implementing srtp encryption and authentication

13 years ago · 212df63857
--- a/daemon/call.c
+++ b/daemon/call.c
@ -224,7 +224,7 @@ static int call_avpf2avp(str *s, struct streamrelay *r) {
 	return rtcp_avpf2avp(s);
 }
 static int call_avp2savp_rtp(str *s, struct streamrelay *r) {
 	return rtp_savp2avp(s, &r->peer.crypto);
 	return rtp_savp2avp(s, &r->peer.crypto.out);
 }
 static int call_avp2savp_rtcp(str *s, struct streamrelay *r) {
 	return 0;
@ -463,7 +463,7 @@ out:
 static void stream_readable(int fd, void *p, uintptr_t u) {
 	struct callstream *cs = p;
 	struct streamrelay *r;
 	char buf[8192];
 	char buf[RTP_BUFFER_SIZE];
 	int ret;
 	struct sockaddr_storage ss;
 	struct sockaddr_in6 sin6;
@ -481,7 +481,8 @@ static void stream_readable(int fd, void *p, uintptr_t u) {

 	for (;;) {
 		sinlen = sizeof(ss);
 		ret = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) &ss, &sinlen);
 		ret = recvfrom(fd, buf + RTP_BUFFER_HEAD_ROOM, MAX_RTP_PACKET_SIZE,
 				0, (struct sockaddr *) &ss, &sinlen);

 		if (ret < 0) {
 			if (errno == EINTR)
@ -492,7 +493,7 @@ static void stream_readable(int fd, void *p, uintptr_t u) {
 			stream_closed(fd, r, 0);
 			return;
 		}
 		if (ret >= sizeof(buf))
 		if (ret >= MAX_RTP_PACKET_SIZE)
 			mylog(LOG_WARNING, "UDP packet possibly truncated");

 		if (ss.ss_family != r->fd.fd_family)
@ -508,8 +509,7 @@ static void stream_readable(int fd, void *p, uintptr_t u) {
 			in4_to_6(&sin6.sin6_addr, sin->sin_addr.s_addr);
 		}

 		s.s = buf;
 		s.len = ret;
 		str_init_len(&s, buf, ret);
 		ret = stream_packet(r, &s, sinp);
 		if (ret == -1) {
 			mylog(LOG_WARNING, "Write error on RTP socket");
--- a/daemon/call.h
+++ b/daemon/call.h
@ -17,11 +17,17 @@
 #include "str.h"
 #include "crypto.h"

 struct poller;
 struct control_stream;


 #define MAX_RTP_PACKET_SIZE	8192
 #define RTP_BUFFER_HEAD_ROOM	128
 #define RTP_BUFFER_TAIL_ROOM	256
 #define RTP_BUFFER_SIZE		(MAX_RTP_PACKET_SIZE + RTP_BUFFER_HEAD_ROOM + RTP_BUFFER_TAIL_ROOM)



 struct poller;
 struct control_stream;
 struct peer;
 struct callstream;
 struct call;
@ -71,7 +77,7 @@ struct stream {
 	u_int16_t		port;
 	int			num;
 	enum transport_protocol	protocol;
 	struct crypto_context	crypto;
 	struct crypto_context_pair crypto;
 };
 struct stream_input {
 	struct stream		stream;
--- a/daemon/crypto.c
+++ b/daemon/crypto.c
@ -2,12 +2,17 @@

 #include <string.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>

 #include "str.h"
 #include "aux.h"
 #include "rtp.h"



 static int aes_cm_encrypt_rtp(struct crypto_context *, struct rtp_header *, str *, u_int64_t);
 static int hmac_sha1_rtp(struct crypto_context *, char *out, str *in);

