2 * SRTP encryption/decryption
3 * Copyright (c) 2012 Martin Storsjo
5 * This file is part of FFmpeg.
7 * FFmpeg is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * FFmpeg is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with FFmpeg; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22 #include "libavutil/base64.h"
23 #include "libavutil/aes.h"
24 #include "libavutil/hmac.h"
25 #include "libavutil/intreadwrite.h"
26 #include "libavutil/log.h"
30 void ff_srtp_free(struct SRTPContext *s)
36 av_hmac_free(s->hmac);
40 static void encrypt_counter(struct AVAES *aes, uint8_t *iv, uint8_t *outbuf,
44 for (i = 0, outpos = 0; outpos < outlen; i++) {
45 uint8_t keystream[16];
47 av_aes_crypt(aes, keystream, iv, 1, NULL, 0);
48 for (j = 0; j < 16 && outpos < outlen; j++, outpos++)
49 outbuf[outpos] ^= keystream[j];
53 static void derive_key(struct AVAES *aes, const uint8_t *salt, int label,
54 uint8_t *out, int outlen)
56 uint8_t input[16] = { 0 };
57 memcpy(input, salt, 14);
58 // Key derivation rate assumed to be zero
59 input[14 - 7] ^= label;
60 memset(out, 0, outlen);
61 encrypt_counter(aes, input, out, outlen);
64 int ff_srtp_set_crypto(struct SRTPContext *s, const char *suite,
72 if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80") ||
73 !strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_80")) {
74 s->rtp_hmac_size = s->rtcp_hmac_size = 10;
75 } else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {
76 s->rtp_hmac_size = s->rtcp_hmac_size = 4;
77 } else if (!strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_32")) {
78 // RFC 5764 section 4.1.2
80 s->rtcp_hmac_size = 10;
82 av_log(NULL, AV_LOG_WARNING, "SRTP Crypto suite %s not supported\n",
84 return AVERROR(EINVAL);
86 if (av_base64_decode(buf, params, sizeof(buf)) != sizeof(buf)) {
87 av_log(NULL, AV_LOG_WARNING, "Incorrect amount of SRTP params\n");
88 return AVERROR(EINVAL);
90 // MKI and lifetime not handled yet
91 s->aes = av_aes_alloc();
92 s->hmac = av_hmac_alloc(AV_HMAC_SHA1);
93 if (!s->aes || !s->hmac)
94 return AVERROR(ENOMEM);
95 memcpy(s->master_key, buf, 16);
96 memcpy(s->master_salt, buf + 16, 14);
99 av_aes_init(s->aes, s->master_key, 128, 0);
101 derive_key(s->aes, s->master_salt, 0x00, s->rtp_key, sizeof(s->rtp_key));
102 derive_key(s->aes, s->master_salt, 0x02, s->rtp_salt, sizeof(s->rtp_salt));
103 derive_key(s->aes, s->master_salt, 0x01, s->rtp_auth, sizeof(s->rtp_auth));
105 derive_key(s->aes, s->master_salt, 0x03, s->rtcp_key, sizeof(s->rtcp_key));
106 derive_key(s->aes, s->master_salt, 0x05, s->rtcp_salt, sizeof(s->rtcp_salt));
107 derive_key(s->aes, s->master_salt, 0x04, s->rtcp_auth, sizeof(s->rtcp_auth));
111 static void create_iv(uint8_t *iv, const uint8_t *salt, uint64_t index,
117 AV_WB32(&iv[4], ssrc);
118 AV_WB64(indexbuf, index);
119 for (i = 0; i < 8; i++) // index << 16
120 iv[6 + i] ^= indexbuf[i];
121 for (i = 0; i < 14; i++)
125 int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr)
127 uint8_t iv[16] = { 0 }, hmac[20];
129 int av_uninit(seq_largest);
130 uint32_t ssrc, av_uninit(roc);
134 // TODO: Missing replay protection
137 return AVERROR_INVALIDDATA;
139 rtcp = RTP_PT_IS_RTCP(buf[1]);
140 hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;
143 return AVERROR_INVALIDDATA;
145 // Authentication HMAC
146 av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));
