From b8a2f015ad57be93a1019447febf8425cf90946c Mon Sep 17 00:00:00 2001 From: Anthony Alba Date: Fri, 17 Mar 2017 20:59:22 -1000 Subject: [PATCH 1/7] Initial support for AES-192, AES-256 in userspace --- daemon/crypto.c | 129 +++++++++++++++++++++++++++++++++++++++++++++--- daemon/crypto.h | 4 +- daemon/sdp.c | 10 ++-- 3 files changed, 130 insertions(+), 13 deletions(-) diff --git a/daemon/crypto.c b/daemon/crypto.c index e70949eb7..e75443828 100644 --- a/daemon/crypto.c +++ b/daemon/crypto.c @@ -84,6 +84,102 @@ const struct crypto_suite crypto_suites[] = { .session_key_init = aes_cm_session_key_init, .session_key_cleanup = evp_session_key_cleanup, }, + { + .name = "AES_CM_192_HMAC_SHA1_80", + //.dtls_name = "SRTP_AES128_CM_SHA1_80", + .master_key_len = 24, + .master_salt_len = 14, + .session_key_len = 24, + .session_salt_len = 14, + .srtp_lifetime = 1ULL << 48, + .srtcp_lifetime = 1ULL << 31, + //.kernel_cipher = REC_AES_CM, + //.kernel_hmac = REH_HMAC_SHA1, + .srtp_auth_tag = 10, + .srtcp_auth_tag = 10, + .srtp_auth_key_len = 20, + .srtcp_auth_key_len = 20, + .encrypt_rtp = aes_cm_encrypt_rtp, + .decrypt_rtp = aes_cm_encrypt_rtp, + .encrypt_rtcp = aes_cm_encrypt_rtcp, + .decrypt_rtcp = aes_cm_encrypt_rtcp, + .hash_rtp = hmac_sha1_rtp, + .hash_rtcp = hmac_sha1_rtcp, + .session_key_init = aes_cm_session_key_init, + .session_key_cleanup = evp_session_key_cleanup, + }, + { + .name = "AES_CM_192_HMAC_SHA1_32", + //.dtls_name = "SRTP_AES128_CM_SHA1_32", + .master_key_len = 24, + .master_salt_len = 14, + .session_key_len = 24, + .session_salt_len = 14, + .srtp_lifetime = 1ULL << 48, + .srtcp_lifetime = 1ULL << 31, + //.kernel_cipher = REC_AES_CM, + //.kernel_hmac = REH_HMAC_SHA1, + .srtp_auth_tag = 4, + .srtcp_auth_tag = 10, + .srtp_auth_key_len = 20, + .srtcp_auth_key_len = 20, + .encrypt_rtp = aes_cm_encrypt_rtp, + .decrypt_rtp = aes_cm_encrypt_rtp, + .encrypt_rtcp = aes_cm_encrypt_rtcp, + .decrypt_rtcp = aes_cm_encrypt_rtcp, + .hash_rtp = hmac_sha1_rtp, + .hash_rtcp = hmac_sha1_rtcp, + .session_key_init = aes_cm_session_key_init, + .session_key_cleanup = evp_session_key_cleanup, + }, + { + .name = "AES_CM_256_HMAC_SHA1_80", + //.dtls_name = "SRTP_AES128_CM_SHA1_80", + .master_key_len = 32, + .master_salt_len = 14, + .session_key_len = 32, + .session_salt_len = 14, + .srtp_lifetime = 1ULL << 48, + .srtcp_lifetime = 1ULL << 31, + //.kernel_cipher = REC_AES_CM, + //.kernel_hmac = REH_HMAC_SHA1, + .srtp_auth_tag = 10, + .srtcp_auth_tag = 10, + .srtp_auth_key_len = 20, + .srtcp_auth_key_len = 20, + .encrypt_rtp = aes_cm_encrypt_rtp, + .decrypt_rtp = aes_cm_encrypt_rtp, + .encrypt_rtcp = aes_cm_encrypt_rtcp, + .decrypt_rtcp = aes_cm_encrypt_rtcp, + .hash_rtp = hmac_sha1_rtp, + .hash_rtcp = hmac_sha1_rtcp, + .session_key_init = aes_cm_session_key_init, + .session_key_cleanup = evp_session_key_cleanup, + }, + { + .name = "AES_CM_256_HMAC_SHA1_32", + //.dtls_name = "SRTP_AES128_CM_SHA1_32", + .master_key_len = 32, + .master_salt_len = 14, + .session_key_len = 32, + .session_salt_len = 14, + .srtp_lifetime = 1ULL << 48, + .srtcp_lifetime = 1ULL << 31, + //.kernel_cipher = REC_AES_CM, + //.kernel_hmac = REH_HMAC_SHA1, + .srtp_auth_tag = 4, + .srtcp_auth_tag = 10, + .srtp_auth_key_len = 20, + .srtcp_auth_key_len = 20, + .encrypt_rtp = aes_cm_encrypt_rtp, + .decrypt_rtp = aes_cm_encrypt_rtp, + .encrypt_rtcp = aes_cm_encrypt_rtcp, + .decrypt_rtcp = aes_cm_encrypt_rtcp, + .hash_rtp = hmac_sha1_rtp, + .hash_rtcp = hmac_sha1_rtcp, + .session_key_init = aes_cm_session_key_init, + .session_key_cleanup = evp_session_key_cleanup, + }, { .name = "F8_128_HMAC_SHA1_80", // .dtls_name = "SRTP_AES128_F8_SHA1_80", @@ -259,10 +355,11 @@ done: ; } -static void aes_ctr_128_no_ctx(unsigned char *out, str *in, const unsigned char *key, const unsigned char *iv) { +static void aes_ctr_128_no_ctx(unsigned char *out, str *in, const unsigned char *key, int keylen, const unsigned char *iv) { EVP_CIPHER_CTX *ctx; unsigned char block[16]; int len; + EVP_CIPHER *ecb_cipher; #if OPENSSL_VERSION_NUMBER >= 0x10100000L ctx = EVP_CIPHER_CTX_new(); @@ -271,7 +368,18 @@ static void aes_ctr_128_no_ctx(unsigned char *out, str *in, const unsigned char ctx = &ctx_s; EVP_CIPHER_CTX_init(ctx); #endif - EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, key, NULL); + switch(keylen) { + case 16: + ecb_cipher = EVP_aes_128_ecb(); + break; + case 24: + ecb_cipher = EVP_aes_192_ecb(); + break; + case 32: + ecb_cipher = EVP_aes_256_ecb(); + break; + } + EVP_EncryptInit_ex(ctx, ecb_cipher, NULL, key, NULL); aes_ctr_128(out, in, ctx, iv); EVP_EncryptFinal_ex(ctx, block, &len); @@ -287,7 +395,7 @@ static void aes_ctr_128_no_ctx(unsigned char *out, str *in, const unsigned char * x: 112 bits * n <= 256 * out->len := n / 8 */ -static void prf_n(str *out, const unsigned char *key, const unsigned char *x) { +static void prf_n(str *out, const unsigned char *key, int keylen, const unsigned char *x) { unsigned char iv[16]; unsigned char o[32]; unsigned char in[32]; @@ -300,7 +408,7 @@ static void prf_n(str *out, const unsigned char *key, const unsigned char *x) { /* iv[14] = iv[15] = 0; := x << 16 */ ZERO(in); /* outputs the key stream */ str_init_len(&in_s, (void *) in, out->len > 16 ? 32 : 16); - aes_ctr_128_no_ctx(o, &in_s, key, iv); + aes_ctr_128_no_ctx(o, &in_s, key, keylen, iv); memcpy(out->s, o, out->len); } @@ -322,7 +430,7 @@ int crypto_gen_session_key(struct crypto_context *c, str *out, unsigned char lab for (i = 13 - index_len; i < 14; i++) x[i] = key_id[i - (13 - index_len)] ^ x[i]; - prf_n(out, c->params.master_key, x); + prf_n(out, c->params.master_key, c->params.crypto_suite->master_key_len, x); #if CRYPTO_DEBUG ilog(LOG_DEBUG, "Generated session key: master key " @@ -516,6 +624,7 @@ static int hmac_sha1_rtcp(struct crypto_context *c, char *out, str *in) { } static int aes_cm_session_key_init(struct crypto_context *c) { + EVP_CIPHER * ecb_cipher; evp_session_key_cleanup(c); #if OPENSSL_VERSION_NUMBER >= 0x10100000L @@ -524,7 +633,15 @@ static int aes_cm_session_key_init(struct crypto_context *c) { c->session_key_ctx[0] = g_slice_alloc(sizeof(EVP_CIPHER_CTX)); EVP_CIPHER_CTX_init(c->session_key_ctx[0]); #endif - EVP_EncryptInit_ex(c->session_key_ctx[0], EVP_aes_128_ecb(), NULL, + switch(c->params.crypto_suite->session_key_len) { + case 