X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libs%2Fsrtp%2Fsrtp.c;h=daf0e18d203db42b3e8f97f033bba23109063fa3;hb=7bdd4ba5b1c58233b656c75e4abd9017f7ef02ee;hp=9978ff44d5e1f08e1cc872d3018723a1b0171f0b;hpb=263b77a37a173ae8ed008b959ae54d1d48f09f77;p=vlc diff --git a/libs/srtp/srtp.c b/libs/srtp/srtp.c index 9978ff44d5..daf0e18d20 100644 --- a/libs/srtp/srtp.c +++ b/libs/srtp/srtp.c @@ -17,6 +17,12 @@ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ +/* TODO: + * Useless stuff (because nothing depends on it): + * - non-nul key derivation rate + * - MKI payload + */ + #ifdef HAVE_CONFIG_H # include #endif @@ -33,16 +39,15 @@ #include -#define debug( ... ) (void)0 +#ifdef WIN32 +# include +#else +# include +# include +GCRY_THREAD_OPTION_PTHREAD_IMPL; +#endif -/* TODO: - * Useful stuff: - * - ROC profile thingy (multicast really needs this) - * - * Useless stuff (because nothing depends on it): - * - non-nul key derivation rate - * - MKI payload - */ +#define debug( ... ) (void)0 typedef struct srtp_proto_t { @@ -76,13 +81,10 @@ enum }; -#ifdef WIN32 -# include -#else -# include -# include -GCRY_THREAD_OPTION_PTHREAD_IMPL; -#endif +static inline unsigned rcc_mode (const srtp_session_t *s) +{ + return (s->flags >> 4) & 3; +} static bool libgcrypt_usable = false; @@ -216,6 +218,12 @@ srtp_create (int encr, int auth, unsigned tag_len, int prf, unsigned flags) memset (s, 0, sizeof (*s)); s->flags = flags; s->tag_len = tag_len; + s->rtp_rcc = 1; /* Default RCC rate */ + if (rcc_mode (s)) + { + if (tag_len < 4) + goto error; + } if (proto_create (&s->rtp, cipher, md) == 0) { @@ -224,11 +232,43 @@ srtp_create (int encr, int auth, unsigned tag_len, int prf, unsigned flags) proto_destroy (&s->rtp); } +error: free (s); return NULL; } +/** + * Counter Mode encryption/decryption (ctr length = 16 bytes) + * with non-padded (truncated) text + */ +static int +ctr_crypt (gcry_cipher_hd_t hd, const void *ctr, uint8_t *data, size_t len) +{ + const size_t ctrlen = 16; + div_t d = div (len, ctrlen); + + if (gcry_cipher_setctr (hd, ctr, ctrlen) + || gcry_cipher_encrypt (hd, data, d.quot * ctrlen, NULL, 0)) + return -1; + + if (d.rem) + { + /* Truncated last block */ + uint8_t dummy[ctrlen]; + data += d.quot * ctrlen; + memcpy (dummy, data, d.rem); + memset (dummy + d.rem, 0, ctrlen - d.rem); + + if (gcry_cipher_encrypt (hd, dummy, ctrlen, data, ctrlen)) + return -1; + memcpy (data, dummy, d.rem); + } + + return 0; +} + + /** * AES-CM key derivation (saltlen = 14 bytes) */ @@ -247,29 +287,8 @@ derive (gcry_cipher_hd_t prf, const void *salt, for (size_t i = 0; i < rlen; i++) iv[sizeof (iv) - rlen + i] ^= r[i]; - /* TODO: retry with CTR mode */ - while (outlen >= sizeof (iv)) - { - /* AES */ - if (gcry_cipher_encrypt (prf, out, sizeof (iv), iv, sizeof (iv))) - return EINVAL; - outlen -= sizeof (iv); - out = ((uint8_t *)out) + sizeof (iv); - - /* Increment IV in network byte order */ - if (++iv[sizeof (iv) - 1] == 0) - ++iv[sizeof (iv) -2]; - } - - if (outlen > 0) - { - /* Truncated last AES output block */ - if (gcry_cipher_encrypt (prf, iv, sizeof (iv), NULL, 0)) - return -1; - memcpy (out, iv, outlen); - } - - return 0; + memset (out, 0, outlen); + return ctr_crypt (prf, iv, out, outlen); } @@ -305,8 +324,7 @@ srtp_derive (srtp_session_t *s, const void *key, size_t keylen, gcry_cipher_hd_t prf; uint8_t r[6]; - /* TODO: retry with CTR mode */ - if (gcry_cipher_open (&prf, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0) + if (gcry_cipher_open (&prf, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR, 0) || gcry_cipher_setkey (prf, key, keylen)) return -1; @@ -383,39 +401,6 @@ void srtp_setrcc_rate (srtp_session_t *s, uint16_t rate) } -/** AES-CM encryption/decryption (ctr length = 16 bytes) */ -static int -ctr_crypt (gcry_cipher_hd_t hd, uint32_t *ctr, uint8_t *data, size_t len) -{ - const size_t ctrlen = 16; - while (len >= ctrlen) - { - if (gcry_cipher_setctr (hd, ctr, ctrlen) - || gcry_cipher_encrypt (hd, data, ctrlen, NULL, 0)) - return -1; - - data += ctrlen; - len -= ctrlen; - ctr[3] = htonl (ntohl (ctr[3]) + 1); - } - - if (len > 0) - { - /* Truncated last block */ - uint8_t dummy[ctrlen]; - memcpy (dummy, data, len); - memset (dummy + len, 0, ctrlen - len); - - if (gcry_cipher_setctr (hd, ctr, ctrlen) - || gcry_cipher_encrypt (hd, dummy, ctrlen, data, ctrlen)) - return -1; - memcpy (data, dummy, len); - } - - return 0; -} - - /** AES-CM for RTP (salt = 14 bytes + 2 nul bytes) */ static int rtp_crypt (gcry_cipher_hd_t hd, uint32_t ssrc, uint32_t roc, uint16_t seq, @@ -464,14 +449,14 @@ static inline uint16_t rtp_seq (const uint8_t *buf) /** Message Authentication and Integrity for RTP */ static const uint8_t * -rtp_digest (srtp_session_t *s, const uint8_t *data, size_t len) +rtp_digest (srtp_session_t *s, const uint8_t *data, size_t len, + uint32_t roc) { const gcry_md_hd_t md = s->rtp.mac; - uint32_t roc = htonl (srtp_compute_roc (s, rtp_seq (data))); gcry_md_reset (md); gcry_md_write (md, data, len); - gcry_md_write (md, &roc, 4); + gcry_md_write (md, &(uint32_t){ htonl (roc) }, 4); return gcry_md_read (md, 0); } @@ -556,12 +541,13 @@ static int srtp_crypt (srtp_session_t *s, uint8_t *buf, size_t len) * * @param buf RTP packet to be encrypted/digested * @param lenp pointer to the RTP packet length on entry, - * set to the SRTP length on exit (undefined in case of error) + * set to the SRTP length on exit (undefined on non-ENOSPC error) * @param bufsize size (bytes) of the packet buffer * * @return 0 on success, in case of error: * EINVAL malformatted RTP packet or internal error - * ENOSPC bufsize is too small (to add authentication tag) + * ENOSPC bufsize is too small to add authentication tag + * ( will hold the required byte size) * EACCES packet would trigger a replay error on receiver */ int @@ -574,12 +560,32 @@ srtp_send (srtp_session_t *s, uint8_t *buf, size_t *lenp, size_t bufsize) if (!(s->flags & SRTP_UNAUTHENTICATED)) { - if (bufsize < (len + s->tag_len)) + size_t tag_len = s->tag_len; + *lenp = len + tag_len; + if (bufsize < (len + tag_len)) return ENOSPC; - const uint8_t *tag = rtp_digest (s, buf, len); - memcpy (buf + len, tag, s->tag_len); - *lenp = len + s->tag_len; + uint32_t roc = srtp_compute_roc (s, rtp_seq (buf)); + const uint8_t *tag = rtp_digest (s, buf, len, roc); + if (rcc_mode (s)) + { + assert (s->rtp_rcc); + if ((rtp_seq (buf) % s->rtp_rcc) == 0) + { + memcpy (buf + len, &(uint32_t){ htonl (s->rtp_roc) }, 4); + len += 4; + if (rcc_mode (s) == 3) + tag_len = 0; + else + tag_len -= 4; + } + else + { + if (rcc_mode (s) & 1) + tag_len = 0; + } + } + memcpy (buf + len, tag, tag_len); } return 0; @@ -602,17 +608,53 @@ int srtp_recv (srtp_session_t *s, uint8_t *buf, size_t *lenp) { size_t len = *lenp; + if (len < 12u) + return EINVAL; if (!(s->flags & SRTP_UNAUTHENTICATED)) { - if (len < (12u + s->tag_len)) + size_t tag_len = s->tag_len, roc_len = 0; + if (rcc_mode (s)) + { + if ((rtp_seq (buf) % s->rtp_rcc) == 0) + { + roc_len = 4; + if (rcc_mode (s) == 3) + tag_len = 0; + else + tag_len -= 4; + } + else + { + if (rcc_mode (s) & 1) + tag_len = 0; // RCC mode 1 or 3: no auth + } + } + + if (len < (12u + roc_len + tag_len)) return EINVAL; - len -= s->tag_len; + len -= roc_len + tag_len; - const uint8_t *tag = rtp_digest (s, buf, len); - if (memcmp (buf + len, tag, s->tag_len)) + uint32_t roc = srtp_compute_roc (s, rtp_seq (buf)), rcc; + if (roc_len) + { + assert (roc_len == 4); + memcpy (&rcc, buf + len, 4); + rcc = ntohl (rcc); + } + else + rcc = roc; + + const uint8_t *tag = rtp_digest (s, buf, len, rcc); + if (memcmp (buf + len + roc_len, tag, s->tag_len)) return EACCES; + if (roc_len) + { + /* Authenticated packet carried a Roll-Over-Counter */ + s->rtp_roc += rcc - roc; + assert (srtp_compute_roc (s, rtp_seq (buf)) == rcc); + } *lenp = len; }