ccRTP 2.1.2
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Groups Pages
CryptoContext.cpp
Go to the documentation of this file.
1 /*
2  Copyright (C) 2004-2006 the Minisip Team
3 
4  This library is free software; you can redistribute it and/or
5  modify it under the terms of the GNU Lesser General Public
6  License as published by the Free Software Foundation; either
7  version 2.1 of the License, or (at your option) any later version.
8 
9  This library is distributed in the hope that it will be useful,
10  but WITHOUT ANY WARRANTY; without even the implied warranty of
11  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  Lesser General Public License for more details.
13 
14  You should have received a copy of the GNU Lesser General Public
15  License along with this library; if not, write to the Free Software
16  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 */
18 
19 /* Copyright (C) 2004-2012
20  *
21  * Authors: Israel Abad <i_abad@terra.es>
22  * Erik Eliasson <eliasson@it.kth.se>
23  * Johan Bilien <jobi@via.ecp.fr>
24  * Joachim Orrblad <joachim@orrblad.com>
25  * Werner Dittmann <Werner.Dittmann@t-online.de>
26  */
27 
28 #include <iostream>
29 
30 #include <ccrtp-config.h>
31 
32 #ifdef SRTP_SUPPORT
33 #include <ccrtp/crypto/hmac.h>
34 #include <ccrtp/crypto/macSkein.h>
35 #endif
36 
37 #include <commoncpp/config.h>
38 #include <commoncpp/export.h>
39 #include <ccrtp/CryptoContext.h>
40 
41 NAMESPACE_COMMONCPP
42 
43 CryptoContext::CryptoContext( uint32 ssrc ):
44 ssrcCtx(ssrc),
45 using_mki(false),mkiLength(0),mki(NULL),
46 roc(0),guessed_roc(0),s_l(0),key_deriv_rate(0),
47 replay_window(0),
48 master_key(NULL), master_key_length(0),
49 master_key_srtp_use_nb(0), master_key_srtcp_use_nb(0),
50 master_salt(NULL), master_salt_length(0),
51 n_e(0),k_e(NULL),n_a(0),k_a(NULL),n_s(0),k_s(NULL),
52 ealg(SrtpEncryptionNull), aalg(SrtpAuthenticationNull),
53 ekeyl(0), akeyl(0), skeyl(0),
54 seqNumSet(false), macCtx(NULL), cipher(NULL), f8Cipher(NULL)
55 {}
56 
57 #ifdef SRTP_SUPPORT
58 CryptoContext::CryptoContext( uint32 ssrc,
59  int32 roc,
60  int64 key_deriv_rate,
61  const int32 ealg,
62  const int32 aalg,
63  uint8* master_key,
64  int32 master_key_length,
65  uint8* master_salt,
66  int32 master_salt_length,
67  int32 ekeyl,
68  int32 akeyl,
69  int32 skeyl,
70  int32 tagLength):
71 
72 ssrcCtx(ssrc),using_mki(false),mkiLength(0),mki(NULL),
73 roc(roc),guessed_roc(0),s_l(0),key_deriv_rate(key_deriv_rate),
74 replay_window(0),
75 master_key_srtp_use_nb(0), master_key_srtcp_use_nb(0), seqNumSet(false),
76 macCtx(NULL), cipher(NULL), f8Cipher(NULL)
77 {
78  this->ealg = ealg;
79  this->aalg = aalg;
80  this->ekeyl = ekeyl;
81  this->akeyl = akeyl;
82  this->skeyl = skeyl;
83 
84  this->master_key_length = master_key_length;
85  this->master_key = new uint8[master_key_length];
86  memcpy(this->master_key, master_key, master_key_length);
87 
88  this->master_salt_length = master_salt_length;
89  this->master_salt = new uint8[master_salt_length];
90  memcpy(this->master_salt, master_salt, master_salt_length);
91 
92  switch( ealg ) {