16: + ecb_cipher = EVP_aes_128_ecb(); + case 24: + ecb_cipher = EVP_aes_192_ecb(); + case 32: + ecb_cipher = EVP_aes_256_ecb(); + } + EVP_EncryptInit_ex(c->session_key_ctx[0], ecb_cipher, NULL, (unsigned char *) c->session_key, NULL); return 0; } diff --git a/daemon/crypto.h b/daemon/crypto.h index b723857f4..0095697f9 100644 --- a/daemon/crypto.h +++ b/daemon/crypto.h @@ -11,9 +11,9 @@ -#define SRTP_MAX_MASTER_KEY_LEN 16 +#define SRTP_MAX_MASTER_KEY_LEN 32 #define SRTP_MAX_MASTER_SALT_LEN 14 -#define SRTP_MAX_SESSION_KEY_LEN 16 +#define SRTP_MAX_SESSION_KEY_LEN 32 #define SRTP_MAX_SESSION_SALT_LEN 14 #define SRTP_MAX_SESSION_AUTH_LEN 20 diff --git a/daemon/sdp.c b/daemon/sdp.c index 22616775a..a8a6f499f 100644 --- a/daemon/sdp.c +++ b/daemon/sdp.c @@ -1,8 +1,8 @@ #include "sdp.h" #include -#include -#include +#include +#include #include #include @@ -274,7 +274,7 @@ INLINE int extract_token(char **sp, char *end, str *out) { *sp = space + 1; } return 0; - + } #define EXTRACT_TOKEN(field) if (extract_token(&start, end, &output->field)) return -1 #define EXTRACT_NETWORK_ADDRESS_NP(field) \ @@ -978,10 +978,10 @@ int sdp_parse(str *body, GQueue *sessions) { if (line_end - value < 4) break; if (!memcmp(value, "RR:", 3)) - *(media ? &media->rr : &session->rr) = + *(media ? &media->rr : &session->rr) = (line_end - value == 4 && value[3] == '0') ? 0 : 1; else if (!memcmp(value, "RS:", 3)) - *(media ? &media->rs : &session->rs) = + *(media ? &media->rs : &session->rs) = (line_end - value == 4 && value[3] == '0') ? 0 : 1; break; From 357bb1d50fb566a5dabbdd50241c681f161a5aea Mon Sep 17 00:00:00 2001 From: Anthony Alba Date: Wed, 22 Mar 2017 12:27:49 +0800 Subject: [PATCH 2/7] Refactor to add explicit session key init functions --- daemon/crypto.c | 75 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 50 insertions(+), 25 deletions(-) diff --git a/daemon/crypto.c b/daemon/crypto.c index e75443828..6bf6cd955 100644 --- a/daemon/crypto.c +++ b/daemon/crypto.c @@ -28,7 +28,9 @@ static int hmac_sha1_rtp(struct crypto_context *, char *out, str *in, u_int64_t) static int hmac_sha1_rtcp(struct crypto_context *, char *out, str *in); static int aes_f8_encrypt_rtp(struct crypto_context *c, struct rtp_header *r, str *s, u_int64_t idx); static int aes_f8_encrypt_rtcp(struct crypto_context *c, struct rtcp_packet *r, str *s, u_int64_t idx); -static int aes_cm_session_key_init(struct crypto_context *c); +static int aes_cm_session_key_init_128(struct crypto_context *c); +static int aes_cm_session_key_init_192(struct crypto_context *c); +static int aes_cm_session_key_init_256(struct crypto_context *c); static int aes_f8_session_key_init(struct crypto_context *c); static int evp_session_key_cleanup(struct crypto_context *c); static int null_crypt_rtp(struct crypto_context *c, struct rtp_header *r, str *s, u_int64_t idx); @@ -57,7 +59,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init, + .session_key_init = aes_cm_session_key_init_128, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -81,7 +83,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init, + .session_key_init = aes_cm_session_key_init_128, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -105,7 +107,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init, + .session_key_init = aes_cm_session_key_init_192, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -129,7 +131,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init, + .session_key_init = aes_cm_session_key_init_192, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -153,7 +155,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init, + .session_key_init = aes_cm_session_key_init_256, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -177,7 +179,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init, + .session_key_init = aes_cm_session_key_init_256, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -307,7 +309,7 @@ const struct crypto_suite *crypto_find_suite(const str *s) { /* rfc 3711 section 4.1 and 4.1.1 * "in" and "out" MAY point to the same buffer */ -static void aes_ctr_128(unsigned char *out, str *in, EVP_CIPHER_CTX *ecc, const unsigned char *iv) { +static void aes_ctr(unsigned char *out, str *in, EVP_CIPHER_CTX *ecc, const unsigned char *iv) { unsigned char ivx[16]; unsigned char key_block[16]; unsigned char *p, *q; @@ -355,11 +357,11 @@ done: ; } -static void aes_ctr_128_no_ctx(unsigned char *out, str *in, const unsigned char *key, int keylen, const unsigned char *iv) { +static void aes_ctr_no_ctx(unsigned char *out, str *in, const unsigned char *key, int keylen, const unsigned char *iv) { EVP_CIPHER_CTX *ctx; unsigned char block[16]; int len; - EVP_CIPHER *ecb_cipher; + const EVP_CIPHER *ecb_cipher; #if OPENSSL_VERSION_NUMBER >= 0x10100000L ctx = EVP_CIPHER_CTX_new(); @@ -378,9 +380,13 @@ static void aes_ctr_128_no_ctx(unsigned char *out, str *in, const unsigned char case 32: ecb_cipher = EVP_aes_256_ecb(); break; + default: + // silence -Wmaybe-unintialized; must not end up here + assert(FALSE); + break; } EVP_EncryptInit_ex(ctx, ecb_cipher, NULL, key, NULL); - aes_ctr_128(out, in, ctx, iv); + aes_ctr(out, in, ctx, iv); EVP_EncryptFinal_ex(ctx, block, &len); #if OPENSSL_VERSION_NUMBER >= 0x10100000L @@ -408,7 +414,7 @@ static void prf_n(str *out, const unsigned char *key, int keylen, const unsigned /* iv[14] = iv[15] = 0; := x << 16 */ ZERO(in); /* outputs the key stream */ str_init_len(&in_s, (void *) in, out->len > 16 ? 