sipwise
/
rtpengine
mirror of https://github.com/sipwise/rtpengine.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Add AES-192, AES-256 CM to kernel SRTP

Browse Source
pull/332/head
Anthony Alba 8 years ago
parent 357bb1d50f
commit d5cecc500f
4 changed files with 95 additions and 27 deletions
Show Stats Download Patch File Download Diff File

20
daemon/crypto.c
Unescape View File

@ -47,7 +47,7 @@ const struct crypto_suite crypto_suites[] = {
.session_salt_len = 14,
.srtp_lifetime = 1ULL << 48,
.srtcp_lifetime = 1ULL << 31,
.kernel_cipher = REC_AES_CM,
.kernel_cipher = REC_AES_CM_128,
.kernel_hmac = REH_HMAC_SHA1,
.srtp_auth_tag = 10,
.srtcp_auth_tag = 10,
@ -71,7 +71,7 @@ const struct crypto_suite crypto_suites[] = {
.session_salt_len = 14,
.srtp_lifetime = 1ULL << 48,
.srtcp_lifetime = 1ULL << 31,
.kernel_cipher = REC_AES_CM,
.kernel_cipher = REC_AES_CM_128,
.kernel_hmac = REH_HMAC_SHA1,
.srtp_auth_tag = 4,
.srtcp_auth_tag = 10,
@ -95,8 +95,8 @@ const struct crypto_suite crypto_suites[] = {
.session_salt_len = 14,
.srtp_lifetime = 1ULL << 48,
.srtcp_lifetime = 1ULL << 31,
//.kernel_cipher = REC_AES_CM,
//.kernel_hmac = REH_HMAC_SHA1,
.kernel_cipher = REC_AES_CM_192,
.kernel_hmac = REH_HMAC_SHA1,
.srtp_auth_tag = 10,
.srtcp_auth_tag = 10,
.srtp_auth_key_len = 20,
@ -119,8 +119,8 @@ const struct crypto_suite crypto_suites[] = {
.session_salt_len = 14,
.srtp_lifetime = 1ULL << 48,
.srtcp_lifetime = 1ULL << 31,
//.kernel_cipher = REC_AES_CM,
//.kernel_hmac = REH_HMAC_SHA1,
.kernel_cipher = REC_AES_CM_192,
.kernel_hmac = REH_HMAC_SHA1,
.srtp_auth_tag = 4,
.srtcp_auth_tag = 10,
.srtp_auth_key_len = 20,
@ -143,8 +143,8 @@ const struct crypto_suite crypto_suites[] = {
.session_salt_len = 14,
.srtp_lifetime = 1ULL << 48,
.srtcp_lifetime = 1ULL << 31,
//.kernel_cipher = REC_AES_CM,
//.kernel_hmac = REH_HMAC_SHA1,
.kernel_cipher = REC_AES_CM_256,
.kernel_hmac = REH_HMAC_SHA1,
.srtp_auth_tag = 10,
.srtcp_auth_tag = 10,
.srtp_auth_key_len = 20,
@ -167,8 +167,8 @@ const struct crypto_suite crypto_suites[] = {
.session_salt_len = 14,
.srtp_lifetime = 1ULL << 48,
.srtcp_lifetime = 1ULL << 31,
//.kernel_cipher = REC_AES_CM,
//.kernel_hmac = REH_HMAC_SHA1,
.kernel_cipher = REC_AES_CM_256,
.kernel_hmac = REH_HMAC_SHA1,
.srtp_auth_tag = 4,
.srtcp_auth_tag = 10,
.srtp_auth_key_len = 20,

2
daemon/media_socket.c
Unescape View File

@ -826,6 +826,8 @@ static int __k_srtp_crypt(struct rtpengine_srtp *s, struct crypto_context *c) {
if (c->params.mki_len)
memcpy(s->mki, c->params.mki, c->params.mki_len);
memcpy(s->master_key, c->params.master_key, c->params.crypto_suite->master_key_len);
s->master_key_len = c->params.crypto_suite->master_key_len;
s->session_key_len = c->params.crypto_suite->session_key_len;
memcpy(s->master_salt, c->params.master_salt, c->params.crypto_suite->master_salt_len);
if (c->params.session_params.unencrypted_srtp)

