FFmpeg
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
srtp.c
Go to the documentation of this file.
1 /*
2  * SRTP encryption/decryption
3  * Copyright (c) 2012 Martin Storsjo
4  *
5  * This file is part of FFmpeg.
6  *
7  * FFmpeg is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * FFmpeg is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with FFmpeg; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20  */
21 
22 #include "libavutil/base64.h"
23 #include "libavutil/aes.h"
24 #include "libavutil/hmac.h"
25 #include "libavutil/intreadwrite.h"
26 #include "libavutil/log.h"
27 #include "rtp.h"
28 #include "srtp.h"
29 
30 void ff_srtp_free(struct SRTPContext *s)
31 {
32  if (!s)
33  return;
34  av_freep(&s->aes);
35  if (s->hmac)
36  av_hmac_free(s->hmac);
37  s->hmac = NULL;
38 }
39 
40 static void encrypt_counter(struct AVAES *aes, uint8_t *iv, uint8_t *outbuf,
41  int outlen)
42 {
43  int i, j, outpos;
44  for (i = 0, outpos = 0; outpos < outlen; i++) {
45  uint8_t keystream[16];
46  AV_WB16(&iv[14], i);
47  av_aes_crypt(aes, keystream, iv, 1, NULL, 0);
48  for (j = 0; j < 16 && outpos < outlen; j++, outpos++)
49  outbuf[outpos] ^= keystream[j];
50  }
51 }
52 
53 static void derive_key(struct AVAES *aes, const uint8_t *salt, int label,
54  uint8_t *out, int outlen)
55 {
56  uint8_t input[16] = { 0 };
57  memcpy(input, salt, 14);
58  // Key derivation rate assumed to be zero
59  input[14 - 7] ^= label;
60  memset(out, 0, outlen);
61  encrypt_counter(aes, input, out, outlen);
62 }
63 
64 int ff_srtp_set_crypto(struct SRTPContext *s, const char *suite,
65  const char *params)
66 {
67  uint8_t buf[30];
68 
69  ff_srtp_free(s);
70 
71  // RFC 4568
72  if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80") ||
73  !strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_80")) {
74  s->rtp_hmac_size = s->rtcp_hmac_size = 10;
75  } else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {
76  s->rtp_hmac_size = s->rtcp_hmac_size = 4;
77  } else if (!strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_32")) {
78  // RFC 5764 section 4.1.2
79  s->rtp_hmac_size = 4;
80  s->rtcp_hmac_size = 10;
81  } else {
82  av_log(NULL, AV_LOG_WARNING, "SRTP Crypto suite %s not supported\n",
83  suite);
84  return AVERROR(EINVAL);
85  }
86  if (av_base64_decode(buf, params, sizeof(buf)) != sizeof(buf)) {
87  av_log(NULL, AV_LOG_WARNING, "Incorrect amount of SRTP params\n");
88  return AVERROR(EINVAL);
89  }
90  // MKI and lifetime not handled yet
91  s->aes = av_aes_alloc();
92  s->hmac = av_hmac_alloc(AV_HMAC_SHA1);
93  if (!s->aes || !s->hmac)
94  return AVERROR(ENOMEM);
95  memcpy(s->master_key, buf, 16);
96  memcpy(s->master_salt, buf + 16, 14);
97 
98  // RFC 3711
99  av_aes_init(s->aes, s->master_key, 128, 0);
100 
101  derive_key(s->aes, s->master_salt, 0x00, s->rtp_key, sizeof(s->rtp_key));
102  derive_key(s->aes, s->master_salt, 0x02, s->rtp_salt, sizeof(s->rtp_salt));
103  derive_key(s->aes, s->master_salt, 0x01, s->rtp_auth, sizeof(s->rtp_auth));
104 
105  derive_key(s->aes, s->master_salt, 0x03, s->rtcp_key, sizeof(s->rtcp_key));
106  derive_key(s->aes, s->master_salt, 0x05, s->rtcp_salt, sizeof(s->rtcp_salt));
107  derive_key(s->aes, s->master_salt, 0x04, s->rtcp_auth, sizeof(s->rtcp_auth));
108  return 0;
109 }
110 
111 static void create_iv(uint8_t *iv, const uint8_t *salt, uint64_t index,
112  uint32_t ssrc)
113 {