 /* all lengths are in bits, some code assumes everything to be multiples of 8 */
 const struct crypto_suite crypto_suites[] = {
 	{
@ -25,6 +30,8 @@ const struct crypto_suite crypto_suites[] = {
 		.srtcp_auth_tag		= 80,
 		.srtp_auth_key_len	= 160,
 		.srtcp_auth_key_len	= 160,
 		.encrypt_rtp		= aes_cm_encrypt_rtp,
 		.hash_rtp		= hmac_sha1_rtp,
 	},
 	{
 		.name			= "AES_CM_128_HMAC_SHA1_32",
@ -41,6 +48,8 @@ const struct crypto_suite crypto_suites[] = {
 		.srtcp_auth_tag		= 80,
 		.srtp_auth_key_len	= 160,
 		.srtcp_auth_key_len	= 160,
 		.encrypt_rtp		= aes_cm_encrypt_rtp,
 		.hash_rtp		= hmac_sha1_rtp,
 	},
 	{
 		.name			= "F8_128_HMAC_SHA1_80",
@ -57,6 +66,7 @@ const struct crypto_suite crypto_suites[] = {
 		.srtcp_auth_tag		= 80,
 		.srtp_auth_key_len	= 160,
 		.srtcp_auth_key_len	= 160,
 		.hash_rtp		= hmac_sha1_rtp,
 	},
 };

@ -89,7 +99,8 @@ const struct crypto_suite *crypto_find_suite(const str *s) {



 /* rfc 3711 section 4.1 and 4.1.1 */
 /* rfc 3711 section 4.1 and 4.1.1
 * "in" and "out" MAY point to the same buffer */
 static void aes_ctr_128(char *out, str *in, char *key, char *iv) {
 	EVP_CIPHER_CTX ecc;
 	unsigned char ivx[16];
@ -103,7 +114,7 @@ static void aes_ctr_128(char *out, str *in, char *key, char *iv) {
 	q = (unsigned char *) out;
 	left = in->len;

 	/* XXX do this only once per thread? */
 	/* XXX do this only once per thread or maybe once per stream/key? */
 	EVP_CIPHER_CTX_init(&ecc);

 	EVP_EncryptInit_ex(&ecc, EVP_aes_128_ecb(), NULL, (unsigned char *) key, NULL);
@ -182,3 +193,42 @@ int crypto_gen_session_key(struct crypto_context *c, str *out, unsigned char lab

 	return 0;
 }

 /* rfc 3711 section 4.1.1 */
 static int aes_cm_encrypt_rtp(struct crypto_context *c, struct rtp_header *r, str *s, u_int64_t idx) {
 	unsigned char iv[16];
 	unsigned char *p;
 	int i;

 	ZERO(iv);
 	memcpy(iv, c->session_salt, 14);

 	p = (void *) &r->ssrc;
 	for (i = 0; i < 4; i++)
 		iv[i + 4] = iv[i + 4] ^ p[i];

 	for (i = 0; i < 6; i++)
 		iv[i + 8] = iv[i + 8] ^ ((idx >> ((5 - i) * 8)) & 0xff);

 	aes_ctr_128(s->s, s, c->session_key, (char *) iv);

 	return 0;
 }

 /* rfc 3711, sections 4.2 and 4.2.1 */
 static int hmac_sha1_rtp(struct crypto_context *c, char *out, str *in) {
 	unsigned char hmac[20];
 	HMAC_CTX hc;
 	u_int32_t roc;

 	HMAC_Init(&hc, c->session_auth_key, c->crypto_suite->srtp_auth_key_len, EVP_sha1());
 	HMAC_Update(&hc, (unsigned char *) in->s, in->len);
 	roc = htonl(c->roc);
 	HMAC_Update(&hc, (unsigned char *) &roc, sizeof(roc));
 	HMAC_Final(&hc, hmac, NULL);
 	HMAC_CTX_cleanup(&hc);

 	memcpy(out, hmac, c->crypto_suite->srtp_auth_tag);

 	return 0;
 }
--- a/daemon/crypto.h
+++ b/daemon/crypto.h
@ -24,6 +24,12 @@ enum mac {
 	__MAC_LAST
 };

 struct crypto_context;
 struct rtp_header;

 typedef int (*crypto_func)(struct crypto_context *, struct rtp_header *, str *, u_int64_t);
 typedef int (*hash_func)(struct crypto_context *, char *out, str *in);

 struct crypto_suite {
 	const char *name;
 	unsigned int
@ -41,6 +47,8 @@ struct crypto_suite {
 		srtcp_lifetime;
 	enum cipher cipher;
 	enum mac mac;
 	crypto_func encrypt_rtp;
 	hash_func hash_rtp;
 };

 struct crypto_context {
@ -58,13 +66,18 @@ struct crypto_context {
 	u_int64_t num_packets;
 	/* <from, to>? */

 	char session_key[16];
 	char session_salt[14];
 	char session_key[16]; /* k_e */
 	char session_salt[14]; /* k_s */
 	char session_auth_key[20];

 	int have_session_key:1;
 };

 struct crypto_context_pair {
 	struct crypto_context in,
 			      out;
 };




