aes, s->master_salt, 0x03, s->rtcp_key, sizeof(s->rtcp_key));
106 derive_key(s->aes, s->master_salt, 0x05, s->rtcp_salt, sizeof(s->rtcp_salt));
107 derive_key(s->aes, s->master_salt, 0x04, s->rtcp_auth, sizeof(s->rtcp_auth));
111 static void create_iv(uint8_t *iv, const uint8_t *salt, uint64_t index,
117 AV_WB32(&iv[4], ssrc);
118 AV_WB64(indexbuf, index);
119 for (i = 0; i < 8; i++) // index << 16
120 iv[6 + i] ^= indexbuf[i];
121 for (i = 0; i < 14; i++)
125 int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr)
127 uint8_t iv[16] = { 0 }, hmac[20];
129 int ext, av_uninit(seq_largest);
130 uint32_t ssrc, av_uninit(roc);
134 // TODO: Missing replay protection
137 return AVERROR_INVALIDDATA;
139 rtcp = RTP_PT_IS_RTCP(buf[1]);
140 hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;
143 return AVERROR_INVALIDDATA;
145 // Authentication HMAC
146 av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));
147 // If MKI is used, this should exclude the MKI as well
148 av_hmac_update(s->hmac, buf, len - hmac_size);
151 int seq = AV_RB16(buf + 2);
155 // RFC 3711 section 3.3.1, appendix A
156 seq_largest = s->seq_initialized ? s->seq_largest : seq;
158 if (seq_largest < 32768) {
159 if (seq - seq_largest > 32768)
162 if (seq_largest - 32768 > seq)
166 seq_largest = FFMAX(seq_largest, seq);
167 } else if (v == roc + 1) {
171 index = seq + (((uint64_t)v) << 16);
173 AV_WB32(rocbuf, roc);
174 av_hmac_update(s->hmac, rocbuf, 4);
177 av_hmac_final(s->hmac, hmac, sizeof(hmac));
178 if (memcmp(hmac, buf + len - hmac_size, hmac_size)) {
179 av_log(NULL, AV_LOG_WARNING, "HMAC mismatch\n");
180 return AVERROR_INVALIDDATA;
187 return AVERROR_INVALIDDATA;
190 uint32_t srtcp_index = AV_RB32(buf + len - 4);
194 ssrc = AV_RB32(buf + 4);
195 index = srtcp_index & 0x7fffffff;
199 if (!(srtcp_index & 0x80000000))
203 s->seq_initialized = 1;
204 s->seq_largest = seq_largest;
207 csrc = buf[0] & 0x0f;
209 ssrc = AV_RB32(buf + 8);
217 return AVERROR_INVALIDDATA;
221 return AVERROR_INVALIDDATA;
222 ext = (AV_RB16(buf + 2) + 1) * 4;
224 return AVERROR_INVALIDDATA;
230 create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);
231 av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);
232 encrypt_counter(s->aes, iv, buf, len);
237 int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,
238 uint8_t *out, int outlen)
240 uint8_t iv[16] = { 0 }, hmac[20];
243 int rtcp, hmac_size, padding;
247 return AVERROR_INVALIDDATA;
249 rtcp = RTP_PT_IS_RTCP(in[1]);
250 hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;
253 padding += 4; // For the RTCP index
255 if (len + padding > outlen)
258 memcpy(out, in, len);
262 ssrc = AV_RB32(buf + 4);
263 index = s->rtcp_index++;
269 int seq = AV_RB16(buf + 2);
272 return AVERROR_INVALIDDATA;
274 ssrc = AV_RB32(buf + 8);
276 if (seq < s->seq_largest)
278 s->seq_largest = seq;
279 index = seq + (((uint64_t)s->roc) << 16);
281 csrc = buf[0] & 0x0f;
290 return AVERROR_INVALIDDATA;
294 return AVERROR_INVALIDDATA;
295 ext = (AV_RB16(buf + 2) + 1) * 4;
297 return AVERROR_INVALIDDATA;
303 create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);
304 av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);
305 encrypt_counter(s->aes, iv, buf, len);
308 AV_WB32(buf + len, 0x80000000 | index);