32 : 16); - aes_ctr_128_no_ctx(o, &in_s, key, keylen, iv); + aes_ctr_no_ctx(o, &in_s, key, keylen, iv); memcpy(out->s, o, out->len); } @@ -474,7 +480,7 @@ static int aes_cm_encrypt(struct crypto_context *c, u_int32_t ssrc, str *s, u_in ivi[2] ^= idxh; ivi[3] ^= idxl; - aes_ctr_128((void *) s->s, s, c->session_key_ctx[0], iv); + aes_ctr((void *) s->s, s, c->session_key_ctx[0], iv); return 0; } @@ -623,8 +629,7 @@ static int hmac_sha1_rtcp(struct crypto_context *c, char *out, str *in) { return 0; } -static int aes_cm_session_key_init(struct crypto_context *c) { - EVP_CIPHER * ecb_cipher; +static int aes_cm_session_key_init_128(struct crypto_context *c) { evp_session_key_cleanup(c); #if OPENSSL_VERSION_NUMBER >= 0x10100000L @@ -633,15 +638,35 @@ static int aes_cm_session_key_init(struct crypto_context *c) { c->session_key_ctx[0] = g_slice_alloc(sizeof(EVP_CIPHER_CTX)); EVP_CIPHER_CTX_init(c->session_key_ctx[0]); #endif - switch(c->params.crypto_suite->session_key_len) { - case 16: - ecb_cipher = EVP_aes_128_ecb(); - case 24: - ecb_cipher = EVP_aes_192_ecb(); - case 32: - ecb_cipher = EVP_aes_256_ecb(); - } - EVP_EncryptInit_ex(c->session_key_ctx[0], ecb_cipher, NULL, + EVP_EncryptInit_ex(c->session_key_ctx[0], EVP_aes_128_ecb(), NULL, + (unsigned char *) c->session_key, NULL); + return 0; +} + +static int aes_cm_session_key_init_192(struct crypto_context *c) { + evp_session_key_cleanup(c); + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + c->session_key_ctx[0] = EVP_CIPHER_CTX_new(); +#else + c->session_key_ctx[0] = g_slice_alloc(sizeof(EVP_CIPHER_CTX)); + EVP_CIPHER_CTX_init(c->session_key_ctx[0]); +#endif + EVP_EncryptInit_ex(c->session_key_ctx[0], EVP_aes_192_ecb(), NULL, + (unsigned char *) c->session_key, NULL); + return 0; +} + +static int aes_cm_session_key_init_256(struct crypto_context *c) { + evp_session_key_cleanup(c); + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + c->session_key_ctx[0] = EVP_CIPHER_CTX_new(); +#else + c->session_key_ctx[0] = g_slice_alloc(sizeof(EVP_CIPHER_CTX)); + EVP_CIPHER_CTX_init(c->session_key_ctx[0]); +#endif + EVP_EncryptInit_ex(c->session_key_ctx[0], EVP_aes_256_ecb(), NULL, (unsigned char *) c->session_key, NULL); return 0; } @@ -652,7 +677,7 @@ static int aes_f8_session_key_init(struct crypto_context *c) { int k_e_len, k_s_len; /* n_e, n_s */ unsigned char *key; - aes_cm_session_key_init(c); + aes_cm_session_key_init_128(c); k_e_len = c->params.crypto_suite->session_key_len; k_s_len = c->params.crypto_suite->session_salt_len; From d5cecc500fe13fbc817f59405f8276baa6dd06d2 Mon Sep 17 00:00:00 2001 From: Anthony Alba Date: Wed, 22 Mar 2017 20:55:06 +0800 Subject: [PATCH 3/7] Add AES-192, AES-256 CM to kernel SRTP --- daemon/crypto.c | 20 ++++---- daemon/media_socket.c | 2 + kernel-module/xt_RTPENGINE.c | 92 ++++++++++++++++++++++++++++++------ kernel-module/xt_RTPENGINE.h | 8 +++- 4 files changed, 95 insertions(+), 27 deletions(-) diff --git a/daemon/crypto.c b/daemon/crypto.c index 6bf6cd955..f3922178a 100644 --- a/daemon/crypto.c +++ b/daemon/crypto.c @@ -47,7 +47,7 @@ const struct crypto_suite crypto_suites[] = { .session_salt_len = 14, .srtp_lifetime = 1ULL << 48, .srtcp_lifetime = 1ULL << 31, - .kernel_cipher = REC_AES_CM, + .kernel_cipher = REC_AES_CM_128, .kernel_hmac = REH_HMAC_SHA1, .srtp_auth_tag = 10, .srtcp_auth_tag = 10, @@ -71,7 +71,7 @@ const struct crypto_suite crypto_suites[] = { .session_salt_len = 14, .srtp_lifetime = 1ULL << 48, .srtcp_lifetime = 1ULL << 31, - .kernel_cipher = REC_AES_CM, + .kernel_cipher = REC_AES_CM_128, .kernel_hmac = REH_HMAC_SHA1, .srtp_auth_tag = 4, .srtcp_auth_tag = 10, @@ -95,8 +95,8 @@ const struct crypto_suite crypto_suites[] = { .session_salt_len = 14, .srtp_lifetime = 1ULL << 48, .srtcp_lifetime = 1ULL << 31, - //.kernel_cipher = REC_AES_CM, - //.kernel_hmac = REH_HMAC_SHA1, + .kernel_cipher = REC_AES_CM_192, + .kernel_hmac = REH_HMAC_SHA1, .srtp_auth_tag = 10, .srtcp_auth_tag = 10, .srtp_auth_key_len = 20, @@ -119,8 +119,8 @@ const struct crypto_suite crypto_suites[] = { .session_salt_len = 14, .srtp_lifetime = 1ULL << 48, .srtcp_lifetime = 1ULL << 31, - //.kernel_cipher = REC_AES_CM, - //.kernel_hmac = REH_HMAC_SHA1, + .kernel_cipher = REC_AES_CM_192, + .kernel_hmac = REH_HMAC_SHA1, .srtp_auth_tag = 4, .srtcp_auth_tag = 10, .srtp_auth_key_len = 20, @@ -143,8 +143,8 @@ const struct crypto_suite crypto_suites[] = { .session_salt_len = 14, .srtp_lifetime = 1ULL << 48, .srtcp_lifetime = 1ULL << 31, - //.kernel_cipher = REC_AES_CM, - //.kernel_hmac = REH_HMAC_SHA1, + .kernel_cipher = REC_AES_CM_256, + .kernel_hmac = REH_HMAC_SHA1, .srtp_auth_tag = 10, .srtcp_auth_tag = 10, .srtp_auth_key_len = 20, @@ -167,8 +167,8 @@ const struct crypto_suite crypto_suites[] = { .session_salt_len = 14, .srtp_lifetime = 1ULL << 48, .srtcp_lifetime = 1ULL << 31, - //.kernel_cipher = REC_AES_CM, - //.kernel_hmac = REH_HMAC_SHA1, + .kernel_cipher = REC_AES_CM_256, + .kernel_hmac = REH_HMAC_SHA1, .srtp_auth_tag = 4, .srtcp_auth_tag = 10, .srtp_auth_key_len = 20, diff --git a/daemon/media_socket.c b/daemon/media_socket.c index afafd5210..62c06adf9 100644 --- a/daemon/media_socket.c +++ b/daemon/media_socket.c @@ -826,6 +826,8 @@ static int __k_srtp_crypt(struct rtpengine_srtp *s, struct crypto_context *c) { if (c->params.mki_len) memcpy(s->mki, c->params.mki, c->params.mki_len); memcpy(s->master_key, c->params.master_key, c->params.crypto_suite->master_key_len); + s->master_key_len = c->params.crypto_suite->master_key_len; + s->session_key_len = c->params.crypto_suite->session_key_len; memcpy(s->master_salt, c->params.master_salt, c->params.crypto_suite->master_salt_len); if (c->params.session_params.unencrypted_srtp) diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c index 2108a1efa..a237ad234 100644 --- a/kernel-module/xt_RTPENGINE.c +++ b/kernel-module/xt_RTPENGINE.c @@ -231,7 +231,7 @@ static inline int bitfield_clear(unsigned long *bf, unsigned int i); struct re_crypto_context { spinlock_t lock; /* protects roc and last_index */ - unsigned char session_key[16]; + unsigned char session_key[32]; unsigned char session_salt[14]; unsigned char session_auth_key[20]; u_int32_t roc; @@ -501,9 +501,9 @@ static const struct re_cipher re_ciphers[] = { .id = REC_NULL, .name = "NULL", }, - [REC_AES_CM] = { - .id = REC_AES_CM, - .name = "AES-CM", + [REC_AES_CM_128] = { + .id = REC_AES_CM_128, + .name = "AES-CM-128", .tfm_name = "aes", .decrypt = srtp_encrypt_aes_cm, .encrypt = srtp_encrypt_aes_cm, @@ -516,6 +516,20 @@ static const struct re_cipher re_ciphers[] = { .encrypt = srtp_encrypt_aes_f8, .session_key_init = aes_f8_session_key_init, }, + [REC_AES_CM_192] = { + .id = REC_AES_CM_192, + .name = "AES-CM-192", + .tfm_name = "aes", + .decrypt = srtp_encrypt_aes_cm, + .encrypt = srtp_encrypt_aes_cm, + }, + [REC_AES_CM_256] = { + .id = REC_AES_CM_256, + .name = "AES-CM-256", + .tfm_name = "aes", + .decrypt = srtp_encrypt_aes_cm, + .encrypt = srtp_encrypt_aes_cm, + }, }; static const struct re_hmac re_hmacs[] = { @@ -1700,7 +1714,7 @@ static void aes_f8(unsigned char *in_out, int