93  case SrtpEncryptionNull:
94  n_e = 0;
95  k_e = NULL;
96  n_s = 0;
97  k_s = NULL;
98  break;
99 
100  case SrtpEncryptionTWOF8:
101  f8Cipher = new SrtpSymCrypto(SrtpEncryptionTWOF8);
102 
103  case SrtpEncryptionTWOCM:
104  n_e = ekeyl;
105  k_e = new uint8[n_e];
106  n_s = skeyl;
107  k_s = new uint8[n_s];
108  cipher = new SrtpSymCrypto(SrtpEncryptionTWOCM);
109  break;
110 
111  case SrtpEncryptionAESF8:
112  f8Cipher = new SrtpSymCrypto(SrtpEncryptionAESF8);
113 
114  case SrtpEncryptionAESCM:
115  n_e = ekeyl;
116  k_e = new uint8[n_e];
117  n_s = skeyl;
118  k_s = new uint8[n_s];
119  cipher = new SrtpSymCrypto(SrtpEncryptionAESCM);
120  break;
121  }
122 
123  switch( aalg ) {
124  case SrtpAuthenticationNull:
125  n_a = 0;
126  k_a = NULL;
127  this->tagLength = 0;
128  break;
129 
130  case SrtpAuthenticationSha1Hmac:
131  case SrtpAuthenticationSkeinHmac:
132  n_a = akeyl;
133  k_a = new uint8[n_a];
134  this->tagLength = tagLength;
135  break;
136  }
137 }
138 
139 #endif
140 
141 CryptoContext::~CryptoContext(){
142 
143 #ifdef SRTP_SUPPORT
144  if (mki)
145  delete [] mki;
146 
147  if (master_key_length > 0) {
148  memset(master_key, 0, master_key_length);
149  master_key_length = 0;
150  delete [] master_key;
151  }
152  if (master_salt_length > 0) {
153  memset(master_salt, 0, master_salt_length);
154  master_salt_length = 0;
155  delete [] master_salt;
156  }
157  if (n_e > 0) {
158  memset(k_e, 0, n_e);
159  n_e = 0;
160  delete [] k_e;
161  }
162  if (n_s > 0) {
163  memset(k_s, 0, n_s);
164  n_s = 0;
165  delete [] k_s;
166  }
167  if (n_a > 0) {
168  memset(k_a, 0, n_a);
169  n_a = 0;
170  delete [] k_a;
171  }
172  if (cipher != NULL) {
173  delete cipher;
174  cipher = NULL;
175  }
176  if (f8Cipher != NULL) {
177  delete f8Cipher;
178  f8Cipher = NULL;
179  }
180  if (macCtx != NULL) {
181  switch(aalg) {
182  case SrtpAuthenticationSha1Hmac:
183  freeSha1HmacContext(macCtx);
184  break;
185 
186  case SrtpAuthenticationSkeinHmac:
187  freeSkeinMacContext(macCtx);
188  break;
189  }
190  }
191 #endif
192 
193  ealg = SrtpEncryptionNull;
194  aalg = SrtpAuthenticationNull;
195 }
196 
197 void CryptoContext::srtpEncrypt(RTPPacket* rtp, uint64 index, uint32 ssrc)
198 {
199  if (ealg == SrtpEncryptionNull) {
200  return;
201  }
202 #ifdef SRTP_SUPPORT
203  if (ealg == SrtpEncryptionAESCM || ealg == SrtpEncryptionTWOCM) {
204 
205  /* Compute the CM IV (refer to chapter 4.1.1 in RFC 3711):
206  *
207  * k_s XX XX XX XX XX XX XX XX XX XX XX XX XX XX
208  * SSRC XX XX XX XX
209  * index XX XX XX XX XX XX
210  * ------------------------------------------------------XOR
211  * IV XX XX XX XX XX XX XX XX XX XX XX XX XX XX 00 00
212  */
213 
214  unsigned char iv[16];
215  memcpy( iv, k_s, 4 );
216 
217  int i;
218  for(i = 4; i < 8; i++ ){
219  iv[i] = ( 0xFF & ( ssrc >> ((7-i)*8) ) ) ^ k_s[i];
220  }
221  for(i = 8; i < 14; i++ ){
222  iv[i] = ( 0xFF & (unsigned char)( index >> ((13-i)*8) ) ) ^ k_s[i];
223  }
224  iv[14] = iv[15] = 0;
225 
226  int32 pad = rtp->isPadded() ? rtp->getPaddingSize() : 0;
227  cipher->ctr_encrypt(const_cast<uint8*>(rtp->getPayload()),