147 // If MKI is used, this should exclude the MKI as well
148 av_hmac_update(s->hmac, buf, len - hmac_size);
151 int seq = AV_RB16(buf + 2);
155 // RFC 3711 section 3.3.1, appendix A
156 seq_largest = s->seq_initialized ? s->seq_largest : seq;
158 if (seq_largest < 32768) {
159 if (seq - seq_largest > 32768)
162 if (seq_largest - 32768 > seq)
166 seq_largest = FFMAX(seq_largest, seq);
167 } else if (v == roc + 1) {
171 index = seq + (((uint64_t)v) << 16);
173 AV_WB32(rocbuf, roc);
174 av_hmac_update(s->hmac, rocbuf, 4);
177 av_hmac_final(s->hmac, hmac, sizeof(hmac));
178 if (memcmp(hmac, buf + len - hmac_size, hmac_size)) {
179 av_log(NULL, AV_LOG_WARNING, "HMAC mismatch\n");
180 return AVERROR_INVALIDDATA;
187 return AVERROR_INVALIDDATA;
190 uint32_t srtcp_index = AV_RB32(buf + len - 4);
194 ssrc = AV_RB32(buf + 4);
195 index = srtcp_index & 0x7fffffff;
199 if (!(srtcp_index & 0x80000000))
203 s->seq_initialized = 1;
204 s->seq_largest = seq_largest;
207 csrc = buf[0] & 0x0f;
209 ssrc = AV_RB32(buf + 8);
217 return AVERROR_INVALIDDATA;
221 return AVERROR_INVALIDDATA;
222 ext = (AV_RB16(buf + 2) + 1) * 4;
224 return AVERROR_INVALIDDATA;
230 create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);
231 av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);
232 encrypt_counter(s->aes, iv, buf, len);
237 int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,
238 uint8_t *out, int outlen)
240 uint8_t iv[16] = { 0 }, hmac[20];
243 int rtcp, hmac_size, padding;
247 return AVERROR_INVALIDDATA;
249 rtcp = RTP_PT_IS_RTCP(in[1]);
250 hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;
253 padding += 4; // For the RTCP index
255 if (len + padding > outlen)
258 memcpy(out, in, len);
262 ssrc = AV_RB32(buf + 4);
263 index = s->rtcp_index++;
269 int seq = AV_RB16(buf + 2);
272 return AVERROR_INVALIDDATA;
274 ssrc = AV_RB32(buf + 8);
276 if (seq < s->seq_largest)
278 s->seq_largest = seq;
279 index = seq + (((uint64_t)s->roc) << 16);
281 csrc = buf[0] & 0x0f;
290 return AVERROR_INVALIDDATA;
294 return AVERROR_INVALIDDATA;
295 ext = (AV_RB16(buf + 2) + 1) * 4;
297 return AVERROR_INVALIDDATA;
303 create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);
304 av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);
305 encrypt_counter(s->aes, iv, buf, len);
308 AV_WB32(buf + len, 0x80000000 | index);
312 av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));
313 av_hmac_update(s->hmac, out, buf + len - out);
316 AV_WB32(rocbuf, s->roc);
317 av_hmac_update(s->hmac, rocbuf, 4);
319 av_hmac_final(s->hmac, hmac, sizeof(hmac));
321 memcpy(buf + len, hmac, hmac_size);
323 return buf + len - out;
329 static const char *aes128_80_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
331 static const uint8_t rtp_aes128_80[] = {
333 0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
335 0x62, 0x69, 0x76, 0xca, 0xc5,
337 0xa1, 0xac, 0x1b, 0xb4, 0xa0, 0x1c, 0xd5, 0x49, 0x28, 0x99,
340 static const uint8_t rtcp_aes128_80[] = {
342 0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,
344 0x8a, 0xac, 0xdc, 0xa5, 0x4c, 0xf6, 0x78, 0xa6, 0x62, 0x8f, 0x24, 0xda,
345 0x6c, 0x09, 0x3f, 0xa9, 0x28, 0x7a, 0xb5, 0x7f, 0x1f, 0x0f, 0xc9, 0x35,
347 0x80, 0x00, 0x00, 0x03,
349 0xe9, 0x3b, 0xc0, 0x5c, 0x0c, 0x06, 0x9f, 0xab, 0xc0, 0xde,
352 static const char *aes128_32_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
