implementing srtp encryption and authentication

13 years ago · 212df63857
parent 6ee0284b66
commit 212df63857
7 changed files with 209 additions and 36 deletions
--- a/daemon/call.c
+++ b/daemon/call.c
@ -224,7 +224,7 @@ static int call_avpf2avp(str *s, struct streamrelay *r) {
 	return rtcp_avpf2avp(s);
 }
 static int call_avp2savp_rtp(str *s, struct streamrelay *r) {
-	return rtp_savp2avp(s, &r->peer.crypto);
+	return rtp_savp2avp(s, &r->peer.crypto.out);
 }
 static int call_avp2savp_rtcp(str *s, struct streamrelay *r) {
 	return 0;
@ -463,7 +463,7 @@ out:
 static void stream_readable(int fd, void *p, uintptr_t u) {
 	struct callstream *cs = p;
 	struct streamrelay *r;
-	char buf[8192];
+	char buf[RTP_BUFFER_SIZE];
 	int ret;
 	struct sockaddr_storage ss;
 	struct sockaddr_in6 sin6;
@ -481,7 +481,8 @@ static void stream_readable(int fd, void *p, uintptr_t u) {

 	for (;;) {
 		sinlen = sizeof(ss);
-		ret = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) &ss, &sinlen);
+		ret = recvfrom(fd, buf + RTP_BUFFER_HEAD_ROOM, MAX_RTP_PACKET_SIZE,
+				0, (struct sockaddr *) &ss, &sinlen);

 		if (ret < 0) {
 			if (errno == EINTR)
@ -492,7 +493,7 @@ static void stream_readable(int fd, void *p, uintptr_t u) {
 			stream_closed(fd, r, 0);
 			return;
 		}
-		if (ret >= sizeof(buf))
+		if (ret >= MAX_RTP_PACKET_SIZE)
 			mylog(LOG_WARNING, "UDP packet possibly truncated");

 		if (ss.ss_family != r->fd.fd_family)
@ -508,8 +509,7 @@ static void stream_readable(int fd, void *p, uintptr_t u) {
 			in4_to_6(&sin6.sin6_addr, sin->sin_addr.s_addr);
 		}

-		s.s = buf;
-		s.len = ret;
+		str_init_len(&s, buf, ret);
 		ret = stream_packet(r, &s, sinp);
 		if (ret == -1) {
 			mylog(LOG_WARNING, "Write error on RTP socket");
--- a/daemon/call.h
+++ b/daemon/call.h
@ -17,11 +17,17 @@
 #include "str.h"
 #include "crypto.h"

-struct poller;
-struct control_stream;


+#define MAX_RTP_PACKET_SIZE	8192
+#define RTP_BUFFER_HEAD_ROOM	128
+#define RTP_BUFFER_TAIL_ROOM	256
+#define RTP_BUFFER_SIZE		(MAX_RTP_PACKET_SIZE + RTP_BUFFER_HEAD_ROOM + RTP_BUFFER_TAIL_ROOM)
+

+
+struct poller;
+struct control_stream;
 struct peer;
 struct callstream;
 struct call;
@ -71,7 +77,7 @@ struct stream {
 	u_int16_t		port;
 	int			num;
 	enum transport_protocol	protocol;
-	struct crypto_context	crypto;
+	struct crypto_context_pair crypto;
 };
 struct stream_input {
 	struct stream		stream;
--- a/daemon/crypto.c
+++ b/daemon/crypto.c
@ -2,12 +2,17 @@

 #include <string.h>
 #include <openssl/evp.h>
+#include <openssl/hmac.h>

 #include "str.h"
 #include "aux.h"
+#include "rtp.h"