92
kernel-module/xt_RTPENGINE.c
Unescape View File

@ -231,7 +231,7 @@ static inline int bitfield_clear(unsigned long *bf, unsigned int i);
struct re_crypto_context {
spinlock_t lock; /* protects roc and last_index */
unsigned char session_key[16];
unsigned char session_key[32];
unsigned char session_salt[14];
unsigned char session_auth_key[20];
u_int32_t roc;
@ -501,9 +501,9 @@ static const struct re_cipher re_ciphers[] = {
.id = REC_NULL,
.name = "NULL",
},
[REC_AES_CM] = {
.id = REC_AES_CM,
.name = "AES-CM",
[REC_AES_CM_128] = {
.id = REC_AES_CM_128,
.name = "AES-CM-128",
.tfm_name = "aes",
.decrypt = srtp_encrypt_aes_cm,
.encrypt = srtp_encrypt_aes_cm,
@ -516,6 +516,20 @@ static const struct re_cipher re_ciphers[] = {
.encrypt = srtp_encrypt_aes_f8,
.session_key_init = aes_f8_session_key_init,
},
[REC_AES_CM_192] = {
.id = REC_AES_CM_192,
.name = "AES-CM-192",
.tfm_name = "aes",
.decrypt = srtp_encrypt_aes_cm,
.encrypt = srtp_encrypt_aes_cm,
},
[REC_AES_CM_256] = {
.id = REC_AES_CM_256,
.name = "AES-CM-256",
.tfm_name = "aes",
.decrypt = srtp_encrypt_aes_cm,
.encrypt = srtp_encrypt_aes_cm,
},
};
static const struct re_hmac re_hmacs[] = {
@ -1700,7 +1714,7 @@ static void aes_f8(unsigned char *in_out, int in_len,
u_int32_t *xu;
crypto_cipher_encrypt_one(iv_tfm, ivx, iv);
pi = (void *) in_out;
ki = (void *) key_block;
lki = (void *) last_key_block;
@ -1747,7 +1761,7 @@ done:
}
static int aes_ctr_128_no_ctx(unsigned char *out, const char *in, int in_len,
const unsigned char *key, const unsigned char *iv)
const unsigned char *key, unsigned int key_len, const unsigned char *iv)
{
struct crypto_cipher *tfm;
@ -1755,14 +1769,14 @@ static int aes_ctr_128_no_ctx(unsigned char *out, const char *in, int in_len,
if (IS_ERR(tfm))
return PTR_ERR(tfm);
crypto_cipher_setkey(tfm, key, 16);
crypto_cipher_setkey(tfm, key, key_len);
aes_ctr_128(out, in, in_len, tfm, iv);
crypto_free_cipher(tfm);
return 0;
}
static int prf_n(unsigned char *out, int len, const unsigned char *key, const unsigned char *x) {
static int prf_n(unsigned char *out, int len, const unsigned char *key, unsigned int key_len, const unsigned char *x) {
unsigned char iv[16];
unsigned char o[32];
unsigned char in[32];
@ -1773,7 +1787,7 @@ static int prf_n(unsigned char *out, int len, const unsigned char *key, const un
in_len = len > 16 ? 32 : 16;
memset(in, 0, in_len);
ret = aes_ctr_128_no_ctx(o, in, in_len, key, iv);
ret = aes_ctr_128_no_ctx(o, in, in_len, key, key_len, iv);
if (ret)
return ret;
@ -1795,7 +1809,7 @@ static int gen_session_key(unsigned char *out, int len, struct rtpengine_srtp *s
for (i = 13 - 6; i < 14; i++)
x[i] = key_id[i - (13 - 6)] ^ x[i];
ret = prf_n(out, len, s->master_key, x);
ret = prf_n(out, len, s->master_key, s->master_key_len, x);
if (ret)
return ret;
return 0;
@ -1836,7 +1850,7 @@ static int gen_session_keys(struct re_crypto_context *c, struct rtpengine_srtp *
if (s->cipher == REC_NULL && s->hmac == REH_NULL)
return 0;
err = "failed to generate session key";
ret = gen_session_key(c->session_key, 16, s, 0x00);
ret = gen_session_key(c->session_key, s->session_key_len, s, 0x00);
if (ret)
goto error;
ret = gen_session_key(c->session_auth_key, 20, s, 0x01);
@ -1854,7 +1868,7 @@ static int gen_session_keys(struct re_crypto_context *c, struct rtpengine_srtp *
c->tfm[0] = NULL;
goto error;
}
crypto_cipher_setkey(c->tfm[0], c->session_key, 16);
crypto_cipher_setkey(c->tfm[0], c->session_key, s->session_key_len);
}
if (c->cipher->session_key_init) {
@ -1874,21 +1888,69 @@ static int gen_session_keys(struct re_crypto_context *c, struct rtpengine_srtp *
crypto_shash_setkey(c->shash, c->session_auth_key, 20);
}
DBG("master key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
switch(s->master_key_len) {
case 16:
DBG("master key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
s->master_key[0], s->master_key[1], s->master_key[2], s->master_key[3],
s->master_key[4], s->master_key[5], s->master_key[6], s->master_key[7],
s->master_key[8], s->master_key[9], s->master_key[10], s->master_key[11],
s->master_key[12], s->master_key[13], s->master_key[14], s->master_key[15]);
break;
case 24:
DBG("master key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
s->master_key[0], s->master_key[1], s->master_key[2], s->master_key[3],