@ -76,6 +89,15 @@ extern const int num_crypto_suites;
 const struct crypto_suite *crypto_find_suite(const str *);
 int crypto_gen_session_key(struct crypto_context *, str *, unsigned char);

 static inline int crypto_encrypt_rtp(struct crypto_context *c, struct rtp_header *rtp,
 		str *payload, u_int64_t index)
 {
 	if (!c || !c->crypto_suite)
 		return -1;

 	return c->crypto_suite->encrypt_rtp(c, rtp, payload, index);
 }



 #endif
--- a/daemon/rtp.c
+++ b/daemon/rtp.c
@ -1,30 +1,22 @@
 #include "rtp.h"

 #include <sys/types.h>
 #include <arpa/inet.h>
 #include <glib.h>

 #include "str.h"
 #include "crypto.h"




 struct rtp_header {
 	unsigned char v_p_x_cc;
 	unsigned char m_pt;
 	u_int16_t seq_num;
 	u_int32_t timestamp;
 	u_int32_t ssrc;
 	u_int32_t csrc[];
 } __attribute__ ((packed));





 static inline int check_session_key(struct crypto_context *c) {
 	str s;

 	if (c->have_session_key)
 		return 0;
 	if (!c->crypto_suite)
 		return -1;

 	str_init_len(&s, c->session_key, c->crypto_suite->session_key_len);
 	if (crypto_gen_session_key(c, &s, 0x00))
@ -43,15 +35,100 @@ static inline int check_session_key(struct crypto_context *c) {
 /* XXX some error handling/logging here */
 int rtp_avp2savp(str *s, struct crypto_context *c) {
 	struct rtp_header *rtp;
 	str payload, to_auth;
 	struct rtp_extension *ext;
 	u_int16_t seq;
 	u_int64_t index, s_l_index;
 	long long int diff;
 	char *pl_end;
 	u_int32_t mki_part;

 	if (s->len < sizeof(*rtp))
 		return -1;
 	if (check_session_key(c))
 		return -1;

 	rtp = (void *) s->s;
 	if ((rtp->v_p_x_cc & 0xc0) != 0x80) /* version 2 */
 		return -1;

 	if (check_session_key(c))
 	payload = *s;
 	/* fixed header */
 	str_shift(&payload, sizeof(*rtp));
 	/* csrc list */
 	if (str_shift(&payload, (rtp->v_p_x_cc & 0xf) * 4))
 		return -1;

 	if ((rtp->v_p_x_cc & 0x10)) {
 		/* extension */
 		if (payload.len < sizeof(*ext))
 			return -1;
 		ext = (void *) payload.s;
 		if (str_shift(&payload, 4 + ntohs(ext->length) * 4))
 			return -1;
 	}

 	seq = ntohs(rtp->seq_num);
 	/* rfc 3711 section 3.3.1 */
 	if (G_UNLIKELY(!c->s_l))
 		c->s_l = seq;

 	/* rfc 3711 appendix A, modified, and sections 3.3 and 3.3.1 */
 	index = ((u_int64_t) c->roc << 16) | seq;
 	s_l_index = ((u_int64_t) c->roc << 16) | c->s_l;
 	diff = index - s_l_index;
 	if (diff >= 0) {
 		if (diff < 0x8000)
 			;
 		else if (index >= 0x10000)
 			index -= 0x10000;
 	}
 	else {
 		if (diff >= -0x8000)
 			;
 		else {
 			index += 0x10000;
 			c->roc++;
 		}
 	}