+static int aes_cm_encrypt_rtp(struct crypto_context *, struct rtp_header *, str *, u_int64_t);
+static int hmac_sha1_rtp(struct crypto_context *, char *out, str *in);
+
 /* all lengths are in bits, some code assumes everything to be multiples of 8 */
 const struct crypto_suite crypto_suites[] = {
 	{
@ -25,6 +30,8 @@ const struct crypto_suite crypto_suites[] = {
 		.srtcp_auth_tag		= 80,
 		.srtp_auth_key_len	= 160,
 		.srtcp_auth_key_len	= 160,
+		.encrypt_rtp		= aes_cm_encrypt_rtp,
+		.hash_rtp		= hmac_sha1_rtp,
 	},
 	{
 		.name			= "AES_CM_128_HMAC_SHA1_32",
@ -41,6 +48,8 @@ const struct crypto_suite crypto_suites[] = {
 		.srtcp_auth_tag		= 80,
 		.srtp_auth_key_len	= 160,
 		.srtcp_auth_key_len	= 160,
+		.encrypt_rtp		= aes_cm_encrypt_rtp,
+		.hash_rtp		= hmac_sha1_rtp,
 	},
 	{
 		.name			= "F8_128_HMAC_SHA1_80",
@ -57,6 +66,7 @@ const struct crypto_suite crypto_suites[] = {
 		.srtcp_auth_tag		= 80,
 		.srtp_auth_key_len	= 160,
 		.srtcp_auth_key_len	= 160,
+		.hash_rtp		= hmac_sha1_rtp,
 	},
 };

@ -89,7 +99,8 @@ const struct crypto_suite *crypto_find_suite(const str *s) {



-/* rfc 3711 section 4.1 and 4.1.1 */
+/* rfc 3711 section 4.1 and 4.1.1
+ * "in" and "out" MAY point to the same buffer */
 static void aes_ctr_128(char *out, str *in, char *key, char *iv) {
 	EVP_CIPHER_CTX ecc;
 	unsigned char ivx[16];
@ -103,7 +114,7 @@ static void aes_ctr_128(char *out, str *in, char *key, char *iv) {
 	q = (unsigned char *) out;
 	left = in->len;

-	/* XXX do this only once per thread? */
+	/* XXX do this only once per thread or maybe once per stream/key? */
 	EVP_CIPHER_CTX_init(&ecc);

 	EVP_EncryptInit_ex(&ecc, EVP_aes_128_ecb(), NULL, (unsigned char *) key, NULL);
@ -182,3 +193,42 @@ int crypto_gen_session_key(struct crypto_context *c, str *out, unsigned char lab

 	return 0;
 }
+
+/* rfc 3711 section 4.1.1 */
+static int aes_cm_encrypt_rtp(struct crypto_context *c, struct rtp_header *r, str *s, u_int64_t idx) {
+	unsigned char iv[16];
+	unsigned char *p;
+	int i;
+
+	ZERO(iv);
+	memcpy(iv, c->session_salt, 14);
+
+	p = (void *) &r->ssrc;
+	for (i = 0; i < 4; i++)
+		iv[i + 4] = iv[i + 4] ^ p[i];
+
+	for (i = 0; i < 6; i++)
+		iv[i + 8] = iv[i + 8] ^ ((idx >> ((5 - i) * 8)) & 0xff);
+
+	aes_ctr_128(s->s, s, c->session_key, (char *) iv);
+
+	return 0;
+}
+
+/* rfc 3711, sections 4.2 and 4.2.1 */
+static int hmac_sha1_rtp(struct crypto_context *c, char *out, str *in) {
+	unsigned char hmac[20];
+	HMAC_CTX hc;
+	u_int32_t roc;
+
+	HMAC_Init(&hc, c->session_auth_key, c->crypto_suite->srtp_auth_key_len, EVP_sha1());
+	HMAC_Update(&hc, (unsigned char *) in->s, in->len);
+	roc = htonl(c->roc);
+	HMAC_Update(&hc, (unsigned char *) &roc, sizeof(roc));
+	HMAC_Final(&hc, hmac, NULL);
+	HMAC_CTX_cleanup(&hc);
+
+	memcpy(out, hmac, c->crypto_suite->srtp_auth_tag);
+
+	return 0;
+}
--- a/daemon/crypto.h
+++ b/daemon/crypto.h
@ -24,6 +24,12 @@ enum mac {
 	__MAC_LAST
 };

+struct crypto_context;
+struct rtp_header;
+
+typedef int (*crypto_func)(struct crypto_context *, struct rtp_header *, str *, u_int64_t);
+typedef int (*hash_func)(struct crypto_context *, char *out, str *in);
+
 struct crypto_suite {
 	const char *name;
 	unsigned int
@ -41,6 +47,8 @@ struct crypto_suite {
 		srtcp_lifetime;
 	enum cipher cipher;
 	enum mac mac;
+	crypto_func encrypt_rtp;
+	hash_func hash_rtp;
 };

 struct crypto_context {
@ -58,13 +66,18 @@ struct crypto_context {
 	u_int64_t num_packets;
 	/* <from, to>? */

