diff --git a/daemon/call.c b/daemon/call.c index d852c0055..d1265e3fe 100644 --- a/daemon/call.c +++ b/daemon/call.c @@ -224,7 +224,7 @@ static int call_avpf2avp(str *s, struct streamrelay *r) { return rtcp_avpf2avp(s); } static int call_avp2savp_rtp(str *s, struct streamrelay *r) { - return rtp_savp2avp(s, &r->peer.crypto); + return rtp_savp2avp(s, &r->peer.crypto.out); } static int call_avp2savp_rtcp(str *s, struct streamrelay *r) { return 0; @@ -463,7 +463,7 @@ out: static void stream_readable(int fd, void *p, uintptr_t u) { struct callstream *cs = p; struct streamrelay *r; - char buf[8192]; + char buf[RTP_BUFFER_SIZE]; int ret; struct sockaddr_storage ss; struct sockaddr_in6 sin6; @@ -481,7 +481,8 @@ static void stream_readable(int fd, void *p, uintptr_t u) { for (;;) { sinlen = sizeof(ss); - ret = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) &ss, &sinlen); + ret = recvfrom(fd, buf + RTP_BUFFER_HEAD_ROOM, MAX_RTP_PACKET_SIZE, + 0, (struct sockaddr *) &ss, &sinlen); if (ret < 0) { if (errno == EINTR) @@ -492,7 +493,7 @@ static void stream_readable(int fd, void *p, uintptr_t u) { stream_closed(fd, r, 0); return; } - if (ret >= sizeof(buf)) + if (ret >= MAX_RTP_PACKET_SIZE) mylog(LOG_WARNING, "UDP packet possibly truncated"); if (ss.ss_family != r->fd.fd_family) @@ -508,8 +509,7 @@ static void stream_readable(int fd, void *p, uintptr_t u) { in4_to_6(&sin6.sin6_addr, sin->sin_addr.s_addr); } - s.s = buf; - s.len = ret; + str_init_len(&s, buf, ret); ret = stream_packet(r, &s, sinp); if (ret == -1) { mylog(LOG_WARNING, "Write error on RTP socket"); diff --git a/daemon/call.h b/daemon/call.h index e155a057e..47eca1516 100644 --- a/daemon/call.h +++ b/daemon/call.h @@ -17,11 +17,17 @@ #include "str.h" #include "crypto.h" -struct poller; -struct control_stream; +#define MAX_RTP_PACKET_SIZE 8192 +#define RTP_BUFFER_HEAD_ROOM 128 +#define RTP_BUFFER_TAIL_ROOM 256 +#define RTP_BUFFER_SIZE (MAX_RTP_PACKET_SIZE + RTP_BUFFER_HEAD_ROOM + RTP_BUFFER_TAIL_ROOM) + + +struct poller; +struct control_stream; struct peer; struct callstream; struct call; @@ -71,7 +77,7 @@ struct stream { u_int16_t port; int num; enum transport_protocol protocol; - struct crypto_context crypto; + struct crypto_context_pair crypto; }; struct stream_input { struct stream stream; diff --git a/daemon/crypto.c b/daemon/crypto.c index 85dc65130..7b06ca39d 100644 --- a/daemon/crypto.c +++ b/daemon/crypto.c @@ -2,12 +2,17 @@ #include #include +#include #include "str.h" #include "aux.h" +#include "rtp.h" +static int aes_cm_encrypt_rtp(struct crypto_context *, struct rtp_header *, str *, u_int64_t); +static int hmac_sha1_rtp(struct crypto_context *, char *out, str *in); + /* all lengths are in bits, some code assumes everything to be multiples of 8 */ const struct crypto_suite crypto_suites[] = { { @@ -25,6 +30,8 @@ const struct crypto_suite crypto_suites[] = { .srtcp_auth_tag = 80, .srtp_auth_key_len = 160, .srtcp_auth_key_len = 160, + .encrypt_rtp = aes_cm_encrypt_rtp, + .hash_rtp = hmac_sha1_rtp, }, { .name = "AES_CM_128_HMAC_SHA1_32", @@ -41,6 +48,8 @@ const struct crypto_suite crypto_suites[] = { .srtcp_auth_tag = 80, .srtp_auth_key_len = 160, .srtcp_auth_key_len = 160, + .encrypt_rtp = aes_cm_encrypt_rtp, + .hash_rtp = hmac_sha1_rtp, }, { .name = "F8_128_HMAC_SHA1_80", @@ -57,6 +66,7 @@ const struct crypto_suite crypto_suites[] = { .srtcp_auth_tag = 80, .srtp_auth_key_len = 160, .srtcp_auth_key_len = 160, + .hash_rtp = hmac_sha1_rtp, }, }; @@ -89,7 +99,8 @@ const struct crypto_suite *crypto_find_suite(const str *s) { -/* rfc 3711 section 4.1 and 4.1.1 */ +/* rfc 3711 section 4.1 and 4.1.1 + * "in" and "out" MAY point to the same buffer */ static void aes_ctr_128(char *out, str *in, char *key, char *iv) { EVP_CIPHER_CTX ecc; unsigned char ivx[16]; @@ -103,7 +114,7 @@ static void aes_ctr_128(char *out, str *in, char *key, char *iv) { q = (unsigned char *) out; left = in->len; - /* XXX do this only once per thread? */ + /* XXX do this only once per thread or maybe once per stream/key? */ EVP_CIPHER_CTX_init(&ecc); EVP_EncryptInit_ex(&ecc, EVP_aes_128_ecb(), NULL, (unsigned char *) key, NULL); @@ -182,3 +193,42 @@ int crypto_gen_session_key(struct crypto_context *c, str *out, unsigned char lab return 0; } + +/* rfc 3711 section 4.1.1 */ +static int aes_cm_encrypt_rtp(struct crypto_context *c, struct rtp_header *r, str *s, u_int64_t idx) { + unsigned char iv[16]; + unsigned char *p; + int i; + + ZERO(iv); + memcpy(iv, c->session_salt, 14); + + p = (void *) &r->ssrc; + for (i = 0; i < 4; i++) + iv[i + 4] = iv[i + 4] ^ p[i]; + + for (i = 0; i < 6; i++) + iv[i + 8] = iv[i + 8] ^ ((idx >> ((5 - i) * 8)) & 0xff); + + aes_ctr_128(s->s, s, c->session_key, (char *) iv); + + return 0; +} + +/* rfc 3711, sections 4.2 and 4.2.1 */ +static int hmac_sha1_rtp(struct crypto_context *c, char *out, str *in) { + unsigned char hmac[20]; + HMAC_CTX hc; + u_int32_t roc; + + HMAC_Init(&hc, c->session_auth_key, c->crypto_suite->srtp_auth_key_len, EVP_sha1()); + HMAC_Update(&hc, (unsigned char *) in->s, in->len); + roc = htonl(c->roc); + HMAC_Update(&hc, (unsigned char *) &roc, sizeof(roc)); + HMAC_Final(&hc, hmac, NULL); + HMAC_CTX_cleanup(&hc); + + memcpy(out, hmac, c->crypto_suite->srtp_auth_tag); + + return 0; +} diff --git a/daemon/crypto.h b/daemon/crypto.h index d2d1f7cbf..051379631 100644 --- a/daemon/crypto.h +++ b/daemon/crypto.h @@ -24,6 +24,12 @@ enum mac { __MAC_LAST }; +struct crypto_context; +struct rtp_header; + +typedef int (*crypto_func)(struct crypto_context *, struct rtp_header *, str *, u_int64_t); +typedef int (*hash_func)(struct crypto_context *, char *out, str *in); + struct crypto_suite { const char *name; unsigned int @@ -41,6 +47,8 @@ struct crypto_suite { srtcp_lifetime; enum cipher cipher; enum mac mac; + crypto_func encrypt_rtp; + hash_func hash_rtp; }; struct crypto_context { @@ -58,13 +66,18 @@ struct crypto_context { u_int64_t num_packets; /* ? */ - char session_key[16]; - char session_salt[14]; + char