in_len, u_int32_t *xu; crypto_cipher_encrypt_one(iv_tfm, ivx, iv); - + pi = (void *) in_out; ki = (void *) key_block; lki = (void *) last_key_block; @@ -1747,7 +1761,7 @@ done: } static int aes_ctr_128_no_ctx(unsigned char *out, const char *in, int in_len, - const unsigned char *key, const unsigned char *iv) + const unsigned char *key, unsigned int key_len, const unsigned char *iv) { struct crypto_cipher *tfm; @@ -1755,14 +1769,14 @@ static int aes_ctr_128_no_ctx(unsigned char *out, const char *in, int in_len, if (IS_ERR(tfm)) return PTR_ERR(tfm); - crypto_cipher_setkey(tfm, key, 16); + crypto_cipher_setkey(tfm, key, key_len); aes_ctr_128(out, in, in_len, tfm, iv); crypto_free_cipher(tfm); return 0; } -static int prf_n(unsigned char *out, int len, const unsigned char *key, const unsigned char *x) { +static int prf_n(unsigned char *out, int len, const unsigned char *key, unsigned int key_len, const unsigned char *x) { unsigned char iv[16]; unsigned char o[32]; unsigned char in[32]; @@ -1773,7 +1787,7 @@ static int prf_n(unsigned char *out, int len, const unsigned char *key, const un in_len = len > 16 ? 32 : 16; memset(in, 0, in_len); - ret = aes_ctr_128_no_ctx(o, in, in_len, key, iv); + ret = aes_ctr_128_no_ctx(o, in, in_len, key, key_len, iv); if (ret) return ret; @@ -1795,7 +1809,7 @@ static int gen_session_key(unsigned char *out, int len, struct rtpengine_srtp *s for (i = 13 - 6; i < 14; i++) x[i] = key_id[i - (13 - 6)] ^ x[i]; - ret = prf_n(out, len, s->master_key, x); + ret = prf_n(out, len, s->master_key, s->master_key_len, x); if (ret) return ret; return 0; @@ -1836,7 +1850,7 @@ static int gen_session_keys(struct re_crypto_context *c, struct rtpengine_srtp * if (s->cipher == REC_NULL && s->hmac == REH_NULL) return 0; err = "failed to generate session key"; - ret = gen_session_key(c->session_key, 16, s, 0x00); + ret = gen_session_key(c->session_key, s->session_key_len, s, 0x00); if (ret) goto error; ret = gen_session_key(c->session_auth_key, 20, s, 0x01); @@ -1854,7 +1868,7 @@ static int gen_session_keys(struct re_crypto_context *c, struct rtpengine_srtp * c->tfm[0] = NULL; goto error; } - crypto_cipher_setkey(c->tfm[0], c->session_key, 16); + crypto_cipher_setkey(c->tfm[0], c->session_key, s->session_key_len); } if (c->cipher->session_key_init) { @@ -1874,21 +1888,69 @@ static int gen_session_keys(struct re_crypto_context *c, struct rtpengine_srtp * crypto_shash_setkey(c->shash, c->session_auth_key, 20); } - DBG("master key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", + switch(s->master_key_len) { + case 16: + DBG("master key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", s->master_key[0], s->master_key[1], s->master_key[2], s->master_key[3], s->master_key[4], s->master_key[5], s->master_key[6], s->master_key[7], s->master_key[8], s->master_key[9], s->master_key[10], s->master_key[11], s->master_key[12], s->master_key[13], s->master_key[14], s->master_key[15]); + break; + case 24: + DBG("master key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", + s->master_key[0], s->master_key[1], s->master_key[2], s->master_key[3], + s->master_key[4], s->master_key[5], s->master_key[6], s->master_key[7], + s->master_key[8], s->master_key[9], s->master_key[10], s->master_key[11], + s->master_key[12], s->master_key[13], s->master_key[14], s->master_key[15], + s->master_key[16], s->master_key[17], s->master_key[18], s->master_key[19], + s->master_key[20], s->master_key[21], s->master_key[22], s->master_key[23]); + break; + case 32: + DBG("master key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", + s->master_key[0], s->master_key[1], s->master_key[2], s->master_key[3], + s->master_key[4], s->master_key[5], s->master_key[6], s->master_key[7], + s->master_key[8], s->master_key[9], s->master_key[10], s->master_key[11], + s->master_key[12], s->master_key[13], s->master_key[14], s->master_key[15], + s->master_key[16], s->master_key[17], s->master_key[18], s->master_key[19], + s->master_key[20], s->master_key[21], s->master_key[22], s->master_key[23], + s->master_key[24], s->master_key[25], s->master_key[26], s->master_key[27], + s->master_key[28], s->master_key[29], s->master_key[30], s->master_key[21]); + break; + } DBG("master salt %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", s->master_salt[0], s->master_salt[1], s->master_salt[2], s->master_salt[3], s->master_salt[4], s->master_salt[5], s->master_salt[6], s->master_salt[7], s->master_salt[8], s->master_salt[9], s->master_salt[10], s->master_salt[11], s->master_salt[12], s->master_salt[13]); - DBG("session key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", + switch(s->session_key_len) { + case 16: + DBG("session key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", c->session_key[0], c->session_key[1], c->session_key[2], c->session_key[3], c->session_key[4], c->session_key[5], c->session_key[6], c->session_key[7], c->session_key[8], c->session_key[9], c->session_key[10], c->session_key[11], c->session_key[12], c->session_key[13], c->session_key[14], c->session_key[15]); + break; + case 24: + DBG("session key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", + c->session_key[0], c->session_key[1], c->session_key[2], c->session_key[3], + c->session_key[4], c->session_key[5], c->session_key[6], c->session_key[7], + c->session_key[8], c->session_key[9], c->session_key[10], c->session_key[11], + c->session_key[12], c->session_key[13], c->session_key[14], c->session_key[15], + c->session_key[16], c->session_key[17], c->session_key[18], c->session_key[19], + c->session_key[20], c->session_key[21], c->session_key[22], c->session_key[23]); + break; + case 32: + DBG("session key %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", + c->session_key[0], c->session_key[1], c->session_key[2], c->session_key[3], + c->session_key[4], c->session_key[5], c->session_key[6], c->session_key[7], + c->session_key[8], c->session_key[9], c->session_key[10], c->session_key[11], + c->session_key[12], c->session_key[13], c->session_key[14], c->session_key[15], + c->session_key[16], c->session_key[17], c->session_key[18], c->session_key[19], + c->session_key[20], c->session_key[21], c->session_key[22], c->session_key[23], + c->session_key[24], c->session_key[25], c->session_key[26], c->session_key[27], + c->session_key[28], c->session_key[29], c->session_key[30], c->session_key[21]); + break; + } DBG("session