-	char session_key[16];
-	char session_salt[14];
+	char session_key[16]; /* k_e */
+	char session_salt[14]; /* k_s */
 	char session_auth_key[20];

 	int have_session_key:1;
 };

+struct crypto_context_pair {
+	struct crypto_context in,
+			      out;
+};
+



@ -76,6 +89,15 @@ extern const int num_crypto_suites;
 const struct crypto_suite *crypto_find_suite(const str *);
 int crypto_gen_session_key(struct crypto_context *, str *, unsigned char);

+static inline int crypto_encrypt_rtp(struct crypto_context *c, struct rtp_header *rtp,
+		str *payload, u_int64_t index)
+{
+	if (!c || !c->crypto_suite)
+		return -1;
+
+	return c->crypto_suite->encrypt_rtp(c, rtp, payload, index);
+}
+


 #endif
--- a/daemon/rtp.c
+++ b/daemon/rtp.c
@ -1,30 +1,22 @@
 #include "rtp.h"

 #include <sys/types.h>
+#include <arpa/inet.h>
+#include <glib.h>
+
 #include "str.h"
 #include "crypto.h"




-struct rtp_header {
-	unsigned char v_p_x_cc;
-	unsigned char m_pt;
-	u_int16_t seq_num;
-	u_int32_t timestamp;
-	u_int32_t ssrc;
-	u_int32_t csrc[];
-} __attribute__ ((packed));
-
-
-
-
-
 static inline int check_session_key(struct crypto_context *c) {
 	str s;

 	if (c->have_session_key)
 		return 0;
+	if (!c->crypto_suite)
+		return -1;

 	str_init_len(&s, c->session_key, c->crypto_suite->session_key_len);
 	if (crypto_gen_session_key(c, &s, 0x00))
@ -43,15 +35,100 @@ static inline int check_session_key(struct crypto_context *c) {
 /* XXX some error handling/logging here */
 int rtp_avp2savp(str *s, struct crypto_context *c) {
 	struct rtp_header *rtp;
+	str payload, to_auth;
+	struct rtp_extension *ext;
+	u_int16_t seq;
+	u_int64_t index, s_l_index;
+	long long int diff;
+	char *pl_end;
+	u_int32_t mki_part;

 	if (s->len < sizeof(*rtp))
 		return -1;
+	if (check_session_key(c))
+		return -1;

 	rtp = (void *) s->s;
+	if ((rtp->v_p_x_cc & 0xc0) != 0x80) /* version 2 */
+		return -1;

-	if (check_session_key(c))
+	payload = *s;
+	/* fixed header */
+	str_shift(&payload, sizeof(*rtp));
+	/* csrc list */
+	if (str_shift(&payload, (rtp->v_p_x_cc & 0xf) * 4))
 		return -1;

+	if ((rtp->v_p_x_cc & 0x10)) {
+		/* extension */
+		if (payload.len < sizeof(*ext))
+			return -1;
+		ext = (void *) payload.s;
+		if (str_shift(&payload, 4 + ntohs(ext->length) * 4))
+			return -1;
+	}
+
+	seq = ntohs(rtp->seq_num);
+	/* rfc 3711 section 3.3.1 */
+	if (G_UNLIKELY(!c->s_l))
+		c->s_l = seq;
+
+	/* rfc 3711 appendix A, modified, and sections 3.3 and 3.3.1 */
+	index = ((u_int64_t) c->roc << 16) | seq;
+	s_l_index = ((u_int64_t) c->roc << 16) | c->s_l;
+	diff = index - s_l_index;
+	if (diff >= 0) {
+		if (diff < 0x8000)
+			;
+		else if (index >= 0x10000)
+			index -= 0x10000;
+	}
+	else {
+		if (diff >= -0x8000)
+			;
+		else {
+			index += 0x10000;
+			c->roc++;
+		}
+	}
+
+	/* rfc 3711 section 3.1 */
+
+	if (crypto_encrypt_rtp(c, rtp, &payload, index))
+		return -1;
+
+	pl_end = s->s + s->len;
+	to_auth = *s;
+
+	if (c->mki_len) {
+		/* RTP_BUFFER_TAIL_ROOM guarantees enough room */
+		memset(pl_end, 0, c->mki_len);
+		if (c->mki_len > 4) {
+			mki_part = (c->mki & 0xffffffff00000000ULL) >> 32;
+			mki_part = htonl(mki_part);
+			if (c->mki_len < 8)
+				memcpy(pl_end, ((char *) &mki_part) + (8 - c->mki_len), c->mki_len - 4);
+			else
+				memcpy(pl_end + (c->mki_len - 8), &mki_part, 4);
+		}
+		mki_part = (c->mki & 0xffffffffULL);
+		mki_part = htonl(mki_part);
+		if (c->mki_len < 4)
+			memcpy(pl_end, ((char *) &mki_part) + (4 - c->mki_len), c->mki_len);
+		else
+			memcpy(pl_end + (c->mki_len - 4), &mki_part, 4);
+
+		pl_end += c->mki_len;
+		to_auth.len += c->mki_len;
+	}
+
+	if (c->crypto_suite->srtp_auth_tag) {
+		c->crypto_suite->hash_rtp(c, pl_end, &to_auth);
+		pl_end += c->crypto_suite->srtp_auth_tag;
+	}
+
+	s->len = pl_end - s->s;
+
 	return 0;
 }