228  rtp->getPayloadSize()+pad, iv);
229  }
230 
231  if (ealg == SrtpEncryptionAESF8 || ealg == SrtpEncryptionTWOF8) {
232 
233  /* Create the F8 IV (refer to chapter 4.1.2.2 in RFC 3711):
234  *
235  * IV = 0x00 || M || PT || SEQ || TS || SSRC || ROC
236  * 8Bit 1bit 7bit 16bit 32bit 32bit 32bit
237  * ------------\ /--------------------------------------------------
238  * XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
239  */
240 
241  unsigned char iv[16];
242  uint32 *ui32p = (uint32 *)iv;
243 
244  memcpy(iv, rtp->getRawPacket(), 12);
245  iv[0] = 0;
246 
247  // set ROC in network order into IV
248  ui32p[3] = htonl(roc);
249 
250  int32 pad = rtp->isPadded() ? rtp->getPaddingSize() : 0;
251  cipher->f8_encrypt(rtp->getPayload(), rtp->getPayloadSize()+pad, iv, f8Cipher);
252  }
253 #endif
254 }
255 
256 /* Warning: tag must have been initialized */
257 void CryptoContext::srtpAuthenticate(RTPPacket* rtp, uint32 roc, uint8* tag )
258 {
259  if (aalg == SrtpAuthenticationNull) {
260  return;
261  }
262 #ifdef SRTP_SUPPORT
263  int32_t macL;
264 
265  unsigned char temp[20];
266  const unsigned char* chunks[3];
267  unsigned int chunkLength[3];
268  uint32_t beRoc = htonl(roc);
269 
270  chunks[0] = rtp->getRawPacket();
271  chunkLength[0] = rtp->getRawPacketSize();
272 
273  chunks[1] = (unsigned char *)&beRoc;
274  chunkLength[1] = 4;
275  chunks[2] = NULL;
276 
277  switch (aalg) {
278  case SrtpAuthenticationSha1Hmac:
279  hmacSha1Ctx(macCtx,
280  chunks, // data chunks to hash
281  chunkLength, // length of the data to hash
282  temp, &macL);
283  /* truncate the result */
284  memcpy(tag, temp, getTagLength());
285  break;
286  case SrtpAuthenticationSkeinHmac:
287  macSkeinCtx(macCtx,
288  chunks, // data chunks to hash
289  chunkLength, // length of the data to hash
290  temp);
291  /* truncate the result */
292  memcpy(tag, temp, getTagLength());
293  break;
294  }
295 #endif
296 }
297 
298 #ifdef SRTP_SUPPORT
299 /* used by the key derivation method */
300 static void computeIv(unsigned char* iv, uint64 label, uint64 index,
301  int64 kdv, unsigned char* master_salt)
302 {
303 
304  uint64 key_id;
305 
306  if (kdv == 0) {
307  key_id = label << 48;
308  }
309  else {
310  key_id = ((label << 48) | (index / kdv));
311  }
312 
313  //printf( "Key_ID: %llx\n", key_id );
314 
315  /* compute the IV
316  key_id: XX XX XX XX XX XX XX
317  master_salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX
318  ------------------------------------------------------------ XOR
319  IV: XX XX XX XX XX XX XX XX XX XX XX XX XX XX 00 00
320  */
321 
322  int i;
323  for(i = 0; i < 7 ; i++ ) {
324  iv[i] = master_salt[i];
325  }
326 
327  for(i = 7; i < 14 ; i++ ) {
328  iv[i] = (unsigned char)(0xFF & (key_id >> (8*(13-i)))) ^
329  master_salt[i];
330  }
331 
332  iv[14] = iv[15] = 0;
333 }
334 #endif
335 
336 /* Derives the srtp session keys from the master key */
337 void CryptoContext::deriveSrtpKeys(uint64 index)
338 {
339 #ifdef SRTP_SUPPORT
340  uint8 iv[16];
341 
342  // prepare AES cipher to compute derived keys.