salt %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", c->session_salt[0], c->session_salt[1], c->session_salt[2], c->session_salt[3], c->session_salt[4], c->session_salt[5], c->session_salt[6], c->session_salt[7], @@ -2014,7 +2076,7 @@ retry: kfree(rda); goto retry; } - + t->dest_addr_hash.addrs[rh_it] = rda; re_bitfield_set(&t->dest_addr_hash.addrs_bf, rh_it); diff --git a/kernel-module/xt_RTPENGINE.h b/kernel-module/xt_RTPENGINE.h index 08d6964ac..812432b03 100644 --- a/kernel-module/xt_RTPENGINE.h +++ b/kernel-module/xt_RTPENGINE.h @@ -41,8 +41,10 @@ struct re_address { enum rtpengine_cipher { REC_INVALID = 0, REC_NULL, - REC_AES_CM, + REC_AES_CM_128, REC_AES_F8, + REC_AES_CM_192, + REC_AES_CM_256, __REC_LAST }; @@ -59,8 +61,10 @@ enum rtpengine_hmac { struct rtpengine_srtp { enum rtpengine_cipher cipher; enum rtpengine_hmac hmac; - unsigned char master_key[16]; + unsigned char master_key[32]; + unsigned int master_key_len; unsigned char master_salt[14]; + unsigned int session_key_len; unsigned char mki[256]; /* XXX uses too much memory? */ u_int64_t last_index; unsigned int auth_tag_len; /* in bytes */ From 373904236c302b447f895a8cec559ded79d13c39 Mon Sep 17 00:00:00 2001 From: Richard Fuchs Date: Wed, 22 Mar 2017 09:50:31 -0400 Subject: [PATCH 4/7] rename macro due to collision Change-Id: I816f2f04d1df9eac7bb4126dbc810ec9b5737c84 --- kernel-module/xt_RTPENGINE.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c index e30611382..4c96a2fd3 100644 --- a/kernel-module/xt_RTPENGINE.c +++ b/kernel-module/xt_RTPENGINE.c @@ -338,7 +338,7 @@ struct re_stream { int eof; }; -#define HASH_BITS 8 /* make configurable? */ +#define RE_HASH_BITS 8 /* make configurable? */ struct rtpengine_table { atomic_t refcnt; rwlock_t target_lock; @@ -358,10 +358,10 @@ struct rtpengine_table { struct list_head calls; /* protected by calls.lock */ - spinlock_t calls_hash_lock[1 << HASH_BITS]; - struct hlist_head calls_hash[1 << HASH_BITS]; - spinlock_t streams_hash_lock[1 << HASH_BITS]; - struct hlist_head streams_hash[1 << HASH_BITS]; + spinlock_t calls_hash_lock[1 << RE_HASH_BITS]; + struct hlist_head calls_hash[1 << RE_HASH_BITS]; + spinlock_t streams_hash_lock[1 << RE_HASH_BITS]; + struct hlist_head streams_hash[1 << RE_HASH_BITS]; }; struct re_cipher { @@ -2479,7 +2479,7 @@ static int table_new_call(struct rtpengine_table *table, struct rtpengine_call_i /* check for name collisions */ call->hash_bucket = crc32_le(0x52342, info->call_id, strlen(info->call_id)); - call->hash_bucket = call->hash_bucket & ((1 << HASH_BITS) - 1); + call->hash_bucket = call->hash_bucket & ((1 << RE_HASH_BITS) - 1); spin_lock_irqsave(&table->calls_hash_lock[call->hash_bucket], flags); @@ -2655,7 +2655,7 @@ static int table_new_stream(struct rtpengine_table *table, struct rtpengine_stre /* check for name collisions */ stream->hash_bucket = crc32_le(0x52342 ^ info->call_idx, info->stream_name, strlen(info->stream_name)); - stream->hash_bucket = stream->hash_bucket & ((1 << HASH_BITS) - 1); + stream->hash_bucket = stream->hash_bucket & ((1 << RE_HASH_BITS) - 1); spin_lock_irqsave(&table->streams_hash_lock[stream->hash_bucket], flags); From 5c0dc629c14e4dad72c0740183f0fb53b8d18995 Mon Sep 17 00:00:00 2001 From: Richard Fuchs Date: Wed, 22 Mar 2017 09:54:47 -0400 Subject: [PATCH 5/7] consolidate AES crypto suites for different key lengths Change-Id: I2d031ed7dd6b9154203b79f2a6dba2b246d2063b --- daemon/crypto.c | 101 +++++++++++++---------------------- daemon/crypto.h | 5 +- daemon/main.c | 1 + kernel-module/xt_RTPENGINE.c | 6 +-- 4 files changed, 46 insertions(+), 67 deletions(-) diff --git a/daemon/crypto.c b/daemon/crypto.c index f3922178a..75f4651e6 100644 --- a/daemon/crypto.c +++ b/daemon/crypto.c @@ -28,16 +28,14 @@ static int hmac_sha1_rtp(struct crypto_context *, char *out, str *in, u_int64_t) static int hmac_sha1_rtcp(struct crypto_context *, char *out, str *in); static int aes_f8_encrypt_rtp(struct crypto_context *c, struct rtp_header *r, str *s, u_int64_t idx); static int aes_f8_encrypt_rtcp(struct crypto_context *c, struct rtcp_packet *r, str *s, u_int64_t idx); -static int aes_cm_session_key_init_128(struct crypto_context *c); -static int aes_cm_session_key_init_192(struct crypto_context *c); -static int aes_cm_session_key_init_256(struct crypto_context *c); +static int aes_cm_session_key_init(struct crypto_context *c); static int aes_f8_session_key_init(struct crypto_context *c); static int evp_session_key_cleanup(struct crypto_context *c); static int null_crypt_rtp(struct crypto_context *c, struct rtp_header *r, str *s, u_int64_t idx); static int null_crypt_rtcp(struct crypto_context *c, struct rtcp_packet *r, str *s, u_int64_t idx); /* all lengths are in bytes */ -const struct crypto_suite crypto_suites[] = { +struct crypto_suite __crypto_suites[] = { { .name = "AES_CM_128_HMAC_SHA1_80", .dtls_name = "SRTP_AES128_CM_SHA1_80", @@ -59,7 +57,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init_128, + .session_key_init = aes_cm_session_key_init, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -83,7 +81,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init_128, + .session_key_init = aes_cm_session_key_init, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -107,7 +105,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init_192, + .session_key_init = aes_cm_session_key_init, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -131,7 +129,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init_192, + .session_key_init = aes_cm_session_key_init, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -155,7 +153,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init_256, + .session_key_init = aes_cm_session_key_init, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -179,7 +177,7 @@ const struct crypto_suite crypto_suites[] = { .decrypt_rtcp = aes_cm_encrypt_rtcp, .hash_rtp = hmac_sha1_rtp, .hash_rtcp = hmac_sha1_rtcp, - .session_key_init = aes_cm_session_key_init_256, + .session_key_init = aes_cm_session_key_init, .session_key_cleanup = evp_session_key_cleanup, }, { @@ -278,7 +276,8 @@ const struct crypto_suite crypto_suites[] = { }, }; -const int