 	/* rfc 3711 section 3.1 */

 	if (crypto_encrypt_rtp(c, rtp, &payload, index))
 		return -1;

 	pl_end = s->s + s->len;
 	to_auth = *s;

 	if (c->mki_len) {
 		/* RTP_BUFFER_TAIL_ROOM guarantees enough room */
 		memset(pl_end, 0, c->mki_len);
 		if (c->mki_len > 4) {
 			mki_part = (c->mki & 0xffffffff00000000ULL) >> 32;
 			mki_part = htonl(mki_part);
 			if (c->mki_len < 8)
 				memcpy(pl_end, ((char *) &mki_part) + (8 - c->mki_len), c->mki_len - 4);
 			else
 				memcpy(pl_end + (c->mki_len - 8), &mki_part, 4);
 		}
 		mki_part = (c->mki & 0xffffffffULL);
 		mki_part = htonl(mki_part);
 		if (c->mki_len < 4)
 			memcpy(pl_end, ((char *) &mki_part) + (4 - c->mki_len), c->mki_len);
 		else
 			memcpy(pl_end + (c->mki_len - 4), &mki_part, 4);

 		pl_end += c->mki_len;
 		to_auth.len += c->mki_len;
 	}

 	if (c->crypto_suite->srtp_auth_tag) {
 		c->crypto_suite->hash_rtp(c, pl_end, &to_auth);
 		pl_end += c->crypto_suite->srtp_auth_tag;
 	}

 	s->len = pl_end - s->s;

 	return 0;
 }

--- a/daemon/rtp.h
+++ b/daemon/rtp.h
@ -9,6 +9,24 @@

 struct crypto_context;

 struct rtp_header {
 	unsigned char v_p_x_cc;
 	unsigned char m_pt;
 	u_int16_t seq_num;
 	u_int32_t timestamp;
 	u_int32_t ssrc;
 	u_int32_t csrc[];
 } __attribute__ ((packed));
 struct rtp_extension {
 	u_int16_t undefined;
 	u_int16_t length;
 } __attribute__ ((packed));






 int rtp_avp2savp(str *, struct crypto_context *);
 int rtp_savp2avp(str *, struct crypto_context *);

--- a/daemon/sdp.c
+++ b/daemon/sdp.c
@ -795,15 +795,15 @@ int sdp_streams(const GQueue *sessions, GQueue *streams, GHashTable *streamhash,
 			id = ATTR_CRYPTO;
 			attr = g_hash_table_lookup(media->attributes.id_hash, &id);
 			if (attr) {
 				si->stream.crypto.crypto_suite = attr->u.crypto.crypto_suite;
 				si->stream.crypto.mki = attr->u.crypto.mki;
 				si->stream.crypto.mki_len = attr->u.crypto.mki_len;
 				assert(sizeof(si->stream.crypto.master_key) >= attr->u.crypto.master_key.len);
 				assert(sizeof(si->stream.crypto.master_salt) >= attr->u.crypto.salt.len);
 				memcpy(si->stream.crypto.master_key, attr->u.crypto.master_key.s, attr->u.crypto.master_key.len);
 				memcpy(si->stream.crypto.master_salt, attr->u.crypto.salt.s, attr->u.crypto.salt.len);
 				assert(sizeof(si->stream.crypto.session_key) >= attr->u.crypto.crypto_suite->session_key_len);
 				assert(sizeof(si->stream.crypto.session_salt) >= attr->u.crypto.crypto_suite->session_salt_len);
 				si->stream.crypto.in.crypto_suite = attr->u.crypto.crypto_suite;
 				si->stream.crypto.in.mki = attr->u.crypto.mki;
 				si->stream.crypto.in.mki_len = attr->u.crypto.mki_len;
 				assert(sizeof(si->stream.crypto.in.master_key) >= attr->u.crypto.master_key.len);
 				assert(sizeof(si->stream.crypto.in.master_salt) >= attr->u.crypto.salt.len);
 				memcpy(si->stream.crypto.in.master_key, attr->u.crypto.master_key.s, attr->u.crypto.master_key.len);
 				memcpy(si->stream.crypto.in.master_salt, attr->u.crypto.salt.s, attr->u.crypto.salt.len);
 				assert(sizeof(si->stream.crypto.in.session_key) >= attr->u.crypto.crypto_suite->session_key_len);
 				assert(sizeof(si->stream.crypto.in.session_salt) >= attr->u.crypto.crypto_suite->session_salt_len);
 			}

 			g_hash_table_insert(streamhash, si, si);