114  uint8_t indexbuf[8];
115  int i;
116  memset(iv, 0, 16);
117  AV_WB32(&iv[4], ssrc);
118  AV_WB64(indexbuf, index);
119  for (i = 0; i < 8; i++) // index << 16
120  iv[6 + i] ^= indexbuf[i];
121  for (i = 0; i < 14; i++)
122  iv[i] ^= salt[i];
123 }
124 
125 int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr)
126 {
127  uint8_t iv[16] = { 0 }, hmac[20];
128  int len = *lenptr;
129  int av_uninit(seq_largest);
130  uint32_t ssrc, av_uninit(roc);
131  uint64_t index;
132  int rtcp, hmac_size;
133 
134  // TODO: Missing replay protection
135 
136  if (len < 2)
137  return AVERROR_INVALIDDATA;
138 
139  rtcp = RTP_PT_IS_RTCP(buf[1]);
140  hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;
141 
142  if (len < hmac_size)
143  return AVERROR_INVALIDDATA;
144 
145  // Authentication HMAC
146  av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));
147  // If MKI is used, this should exclude the MKI as well
148  av_hmac_update(s->hmac, buf, len - hmac_size);
149 
150  if (!rtcp) {
151  int seq = AV_RB16(buf + 2);
152  uint32_t v;
153  uint8_t rocbuf[4];
154 
155  // RFC 3711 section 3.3.1, appendix A
156  seq_largest = s->seq_initialized ? s->seq_largest : seq;
157  v = roc = s->roc;
158  if (seq_largest < 32768) {
159  if (seq - seq_largest > 32768)
160  v = roc - 1;
161  } else {
162  if (seq_largest - 32768 > seq)
163  v = roc + 1;
164  }
165  if (v == roc) {
166  seq_largest = FFMAX(seq_largest, seq);
167  } else if (v == roc + 1) {
168  seq_largest = seq;
169  roc = v;
170  }
171  index = seq + (((uint64_t)v) << 16);
172 
173  AV_WB32(rocbuf, roc);
174  av_hmac_update(s->hmac, rocbuf, 4);
175  }
176 
177  av_hmac_final(s->hmac, hmac, sizeof(hmac));
178  if (memcmp(hmac, buf + len - hmac_size, hmac_size)) {
179  av_log(NULL, AV_LOG_WARNING, "HMAC mismatch\n");
180  return AVERROR_INVALIDDATA;
181  }
182 
183  len -= hmac_size;
184  *lenptr = len;
185 
186  if (len < 12)
187  return AVERROR_INVALIDDATA;
188 
189  if (rtcp) {
190  uint32_t srtcp_index = AV_RB32(buf + len - 4);
191  len -= 4;
192  *lenptr = len;
193 
194  ssrc = AV_RB32(buf + 4);
195  index = srtcp_index & 0x7fffffff;
196 
197  buf += 8;
198  len -= 8;
199  if (!(srtcp_index & 0x80000000))
200  return 0;
201  } else {
202  int ext, csrc;
203  s->seq_initialized = 1;
204  s->seq_largest = seq_largest;
205  s->roc = roc;
206 
207  csrc = buf[0] & 0x0f;
208  ext = buf[0] & 0x10;
209  ssrc = AV_RB32(buf + 8);
210 
211  buf += 12;
212  len -= 12;
213 
214  buf += 4 * csrc;
215  len -= 4 * csrc;
216  if (len < 0)
217  return AVERROR_INVALIDDATA;
218 
219  if (ext) {
220  if (len < 4)
221  return AVERROR_INVALIDDATA;
222  ext = (AV_RB16(buf + 2) + 1) * 4;
223  if (len < ext)
224  return AVERROR_INVALIDDATA;
225  len -= ext;
226  buf += ext;
227  }
228  }
229 
230  create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);
231  av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);
232  encrypt_counter(s->aes, iv, buf, len);
233 
234  return 0;
235 }
236 
237 int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,
238  uint8_t *out, int outlen)
239 {
240  uint8_t iv[16] = { 0 }, hmac[20];
241  uint64_t index;
242  uint32_t ssrc;
243  int rtcp, hmac_size, padding;
244  uint8_t *buf;
245 
246  if (len < 8)
247  return AVERROR_INVALIDDATA;
248 
249  rtcp = RTP_PT_IS_RTCP(in[1]);
250  hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;
251  padding = hmac_size;