s->master_key[4], s->master_key[5], s->master_key[6], s->master_key[7],
s->master_key[8], s->master_key[9], s->master_key[10], s->master_key[11],
s->master_key[12], s->master_key[13], s->master_key[14], s->master_key[15],
s->master_key[16], s->master_key[17], s->master_key[18], s->master_key[19],
s->master_key[20], s->master_key[21], s->master_key[22], s->master_key[23]);
break;
case 32:
DBG("master key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
s->master_key[0], s->master_key[1], s->master_key[2], s->master_key[3],
s->master_key[4], s->master_key[5], s->master_key[6], s->master_key[7],
s->master_key[8], s->master_key[9], s->master_key[10], s->master_key[11],
s->master_key[12], s->master_key[13], s->master_key[14], s->master_key[15],
s->master_key[16], s->master_key[17], s->master_key[18], s->master_key[19],
s->master_key[20], s->master_key[21], s->master_key[22], s->master_key[23],
s->master_key[24], s->master_key[25], s->master_key[26], s->master_key[27],
s->master_key[28], s->master_key[29], s->master_key[30], s->master_key[21]);
break;
}
DBG("master salt %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
s->master_salt[0], s->master_salt[1], s->master_salt[2], s->master_salt[3],
s->master_salt[4], s->master_salt[5], s->master_salt[6], s->master_salt[7],
s->master_salt[8], s->master_salt[9], s->master_salt[10], s->master_salt[11],
s->master_salt[12], s->master_salt[13]);
DBG("session key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
switch(s->session_key_len) {
case 16:
DBG("session key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
c->session_key[0], c->session_key[1], c->session_key[2], c->session_key[3],
c->session_key[4], c->session_key[5], c->session_key[6], c->session_key[7],
c->session_key[8], c->session_key[9], c->session_key[10], c->session_key[11],
c->session_key[12], c->session_key[13], c->session_key[14], c->session_key[15]);
break;
case 24:
DBG("session key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
c->session_key[0], c->session_key[1], c->session_key[2], c->session_key[3],
c->session_key[4], c->session_key[5], c->session_key[6], c->session_key[7],
c->session_key[8], c->session_key[9], c->session_key[10], c->session_key[11],
c->session_key[12], c->session_key[13], c->session_key[14], c->session_key[15],
c->session_key[16], c->session_key[17], c->session_key[18], c->session_key[19],
c->session_key[20], c->session_key[21], c->session_key[22], c->session_key[23]);
break;
case 32:
DBG("session key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
c->session_key[0], c->session_key[1], c->session_key[2], c->session_key[3],
c->session_key[4], c->session_key[5], c->session_key[6], c->session_key[7],
c->session_key[8], c->session_key[9], c->session_key[10], c->session_key[11],
c->session_key[12], c->session_key[13], c->session_key[14], c->session_key[15],
c->session_key[16], c->session_key[17], c->session_key[18], c->session_key[19],
c->session_key[20], c->session_key[21], c->session_key[22], c->session_key[23],
c->session_key[24], c->session_key[25], c->session_key[26], c->session_key[27],
c->session_key[28], c->session_key[29], c->session_key[30], c->session_key[21]);
break;
}
DBG("session salt %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n",
c->session_salt[0], c->session_salt[1], c->session_salt[2], c->session_salt[3],
c->session_salt[4], c->session_salt[5], c->session_salt[6], c->session_salt[7],
@ -2014,7 +2076,7 @@ retry:
kfree(rda);
goto retry;
}
t->dest_addr_hash.addrs[rh_it] = rda;
re_bitfield_set(&t->dest_addr_hash.addrs_bf, rh_it);

8
kernel-module/xt_RTPENGINE.h
Unescape View File

@ -41,8 +41,10 @@ struct re_address {
enum rtpengine_cipher {
REC_INVALID = 0,
REC_NULL,
REC_AES_CM,
REC_AES_CM_128,
REC_AES_F8,
REC_AES_CM_192,
REC_AES_CM_256,
__REC_LAST
};
@ -59,8 +61,10 @@ enum rtpengine_hmac {
struct rtpengine_srtp {
enum rtpengine_cipher cipher;
enum rtpengine_hmac hmac;
unsigned char master_key[16];
unsigned char master_key[32];
unsigned int master_key_len;
unsigned char master_salt[14];
unsigned int session_key_len;
unsigned char mki[256]; /* XXX uses too much memory? */
u_int64_t last_index;
unsigned int auth_tag_len; /* in bytes */

Write Preview
Loading…
Cancel
Save