num_crypto_suites = G_N_ELEMENTS(crypto_suites); +const struct crypto_suite *crypto_suites = __crypto_suites; +const int num_crypto_suites = G_N_ELEMENTS(__crypto_suites); @@ -357,11 +356,12 @@ done: ; } -static void aes_ctr_no_ctx(unsigned char *out, str *in, const unsigned char *key, int keylen, const unsigned char *iv) { +static void aes_ctr_no_ctx(unsigned char *out, str *in, const unsigned char *key, const EVP_CIPHER *ciph, + const unsigned char *iv) +{ EVP_CIPHER_CTX *ctx; unsigned char block[16]; int len; - const EVP_CIPHER *ecb_cipher; #if OPENSSL_VERSION_NUMBER >= 0x10100000L ctx = EVP_CIPHER_CTX_new(); @@ -370,22 +370,7 @@ static void aes_ctr_no_ctx(unsigned char *out, str *in, const unsigned char *key ctx = &ctx_s; EVP_CIPHER_CTX_init(ctx); #endif - switch(keylen) { - case 16: - ecb_cipher = EVP_aes_128_ecb(); - break; - case 24: - ecb_cipher = EVP_aes_192_ecb(); - break; - case 32: - ecb_cipher = EVP_aes_256_ecb(); - break; - default: - // silence -Wmaybe-unintialized; must not end up here - assert(FALSE); - break; - } - EVP_EncryptInit_ex(ctx, ecb_cipher, NULL, key, NULL); + EVP_EncryptInit_ex(ctx, ciph, NULL, key, NULL); aes_ctr(out, in, ctx, iv); EVP_EncryptFinal_ex(ctx, block, &len); @@ -401,7 +386,7 @@ static void aes_ctr_no_ctx(unsigned char *out, str *in, const unsigned char *key * x: 112 bits * n <= 256 * out->len := n / 8 */ -static void prf_n(str *out, const unsigned char *key, int keylen, const unsigned char *x) { +static void prf_n(str *out, const unsigned char *key, const EVP_CIPHER *ciph, const unsigned char *x) { unsigned char iv[16]; unsigned char o[32]; unsigned char in[32]; @@ -414,7 +399,7 @@ static void prf_n(str *out, const unsigned char *key, int keylen, const unsigned /* iv[14] = iv[15] = 0; := x << 16 */ ZERO(in); /* outputs the key stream */ str_init_len(&in_s, (void *) in, out->len > 16 ? 32 : 16); - aes_ctr_no_ctx(o, &in_s, key, keylen, iv); + aes_ctr_no_ctx(o, &in_s, key, ciph, iv); memcpy(out->s, o, out->len); } @@ -436,7 +421,7 @@ int crypto_gen_session_key(struct crypto_context *c, str *out, unsigned char lab for (i = 13 - index_len; i < 14; i++) x[i] = key_id[i - (13 - index_len)] ^ x[i]; - prf_n(out, c->params.master_key, c->params.crypto_suite->master_key_len, x); + prf_n(out, c->params.master_key, c->params.crypto_suite->lib_cipher_ptr, x); #if CRYPTO_DEBUG ilog(LOG_DEBUG, "Generated session key: master key " @@ -629,35 +614,7 @@ static int hmac_sha1_rtcp(struct crypto_context *c, char *out, str *in) { return 0; } -static int aes_cm_session_key_init_128(struct crypto_context *c) { - evp_session_key_cleanup(c); - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - c->session_key_ctx[0] = EVP_CIPHER_CTX_new(); -#else - c->session_key_ctx[0] = g_slice_alloc(sizeof(EVP_CIPHER_CTX)); - EVP_CIPHER_CTX_init(c->session_key_ctx[0]); -#endif - EVP_EncryptInit_ex(c->session_key_ctx[0], EVP_aes_128_ecb(), NULL, - (unsigned char *) c->session_key, NULL); - return 0; -} - -static int aes_cm_session_key_init_192(struct crypto_context *c) { - evp_session_key_cleanup(c); - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - c->session_key_ctx[0] = EVP_CIPHER_CTX_new(); -#else - c->session_key_ctx[0] = g_slice_alloc(sizeof(EVP_CIPHER_CTX)); - EVP_CIPHER_CTX_init(c->session_key_ctx[0]); -#endif - EVP_EncryptInit_ex(c->session_key_ctx[0], EVP_aes_192_ecb(), NULL, - (unsigned char *) c->session_key, NULL); - return 0; -} - -static int aes_cm_session_key_init_256(struct crypto_context *c) { +static int aes_cm_session_key_init(struct crypto_context *c) { evp_session_key_cleanup(c); #if OPENSSL_VERSION_NUMBER >= 0x10100000L @@ -666,7 +623,7 @@ static int aes_cm_session_key_init_256(struct crypto_context *c) { c->session_key_ctx[0] = g_slice_alloc(sizeof(EVP_CIPHER_CTX)); EVP_CIPHER_CTX_init(c->session_key_ctx[0]); #endif - EVP_EncryptInit_ex(c->session_key_ctx[0], EVP_aes_256_ecb(), NULL, + EVP_EncryptInit_ex(c->session_key_ctx[0], c->params.crypto_suite->lib_cipher_ptr, NULL, (unsigned char *) c->session_key, NULL); return 0; } @@ -677,7 +634,7 @@ static int aes_f8_session_key_init(struct crypto_context *c) { int k_e_len, k_s_len; /* n_e, n_s */ unsigned char *key; - aes_cm_session_key_init_128(c); + aes_cm_session_key_init(c); k_e_len = c->params.crypto_suite->session_key_len; k_s_len = c->params.crypto_suite->session_salt_len; @@ -751,3 +708,21 @@ void crypto_dump_keys(struct crypto_context *in, struct crypto_context *out) { ilog(LOG_DEBUG, "SRTP keys, outgoing:"); dump_key(out); } + +void crypto_init_main() { + struct crypto_suite *cs; + for (int i = 0; i < num_crypto_suites; i++) { + cs = &__crypto_suites[i]; + switch(cs->master_key_len) { + case 16: + cs->lib_cipher_ptr = EVP_aes_128_ecb(); + break; + case 24: + cs->lib_cipher_ptr = EVP_aes_192_ecb(); + break; + case 32: + cs->lib_cipher_ptr = EVP_aes_256_ecb(); + break; + } + } +} diff --git a/daemon/crypto.h b/daemon/crypto.h index 0095697f9..de97ff436 100644 --- a/daemon/crypto.h +++ b/daemon/crypto.h @@ -56,6 +56,7 @@ struct crypto_suite { session_key_init_func session_key_init; session_key_cleanup_func session_key_cleanup; const char *dtls_profile_code; + const void *lib_cipher_ptr; }; struct crypto_session_params { @@ -97,11 +98,13 @@ struct rtp_ssrc_entry { u_int64_t index; }; -extern const struct crypto_suite crypto_suites[]; +extern const struct crypto_suite *crypto_suites; extern const int num_crypto_suites; +void crypto_init_main(); + const struct crypto_suite *crypto_find_suite(const str *); int crypto_gen_session_key(struct crypto_context *, str *, unsigned char, int); void crypto_dump_keys(struct crypto_context *in, struct crypto_context *out); diff --git a/daemon/main.c b/daemon/main.c index 310263304..05322dd45 100644 --- a/daemon/main.c +++ b/daemon/main.c @@ -514,6 +514,7 @@ static void init_everything() { sdp_init(); dtls_init(); ice_init(); + crypto_init_main(); interfaces_init(&interfaces); } diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c index 4c96a2fd3..0841d55f4 100644 --- a/kernel-module/xt_RTPENGINE.c +++ b/kernel-module/xt_RTPENGINE.c @@ -1651,7 +1651,7 @@ static int validate_srtp(struct rtpengine_srtp *s) { /* XXX shared code */ -static void aes_ctr_128(unsigned char *out, const unsigned char *in, int in_len, +static void aes_ctr(unsigned char *out, const unsigned char *in, int in_len, struct crypto_cipher *tfm, const unsigned char *iv) { unsigned char ivx[16]; @@ -1770,7 +1770,7 @@ static int aes_ctr_128_no_ctx(unsigned char *out, const char *in, int in_len, return PTR_ERR(tfm); crypto_cipher_setkey(tfm, key, key_len); - aes_ctr_128(out, in, in_len, tfm, iv); + aes_ctr(out, in, in_len, tfm, iv); crypto_free_cipher(tfm); return 0; @@ -3563,7 +3563,7 @@ static int srtp_encrypt_aes_cm(struct re_crypto_context *c, ivi[2] ^= idxh; ivi[3] ^= idxl; - aes_ctr_128(r->payload, r->payload, r->payload_len, c->tfm[0], iv); + aes_ctr(r->payload, r->payload, r->payload_len, c->tfm[0], iv); return 0; } From 37b22352e75c058d963e59b1a9b6891a62d1d24f Mon Sep 17 00:00:00 2001 From: Anthony Alba Date: Thu, 23 Mar 2017 01:37:19 +0800 Subject: [PATCH 6/7] Fix typos in DBG array indexing --- kernel-module/xt_RTPENGINE.