session_key[16]; /* k_e */ + char session_salt[14]; /* k_s */ char session_auth_key[20]; int have_session_key:1; }; +struct crypto_context_pair { + struct crypto_context in, + out; +}; + @@ -76,6 +89,15 @@ extern const int num_crypto_suites; const struct crypto_suite *crypto_find_suite(const str *); int crypto_gen_session_key(struct crypto_context *, str *, unsigned char); +static inline int crypto_encrypt_rtp(struct crypto_context *c, struct rtp_header *rtp, + str *payload, u_int64_t index) +{ + if (!c || !c->crypto_suite) + return -1; + + return c->crypto_suite->encrypt_rtp(c, rtp, payload, index); +} + #endif diff --git a/daemon/rtp.c b/daemon/rtp.c index d8a4a8d2c..e9a649e18 100644 --- a/daemon/rtp.c +++ b/daemon/rtp.c @@ -1,30 +1,22 @@ #include "rtp.h" #include +#include +#include + #include "str.h" #include "crypto.h" -struct rtp_header { - unsigned char v_p_x_cc; - unsigned char m_pt; - u_int16_t seq_num; - u_int32_t timestamp; - u_int32_t ssrc; - u_int32_t csrc[]; -} __attribute__ ((packed)); - - - - - static inline int check_session_key(struct crypto_context *c) { str s; if (c->have_session_key) return 0; + if (!c->crypto_suite) + return -1; str_init_len(&s, c->session_key, c->crypto_suite->session_key_len); if (crypto_gen_session_key(c, &s, 0x00)) @@ -43,15 +35,100 @@ static inline int check_session_key(struct crypto_context *c) { /* XXX some error handling/logging here */ int rtp_avp2savp(str *s, struct crypto_context *c) { struct rtp_header *rtp; + str payload, to_auth; + struct rtp_extension *ext; + u_int16_t seq; + u_int64_t index, s_l_index; + long long int diff; + char *pl_end; + u_int32_t mki_part; if (s->len < sizeof(*rtp)) return -1; + if (check_session_key(c)) + return -1; rtp = (void *) s->s; + if ((rtp->v_p_x_cc & 0xc0) != 0x80) /* version 2 */ + return -1; - if (check_session_key(c)) + payload = *s; + /* fixed header */ + str_shift(&payload, sizeof(*rtp)); + /* csrc list */ + if (str_shift(&payload, (rtp->v_p_x_cc & 0xf) * 4)) return -1; + if ((rtp->v_p_x_cc & 0x10)) { + /* extension */ + if (payload.len < sizeof(*ext)) + return -1; + ext = (void *) payload.s; + if (str_shift(&payload, 4 + ntohs(ext->length) * 4)) + return -1; + } + + seq = ntohs(rtp->seq_num); + /* rfc 3711 section 3.3.1 */ + if (G_UNLIKELY(!c->s_l)) + c->s_l = seq; + + /* rfc 3711 appendix A, modified, and sections 3.3 and 3.3.1 */ + index = ((u_int64_t) c->roc << 16) | seq; + s_l_index = ((u_int64_t) c->roc << 16) | c->s_l; + diff = index - s_l_index; + if (diff >= 0) { + if (diff < 0x8000) + ; + else if (index >= 0x10000) + index -= 0x10000; + } + else { + if (diff >= -0x8000) + ; + else { + index += 0x10000; + c->roc++; + } + } + + /* rfc 3711 section 3.1 */ + + if (crypto_encrypt_rtp(c, rtp, &payload, index)) + return -1; + + pl_end = s->s + s->len; + to_auth = *s; + + if (c->mki_len) { + /* RTP_BUFFER_TAIL_ROOM guarantees enough room */ + memset(pl_end, 0, c->mki_len); + if (c->mki_len > 4) { + mki_part = (c->mki & 0xffffffff00000000ULL) >> 