312 av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));
313 av_hmac_update(s->hmac, out, buf + len - out);
316 AV_WB32(rocbuf, s->roc);
317 av_hmac_update(s->hmac, rocbuf, 4);
319 av_hmac_final(s->hmac, hmac, sizeof(hmac));
321 memcpy(buf + len, hmac, hmac_size);
323 return buf + len - out;
329 static const char *aes128_80_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
331 static const uint8_t rtp_aes128_80[] = {
333 0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
335 0x62, 0x69, 0x76, 0xca, 0xc5,
337 0xa1, 0xac, 0x1b, 0xb4, 0xa0, 0x1c, 0xd5, 0x49, 0x28, 0x99,
340 static const uint8_t rtcp_aes128_80[] = {
342 0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,
344 0x8a, 0xac, 0xdc, 0xa5, 0x4c, 0xf6, 0x78, 0xa6, 0x62, 0x8f, 0x24, 0xda,
345 0x6c, 0x09, 0x3f, 0xa9, 0x28, 0x7a, 0xb5, 0x7f, 0x1f, 0x0f, 0xc9, 0x35,
347 0x80, 0x00, 0x00, 0x03,
349 0xe9, 0x3b, 0xc0, 0x5c, 0x0c, 0x06, 0x9f, 0xab, 0xc0, 0xde,
352 static const char *aes128_32_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
354 static const uint8_t rtp_aes128_32[] = {
356 0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
358 0x62, 0x69, 0x76, 0xca, 0xc5,
360 0xa1, 0xac, 0x1b, 0xb4,
363 static const uint8_t rtcp_aes128_32[] = {
365 0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,
367 0x35, 0xe9, 0xb5, 0xff, 0x0d, 0xd1, 0xde, 0x70, 0x74, 0x10, 0xaa, 0x1b,
368 0xb2, 0x8d, 0xf0, 0x20, 0x02, 0x99, 0x6b, 0x1b, 0x0b, 0xd0, 0x47, 0x34,
370 0x80, 0x00, 0x00, 0x04,
372 0x5b, 0xd2, 0xa9, 0x9d,
375 static void print_data(const uint8_t *buf, int len)
378 for (i = 0; i < len; i++)
379 printf("%02x", buf[i]);
383 static int test_decrypt(struct SRTPContext *srtp, const uint8_t *in, int len,
386 memcpy(out, in, len);
387 if (!ff_srtp_decrypt(srtp, out, &len)) {
388 print_data(out, len);
394 static void test_encrypt(const uint8_t *data, int in_len, const char *suite,
397 struct SRTPContext enc = { 0 }, dec = { 0 };
400 ff_srtp_set_crypto(&enc, suite, key);
401 ff_srtp_set_crypto(&dec, suite, key);
402 len = ff_srtp_encrypt(&enc, data, in_len, buf, sizeof(buf));
403 if (!ff_srtp_decrypt(&dec, buf, &len)) {
404 if (len == in_len && !memcmp(buf, data, len))
405 printf("Decrypted content matches input\n");
407 printf("Decrypted content doesn't match input\n");
409 printf("Decryption failed\n");
417 static const char *aes128_80_suite = "AES_CM_128_HMAC_SHA1_80";
418 static const char *aes128_32_suite = "AES_CM_128_HMAC_SHA1_32";
419 static const char *test_key = "abcdefghijklmnopqrstuvwxyz1234567890ABCD";
421 struct SRTPContext srtp = { 0 };
423 ff_srtp_set_crypto(&srtp, aes128_80_suite, aes128_80_key);
424 len = test_decrypt(&srtp, rtp_aes128_80, sizeof(rtp_aes128_80), buf);
425 test_encrypt(buf, len, aes128_80_suite, test_key);
426 test_encrypt(buf, len, aes128_32_suite, test_key);
427 test_decrypt(&srtp, rtcp_aes128_80, sizeof(rtcp_aes128_80), buf);
428 test_encrypt(buf, len, aes128_80_suite, test_key);
429 test_encrypt(buf, len, aes128_32_suite, test_key);
432 memset(&srtp, 0, sizeof(srtp)); // Clear the context
433 ff_srtp_set_crypto(&srtp, aes128_32_suite, aes128_32_key);
434 test_decrypt(&srtp, rtp_aes128_32, sizeof(rtp_aes128_32), buf);
435 test_decrypt(&srtp, rtcp_aes128_32, sizeof(rtcp_aes128_32), buf);
projects / ffmpeg / blob