343  cipher->setNewKey(master_key, master_key_length);
344  memset(master_key, 0, master_key_length);
345 
346  // compute the session encryption key
347  uint64 label = 0;
348  computeIv(iv, label, index, key_deriv_rate, master_salt);
349  cipher->get_ctr_cipher_stream(k_e, n_e, iv);
350 
351  // compute the session authentication key
352  label = 0x01;
353  computeIv(iv, label, index, key_deriv_rate, master_salt);
354  cipher->get_ctr_cipher_stream(k_a, n_a, iv);
355 
356  // Initialize MAC context with the derived key
357  switch (aalg) {
358  case SrtpAuthenticationSha1Hmac:
359  macCtx = createSha1HmacContext(k_a, n_a);
360  break;
361  case SrtpAuthenticationSkeinHmac:
362  // Skein MAC uses number of bits as MAC size, not just bytes
363  macCtx = createSkeinMacContext(k_a, n_a, tagLength*8, Skein512);
364  break;
365  }
366  memset(k_a, 0, n_a);
367 
368  // compute the session salt
369  label = 0x02;
370  computeIv(iv, label, index, key_deriv_rate, master_salt);
371  cipher->get_ctr_cipher_stream(k_s, n_s, iv);
372  memset(master_salt, 0, master_salt_length);
373 
374  // as last step prepare ciphers with derived key.
375  cipher->setNewKey(k_e, n_e);
376  if (f8Cipher != NULL)
377  cipher->f8_deriveForIV(f8Cipher, k_e, n_e, k_s, n_s);
378  memset(k_e, 0, n_e);
379 
380 #endif
381 }
382 
383 /* Based on the algorithm provided in Appendix A - draft-ietf-srtp-05.txt */
384 uint64_t CryptoContext::guessIndex(uint16 new_seq_nb )
385 {
386  /*
387  * Initialize the sequences number on first call that uses the
388  * sequence number. Either GuessIndex() or checkReplay().
389  */
390  if (!seqNumSet) {
391  seqNumSet = true;
392  s_l = new_seq_nb;
393  }
394  if (s_l < 32768){
395  if (new_seq_nb - s_l > 32768) {
396  guessed_roc = roc - 1;
397  }
398  else {
399  guessed_roc = roc;
400  }
401  }
402  else {
403  if (s_l - 32768 > new_seq_nb) {
404  guessed_roc = roc + 1;
405  }
406  else {
407  guessed_roc = roc;
408  }
409  }
410 
411  return ((uint64)guessed_roc) << 16 | new_seq_nb;
412 }
413 
414 bool CryptoContext::checkReplay( uint16 new_seq_nb )
415 {
416 #ifdef SRTP_SUPPORT
417  if ( aalg == SrtpAuthenticationNull && ealg == SrtpEncryptionNull ) {
418  /* No security policy, don't use the replay protection */
419  return true;
420  }
421 
422  /*
423  * Initialize the sequences number on first call that uses the
424  * sequence number. Either guessIndex() or checkReplay().
