use appropriate crypto context for encryption and decryption

ensures that the correct ROC is used
11 years ago · 9c3ad508f7
parent 0ac1ed2419
commit 9c3ad508f7
1 changed files with 14 additions and 20 deletions
--- a/kernel-module/xt_RTPENGINE.c
+++ b/kernel-module/xt_RTPENGINE.c
@ -2071,26 +2071,28 @@ static int srtp_auth_validate(struct re_crypto_context *c,
 	if (srtp_hash(hmac, c, s, r, pkt_idx))
 		return -1;
 	if (!memcmp(auth_tag, hmac, s->auth_tag_len))
-		goto ok;
+		goto ok_update;
 	/* or maybe we did a rollover too many */
 	if (pkt_idx >= 0x20000) {
 		pkt_idx -= 0x20000;
 		if (srtp_hash(hmac, c, s, r, pkt_idx))
 			return -1;
 		if (!memcmp(auth_tag, hmac, s->auth_tag_len))
-			goto ok;
+			goto ok_update;
 	}
 	/* last guess: reset ROC to zero */
 	pkt_idx &= 0xffff;
 	if (srtp_hash(hmac, c, s, r, pkt_idx))
 		return -1;
 	if (!memcmp(auth_tag, hmac, s->auth_tag_len))
-		goto ok;
+		goto ok_update;
 	return -1;
-ok:
+ok_update:
 	*pkt_idx_p = pkt_idx;
 	update_packet_index(c, s, pkt_idx);
 ok:
 	return 0;
 }
@ -2203,7 +2205,7 @@ static unsigned int rtpengine46(struct sk_buff *skb, struct rtpengine_table *t,
 	unsigned int datalen;
 	u_int32_t *u32;
 	struct rtp_parsed rtp;
-	u_int64_t pkt_idx = 0, pkt_idx_u;
+	u_int64_t pkt_idx;
 	skb_reset_transport_header(skb);
 	uh = udp_hdr(skb);
@ -2275,22 +2277,13 @@ src_check_ok:
 	rtp_pt_idx = rtp_payload_type(rtp.header, &g->target);
-	if ((&g->decrypt)->cipher->decrypt) {
+	// Pass to userspace if SSRC has changed.
-		pkt_idx_u = pkt_idx = packet_index(&g->decrypt, &g->target.decrypt, rtp.header);
+	if ((g->encrypt.ssrc) && (g->encrypt.ssrc != rtp.header->ssrc))
-		if (srtp_auth_validate(&g->decrypt, &g->target.decrypt, &rtp, &pkt_idx))
+		goto skip_error;
 			goto skip_error;
 		if (pkt_idx != pkt_idx_u)
 			update_packet_index(&g->decrypt, &g->target.decrypt, pkt_idx);
 	} else {
 		// Pass to userspace if SSRC has changed.
 		if ((g->encrypt.ssrc) && (g->encrypt.ssrc != rtp.header->ssrc))
 			goto skip_error;
 		pkt_idx_u = pkt_idx = packet_index(&g->encrypt, &g->target.encrypt, rtp.header);
 		if (pkt_idx != pkt_idx_u)
 			update_packet_index(&g->encrypt, &g->target.encrypt, pkt_idx);
 	}
 	pkt_idx = packet_index(&g->decrypt, &g->target.decrypt, rtp.header);
 	if (srtp_auth_validate(&g->decrypt, &g->target.decrypt, &rtp, &pkt_idx))
 		goto skip_error;
 	if (srtp_decrypt(&g->decrypt, &g->target.decrypt, &rtp, pkt_idx))
 		goto skip_error;
@ -2313,6 +2306,7 @@ not_rtp:
 	}
 	if (rtp.ok) {
 		pkt_idx = packet_index(&g->encrypt, &g->target.encrypt, rtp.header);
 		srtp_encrypt(&g->encrypt, &g->target.encrypt, &rtp, pkt_idx);
 		skb_put(skb, g->target.encrypt.mki_len + g->target.encrypt.auth_tag_len);
 		srtp_authenticate(&g->encrypt, &g->target.encrypt, &rtp, pkt_idx);