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c index a237ad234..a64688f39 100644 --- a/kernel-module/xt_RTPENGINE.c +++ b/kernel-module/xt_RTPENGINE.c @@ -1914,7 +1914,7 @@ static int gen_session_keys(struct re_crypto_context *c, struct rtpengine_srtp * s->master_key[16], s->master_key[17], s->master_key[18], s->master_key[19], s->master_key[20], s->master_key[21], s->master_key[22], s->master_key[23], s->master_key[24], s->master_key[25], s->master_key[26], s->master_key[27], - s->master_key[28], s->master_key[29], s->master_key[30], s->master_key[21]); + s->master_key[28], s->master_key[29], s->master_key[30], s->master_key[31]); break; } DBG("master salt %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", @@ -1948,7 +1948,7 @@ static int gen_session_keys(struct re_crypto_context *c, struct rtpengine_srtp * c->session_key[16], c->session_key[17], c->session_key[18], c->session_key[19], c->session_key[20], c->session_key[21], c->session_key[22], c->session_key[23], c->session_key[24], c->session_key[25], c->session_key[26], c->session_key[27], - c->session_key[28], c->session_key[29], c->session_key[30], c->session_key[21]); + c->session_key[28], c->session_key[29], c->session_key[30], c->session_key[31]); break; } DBG("session salt %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", From 74b2559b043f37204697063bbe66daa4c503d41d Mon Sep 17 00:00:00 2001 From: Anthony Alba Date: Fri, 24 Mar 2017 17:58:47 +0800 Subject: [PATCH 7/7] AES CM static test vectors --- tests/Makefile.aes | 38 ++++++ tests/t_crypt.c | 288 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 326 insertions(+) create mode 100644 tests/Makefile.aes create mode 100644 tests/t_crypt.c diff --git a/tests/Makefile.aes b/tests/Makefile.aes new file mode 100644 index 000000000..46714a431 --- /dev/null +++ b/tests/Makefile.aes @@ -0,0 +1,38 @@ + +## +## Build daemon/ +## cd tests/ +## make -f Makefile.aes, output is binary t_crypt +## run: ./t_crypt + +CC = gcc + +CPPFLAGS = -I../daemon -I../lib +OBJS_DIR = ../daemon/ + +OBJS = crypto.o log.o loglib.o + +LDFLAGS = $(shell pkg-config --libs glib-2.0) +LDFLAGS += $(shell pkg-config --libs openssl) + +CFLAGS = -g $(shell pkg-config --cflags glib-2.0) -D_GNU_SOURCE + +%.d: %.c + @set -e; rm -f $@; \ + $(CC) -M $(CPPFLAGS) $(shell pkg-config --cflags glib-2.0) -D_GNU_SOURCE $< > $@.$$$$; \ + sed 's,\($*\)\.o[ :]*,\1.o $@ : ,g' < $@.$$$$ > $@; \ + rm -f $@.$$$$ + +all: t_crypt + +sources = t_crypt.c + +include $(sources:.c=.d) + +t_crypt: t_crypt.o + gcc -o $@ $< $(addprefix $(OBJS_DIR), $(OBJS)) $(LDFLAGS) + +.PHONY: clean + +clean: + -rm -f t_crypt t_crypt.o diff --git a/tests/t_crypt.c b/tests/t_crypt.c new file mode 100644 index 000000000..2ec710d79 --- /dev/null +++ b/tests/t_crypt.c @@ -0,0 +1,288 @@ +#include +#include + +#include "crypto.h" +#include "rtplib.h" + +uint8_t test_key[46] = { + 0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0, + 0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39, + 0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6, 0xc1, 0x73, + 0xc3, 0x17, 0xf2, 0xda, 0xbe, 0x35, 0x77, 0x93, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6 +}; + + + +uint8_t rtp_plaintext_ref[28] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab +}; + + +uint8_t rtcp_plaintext_ref[24] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, +}; + +// SRTP Test Vectors +// ROC = 0, SSRC = 0xcafebabe, SEQ_NUM = 0x1234 +uint8_t srtp_ciphertext_128[38] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0x4e, 0x55, 0xdc, 0x4c, + 0xe7, 0x99, 0x78, 0xd8, 0x8c, 0xa4, 0xd2, 0x15, + 0x94, 0x9d, 0x24, 0x02, 0xb7, 0x8d, 0x6a, 0xcc, + 0x99, 0xea, 0x17, 0x9b, 0x8d, 0xbb +}; + +uint8_t srtp_ciphertext_192[38] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0x01, 0x57, 0x81, 0x89, + 0x44, 0x62, 0x52, 0x9d, 0x91, 0xcf, 0x36, 0x59, + 0xd2, 0x46, 0x2d, 0xb3, 0x08, 0xd9, 0xa0, 0x44, + 0xc5, 0xd7, 0xd6, 0x8b, 0x26, 0xba +}; + +uint8_t srtp_ciphertext_256[38] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0x00, 0x98, 0x21, 0x9f, + 0x7e, 0xbd, 0xba, 0x1c, 0x3d, 0x22, 0xf4, 0x93, + 0x6f, 0x1e, 0xac, 0x99, 0x06, 0xf6, 0xb2, 0x27, + 0xc8, 0x49, 0x61, 0xa7, 0xb4, 0x28 +}; + + +// SRTCP Test Vectors +// SSRC = 0xcafebabe +uint8_t srtcp_ciphertext_128[38] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0x71, 0x28, 0x03, 0x5b, 0xe4, 0x87, 0xb9, 0xbd, + 0xbe, 0xf8, 0x90, 0x41, 0xf9, 0x77, 0xa5, 0xa8, + 0x80, 0x00, 0x00, 0x01, 0x99, 0x3e, 0x08, 0xcd, + 0x54, 0xd6, 0xc1, 0x23, 0x07, 0x98 +}; + +uint8_t srtcp_ciphertext_192[38] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0x96, 0x6d, 0x60, 0x3e, 0x71, 0xf9, 0xaf, 0x33, + 0x5c, 0xf9, 0x09, 0x1a, 0x50, 0xca, 0x4d, 0x3a, + 0x80, 0x00, 0x00, 0x01, 0xd4, 0x2b, 0x40, 0x21, + 0x8d, 0xde, 0x49, 0x90, 0xbd, 0xef +}; + +uint8_t srtcp_ciphertext_256[38] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0x0a, 0x86, 0x5d, 0x33, 0x9e, 0x31, 0x26, 0x93, + 0x59, 0x23, 0x87, 0xd4, 0x5b, 0x99, 0xa5, 0x57, + 0x80, 0x00, 0x00, 0x01, 0x84, 0xf3, 0xb4, 0xf2, + 0xb5, 0x95, 0x61, 0x5a, 0xf9, 0xb5 +}; + +// Another set of AES-256 test vectors from libsrtp +uint8_t aes_256_test_key[46] = { + 0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76, + 0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29, + 0x98, 0xf6, 0xf6, 0xe4, 0x3e, 0x43, 0x09, 0xd1, + 0xe6, 0x22, 0xa0, 0xe3, 0x32, 0xb9, 0xf1, 0xb6, + + 0x3b, 0x04, 0x80, 0x3d, 