425  */
426  if (!seqNumSet) {
427  seqNumSet = true;
428  s_l = new_seq_nb;
429  }
430  uint64 guessed_index = guessIndex( new_seq_nb );
431  uint64 local_index = (((uint64_t)roc) << 16) | s_l;
432 
433  int64 delta = guessed_index - local_index;
434  if (delta > 0) {
435  /* Packet not yet received*/
436  return true;
437  }
438  else {
439  if( -delta > REPLAY_WINDOW_SIZE ) {
440  /* Packet too old */
441  return false;
442  }
443  else {
444  if((replay_window >> (-delta)) & 0x1) {
445  /* Packet already received ! */
446  return false;
447  }
448  else {
449  /* Packet not yet received */
450  return true;
451  }
452  }
453 }
454 #else
455  return true;
456 #endif
457 }
458 
459 void CryptoContext::update(uint16 new_seq_nb)
460 {
461 #ifdef SRTP_SUPPORT
462  int64 delta = guessIndex(new_seq_nb) - (((uint64)roc) << 16 | s_l );
463 
464  /* update the replay bitmask */
465  if( delta > 0 ){
466  replay_window = replay_window << delta;
467  replay_window |= 1;
468  }
469  else {
470  replay_window |= ( 1 << delta );
471  }
472 
473  /* update the locally stored ROC and highest sequence number */
474  if( new_seq_nb > s_l ) {
475  s_l = new_seq_nb;
476  }
477  if( guessed_roc > roc ) {
478  roc = guessed_roc;
479  s_l = new_seq_nb;
480  }
481 #endif
482 }
483 
484 CryptoContext* CryptoContext::newCryptoContextForSSRC(uint32 ssrc, int roc, int64 keyDerivRate)
485 {
486 #ifdef SRTP_SUPPORT
487  CryptoContext* pcc = new CryptoContext(
488  ssrc,
489  roc, // Roll over Counter,
490  keyDerivRate, // keyderivation << 48,
491  this->ealg, // encryption algo
492  this->aalg, // authentication algo
493  this->master_key, // Master Key
494  this->master_key_length, // Master Key length
495  this->master_salt, // Master Salt
496  this->master_salt_length, // Master Salt length
497  this->ekeyl, // encryption keyl
498  this->akeyl, // authentication key len
499  this->skeyl, // session salt len
500  this->tagLength); // authentication tag len
501 
502  return pcc;
503 #else
504  return NULL;
505 #endif
506 }
507 
508 END_NAMESPACE
509 
SrtpSymCrypto
Implments the SRTP encryption modes as defined in RFC3711.
Definition: SrtpSymCrypto.h:77
CryptoContext::replay_window
uint64 replay_window
Definition: CryptoContext.h:368
RTPPacket::isPadded
bool isPadded() const
Ask whether the packet contains padding bytes at the end.
Definition: rtppkt.h:164
RTPPacket
A base class for both IncomingRTPPkt and OutgoingRTPPkt.
Definition: rtppkt.h:72
CryptoContext::srtpAuthenticate
void srtpAuthenticate(RTPPacket *rtp, uint32 roc, uint8 *tag)
Compute the authentication tag.
Definition: CryptoContext.cpp:257
rtp
RTPAudio * rtp
Definition: rtp.cpp:88
REPLAY_WINDOW_SIZE
#define REPLAY_WINDOW_SIZE
Definition: CryptoContext.h:28
CryptoContext
The implementation for a SRTP cryptographic context.
Definition: CryptoContext.h:82
hmacSha1Ctx
void hmacSha1Ctx(void *ctx, const uint8_t *data, uint32_t data_length, uint8_t *mac, int32_t *mac_length)
Compute SHA1 HMAC.
Definition: gcrypthmac.cpp:79
SrtpEncryptionAESF8
const int SrtpEncryptionAESF8
Definition: CryptoContext.h:36
createSha1HmacContext
void * createSha1HmacContext(uint8_t *key, int32_t key_length)
Create and initialize a SHA1 HMAC context.
Definition: gcrypthmac.cpp:70
macSkeinCtx
void macSkeinCtx(void *ctx, const uint8_t *data, uint32_t data_length, uint8_t *mac)
Compute Skein MAC.
Definition: macSkein.cpp:61
freeSkeinMacContext
void freeSkeinMacContext(void *ctx)
Free Skein MAC context.
Definition: macSkein.cpp:85
freeSha1HmacContext
void freeSha1HmacContext(void *ctx)
Free SHA1 HMAC context.
Definition: gcrypthmac.cpp:113
createSkeinMacContext
void * createSkeinMacContext(uint8_t *key, int32_t key_length, int32_t mac_length, SkeinSize_t skeinSize)
Create and initialize a Skein MAC context.