252  if (rtcp)
253  padding += 4; // For the RTCP index
254 
255  if (len + padding > outlen)
256  return 0;
257 
258  memcpy(out, in, len);
259  buf = out;
260 
261  if (rtcp) {
262  ssrc = AV_RB32(buf + 4);
263  index = s->rtcp_index++;
264 
265  buf += 8;
266  len -= 8;
267  } else {
268  int ext, csrc;
269  int seq = AV_RB16(buf + 2);
270 
271  if (len < 12)
272  return AVERROR_INVALIDDATA;
273 
274  ssrc = AV_RB32(buf + 8);
275 
276  if (seq < s->seq_largest)
277  s->roc++;
278  s->seq_largest = seq;
279  index = seq + (((uint64_t)s->roc) << 16);
280 
281  csrc = buf[0] & 0x0f;
282  ext = buf[0] & 0x10;
283 
284  buf += 12;
285  len -= 12;
286 
287  buf += 4 * csrc;
288  len -= 4 * csrc;
289  if (len < 0)
290  return AVERROR_INVALIDDATA;
291 
292  if (ext) {
293  if (len < 4)
294  return AVERROR_INVALIDDATA;
295  ext = (AV_RB16(buf + 2) + 1) * 4;
296  if (len < ext)
297  return AVERROR_INVALIDDATA;
298  len -= ext;
299  buf += ext;
300  }
301  }
302 
303  create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);
304  av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);
305  encrypt_counter(s->aes, iv, buf, len);
306 
307  if (rtcp) {
308  AV_WB32(buf + len, 0x80000000 | index);
309  len += 4;
310  }
311 
312  av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));
313  av_hmac_update(s->hmac, out, buf + len - out);
314  if (!rtcp) {
315  uint8_t rocbuf[4];
316  AV_WB32(rocbuf, s->roc);
317  av_hmac_update(s->hmac, rocbuf, 4);
318  }
319  av_hmac_final(s->hmac, hmac, sizeof(hmac));
320 
321  memcpy(buf + len, hmac, hmac_size);
322  len += hmac_size;
323  return buf + len - out;
324 }
325 
326 #ifdef TEST
327 #include <stdio.h>
328 
329 static const char *aes128_80_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
330 
331 static const uint8_t rtp_aes128_80[] = {
332  // RTP header
333  0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
334  // encrypted payload
335  0x62, 0x69, 0x76, 0xca, 0xc5,
336  // HMAC
337  0xa1, 0xac, 0x1b, 0xb4, 0xa0, 0x1c, 0xd5, 0x49, 0x28, 0x99,
338 };
339 
340 static const uint8_t rtcp_aes128_80[] = {
341  // RTCP header
342  0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,
343  // encrypted payload
344  0x8a, 0xac, 0xdc, 0xa5, 0x4c, 0xf6, 0x78, 0xa6, 0x62, 0x8f, 0x24, 0xda,
345  0x6c, 0x09, 0x3f, 0xa9, 0x28, 0x7a, 0xb5, 0x7f, 0x1f, 0x0f, 0xc9, 0x35,
346  // RTCP index
347  0x80, 0x00, 0x00, 0x03,
348  // HMAC
349  0xe9, 0x3b, 0xc0, 0x5c, 0x0c, 0x06, 0x9f, 0xab, 0xc0, 0xde,
350 };
351 
352 static const char *aes128_32_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
353 
354 static const uint8_t rtp_aes128_32[] = {
355  // RTP header
356  0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
357  // encrypted payload
358  0x62, 0x69, 0x76, 0xca, 0xc5,
359  // HMAC
360  0xa1, 0xac, 0x1b, 0xb4,
361 };
362 
363 static const uint8_t rtcp_aes128_32[] = {
364  // RTCP header
365  0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,
366  // encrypted payload
367  0x35, 0xe9, 0xb5, 0xff, 0x0d, 0xd1, 0xde, 0x70, 0x74, 0x10, 0xaa, 0x1b,
368  0xb2, 0x8d, 0xf0, 0x20, 0x02, 0x99, 0x6b, 0x1b, 0x0b, 0xd0, 0x47, 0x34,
369  // RTCP index
370  0x80, 0x00, 0x00, 0x04,
371  // HMAC
372  0x5b, 0xd2, 0xa9, 0x9d,
373 };
374 
375 static const char *aes128_80_32_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";
376 
377 static const uint8_t rtp_aes128_80_32[] = {
378  // RTP header