--- a/daemon/rtp.h
+++ b/daemon/rtp.h
@ -9,6 +9,24 @@

 struct crypto_context;

+struct rtp_header {
+	unsigned char v_p_x_cc;
+	unsigned char m_pt;
+	u_int16_t seq_num;
+	u_int32_t timestamp;
+	u_int32_t ssrc;
+	u_int32_t csrc[];
+} __attribute__ ((packed));
+struct rtp_extension {
+	u_int16_t undefined;
+	u_int16_t length;
+} __attribute__ ((packed));
+
+
+
+
+
+
 int rtp_avp2savp(str *, struct crypto_context *);
 int rtp_savp2avp(str *, struct crypto_context *);

--- a/daemon/sdp.c
+++ b/daemon/sdp.c
@ -795,15 +795,15 @@ int sdp_streams(const GQueue *sessions, GQueue *streams, GHashTable *streamhash,
 			id = ATTR_CRYPTO;
 			attr = g_hash_table_lookup(media->attributes.id_hash, &id);
 			if (attr) {
-				si->stream.crypto.crypto_suite = attr->u.crypto.crypto_suite;
-				si->stream.crypto.mki = attr->u.crypto.mki;
-				si->stream.crypto.mki_len = attr->u.crypto.mki_len;
-				assert(sizeof(si->stream.crypto.master_key) >= attr->u.crypto.master_key.len);
-				assert(sizeof(si->stream.crypto.master_salt) >= attr->u.crypto.salt.len);
-				memcpy(si->stream.crypto.master_key, attr->u.crypto.master_key.s, attr->u.crypto.master_key.len);
-				memcpy(si->stream.crypto.master_salt, attr->u.crypto.salt.s, attr->u.crypto.salt.len);
-				assert(sizeof(si->stream.crypto.session_key) >= attr->u.crypto.crypto_suite->session_key_len);
-				assert(sizeof(si->stream.crypto.session_salt) >= attr->u.crypto.crypto_suite->session_salt_len);
+				si->stream.crypto.in.crypto_suite = attr->u.crypto.crypto_suite;
+				si->stream.crypto.in.mki = attr->u.crypto.mki;
+				si->stream.crypto.in.mki_len = attr->u.crypto.mki_len;
+				assert(sizeof(si->stream.crypto.in.master_key) >= attr->u.crypto.master_key.len);
+				assert(sizeof(si->stream.crypto.in.master_salt) >= attr->u.crypto.salt.len);
+				memcpy(si->stream.crypto.in.master_key, attr->u.crypto.master_key.s, attr->u.crypto.master_key.len);
+				memcpy(si->stream.crypto.in.master_salt, attr->u.crypto.salt.s, attr->u.crypto.salt.len);
+				assert(sizeof(si->stream.crypto.in.session_key) >= attr->u.crypto.crypto_suite->session_key_len);
+				assert(sizeof(si->stream.crypto.in.session_salt) >= attr->u.crypto.crypto_suite->session_salt_len);
 			}

 			g_hash_table_insert(streamhash, si, si);