0xe5, 0x1e, 0xe7, 0xc9, + 0x64, 0x23, 0xab, 0x5b, 0x78, 0xd2 +}; +uint8_t aes_256_rtp_plaintext_ref[28] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab +}; + +uint8_t aes_256_srtp_ciphertext[38] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xf1, 0xd9, 0xde, 0x17, + 0xff, 0x25, 0x1f, 0xf1, 0xaa, 0x00, 0x77, 0x74, + 0xb0, 0xb4, 0xb4, 0x0d, 0xa0, 0x8d, 0x9d, 0x9a, + 0x5b, 0x3a, 0x55, 0xd8, 0x87, 0x3b +}; + + +#define RTP_HEADER_LEN 12 +#define RTCP_HEADER_LEN 8 +// Test: AES-128 CM +void srtp_validate (struct crypto_context *c, struct crypto_context *c2, char* message, uint8_t *plaintext, uint8_t *ciphertext, + uint8_t *rtcp_plaintext, uint8_t *rtcp_ciphertext) +{ + str payload, hash; + uint8_t o_hash[10]; + + uint8_t srtp_plaintext[38]; + uint8_t srtp_ciphertext[38]; + + uint8_t srtcp_plaintext[38]; + uint8_t srtcp_ciphertext[38]; + + memcpy(srtp_plaintext, plaintext, 28); + memcpy(srtp_ciphertext, ciphertext, 38); + // in-place crypto so we must encrypt first + payload.len = 16; + payload.s = srtp_plaintext+RTP_HEADER_LEN; + crypto_encrypt_rtp(c, (struct rtp_header *)srtp_plaintext, &payload, ntohs(((struct rtp_header *)srtp_plaintext)->seq_num)); + + hash.len = 28; + hash.s = srtp_plaintext; + c->params.crypto_suite->hash_rtp(c, srtp_plaintext+28, &hash, ntohs(((struct rtp_header *)srtp_plaintext)->seq_num)); + assert( memcmp(payload.s, srtp_ciphertext+RTP_HEADER_LEN, 26) == 0 ); + + printf("%s RTP encrypt: PASS\n", message); + + hash.s = srtp_ciphertext; + c->params.crypto_suite->hash_rtp(c, o_hash, &hash, ntohs(((struct rtp_header *)srtp_plaintext)->seq_num)); + payload.len = 16; + payload.s = srtp_ciphertext+RTP_HEADER_LEN; + crypto_decrypt_rtp(c, (struct rtp_header *)srtp_ciphertext, &payload, ntohs(((struct rtp_header *)srtp_ciphertext)->seq_num)); + assert( memcmp(payload.s, rtp_plaintext_ref+RTP_HEADER_LEN, 16) == 0 ); + assert( memcmp(o_hash, srtp_ciphertext+RTP_HEADER_LEN+16, 10) == 0 ); + + printf("%s RTP decrypt: PASS\n", message); + + // in-place crypto so we must encrypt first + if (!c2) return; + memcpy(srtcp_plaintext, rtcp_plaintext, 24); + memcpy(srtcp_ciphertext, rtcp_ciphertext, 38); + memcpy(srtcp_plaintext+24, srtcp_ciphertext+24, 4); + payload.len = 16; + payload.s = srtcp_plaintext+RTCP_HEADER_LEN; + crypto_encrypt_rtcp(c2, (struct rtcp_packet *)srtcp_plaintext, &payload, 1); + + hash.len = 28; + hash.s = srtcp_plaintext; + c->params.crypto_suite->hash_rtcp(c2, srtcp_plaintext+28, &hash); + assert( memcmp(payload.s, srtcp_ciphertext+RTCP_HEADER_LEN, 30) == 0 ); + + printf("%s RTCP encrypt: PASS\n", message); + + hash.s = srtcp_ciphertext; + c->params.crypto_suite->hash_rtcp(c2, o_hash, &hash); + payload.len = 16; + payload.s = srtcp_ciphertext+RTCP_HEADER_LEN; + crypto_decrypt_rtcp(c2, (struct rtcp_packet *)srtcp_ciphertext, &payload, 1); + assert( memcmp(payload.s, rtcp_plaintext_ref+RTCP_HEADER_LEN, 16) == 0 ); + assert( memcmp(o_hash, srtcp_ciphertext+RTCP_HEADER_LEN+16+4, 10) == 0 ); + + printf("%s RTCP decrypt: PASS\n", message); +} + +extern void crypto_init_main(); + +void check_session_keys(struct crypto_context *c, int i) { + str s; + str_init_len_assert(&s, c->session_key, c->params.crypto_suite->session_key_len); + if (crypto_gen_session_key(c, &s, i++, 6)) + goto error; + str_init_len_assert(&s, c->session_auth_key, c->params.crypto_suite->srtp_auth_key_len); + if (crypto_gen_session_key(c, &s, i++, 6)) + goto error; + str_init_len_assert(&s, c->session_salt, c->params.crypto_suite->session_salt_len); + if (crypto_gen_session_key(c, &s, i, 6)) + goto error; + + c->have_session_key = 1; + crypto_init_session_key(c); + +error: + return; +} + +int main(int argc, char** argv) { + + str suite; + str s; + const struct crypto_suite *c; + struct crypto_context ctx, ctx2; + + crypto_init_main(); + + str_init(&suite, "AES_CM_128_HMAC_SHA1_80"); + c = crypto_find_suite(&suite); + assert(c); + + memset(&ctx, 0, sizeof(ctx)); + ctx.params.crypto_suite = c; + memcpy(ctx.params.master_key, test_key, 16); + memcpy(ctx.params.master_salt, (uint8_t*)test_key+16, 14); + ctx.params.mki_len = 0; + + check_session_keys(&ctx, 0); + + memset(&ctx2, 0, sizeof(ctx2)); + ctx2.params.crypto_suite = c; + memcpy(ctx2.params.master_key, test_key, 16); + memcpy(ctx2.params.master_salt, (uint8_t*)test_key+16, 14); + ctx2.params.mki_len = 0; + + check_session_keys(&ctx2, 3); + + srtp_validate(&ctx, &ctx2, "SRTP AES-CM-128", rtp_plaintext_ref, srtp_ciphertext_128, + rtcp_plaintext_ref, srtcp_ciphertext_128); + + str_init(&suite, "AES_CM_192_HMAC_SHA1_80"); + c = crypto_find_suite(&suite); + assert(c); + + memset(&ctx, 0, sizeof(ctx)); + ctx.params.crypto_suite = c; + memcpy(ctx.params.master_key, test_key, 24); + memcpy(ctx.params.master_salt, (uint8_t*)test_key+24, 14); + ctx.params.mki_len = 0; + + check_session_keys(&ctx, 0); + + memset(&ctx2, 0, sizeof(ctx2)); + ctx2.params.crypto_suite = c; + memcpy(ctx2.params.master_key, test_key, 24); + memcpy(ctx2.params.master_salt, (uint8_t*)test_key+24, 14); + ctx2.params.mki_len = 0; + + check_session_keys(&ctx2, 3); + + srtp_validate(&ctx, &ctx2, "SRTP AES-CM-192", rtp_plaintext_ref, srtp_ciphertext_192, + rtcp_plaintext_ref, srtcp_ciphertext_192); + + str_init(&suite, "AES_CM_256_HMAC_SHA1_80"); + c = crypto_find_suite(&suite); + assert(c); + + memset(&ctx, 0, sizeof(ctx)); + ctx.params.crypto_suite = c; + memcpy(ctx.params.master_key, test_key, 32); + memcpy(ctx.params.master_salt, (uint8_t*)test_key+32, 14); + ctx.params.mki_len = 0; + + check_session_keys(&ctx, 0); + + memset(&ctx2, 0, sizeof(ctx2)); + ctx2.params.crypto_suite = c; + memcpy(ctx2.params.master_key, test_key, 32); + memcpy(ctx2.params.master_salt, (uint8_t*)test_key+32, 14); + ctx2.params.mki_len = 0; + + check_session_keys(&ctx2, 3); + + srtp_validate(&ctx, &ctx2, "SRTP AES-CM-256", rtp_plaintext_ref, srtp_ciphertext_256, + rtcp_plaintext_ref, srtcp_ciphertext_256); + + + memset(&ctx, 0, sizeof(ctx)); + ctx.params.crypto_suite = c; + memcpy(ctx.params.master_key, aes_256_test_key, 32); + memcpy(ctx.params.master_salt, (uint8_t*)aes_256_test_key+32, 14); + ctx.params.mki_len = 0; + + check_session_keys(&ctx, 0); + + srtp_validate(&ctx, NULL, "extra AES-CM-256", aes_256_rtp_plaintext_ref, aes_256_srtp_ciphertext, + NULL, NULL); + +}