354 static const uint8_t rtp_aes128_32[] = {
356 0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
358 0x62, 0x69, 0x76, 0xca, 0xc5,
360 0xa1, 0xac, 0x1b, 0xb4,
363 static const uint8_t rtcp_aes128_32[] = {
365 0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,
367 0x35, 0xe9, 0xb5, 0xff, 0x0d, 0xd1, 0xde, 0x70, 0x74, 0x10, 0xaa, 0x1b,
368 0xb2, 0x8d, 0xf0, 0x20, 0x02, 0x99, 0x6b, 0x1b, 0x0b, 0xd0, 0x47, 0x34,
370 0x80, 0x00, 0x00, 0x04,
372 0x5b, 0xd2, 0xa9, 0x9d,
375 static const char *aes128_80_32_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
377 static const uint8_t rtp_aes128_80_32[] = {
379 0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
381 0x62, 0x69, 0x76, 0xca, 0xc5,
383 0xa1, 0xac, 0x1b, 0xb4,
386 static const uint8_t rtcp_aes128_80_32[] = {
388 0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,
390 0xd6, 0xae, 0xc1, 0x58, 0x63, 0x70, 0xc9, 0x88, 0x66, 0x26, 0x1c, 0x53,
391 0xff, 0x5d, 0x5d, 0x2b, 0x0f, 0x8c, 0x72, 0x3e, 0xc9, 0x1d, 0x43, 0xf9,
393 0x80, 0x00, 0x00, 0x05,
395 0x09, 0x16, 0xb4, 0x27, 0x9a, 0xe9, 0x92, 0x26, 0x4e, 0x10,
398 static void print_data(const uint8_t *buf, int len)
401 for (i = 0; i < len; i++)
402 printf("%02x", buf[i]);
406 static int test_decrypt(struct SRTPContext *srtp, const uint8_t *in, int len,
409 memcpy(out, in, len);
410 if (!ff_srtp_decrypt(srtp, out, &len)) {
411 print_data(out, len);
417 static void test_encrypt(const uint8_t *data, int in_len, const char *suite,
420 struct SRTPContext enc = { 0 }, dec = { 0 };
423 ff_srtp_set_crypto(&enc, suite, key);
424 ff_srtp_set_crypto(&dec, suite, key);
425 len = ff_srtp_encrypt(&enc, data, in_len, buf, sizeof(buf));
426 if (!ff_srtp_decrypt(&dec, buf, &len)) {
427 if (len == in_len && !memcmp(buf, data, len))
428 printf("Decrypted content matches input\n");
430 printf("Decrypted content doesn't match input\n");
432 printf("Decryption failed\n");
440 static const char *aes128_80_suite = "AES_CM_128_HMAC_SHA1_80";
441 static const char *aes128_32_suite = "AES_CM_128_HMAC_SHA1_32";
442 static const char *aes128_80_32_suite = "SRTP_AES128_CM_HMAC_SHA1_32";
443 static const char *test_key = "abcdefghijklmnopqrstuvwxyz1234567890ABCD";
445 struct SRTPContext srtp = { 0 };
447 ff_srtp_set_crypto(&srtp, aes128_80_suite, aes128_80_key);
448 len = test_decrypt(&srtp, rtp_aes128_80, sizeof(rtp_aes128_80), buf);
449 test_encrypt(buf, len, aes128_80_suite, test_key);
450 test_encrypt(buf, len, aes128_32_suite, test_key);
451 test_encrypt(buf, len, aes128_80_32_suite, test_key);
452 test_decrypt(&srtp, rtcp_aes128_80, sizeof(rtcp_aes128_80), buf);
453 test_encrypt(buf, len, aes128_80_suite, test_key);
454 test_encrypt(buf, len, aes128_32_suite, test_key);
455 test_encrypt(buf, len, aes128_80_32_suite, test_key);
458 memset(&srtp, 0, sizeof(srtp)); // Clear the context
459 ff_srtp_set_crypto(&srtp, aes128_32_suite, aes128_32_key);
460 test_decrypt(&srtp, rtp_aes128_32, sizeof(rtp_aes128_32), buf);
461 test_decrypt(&srtp, rtcp_aes128_32, sizeof(rtcp_aes128_32), buf);
464 memset(&srtp, 0, sizeof(srtp)); // Clear the context
465 ff_srtp_set_crypto(&srtp, aes128_80_32_suite, aes128_80_32_key);
466 test_decrypt(&srtp, rtp_aes128_80_32, sizeof(rtp_aes128_80_32), buf);
467 test_decrypt(&srtp, rtcp_aes128_80_32, sizeof(rtcp_aes128_80_32), buf);