
TT#146201 support RTCP encryption in kernel

Change-Id: I30c2b88e0323e545a5be54b5af1a50c5b3e9378c
Richard Fuchs 4 years ago
5ff9294bab
7 changed files with 459 additions and 138 deletions
  1. +6
    -3
      daemon/crypto.c
  2. +11
    -10
      daemon/media_socket.c
  3. +1
    -1
      daemon/rtp.c
  4. +2
    -2
      include/crypto.h
  5. +429
    -114
      kernel-module/xt_RTPENGINE.c
  6. +4
    -2
      kernel-module/xt_RTPENGINE.h
  7. +6
    -6
      tests/kernel-module-test.c

+ 6
- 3
daemon/crypto.c

@ -467,7 +467,7 @@ static void prf_n(str *out, const unsigned char *key, const EVP_CIPHER *ciph, co
/* rfc 3711 section 4.3.1 */
int crypto_gen_session_key(struct crypto_context *c, str *out, unsigned char label, int index_len) {
int crypto_gen_session_key(struct crypto_context *c, str *out, unsigned char label, unsigned int index_len) {
unsigned char key_id[7]; /* [ label, 48-bit ROC || SEQ ] */
unsigned char x[14];
int i;
@ -658,7 +658,7 @@ static int aes_gcm_encrypt_rtcp(struct crypto_context *c, struct rtcp_packet *r,
iv.ssrc ^= r->ssrc;
iv.srtcp ^= htonl(idx & 0x007fffffffULL);
e_idx = htonl( (idx&0x007fffffffULL) | 0x80000000);
e_idx = htonl((idx & 0x007fffffffULL) | 0x80000000ULL);
EVP_EncryptInit_ex(c->session_key_ctx[0], c->params.crypto_suite->aead_evp(), NULL,
(const unsigned char *) c->session_key, iv.bytes);
@ -685,11 +685,14 @@ static int aes_gcm_decrypt_rtcp(struct crypto_context *c, struct rtcp_packet *r,
uint32_t e_idx;
int len, plaintext_len;
if (s->len < 16)
return -1;
memcpy(iv.bytes, c->session_salt, 12);
iv.ssrc ^= r->ssrc;
iv.srtcp ^= htonl(idx & 0x007fffffffULL);
e_idx = htonl( (idx&0x007fffffffULL) | 0x80000000);
e_idx = htonl((idx & 0x007fffffffULL) | 0x80000000ULL);
EVP_DecryptInit_ex(c->session_key_ctx[0], c->params.crypto_suite->aead_evp(), NULL,
(const unsigned char *) c->session_key, iv.bytes);
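Review bot: The new `if (s->len < 16) return -1;` in aes_gcm_decrypt_rtcp uses a bare constant; a comment stating what 16 covers would help, e.g. `/* need at least the AEAD tag; anything shorter cannot be authenticated */` (presumably the 16-byte AES-GCM tag, worth confirming against the suite definition). Whether `s` at this point still includes the trailing E-bit/index word is not visible in the hunk, so the minimum may need to account for that too. In the first hunk, `index_len` becomes `unsigned int` while the local `int i;` two lines below stays signed; if `i` is compared against `index_len` further down (outside the hunk), the comparison is now mixed-signedness and will trip -Wsign-compare. Both function bodies continue outside the hunks.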


+ 11
- 10
daemon/media_socket.c

@ -1345,10 +1345,11 @@ static int __k_srtp_crypt(struct rtpengine_srtp *s, struct crypto_context *c,
.cipher = c->params.crypto_suite->kernel_cipher,
.hmac = c->params.crypto_suite->kernel_hmac,
.mki_len = c->params.mki_len,
.auth_tag_len = c->params.crypto_suite->srtp_auth_tag,
.rtp_auth_tag_len= c->params.crypto_suite->srtp_auth_tag,
.rtcp_auth_tag_len= c->params.crypto_suite->srtcp_auth_tag,
};
for (unsigned int i = 0; i < RTPE_NUM_SSRC_TRACKING; i++)
s->last_index[i] = ssrc_ctx[i] ? ssrc_ctx[i]->srtp_index : 0;
s->last_rtp_index[i] = ssrc_ctx[i] ? ssrc_ctx[i]->srtp_index : 0;
if (c->params.mki_len)
memcpy(s->mki, c->params.mki, c->params.mki_len);
memcpy(s->master_key, c->params.master_key, c->params.crypto_suite->master_key_len);
@ -1361,7 +1362,7 @@ static int __k_srtp_crypt(struct rtpengine_srtp *s, struct crypto_context *c,
if (c->params.session_params.unencrypted_srtp)
s->cipher = REC_NULL;
if (c->params.session_params.unauthenticated_srtp)
s->auth_tag_len = 0;
s->rtp_auth_tag_len = 0;
return 0;
}
@ -3442,13 +3443,13 @@ enum thread_looper_action kernel_stats_updater(void) {
if (max_pt != -1)
payload_tracker_add(&ctx->tracker, max_pt);
if (sink->crypto.params.crypto_suite
&& o->encrypt.last_index[u] - ctx->srtp_index > 0x4000)
&& o->encrypt.last_rtp_index[u] - ctx->srtp_index > 0x4000)
{
ilog(LOG_DEBUG, "Updating SRTP encryption index from %" PRIu64
" to %" PRIu64,
ctx->srtp_index,
o->encrypt.last_index[u]);
ctx->srtp_index = o->encrypt.last_index[u];
o->encrypt.last_rtp_index[u]);
ctx->srtp_index = o->encrypt.last_rtp_index[u];
update = true;
}
}
@ -3465,19 +3466,19 @@ enum thread_looper_action kernel_stats_updater(void) {
if (!ctx)
continue;
// TODO: add in SSRC stats similar to __stream_update_stats
atomic64_set(&ctx->last_seq, ke->target.decrypt.last_index[u]);
atomic64_set(&ctx->last_seq, ke->target.decrypt.last_rtp_index[u]);
if (max_pt != -1)
payload_tracker_add(&ctx->tracker, max_pt);
if (sfd->crypto.params.crypto_suite
&& ke->target.decrypt.last_index[u]
&& ke->target.decrypt.last_rtp_index[u]
- ctx->srtp_index > 0x4000) {
ilog(LOG_DEBUG, "Updating SRTP decryption index from %" PRIu64
" to %" PRIu64,
ctx->srtp_index,
ke->target.decrypt.last_index[u]);
ctx->srtp_index = ke->target.decrypt.last_index[u];
ke->target.decrypt.last_rtp_index[u]);
ctx->srtp_index = ke->target.decrypt.last_rtp_index[u];
update = true;
}
}
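Review bot: In the second hunk, `unencrypted_srtp` still sets the single `s->cipher = REC_NULL`, but with this commit the kernel also encrypts RTCP through the same struct; if `cipher` is one field used for both RTP and RTCP, negotiating UNENCRYPTED_SRTP now also turns off SRTCP encryption, which does not match the separate `unencrypted_srtcp` session parameter. Leaving `rtcp_auth_tag_len` untouched under `unauthenticated_srtp` is correct, since RFC 3711 makes SRTCP authentication mandatory, and that deserves a comment: `/* UNAUTHENTICATED_SRTP never applies to SRTCP; the RTCP tag length stays */`. In the first hunk `last_rtp_index` is initialised per SSRC, but the new `last_rtcp_index` field from the header is not assigned in the visible lines; unless the struct is zeroed elsewhere, the kernel starts from whatever the field holds. __k_srtp_crypt's body continues outside the hunks.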


+ 1
- 1
daemon/rtp.c

@ -42,7 +42,7 @@ INLINE int check_session_keys(struct crypto_context *c) {
return 0;
error:
ilog(LOG_ERROR | LOG_FLAG_LIMIT, "%s", err);
ilogs(srtp, LOG_ERROR | LOG_FLAG_LIMIT, "%s", err);
return -1;
}


+ 2
- 2
include/crypto.h

@ -106,8 +106,8 @@ extern __thread GString *crypto_debug_string;
void crypto_init_main(void);
const struct crypto_suite * crypto_find_suite(const str *);
int crypto_gen_session_key(struct crypto_context *, str *, unsigned char, int);
const struct crypto_suite *crypto_find_suite(const str *);
int crypto_gen_session_key(struct crypto_context *, str *, unsigned char, unsigned int);
void crypto_dump_keys(struct crypto_context *in, struct crypto_context *out);
char *crypto_params_sdes_dump(const struct crypto_params_sdes *, char **);


+ 429
- 114
kernel-module/xt_RTPENGINE.c
File diff suppressed because it is too large


+ 4
- 2
kernel-module/xt_RTPENGINE.h

@ -81,8 +81,10 @@ struct rtpengine_srtp {
unsigned int session_key_len;
unsigned int session_salt_len;
unsigned char mki[256]; /* XXX uses too much memory? */
uint64_t last_index[RTPE_NUM_SSRC_TRACKING];
unsigned int auth_tag_len; /* in bytes */
uint64_t last_rtp_index[RTPE_NUM_SSRC_TRACKING];
uint64_t last_rtcp_index[RTPE_NUM_SSRC_TRACKING];
unsigned int rtp_auth_tag_len; /* in bytes */
unsigned int rtcp_auth_tag_len; /* in bytes */
unsigned int mki_len;
};
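Review bot: struct rtpengine_srtp is the payload the daemon hands to the kernel module, and adding `last_rtcp_index` plus a second tag length changes its size and the offset of `mki_len` and of every field that follows; a daemon built against this header and an older module would read each other's struct at the wrong offsets, so if the interface carries a version or size check it should be bumped in the same commit (not visible here). The new fields also lack the comments their neighbours have; `uint64_t last_rtcp_index[RTPE_NUM_SSRC_TRACKING]; /* SRTCP index, per tracked SSRC */` and `unsigned int rtcp_auth_tag_len; /* in bytes */` would keep the struct self-describing. The test changes set `rtp_auth_tag_len = 0` for the 32-byte-key suite, so it is worth stating in the comment that zero means the tag is supplied by the AEAD cipher rather than an HMAC, if that is indeed the convention.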


+ 6
- 6
tests/kernel-module-test.c

@ -469,7 +469,7 @@ int main(void) {
.master_salt_len = 14,
.session_key_len = 16,
.session_salt_len = 14,
.auth_tag_len = 10,
.rtp_auth_tag_len = 10,
.master_key = {0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0,
0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39},
.master_salt = {0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb,
@ -543,7 +543,7 @@ int main(void) {
.master_salt_len = 14,
.session_key_len = 16,
.session_salt_len = 14,
.auth_tag_len = 10,
.rtp_auth_tag_len = 10,
.master_key = {0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0,
0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39},
.master_salt = {0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb,
@ -627,7 +627,7 @@ int main(void) {
.master_salt_len = 14,
.session_key_len = 16,
.session_salt_len = 14,
.auth_tag_len = 10,
.rtp_auth_tag_len = 10,
.master_key = {0x86, 0x70, 0x84, 0x51, 0x5a, 0xa4, 0xf7, 0x73,
0xd0, 0xcd, 0x56, 0xd0, 0x32, 0x34, 0x5b, 0x0b},
.master_salt = {0xc1, 0xe3, 0xb1, 0x54, 0x17, 0x3d, 0xf1, 0x3f,
@ -660,7 +660,7 @@ int main(void) {
.master_salt_len = 14,
.session_key_len = 16,
.session_salt_len = 14,
.auth_tag_len = 10,
.rtp_auth_tag_len = 10,
.master_key = {0x86, 0x70, 0x84, 0x51, 0x5a, 0xa4, 0xf7, 0x73,
0xd0, 0xcd, 0x56, 0xd0, 0x32, 0x34, 0x5b, 0x0b},
.master_salt = {0xc1, 0xe3, 0xb1, 0x54, 0x17, 0x3d, 0xf1, 0x3f,
@ -783,7 +783,7 @@ int main(void) {
.master_salt_len = 12,
.session_key_len = 32,
.session_salt_len = 12,
.auth_tag_len = 0,
.rtp_auth_tag_len = 0,
.master_key = {0x81, 0xa4, 0xe5, 0x86, 0x21, 0x62, 0x6c, 0x57,
0x9c, 0x5b, 0x8b, 0x2f, 0x1e, 0x27, 0x6a, 0x69,
0x3c, 0xf2, 0xd5, 0xf6, 0xd0, 0xbc, 0x9a, 0x53,
@ -818,7 +818,7 @@ int main(void) {
.master_salt_len = 12,
.session_key_len = 32,
.session_salt_len = 12,
.auth_tag_len = 0,
.rtp_auth_tag_len = 0,
.master_key = {0x81, 0xa4, 0xe5, 0x86, 0x21, 0x62, 0x6c, 0x57,
0x9c, 0x5b, 0x8b, 0x2f, 0x1e, 0x27, 0x6a, 0x69,
0x3c, 0xf2, 0xd5, 0xf6, 0xd0, 0xbc, 0x9a, 0x53,