32; + mki_part = htonl(mki_part); + if (c->mki_len < 8) + memcpy(pl_end, ((char *) &mki_part) + (8 - c->mki_len), c->mki_len - 4); + else + memcpy(pl_end + (c->mki_len - 8), &mki_part, 4); + } + mki_part = (c->mki & 0xffffffffULL); + mki_part = htonl(mki_part); + if (c->mki_len < 4) + memcpy(pl_end, ((char *) &mki_part) + (4 - c->mki_len), c->mki_len); + else + memcpy(pl_end + (c->mki_len - 4), &mki_part, 4); + + pl_end += c->mki_len; + to_auth.len += c->mki_len; + } + + if (c->crypto_suite->srtp_auth_tag) { + c->crypto_suite->hash_rtp(c, pl_end, &to_auth); + pl_end += c->crypto_suite->srtp_auth_tag; + } + + s->len = pl_end - s->s; + return 0; } diff --git a/daemon/rtp.h b/daemon/rtp.h index d219938f0..bec3f7f2c 100644 --- a/daemon/rtp.h +++ b/daemon/rtp.h @@ -9,6 +9,24 @@ struct crypto_context; +struct rtp_header { + unsigned char v_p_x_cc; + unsigned char m_pt; + u_int16_t seq_num; + u_int32_t timestamp; + u_int32_t ssrc; + u_int32_t csrc[]; +} __attribute__ ((packed)); +struct rtp_extension { + u_int16_t undefined; + u_int16_t length; +} __attribute__ ((packed)); + + + + + + int rtp_avp2savp(str *, struct crypto_context *); int rtp_savp2avp(str *, struct crypto_context *); diff --git a/daemon/sdp.c b/daemon/sdp.c index cd4cf8fdd..0efaa0783 100644 --- a/daemon/sdp.c +++ b/daemon/sdp.c @@ -795,15 +795,15 @@ int sdp_streams(const GQueue *sessions, GQueue *streams, GHashTable *streamhash, id = ATTR_CRYPTO; attr = g_hash_table_lookup(media->attributes.id_hash, &id); if (attr) { - si->stream.crypto.crypto_suite = attr->u.crypto.crypto_suite; - si->stream.crypto.mki = attr->u.crypto.mki; - si->stream.crypto.mki_len = attr->u.crypto.mki_len; - assert(sizeof(si->stream.crypto.master_key) >= attr->u.crypto.master_key.len); - assert(sizeof(si->stream.crypto.master_salt) >= attr->u.crypto.salt.len); - memcpy(si->stream.crypto.master_key, attr->u.crypto.master_key.s, attr->u.crypto.master_key.len); - memcpy(si->stream.crypto.master_salt, attr->u.crypto.salt.s, attr->u.crypto.salt.len); - assert(sizeof(si->stream.crypto.session_key) >= attr->u.crypto.crypto_suite->session_key_len); - assert(sizeof(si->stream.crypto.session_salt) >= attr->u.crypto.crypto_suite->session_salt_len); + si->stream.crypto.in.crypto_suite = attr->u.crypto.crypto_suite; + si->stream.crypto.in.mki = attr->u.crypto.mki; + si->stream.crypto.in.mki_len = attr->u.crypto.mki_len; + assert(sizeof(si->stream.crypto.in.master_key) >= attr->u.crypto.master_key.len); + assert(sizeof(si->stream.crypto.in.master_salt) >= attr->u.crypto.salt.len); + memcpy(si->stream.crypto.in.master_key, attr->u.crypto.master_key.s, attr->u.crypto.master_key.len); + memcpy(si->stream.crypto.in.master_salt, attr->u.crypto.salt.s, attr->u.crypto.salt.len); + assert(sizeof(si->stream.crypto.in.session_key) >= attr->u.crypto.crypto_suite->session_key_len); + assert(sizeof(si->stream.crypto.in.session_salt) >= attr->u.crypto.crypto_suite->session_salt_len); } g_hash_table_insert(streamhash, si, si);