379  0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
380  // encrypted payload
381  0x62, 0x69, 0x76, 0xca, 0xc5,
382  // HMAC
383  0xa1, 0xac, 0x1b, 0xb4,
384 };
385 
386 static const uint8_t rtcp_aes128_80_32[] = {
387  // RTCP header
388  0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,
389  // encrypted payload
390  0xd6, 0xae, 0xc1, 0x58, 0x63, 0x70, 0xc9, 0x88, 0x66, 0x26, 0x1c, 0x53,
391  0xff, 0x5d, 0x5d, 0x2b, 0x0f, 0x8c, 0x72, 0x3e, 0xc9, 0x1d, 0x43, 0xf9,
392  // RTCP index
393  0x80, 0x00, 0x00, 0x05,
394  // HMAC
395  0x09, 0x16, 0xb4, 0x27, 0x9a, 0xe9, 0x92, 0x26, 0x4e, 0x10,
396 };
397 
398 static void print_data(const uint8_t *buf, int len)
399 {
400  int i;
401  for (i = 0; i < len; i++)
402  printf("%02x", buf[i]);
403  printf("\n");
404 }
405 
406 static int test_decrypt(struct SRTPContext *srtp, const uint8_t *in, int len,
407  uint8_t *out)
408 {
409  memcpy(out, in, len);
410  if (!ff_srtp_decrypt(srtp, out, &len)) {
411  print_data(out, len);
412  return len;
413  } else
414  return -1;
415 }
416 
417 static void test_encrypt(const uint8_t *data, int in_len, const char *suite,
418  const char *key)
419 {
420  struct SRTPContext enc = { 0 }, dec = { 0 };
421  int len;
422  char buf[1500];
423  ff_srtp_set_crypto(&enc, suite, key);
424  ff_srtp_set_crypto(&dec, suite, key);
425  len = ff_srtp_encrypt(&enc, data, in_len, buf, sizeof(buf));
426  if (!ff_srtp_decrypt(&dec, buf, &len)) {
427  if (len == in_len && !memcmp(buf, data, len))
428  printf("Decrypted content matches input\n");
429  else
430  printf("Decrypted content doesn't match input\n");
431  } else {
432  printf("Decryption failed\n");
433  }
434  ff_srtp_free(&enc);
435  ff_srtp_free(&dec);
436 }
437 
438 int main(void)
439 {
440  static const char *aes128_80_suite = "AES_CM_128_HMAC_SHA1_80";
441  static const char *aes128_32_suite = "AES_CM_128_HMAC_SHA1_32";
442  static const char *aes128_80_32_suite = "SRTP_AES128_CM_HMAC_SHA1_32";
443  static const char *test_key = "abcdefghijklmnopqrstuvwxyz1234567890ABCD";
444  uint8_t buf[1500];
445  struct SRTPContext srtp = { 0 };
446  int len;
447  ff_srtp_set_crypto(&srtp, aes128_80_suite, aes128_80_key);
448  len = test_decrypt(&srtp, rtp_aes128_80, sizeof(rtp_aes128_80), buf);
449  test_encrypt(buf, len, aes128_80_suite, test_key);
450  test_encrypt(buf, len, aes128_32_suite, test_key);
451  test_encrypt(buf, len, aes128_80_32_suite, test_key);
452  test_decrypt(&srtp, rtcp_aes128_80, sizeof(rtcp_aes128_80), buf);
453  test_encrypt(buf, len, aes128_80_suite, test_key);
454  test_encrypt(buf, len, aes128_32_suite, test_key);
455  test_encrypt(buf, len, aes128_80_32_suite, test_key);
456  ff_srtp_free(&srtp);
457 
458  memset(&srtp, 0, sizeof(srtp)); // Clear the context
459  ff_srtp_set_crypto(&srtp, aes128_32_suite, aes128_32_key);
460  test_decrypt(&srtp, rtp_aes128_32, sizeof(rtp_aes128_32), buf);
461  test_decrypt(&srtp, rtcp_aes128_32, sizeof(rtcp_aes128_32), buf);
462  ff_srtp_free(&srtp);
463 
464  memset(&srtp, 0, sizeof(srtp)); // Clear the context
465  ff_srtp_set_crypto(&srtp, aes128_80_32_suite, aes128_80_32_key);
466  test_decrypt(&srtp, rtp_aes128_80_32, sizeof(rtp_aes128_80_32), buf);
467  test_decrypt(&srtp, rtcp_aes128_80_32, sizeof(rtcp_aes128_80_32), buf);
468  ff_srtp_free(&srtp);
469  return 0;
470 }
471 #endif /* TEST */
Generated on Sat May 25 2013 04:01:19 for FFmpeg by   doxygen 1.8.2