From b5009eff0be233e4357546994393819712d63b23 Mon Sep 17 00:00:00 2001
From: SPChan
Date: Fri, 11 Dec 2020 11:40:17 +0800
Subject: [PATCH] crypto.c: handle 12 bytes master salt length of AEAD

AEAD RFC7714 specifies 12 bytes master salt length (section 12) but the KDF expects 14 bytes. The erratum to RFC7714 specifies to pad on the right by 16 bits to be compliant with the KDF. https://www.rfc-editor.org/errata_search.php?rfc=7714
---
 daemon/crypto.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/daemon/crypto.c b/daemon/crypto.c
index d43e31367..30eba867c 100644
--- a/daemon/crypto.c
+++ b/daemon/crypto.c
@@ -190,7 +190,7 @@ struct crypto_suite __crypto_suites[] = {
 .name = "AEAD_AES_128_GCM",
 .dtls_name = "SRTP_AEAD_AES_128_GCM",
 .master_key_len = 16,
- .master_salt_len = 14,
+ .master_salt_len = 12,
 .session_key_len = 16,
 .session_salt_len = 12,
 .srtp_lifetime = 1ULL << 48,
@@ -214,7 +214,7 @@ struct crypto_suite __crypto_suites[] = {
 .name = "AEAD_AES_256_GCM",
 .dtls_name = "SRTP_AEAD_AES_256_GCM",
 .master_key_len = 32,
- .master_salt_len = 14,
+ .master_salt_len = 12,
 .session_key_len = 32,
 .session_salt_len = 12,
 .srtp_lifetime = 1ULL << 48,
@@ -471,7 +471,14 @@ int crypto_gen_session_key(struct crypto_context *c, str *out, unsigned char lab
 * key_derivation_rate == 0 --> r == 0 */
 key_id[0] = label;
- memcpy(x, c->params.master_salt, 14);
+ // AEAD uses 12 bytes master salt; pad on the right to get 14
+ // Errata: https://www.rfc-editor.org/errata_search.php?rfc=7714
+ if (c->params.crypto_suite->master_salt_len == 12) {
+ memcpy(x, c->params.master_salt, 12);
+ x[12] = x[13] = '\x00';
+ } else {
+ memcpy(x, c->params.master_salt, 14);
+ }
 for (i = 13 - index_len; i < 14; i++)
 x[i] = key_id[i - (13 - index_len)] ^ x[i];
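Review bot: The new `.master_salt_len = 12,` on the AEAD_AES_128_GCM entry (and the identical line in the AEAD_AES_256_GCM hunk) is the value that the KDF hunk later tests with a literal `== 12`, so the suite table and crypto_gen_session_key are now coupled through a magic number that is undocumented at the definition site. A short comment on the table line would make that dependency visible, e.g. `.master_salt_len = 12, /* RFC 7714 s.12: 96-bit master salt; zero-padded to 14 bytes in the KDF (RFC 7714 erratum) */`, so that nobody changes one side without the other. Since master_salt_len presumably also drives how SDES key material and DTLS-SRTP exported keying material are split into key and salt, it is worth confirming that every other reader of master_salt in the file copes with only 12 bytes being populated; if the backing buffer is a fixed 14-byte array, its last two bytes are now never written by those parsers, which matters for any code that compares, copies or logs the full salt rather than master_salt_len bytes.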