|
|
|
|
@ -65,6 +65,8 @@ MODULE_LICENSE("GPL");
|
|
|
|
|
|
|
|
|
|
struct mp_hmac;
|
|
|
|
|
struct mp_cipher;
|
|
|
|
|
struct rtp_parsed;
|
|
|
|
|
struct mp_crypto_context;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -108,6 +110,9 @@ static int proc_main_list_show(struct seq_file *, void *);
|
|
|
|
|
static void table_push(struct mediaproxy_table *);
|
|
|
|
|
static struct mediaproxy_target *get_target(struct mediaproxy_table *, u_int16_t);
|
|
|
|
|
|
|
|
|
|
static int srtp_encrypt_aes_cm(struct mp_crypto_context *, struct mediaproxy_srtp *,
|
|
|
|
|
struct rtp_parsed *, u_int64_t);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -158,6 +163,10 @@ struct mediaproxy_table {
|
|
|
|
|
struct mp_cipher {
|
|
|
|
|
const char *name;
|
|
|
|
|
const char *tfm_name;
|
|
|
|
|
int (*decrypt)(struct mp_crypto_context *, struct mediaproxy_srtp *,
|
|
|
|
|
struct rtp_parsed *, u_int64_t);
|
|
|
|
|
int (*encrypt)(struct mp_crypto_context *, struct mediaproxy_srtp *,
|
|
|
|
|
struct rtp_parsed *, u_int64_t);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct mp_hmac {
|
|
|
|
|
@ -250,6 +259,8 @@ static const struct mp_cipher mp_ciphers[] = {
|
|
|
|
|
[MPC_AES_CM] = {
|
|
|
|
|
.name = "AES-CM",
|
|
|
|
|
.tfm_name = "aes",
|
|
|
|
|
.decrypt = srtp_encrypt_aes_cm,
|
|
|
|
|
.encrypt = srtp_encrypt_aes_cm,
|
|
|
|
|
},
|
|
|
|
|
[MPC_AES_F8] = {
|
|
|
|
|
.name = "AES-F8",
|
|
|
|
|
@ -894,7 +905,7 @@ static int validate_srtp(struct mediaproxy_srtp *s) {
|
|
|
|
|
|
|
|
|
|
/* XXX shared code */
|
|
|
|
|
static void aes_ctr_128(unsigned char *out, const unsigned char *in, int in_len,
|
|
|
|
|
struct crypto_cipher *tfm, const char *iv)
|
|
|
|
|
struct crypto_cipher *tfm, const unsigned char *iv)
|
|
|
|
|
{
|
|
|
|
|
unsigned char ivx[16];
|
|
|
|
|
unsigned char key_block[16];
|
|
|
|
|
@ -1613,14 +1624,16 @@ static u_int64_t packet_index(struct mp_crypto_context *c,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int srtp_auth_validate(struct mp_crypto_context *c,
|
|
|
|
|
struct mediaproxy_srtp *s, struct rtp_parsed *r)
|
|
|
|
|
struct mediaproxy_srtp *s, struct rtp_parsed *r,
|
|
|
|
|
u_int64_t pkt_idx)
|
|
|
|
|
{
|
|
|
|
|
unsigned char *auth_tag;
|
|
|
|
|
unsigned char hmac[20];
|
|
|
|
|
struct shash_desc *dsc;
|
|
|
|
|
u_int64_t pkt_idx;
|
|
|
|
|
u_int32_t roc;
|
|
|
|
|
|
|
|
|
|
if (s->hmac == MPH_NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
if (!c->hmac)
|
|
|
|
|
return 0;
|
|
|
|
|
if (!c->shash)
|
|
|
|
|
@ -1639,7 +1652,6 @@ static int srtp_auth_validate(struct mp_crypto_context *c,
|
|
|
|
|
if (!s->auth_tag_len)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
pkt_idx = packet_index(c, s, r->header);
|
|
|
|
|
roc = htonl((pkt_idx & 0xffffffff0000ULL) >> 16);
|
|
|
|
|
|
|
|
|
|
dsc = kmalloc(sizeof(*dsc) + crypto_shash_descsize(c->shash), GFP_ATOMIC);
|
|
|
|
|
@ -1681,6 +1693,56 @@ error:
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* XXX shared code */
|
|
|
|
|
static int srtp_encrypt_aes_cm(struct mp_crypto_context *c,
|
|
|
|