Definition: macSkein.cpp:51
SrtpEncryptionTWOF8
const int SrtpEncryptionTWOF8
Definition: CryptoContext.h:38
CryptoContext::master_key_length
uint32 master_key_length
Definition: CryptoContext.h:371
hmac.h
Functions to compute SHA1 HAMAC.
CryptoContext::checkReplay
bool checkReplay(uint16 newSeqNumber)
Check for packet replay.
Definition: CryptoContext.cpp:414
CryptoContext::srtpEncrypt
void srtpEncrypt(RTPPacket *rtp, uint64 index, uint32 ssrc)
Perform SRTP encryption.
Definition: CryptoContext.cpp:197
RTPPacket::getPayload
const uint8 *const getPayload() const
Definition: rtppkt.h:121
CryptoContext::~CryptoContext
~CryptoContext()
Destructor.
Definition: CryptoContext.cpp:141
CryptoContext::master_salt_length
uint32 master_salt_length
Definition: CryptoContext.h:375
SrtpEncryptionTWOCM
const int SrtpEncryptionTWOCM
Definition: CryptoContext.h:37
CryptoContext::newCryptoContextForSSRC
CryptoContext * newCryptoContextForSSRC(uint32 ssrc, int roc, int64 keyDerivRate)
Derive a new Crypto Context for use with a new SSRC.
Definition: CryptoContext.cpp:484
macSkein.h
Function that provide Skein MAC support.
RTPPacket::getRawPacketSize
uint32 getRawPacketSize() const
Get the raw packet length, including header, extension, payload and padding.
Definition: rtppkt.h:278
SrtpAuthenticationSkeinHmac
const int SrtpAuthenticationSkeinHmac
Definition: CryptoContext.h:32
CryptoContext::guessed_roc
uint32 guessed_roc
Definition: CryptoContext.h:363
RTPPacket::getRawPacket
const unsigned char *const getRawPacket() const
Get the raw packet as it will be sent through the network.
Definition: rtppkt.h:268
RTPPacket::getPaddingSize
uint8 getPaddingSize() const
Get the number of octets padding the end of the payload section.
Definition: rtppkt.h:174
CryptoContext::CryptoContext
CryptoContext(uint32 ssrc)
Constructor for empty SRTP cryptographic context.
Definition: CryptoContext.cpp:43
CryptoContext::update
void update(uint16 newSeqNumber)
Update the SRTP packet index.
Definition: CryptoContext.cpp:459
CryptoContext::master_key
uint8 * master_key
Definition: CryptoContext.h:370
RTPPacket::getPayloadSize
uint32 getPayloadSize() const
Definition: rtppkt.h:128
SrtpEncryptionNull
const int SrtpEncryptionNull
Definition: CryptoContext.h:34
CryptoContext::getTagLength
int32 getTagLength() const
Get the length of the SRTP authentication tag in bytes.
Definition: CryptoContext.h:310
SrtpAuthenticationSha1Hmac
const int SrtpAuthenticationSha1Hmac
Definition: CryptoContext.h:31
CryptoContext::deriveSrtpKeys
void deriveSrtpKeys(uint64 index)
Perform key derivation according to SRTP specification.
Definition: CryptoContext.cpp:337
CryptoContext::guessIndex
uint64 guessIndex(uint16 newSeqNumber)
Compute (guess) the new SRTP index based on the sequence number of a received RTP packet...
Definition: CryptoContext.cpp:384
CryptoContext::master_salt
uint8 * master_salt
Definition: CryptoContext.h:374
SrtpAuthenticationNull
const int SrtpAuthenticationNull
Definition: CryptoContext.h:30
SrtpEncryptionAESCM
const int SrtpEncryptionAESCM
Definition: CryptoContext.h:35
Generated on Dec 15, 2017 for ccrtp-2.1.2 (*.h and *.cpp) and libzrtpcpp-2.3.4 (*.h), by   doxygen 1.8.6