|
struct mediaproxy_srtp *s, struct rtp_parsed *r,
|
|
|
|
|
u_int64_t pkt_idx)
|
|
|
|
|
{
|
|
|
|
|
unsigned char iv[16];
|
|
|
|
|
u_int32_t *ivi;
|
|
|
|
|
u_int32_t idxh, idxl;
|
|
|
|
|
|
|
|
|
|
if (s->cipher == MPC_NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
if (!c->cipher)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
memcpy(iv, c->session_salt, 14);
|
|
|
|
|
iv[14] = iv[15] = '\0';
|
|
|
|
|
ivi = (void *) iv;
|
|
|
|
|
pkt_idx <<= 16;
|
|
|
|
|
idxh = htonl((pkt_idx & 0xffffffff00000000ULL) >> 32);
|
|
|
|
|
idxl = htonl(pkt_idx & 0xffffffffULL);
|
|
|
|
|
|
|
|
|
|
ivi[1] ^= r->header->ssrc;
|
|
|
|
|
ivi[2] ^= idxh;
|
|
|
|
|
ivi[3] ^= idxl;
|
|
|
|
|
|
|
|
|
|
aes_ctr_128(r->payload, r->payload, r->payload_len, c->tfm, iv);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static inline int srtp_encrypt(struct mp_crypto_context *c,
|
|
|
|
|
struct mediaproxy_srtp *s, struct rtp_parsed *r,
|
|
|
|
|
u_int64_t pkt_idx)
|
|
|
|
|
{
|
|
|
|
|
if (!c->cipher->encrypt)
|
|
|
|
|
return 0;
|
|
|
|
|
return c->cipher->encrypt(c, s, r, pkt_idx);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline int srtp_decrypt(struct mp_crypto_context *c,
|
|
|
|
|
struct mediaproxy_srtp *s, struct rtp_parsed *r,
|
|
|
|
|
u_int64_t pkt_idx)
|
|
|
|
|
{
|
|
|
|
|
if (!c->cipher->decrypt)
|
|
|
|
|
return 0;
|
|
|
|
|
return c->cipher->decrypt(c, s, r, pkt_idx);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned int mediaproxy46(struct sk_buff *skb, struct mediaproxy_table *t) {
|
|
|
|
|
struct udphdr *uh;
|
|
|
|
|
struct mediaproxy_target *g;
|
|
|
|
|
@ -1690,6 +1752,7 @@ static unsigned int mediaproxy46(struct sk_buff *skb, struct mediaproxy_table *t
|
|
|
|
|
unsigned long flags;
|
|
|
|
|
u_int32_t *u32;
|
|
|
|
|
struct rtp_parsed rtp;
|
|
|
|
|
u_int64_t pkt_idx = 0;
|
|
|
|
|
|
|
|
|
|
skb_reset_transport_header(skb);
|
|
|
|
|
uh = udp_hdr(skb);
|
|
|
|
|
@ -1729,8 +1792,20 @@ not_stun:
|
|
|
|
|
|
|
|
|
|
if (parse_rtp(&rtp, skb))
|
|
|
|
|
goto not_rtp;
|
|
|
|
|
if (srtp_auth_validate(&g->decrypt, &g->target.decrypt, &rtp))
|
|
|
|
|
pkt_idx = packet_index(&g->decrypt, &g->target.decrypt, rtp.header);
|
|
|
|
|
if (srtp_auth_validate(&g->decrypt, &g->target.decrypt, &rtp, pkt_idx))
|
|
|
|
|
goto skip3;
|
|
|
|
|
if (srtp_decrypt(&g->decrypt, &g->target.decrypt, &rtp, pkt_idx))
|
|
|
|
|
goto skip3;
|
|
|
|
|
|
|
|
|
|
skb_trim(skb, rtp.header_len + rtp.payload_len);
|
|
|
|
|
|
|
|
|
|
DBG("packet payload decrypted as %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x...\n",
|
|
|
|
|
rtp.payload[0], rtp.payload[1], rtp.payload[2], rtp.payload[3],
|
|
|
|
|
rtp.payload[4], rtp.payload[5], rtp.payload[6], rtp.payload[7],
|
|
|
|
|
rtp.payload[8], rtp.payload[9], rtp.payload[10], rtp.payload[11],
|
|
|
|
|
rtp.payload[12], rtp.payload[13], rtp.payload[14], rtp.payload[15],
|
|
|
|
|
rtp.payload[16], rtp.payload[17], rtp.payload[18], rtp.payload[19]);
|
|
|
|
|
|
|
|
|
|
not_rtp:
|
|
|
|
|
if (g->target.mirror_addr.family) {
|
|
|
|
|
|
Richard Fuchs
13 years ago